[RFC bpf-next 0/4] bpf: cgroup_sock lsm flavor


 



This is an RFC proposal for a recent discussion about default socket
policy [0]. The series implements a new lsm flavor for attaching
lsm-like programs to existing lsm hooks that operate on 'struct socket'.
The actual requirement is that the first argument is of type 'struct
socket'. Later on we can add support for 'struct sock'-based hooks without
any user-visible changes.

For demonstration purposes only two hooks are included (can be extended
to more later). Also, for demonstration purposes, writes to sock->sk_priority
are exposed to lsm hooks (can cover more bpf_sock fields later).

The intended workflow is:

The users load an lsm_cgroup_sock tracepoint into the system. This installs
a generic fmod_ret trampoline that runs __cgroup_bpf_run_lsm_sock.

After that, bpf_prog_attach should be called to activate this program
for the particular cgroup. This interface uses existing cgroup_bpf
functionality and should support all existing inheritance flags.

I'd like to get generic feedback on whether I'm going in the right
direction or not. The thing I'm not sure about is the way I'm
abusing jit generation (maybe fmod_ret should be automagically
installed instead?).

For non-socket specific hooks, we can add a similar BPF_LSM_CGROUP
attach point that looks at current->cgroup instead of socket->cgroup.

[0] https://lore.kernel.org/bpf/YgPz8akQ4+qBz7nf@xxxxxxxxxx/

Cc: ast@xxxxxxxxxx
Cc: daniel@xxxxxxxxxxxxx
Cc: kafai@xxxxxx
Cc: kpsingh@xxxxxxxxxx

Stanislav Fomichev (4):
  bpf: cgroup_sock lsm flavor
  bpf: allow writing to sock->sk_priority from lsm progtype
  libbpf: add lsm_cgroup_sock type
  selftest: lsm_cgroup_sock sample usage

 arch/x86/net/bpf_jit_comp.c                   | 27 +++++--
 include/linux/bpf-cgroup-defs.h               |  4 +
 include/linux/bpf.h                           |  2 +
 include/uapi/linux/bpf.h                      |  1 +
 kernel/bpf/bpf_lsm.c                          | 49 +++++++++++
 kernel/bpf/btf.c                              | 10 +++
 kernel/bpf/cgroup.c                           | 43 +++++++++-
 kernel/bpf/syscall.c                          |  6 +-
 kernel/bpf/trampoline.c                       |  1 +
 kernel/bpf/verifier.c                         |  4 +-
 tools/include/uapi/linux/bpf.h                |  1 +
 tools/lib/bpf/libbpf.c                        |  2 +
 .../bpf/prog_tests/lsm_cgroup_sock.c          | 81 +++++++++++++++++++
 .../selftests/bpf/progs/lsm_cgroup_sock.c     | 55 +++++++++++++
 14 files changed, 273 insertions(+), 13 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/lsm_cgroup_sock.c
 create mode 100644 tools/testing/selftests/bpf/progs/lsm_cgroup_sock.c

-- 
2.35.1.265.g69c8d7142f-goog