On Mon, Dec 30, 2019 at 7:11 AM KP Singh <kpsingh@xxxxxxxxxxxx> wrote:
>
> On 23-Dec 22:36, Andrii Nakryiko wrote:
> > On Fri, Dec 20, 2019 at 7:43 AM KP Singh <kpsingh@xxxxxxxxxxxx> wrote:
> > >
> > > From: KP Singh <kpsingh@xxxxxxxxxx>
> > >
> > > This helper is similar to bpf_perf_event_output except that
> > > it does need a ctx argument which is more usable in the
> > > BTF based LSM programs where the context is converted to
> > > the signature of the attacthed BTF type.
> > >
> > > An example usage of this function would be:
> > >
> > > struct {
> > > __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
> > > __uint(key_size, sizeof(int));
> > > __uint(value_size, sizeof(u32));
> > > } perf_map SEC(".maps");
> > >
> > > BPF_TRACE_1(bpf_prog1, "lsm/bprm_check_security,
> > > struct linux_binprm *, bprm)
> > > {
> > > char buf[BUF_SIZE];
> > > int len;
> > > u64 flags = BPF_F_CURRENT_CPU;
> > >
> > > /* some logic that fills up buf with len data */
> > > len = fill_up_buf(buf);
> > > if (len < 0)
> > > return len;
> > > if (len > BU)
> > > return 0;
> > >
> > > bpf_lsm_event_output(&perf_map, flags, buf, len);
> >
> > This seems to be generally useful and not LSM-specific, so maybe name
> > it more generically as bpf_event_output instead?
>
> Agreed, I am happy to rename this.
>
> >
> > I'm also curious why we needed both bpf_perf_event_output and
> > bpf_perf_event_output_raw_tp, if it could be done as simply as you did
> > it here. What's different between those three and why your
> > bpf_lsm_event_output doesn't need pt_regs passed into them?
>
> That's because my implementation uses the following function from
> bpf_trace.c:
>
> u64 bpf_event_output(struct bpf_map *map, u64 flags, void *meta, u64 meta_size,
> void *ctx, u64 ctx_size, bpf_ctx_copy_t ctx_copy)
>
> This does not require a pt_regs argument and handles fetching them
> internally:
>
> regs = this_cpu_ptr(&bpf_pt_regs.regs[nest_level - 1]);
>
> perf_fetch_caller_regs(regs);
> perf_sample_data_init(sd, 0, 0);
> sd->raw = &raw;
>
> ret = __bpf_perf_event_output(regs, map, flags, sd);
>
> - KP
Yeah, I saw that bit. I guess I'm confused why we couldn't do the same
for, say, raw_tracepoint case. Now Jiri Olsa is adding another similar
helper doing its own storage of pt_regs. If all of them can share the
same (even if with bigger nest_level) array of pt_regs, that would
great.
>
> >
> > > return 0;
> > > }
> > >
> > > Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx>
> > > ---
> > > include/uapi/linux/bpf.h | 10 +++++++++-
> > > kernel/bpf/verifier.c | 1 +
> > > security/bpf/ops.c | 21 +++++++++++++++++++++
> > > tools/include/uapi/linux/bpf.h | 10 +++++++++-
> > > 4 files changed, 40 insertions(+), 2 deletions(-)
> > >
> >
> > [...]
