On Sat, Apr 06, 2019 at 09:43:50AM -0700, Kees Cook wrote: > On Fri, Apr 5, 2019 at 12:36 PM Andrey Ignatov <rdna@xxxxxx> wrote: > > > > v2->v3: > > - simplify C based selftests by relying on variable offset stack access. > > > > v1->v2: > > - add fs/proc/proc_sysctl.c mainteners to Cc:. > > > > The patch set introduces new BPF hook for sysctl. > > > > It adds new program type BPF_PROG_TYPE_CGROUP_SYSCTL and attach type > > BPF_CGROUP_SYSCTL. > > > > BPF_CGROUP_SYSCTL hook is placed before calling to sysctl's proc_handler so > > that accesses (read/write) to sysctl can be controlled for specific cgroup > > and either allowed or denied, or traced. > > > > The hook has access to sysctl name, current sysctl value and (on write > > only) to new sysctl value via corresponding helpers. New sysctl value can > > be overridden by program. Both name and values (current/new) are > > represented as strings same way they're visible in /proc/sys/. It is up to > > program to parse these strings. > > > > To help with parsing the most common kind of sysctl value, vector of > > integers, two new helpers are provided: bpf_strtol and bpf_strtoul with > > semantic similar to user space strtol(3) and strtoul(3). > > > > The hook also provides bpf_sysctl context with two fields: > > * @write indicates whether sysctl is being read (= 0) or written (= 1); > > * @file_pos is sysctl file position to read from or write to, can be > > overridden. > > > > The hook allows to make better isolation for containerized applications > > that are run as root so that one container can't change a sysctl and affect > > all other containers on a host, make changes to allowed sysctl in a safer > > way and simplify sysctl tracing for cgroups. > > This sounds more like an LSM than BPF. not at all. the key difference is being cgroup scoped. essentially for different containers. > So sysctls can get blocked when > new BPF is added to a cgroup? bpf prog is attached to this hook in a particular cgroup and executed for sysctls for tasks that belong to that cgroup. > Can the BPF be removed (or rather, > what's the lifetime of such BPF?) same as all other cgroup-bpf hooks. Do you have a specific concern or just asking how life time of programs is managed? High level description of lifetime is here: https://facebookmicrosites.github.io/bpf/blog/2018/08/31/object-lifetime.html
