Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp235110ybi; Fri, 7 Jun 2019 07:15:04 -0700 (PDT) X-Google-Smtp-Source: APXvYqwlRCIVJXxMgYQyvu2d9NAJ6EkFOHhA4loy5a9S6xLh4CAK1rXXwm0ImK28EqwN2s8MG9bg X-Received: by 2002:a17:902:758b:: with SMTP id j11mr55364985pll.191.1559916904298; Fri, 07 Jun 2019 07:15:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559916904; cv=none; d=google.com; s=arc-20160816; b=LMAGGhEhjhyq5l7k5FpSoFrATbKlbMu8uvKFEYicMttLpBJE+eHPsMIWv0ppU0xQwc xMFEOEY2x+PHdu9KdpCtg1JkL3x+PcJRQF+slKAHH2WhlA+vU5ZJiVESYzJe53d+a5j7 gCkYQkTFOLS70Lu8CM4ZIuqVINt2FAi5Mi1ytvTJNwnr8mqqATCSlQVQ46tJrqSu0+Fs 24wYr2rKcrfaIT2L36sor0ZIm+gbXb6wiZ2Gz7lQKSVBlQh4x+yVibLU73tveqViX7Pu beDB9PnA23qDDAOefEL8B+J3jDJtvA2uN3L7oVFkhC4B4jjJR2R9pCNDGE9cTNBNCtHg T+Eg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=uGMgJuq5yq87nZc1iXSw3rrA6LJaXGUavU0uLXBD7Zs=; b=vTgkLY3AI0vrMtBOdPlNZP9kDYQx4N+jIT5mokPr4l/NP64uJWW2j680ajDA8Uh1aM v+GnaXAmC33vhGp7jf9CrTybxr5DrBnAKpBN3lo+ssNC7bq9RDdbkpzyXJSbDiGXyV6d JJ6NOpdm0sZfXtMJwK3X5UYcvYfm2azaCmV9Kv57BUSZGiOCCVr2GUlGiJ3puifcPUs4 2DkLW+nDWPyzhytlLFAF0tjtvfHtRNf3zD8ksxuFSUOjxBCyRRq2ZZVOFtmO0p9NkAnK oYYgZ7UT2hZ+kDuB5SUMw5kAJCXs6zDmjKzb8pvIdH/tNxxYaelnaRswSKMRCnDFFGwL n5rQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kinvolk.io header.s=google header.b=lK8ebs9w; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f64si1844437plf.128.2019.06.07.07.14.48; Fri, 07 Jun 2019 07:15:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kinvolk.io header.s=google header.b=lK8ebs9w; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729519AbfFGOLT (ORCPT + 99 others); Fri, 7 Jun 2019 10:11:19 -0400 Received: from mail-ed1-f66.google.com ([209.85.208.66]:42405 "EHLO mail-ed1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729389AbfFGOLO (ORCPT ); Fri, 7 Jun 2019 10:11:14 -0400 Received: by mail-ed1-f66.google.com with SMTP id z25so3213529edq.9 for ; Fri, 07 Jun 2019 07:11:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kinvolk.io; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=uGMgJuq5yq87nZc1iXSw3rrA6LJaXGUavU0uLXBD7Zs=; b=lK8ebs9wXyOkapYE4RhrzhhvvopPOCQRlCoKg2ti+4ihvpij2HIRb7/+Yr0erau6p9 cyqsPXRZ7B+d7ZH5g9nNJCSDVnktTXsAHfLBZBxdt1QKwvvgN9C83/mhO5xUqdhnV5WR KtmW5MgHYBkcM4SbMiAgMPxcG9Ijc6fhHKzNU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=uGMgJuq5yq87nZc1iXSw3rrA6LJaXGUavU0uLXBD7Zs=; b=I5dua3VFawrCzXPJhNkwQFyZU8pl8flBuqEP/tJKyAJ6hFryVYZuKwcA+52cC07jAj igNZ2S66KzyV5+tikNoSMNEENILOrNwtqFXfqCuqPr82vLnyX4NrnKolXajCh7lUnoLM TCmlVxU0w348baOY3wIXGm1JVgQfHG+EdfdCH1Ew8JLSS9VqYyXBv92Ve/GHqKw8X1RD NNjhoDCJcGYIWAzEUDZ+f1bjiWpoKLugWa+TwaoojwK0V4hP0mTxeG+JLJYA7UZ5dlN0 cS3qm/BYIW3PmGlVlXtjH9IBoWnEWdnfouES6TGYR8aFA0fVLAaQmW9QTsiXPXPEH5EU SA6Q== X-Gm-Message-State: APjAAAWhdOMxpUZ3yoSf7lk3/Du93+Sv1h8Xe6bCMzqYUVGgYRPjWr6x /TirgXm/Aq3eidJRKAferx2OHg== X-Received: by 2002:a17:906:3098:: with SMTP id 24mr22761119ejv.106.1559916672400; Fri, 07 Jun 2019 07:11:12 -0700 (PDT) Received: from locke-xps13.fritz.box (dslb-002-205-069-198.002.205.pools.vodafone-ip.de. [2.205.69.198]) by smtp.gmail.com with ESMTPSA id a40sm546116edd.1.2019.06.07.07.11.11 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Fri, 07 Jun 2019 07:11:11 -0700 (PDT) From: =?UTF-8?q?Iago=20L=C3=B3pez=20Galeiras?= To: john.fastabend@gmail.com, ast@kernel.org, daniel@iogearbox.net Cc: alban@kinvolk.io, krzesimir@kinvolk.io, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, =?UTF-8?q?Iago=20L=C3=B3pez=20Galeiras?= Subject: [PATCH bpf-next v5 1/4] bpf: sock ops: add netns ino and dev in bpf context Date: Fri, 7 Jun 2019 16:11:03 +0200 Message-Id: <20190607141106.32148-2-iago@kinvolk.io> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190607141106.32148-1-iago@kinvolk.io> References: <20190607141106.32148-1-iago@kinvolk.io> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Alban Crequy sockops programs can now access the network namespace inode and device via (struct bpf_sock_ops)->netns_ino and ->netns_dev. This can be useful to apply different policies on different network namespaces. In the unlikely case where network namespaces are not compiled in (CONFIG_NET_NS=n), the verifier will return netns_dev as usual and will return 0 for netns_ino. The generated BPF bytecode for netns_ino is loading the correct inode number at the time of execution. However, the generated BPF bytecode for netns_dev is loading an immediate value determined at BPF-load-time by looking at the initial network namespace. In practice, this works because all netns currently use the same virtual device. If this was to change, this code would need to be updated too. Co-authored-by: Iago López Galeiras Signed-off-by: Alban Crequy Signed-off-by: Iago López Galeiras --- Changes since v1: - add netns_dev (review from Alexei) Changes since v2: - replace __u64 by u64 in kernel code (review from Y Song) - remove unneeded #else branch: program would be rejected in is_valid_access (review from Y Song) - allow partial reads ( #include #include +#include +#include /** * sk_filter_trim_cap - run a packet through a socket filter @@ -6822,6 +6824,15 @@ static bool sock_ops_is_valid_access(int off, int size, } } else { switch (off) { + case bpf_ctx_range(struct bpf_sock_ops, netns_dev): + bpf_ctx_record_field_size(info, sizeof(u64)); + if (!bpf_ctx_narrow_access_ok(off, size, sizeof(u64))) + return false; + break; + case offsetof(struct bpf_sock_ops, netns_ino): + if (size != sizeof(u64)) + return false; + break; case bpf_ctx_range_till(struct bpf_sock_ops, bytes_received, bytes_acked): if (size != sizeof(__u64)) @@ -7739,6 +7750,11 @@ static u32 sock_addr_convert_ctx_access(enum bpf_access_type type, return insn - insn_buf; } +static struct ns_common *sockops_netns_cb(void *private_data) +{ + return &init_net.ns; +} + static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, const struct bpf_insn *si, struct bpf_insn *insn_buf, @@ -7747,6 +7763,10 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, { struct bpf_insn *insn = insn_buf; int off; + struct inode *ns_inode; + struct path ns_path; + u64 netns_dev; + void *res; /* Helper macro for adding read access to tcp_sock or sock fields. */ #define SOCK_OPS_GET_FIELD(BPF_FIELD, OBJ_FIELD, OBJ) \ @@ -7993,6 +8013,53 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, SOCK_OPS_GET_OR_SET_FIELD(sk_txhash, sk_txhash, struct sock, type); break; + + case bpf_ctx_range(struct bpf_sock_ops, netns_dev): + /* We get the netns_dev at BPF-load-time and not at + * BPF-exec-time. We assume that netns_dev is a constant. + */ + res = ns_get_path_cb(&ns_path, sockops_netns_cb, NULL); + if (IS_ERR(res)) { + netns_dev = 0; + } else { + ns_inode = ns_path.dentry->d_inode; + netns_dev = new_encode_dev(ns_inode->i_sb->s_dev); + } + *target_size = 8; + *insn++ = BPF_MOV64_IMM(si->dst_reg, netns_dev); + break; + + case offsetof(struct bpf_sock_ops, netns_ino): +#ifdef CONFIG_NET_NS + /* Loading: sk_ops->sk->__sk_common.skc_net.net->ns.inum + * Type: (struct bpf_sock_ops_kern *) + * ->(struct sock *) + * ->(struct sock_common) + * .possible_net_t + * .(struct net *) + * ->(struct ns_common) + * .(unsigned int) + */ + BUILD_BUG_ON(offsetof(struct sock, __sk_common) != 0); + BUILD_BUG_ON(offsetof(possible_net_t, net) != 0); + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( + struct bpf_sock_ops_kern, sk), + si->dst_reg, si->src_reg, + offsetof(struct bpf_sock_ops_kern, sk)); + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( + possible_net_t, net), + si->dst_reg, si->dst_reg, + offsetof(struct sock_common, skc_net)); + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( + struct ns_common, inum), + si->dst_reg, si->dst_reg, + offsetof(struct net, ns) + + offsetof(struct ns_common, inum)); +#else + *insn++ = BPF_MOV64_IMM(si->dst_reg, 0); +#endif + break; + } return insn - insn_buf; } -- 2.21.0