Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4924792pxj; Wed, 12 May 2021 16:44:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx+l7+GZZ+k8JJY1NzRC5lpLbBooV75csS8GVPxPcMsQRqpjHyAaCIBz1j4ry0B/ONa+JqB X-Received: by 2002:aa7:cd8b:: with SMTP id x11mr46829850edv.87.1620863041957; Wed, 12 May 2021 16:44:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620863041; cv=none; d=google.com; s=arc-20160816; b=gqQMvAn/6ZIs/sIRfXAvW04KdBJQAS3pH10UT9mOmt5kpNxFFQNbBxLU3KxfPwXwPv 7fOr75f7FGHUkwRLaN/77Cjnf65e5Bu2sZqs9N53tSjmi+7jCUDwwcfrwXzalJbYCLBk 4teIAkYRBSJqB0fUXdG3LwbrOnbbV3pKRhES1cwsPeF4eYAiYVBm4Rht/POaV+260zR1 BwISh6BhSv+l6lg40n6z28EINKNk40m3JpUhQenmHyvuYHCAKQSyQqp0kq8zV2malisS 8Sg/5iUZ53XpxBbTwaSj0erYGye5EiTFzxGspjo9DHDFb2MTRWBqzrxR3SdowCcqC3mM yoIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=U6Yw/aST6fr+ZgDp8ejO8NenUGdJg/UmhmI/pM7yQvE=; b=AlrrviSYE/1vbA3Xp/uZWf8TVn/Nem5hYMGZLcVuoh9mFj+XXHpqw5frcRBYPcR/wM QEFVOANY9lp9+ypZQTaYKcPPfG0Ygu6TUaaDpCbWp4Yv020MIrZitkNn3fzG/VShOYUL F9BUOV0Z+G7n93XW5e4H3z8RsCA3Z8ApmiO/w+cQHJsOP14wzcuE9oCITNbxeEZKYo94 rHMTFUDHZJdQKCPIVRieateiwOhRwjVL5otysegQdOFMkuyhcmYVzxe7ZiScxN4qDwTp y1jmbwatqBnmAyqkQMrBTdkEI8kUeVO3WNWqBBci+GXyQ7lgm6+2bTQubj/QfVq8uhyJ 5/nA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=OBMINBaw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s12si1137046edd.416.2021.05.12.16.43.38; Wed, 12 May 2021 16:44:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=OBMINBaw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1349066AbhELXfF (ORCPT + 99 others); Wed, 12 May 2021 19:35:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33898 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239747AbhELW51 (ORCPT ); Wed, 12 May 2021 18:57:27 -0400 Received: from mail-pg1-x52a.google.com (mail-pg1-x52a.google.com [IPv6:2607:f8b0:4864:20::52a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DFD9BC06135A; Wed, 12 May 2021 15:55:09 -0700 (PDT) Received: by mail-pg1-x52a.google.com with SMTP id m190so19500718pga.2; Wed, 12 May 2021 15:55:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=U6Yw/aST6fr+ZgDp8ejO8NenUGdJg/UmhmI/pM7yQvE=; b=OBMINBawBSAXl5ymaYMRHcQ7jBGlJX8tbkO+VDxVWQFkkMqUmGwpUW/EI8uwfC35Af 7jrxzoUCEKD+RVwXcId53ScX0ROrj4stQcBLQdt7DOeIcGksJ4RewjD/XsYkc1CxeW9C YMAmVQJC9F67Fm7IUt8bDpgAnKweWXaUCWpDPjG4pGmvYCdOnMQXUSsP7X11psFmjjZ6 7iZJgFV8qKb8kXGB6vAqaJP1xwP9ExtIwn5BhDax1NFeDSSVjZXyriZnadAjUDlX8uPN 9lsw0ve/FlR/wmzqIPINV1FURx/IR613DoOLN063LoDxA6cJtf0LBLy4TfORhgsqjkty sFhQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=U6Yw/aST6fr+ZgDp8ejO8NenUGdJg/UmhmI/pM7yQvE=; b=IuoNWs0RlR9EKYhhjVB/RJ6EHXMCh4EftKzHRQyaXb2D7HBL4USwBemZJ+SMHKppbS nEmAkIEx/xBHxGZrfi+bDQdWj9kZl8N6mPK7GJ6/MmOVD81VaY9FC3MUkpMQ9ln+4hd6 5MZgBv8pOUNtlcvucEKbFKwHWLfsCLi9G15pk/v02oWsTYTcnqr/1iu7clVahkp8GaMo 0h3Uf0AL7vsBvnmBaBt7AD+/XOtazafoW3FV2iMxGZakum2cEb4NMAEUW9GS4ob52D2j 7NTcY6Ae+SMyAEt4yYXikyKthT8ScOLdpyMM5kQIwfTKBQo7kPlKnTBBqELxLWH7qq/l KPug== X-Gm-Message-State: AOAM531Vu/Xv0EydsZsCiL8pv8cWQIVbMJihKSZX1R5LCcOgV+Pbm4z6 AQytvUmWMgNRG0ITBY0ZZx8= X-Received: by 2002:a63:4f4a:: with SMTP id p10mr886589pgl.384.1620860109475; Wed, 12 May 2021 15:55:09 -0700 (PDT) Received: from ast-mbp.dhcp.thefacebook.com ([2620:10d:c090:400::5:c6f4]) by smtp.gmail.com with ESMTPSA id p11sm642052pjo.19.2021.05.12.15.55.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 12 May 2021 15:55:08 -0700 (PDT) Date: Wed, 12 May 2021 15:55:04 -0700 From: Alexei Starovoitov To: Xufeng Zhang Cc: kpsingh@kernel.org, ast@kernel.org, daniel@iogearbox.net, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, revest@chromium.org, jackmanb@chromium.org, yhs@fb.com, songliubraving@fb.com, kafai@fb.com, john.fastabend@gmail.com, joe@cilium.io, quentin@isovalent.com Subject: Re: [RFC] [PATCH bpf-next 1/1] bpf: Add a BPF helper for getting the cgroup path of current task Message-ID: <20210512225504.3kt6ij4xqzbtyej5@ast-mbp.dhcp.thefacebook.com> References: <20210512095823.99162-1-yunbo.xufeng@linux.alibaba.com> <20210512095823.99162-2-yunbo.xufeng@linux.alibaba.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210512095823.99162-2-yunbo.xufeng@linux.alibaba.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 12, 2021 at 05:58:23PM +0800, Xufeng Zhang wrote: > To implement security rules for application containers by utilizing > bpf LSM, the container to which the current running task belongs need > to be known in bpf context. Think about this scenario: kubernetes > schedules a pod into one host, before the application container can run, > the security rules for this application need to be loaded into bpf > maps firstly, so that LSM bpf programs can make decisions based on > this rule maps. > > However, there is no effective bpf helper to achieve this goal, > especially for cgroup v1. In the above case, the only available information > from user side is container-id, and the cgroup path for this container > is certain based on container-id, so in order to make a bridge between > user side and bpf programs, bpf programs also need to know the current > cgroup path of running task. ... > +#ifdef CONFIG_CGROUPS > +BPF_CALL_2(bpf_get_current_cpuset_cgroup_path, char *, buf, u32, buf_len) > +{ > + struct cgroup_subsys_state *css; > + int retval; > + > + css = task_get_css(current, cpuset_cgrp_id); > + retval = cgroup_path_ns(css->cgroup, buf, buf_len, &init_cgroup_ns); > + css_put(css); > + if (retval >= buf_len) > + retval = -ENAMETOOLONG; Manipulating string path to check the hierarchy will be difficult to do inside bpf prog. It seems to me this helper will be useful only for simplest cgroup setups where there is no additional cgroup nesting within containers. Have you looked at *ancestor_cgroup_id and *cgroup_id helpers? They're a bit more flexible when dealing with hierarchy and can be used to achieve the same correlation between kernel and user cgroup ids.