From: Iago López Galeiras
To: john.fastabend@gmail.com, ast@kernel.org, daniel@iogearbox.net
Cc: alban@kinvolk.io, krzesimir@kinvolk.io, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Iago López Galeiras
Subject: [PATCH bpf-next v4 1/4] bpf: sock ops: add netns ino and dev in bpf context
Date: Fri, 24 May 2019 17:59:28 +0200
Message-Id: <20190524155931.7946-2-iago@kinvolk.io>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190524155931.7946-1-iago@kinvolk.io>
References: <20190524155931.7946-1-iago@kinvolk.io>
List-ID: linux-kernel@vger.kernel.org
From: Alban Crequy sockops programs can now access the network namespace inode and device via (struct bpf_sock_ops)->netns_ino and ->netns_dev. This can be useful to apply different policies on different network namespaces. In the unlikely case where network namespaces are not compiled in (CONFIG_NET_NS=n), the verifier will return netns_dev as usual and will return 0 for netns_ino. The generated BPF bytecode for netns_ino is loading the correct inode number at the time of execution. However, the generated BPF bytecode for netns_dev is loading an immediate value determined at BPF-load-time by looking at the initial network namespace. In practice, this works because all netns currently use the same virtual device. If this was to change, this code would need to be updated too. Co-authored-by: Iago López Galeiras Signed-off-by: Alban Crequy Signed-off-by: Iago López Galeiras --- Changes since v1: - add netns_dev (review from Alexei) Changes since v2: - replace __u64 by u64 in kernel code (review from Y Song) - remove unneeded #else branch: program would be rejected in is_valid_access (review from Y Song) - allow partial reads ( #include #include +#include +#include /** * sk_filter_trim_cap - run a packet through a socket filter @@ -6822,6 +6824,18 @@ static bool sock_ops_is_valid_access(int off, int size, } } else { switch (off) { + case bpf_ctx_range(struct bpf_sock_ops, netns_dev): + if (off >= offsetofend(struct bpf_sock_ops, netns_dev)) + return false; + + bpf_ctx_record_field_size(info, sizeof(u64)); + if (!bpf_ctx_narrow_access_ok(off, size, sizeof(u64))) + return false; + break; + case offsetof(struct bpf_sock_ops, netns_ino): + if (size != sizeof(u64)) + return false; + break; case bpf_ctx_range_till(struct bpf_sock_ops, bytes_received, bytes_acked): if (size != sizeof(__u64)) 
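Review bot: the `if (off >= offsetofend(struct bpf_sock_ops, netns_dev)) return false;` check inside the `case bpf_ctx_range(struct bpf_sock_ops, netns_dev):` arm can never fire, because bpf_ctx_range() already ends at offsetofend() - 1; drop it. The two new fields are also handled asymmetrically in the same switch: netns_dev records its field size and accepts narrow loads through bpf_ctx_narrow_access_ok(), while netns_ino rejects anything but a full `sizeof(u64)` read. If partial reads are wanted for one field they are wanted for the other, so use the same three-line pattern for netns_ino (and set *target_size for it on the convert side), or state in the commit message why netns_ino stays full-width only. Minor: the new lines use sizeof(u64) directly beside the existing sizeof(__u64) in the bytes_received/bytes_acked arm; pick one spelling for the function.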
@@ -7739,6 +7753,11 @@ static u32 sock_addr_convert_ctx_access(enum bpf_access_type type, return insn - insn_buf; } +static struct ns_common *sockops_netns_cb(void *private_data) +{ + return &init_net.ns; +} + static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, const struct bpf_insn *si, struct bpf_insn *insn_buf, @@ -7747,6 +7766,10 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, { struct bpf_insn *insn = insn_buf; int off; + struct inode *ns_inode; + struct path ns_path; + u64 netns_dev; + void *res; /* Helper macro for adding read access to tcp_sock or sock fields. */ #define SOCK_OPS_GET_FIELD(BPF_FIELD, OBJ_FIELD, OBJ) \ 
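Review bot: sockops_netns_cb() ignores its private_data argument and unconditionally returns &init_net.ns, so the only thing it contributes is the nsfs inode of the initial namespace; a one-line comment saying this is deliberate (the caller only reads i_sb->s_dev, which is the same for every namespace inode, as the commit message explains) would stop a reader from expecting the socket's own namespace here. In the declarations hunk, `void *res` holds the ERR_PTR()-or-NULL result of ns_get_path_cb(); naming it `err` and moving the four new locals into the only case that uses them would keep the top of sock_ops_convert_ctx_access() readable.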
@@ -7993,6 +8016,53 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, SOCK_OPS_GET_OR_SET_FIELD(sk_txhash, sk_txhash, struct sock, type); break; + + case bpf_ctx_range(struct bpf_sock_ops, netns_dev): + /* We get the netns_dev at BPF-load-time and not at + * BPF-exec-time. We assume that netns_dev is a constant. + */ + res = ns_get_path_cb(&ns_path, sockops_netns_cb, NULL); + if (IS_ERR(res)) { + netns_dev = 0; + } else { + ns_inode = ns_path.dentry->d_inode; + netns_dev = new_encode_dev(ns_inode->i_sb->s_dev); + } + *target_size = 8; + *insn++ = BPF_MOV64_IMM(si->dst_reg, netns_dev); + break; + + case offsetof(struct bpf_sock_ops, netns_ino): +#ifdef CONFIG_NET_NS + /* Loading: sk_ops->sk->__sk_common.skc_net.net->ns.inum + * Type: (struct bpf_sock_ops_kern *) + * ->(struct sock *) + * ->(struct sock_common) + * .possible_net_t + * .(struct net *) + * ->(struct ns_common) + * .(unsigned int) + */ + BUILD_BUG_ON(offsetof(struct sock, __sk_common) != 0); + BUILD_BUG_ON(offsetof(possible_net_t, net) != 0); + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( + struct bpf_sock_ops_kern, sk), + si->dst_reg, si->src_reg, + offsetof(struct bpf_sock_ops_kern, sk)); + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( + possible_net_t, net), + si->dst_reg, si->dst_reg, + offsetof(struct sock_common, skc_net)); + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( + struct ns_common, inum), + si->dst_reg, si->dst_reg, + offsetof(struct net, ns) + + offsetof(struct ns_common, inum)); +#else + *insn++ = BPF_MOV64_IMM(si->dst_reg, 0); +#endif + break; + } return insn - insn_buf; } -- 2.21.0
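Review bot: in the netns_dev case the path filled in by ns_get_path_cb() is never released. On success it holds a dentry and a mount reference on nsfs, and the hunk reads ns_path.dentry->d_inode->i_sb->s_dev with no matching path_put(&ns_path), so every load of a program that touches netns_dev leaks both references; add path_put(&ns_path) right after netns_dev is computed. Two smaller points in the same case: netns_dev is declared u64 but BPF_MOV64_IMM() only encodes a sign-extended 32-bit immediate, so either make it u32 (new_encode_dev() returns u32 anyway) or emit BPF_LD_IMM64; and on ns_get_path_cb() failure the program silently sees netns_dev == 0, which is indistinguishable from a real value, so document that in the uapi comment for the field. In the netns_ino case the last BPF_LDX_MEM() emits a 4-byte load of ns_common.inum into a u64 context field; that zero-extends correctly, but a comment saying so would help, since the verifier side only admits 8-byte reads of this field.

The commit message describes netns_ino and netns_dev as the identity of the socket's network namespace, with netns_ino reading 0 when CONFIG_NET_NS=n. The following C program is an added example, not code from the patch, the series or its authors: it shows the userspace side of such a policy, i.e. how a loader derives the same (dev, ino) pair for a namespace from the nsfs inode behind /proc/<pid>/ns/net, so it can populate a policy map the sockops program would key on, and how the CONFIG_NET_NS=n zero is handled. It assumes Linux with /proc mounted, that the patch's netns_dev/netns_ino correspond to st_dev/st_ino of that nsfs inode (the hunks read i_sb->s_dev through new_encode_dev() and ns_common.inum, which is the nsfs inode number), and that glibc's major()/minor() invert the kernel's new_encode_dev() encoding, which holds on x86-64.

```c
/* Added example (not from the patch): userspace side of a per-netns policy.
 * A loader computes the (dev, ino) pair identifying a network namespace,
 * the pair the series exposes to sockops programs as netns_dev / netns_ino,
 * and uses it as the key of a policy decision.
 * Assumptions: Linux with /proc mounted; glibc major()/minor() invert the
 * kernel's new_encode_dev() (true on x86-64). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>

struct netns_key {
    uint64_t dev;   /* value the patch loads into netns_dev */
    uint64_t ino;   /* value the patch loads into netns_ino (0 if CONFIG_NET_NS=n) */
};

/* Mirror of the kernel's new_encode_dev(): the encoding the patch applies to
 * i_sb->s_dev before handing it to the BPF program. */
static uint64_t encode_dev(unsigned int major_nr, unsigned int minor_nr)
{
    return (minor_nr & 0xffu) | ((uint64_t)major_nr << 8) |
           ((uint64_t)(minor_nr & ~0xffu) << 12);
}

/* Build the key for the namespace behind an nsfs path such as
 * /proc/<pid>/ns/net. Returns 0 on success or -errno. */
int netns_key_from_path(const char *path, struct netns_key *key)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return -errno;
    /* The nsfs inode number is ns_common.inum, which netns_ino loads. */
    key->ino = st.st_ino;
    /* st_dev is already kernel-encoded; decode and re-encode so the value is
     * visibly the same formula the patch uses (assumption: glibc x86-64). */
    key->dev = encode_dev(major(st.st_dev), minor(st.st_dev));
    return 0;
}

/* Decide which policy applies to a socket, given the key a sockops program
 * would read and the key of the initial namespace. A zero inode means the
 * kernel has CONFIG_NET_NS=n (the patch returns 0 there), so every socket
 * lives in the only namespace that exists: treat it as the host. */
const char *netns_policy(const struct netns_key *sock_ns,
                         const struct netns_key *init_ns)
{
    if (sock_ns->ino == 0)
        return "host";
    if (sock_ns->dev == init_ns->dev && sock_ns->ino == init_ns->ino)
        return "host";
    return "container";
}

int main(void)
{
    struct netns_key self, init;
    int err;

    err = netns_key_from_path("/proc/self/ns/net", &self);
    if (err) {
        fprintf(stderr, "stat /proc/self/ns/net: %s\n", strerror(-err));
        return 1;
    }
    /* /proc/1/ns/net stands in for the initial namespace; stat() on another
     * task's ns link needs ptrace-read access to that task. */
    err = netns_key_from_path("/proc/1/ns/net", &init);
    if (err) {
        fprintf(stderr, "stat /proc/1/ns/net: %s\n", strerror(-err));
        return 1;
    }
    printf("netns_dev=%#llx netns_ino=%llu policy=%s\n",
           (unsigned long long)self.dev, (unsigned long long)self.ino,
           netns_policy(&self, &init));
    return 0;
}
```

Run it once on the host and once inside a network namespace (for instance under `ip netns exec`); the inode changes while the device stays the same, which is exactly the property the commit message relies on when it computes netns_dev once at load time.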