Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp319232pxj; Fri, 14 May 2021 04:22:57 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzX4dyndUF9wxGsqu6JcbBc8kervTEt273zjGYjTfdhPrEPxmmcyG2z+/hPo6howvN9zPr+ X-Received: by 2002:a5d:9b03:: with SMTP id y3mr13938174ion.191.1620991376910; Fri, 14 May 2021 04:22:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620991376; cv=none; d=google.com; s=arc-20160816; b=KdXmxrafUfZCAPpiIzA4HhDv5M3C1pOSJc/1wjnEAafj23U/n00zfmPHrMNU9/DAx6 +792NZhuHYpUo4ipbwDS2fEHQdx3GCC0vycXG4zccP+bmmaCAoqMvCjbZ0hTJu1lUht1 u8rETHWc2vNlLAfGWWJ2QTpmtMy/A9/ifrqHnrmSm3Uy1YSoccqOwMcWlX/U6oCdOOIX tmKBA61Uag9fYCxWkcY2RwjJr1AUg/cpNcC29DbLuj7bAqCiH+zSpAr9B+UOPsMyzrni y1fmuZrgUz0NZ+9JTADX3/jRRpPLUJH/sMc4Cddy/v3AZd+PtvadwTsUEHAI6xB/bxaR R5gA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=wnaxFoKFMqMultv5aHrS/zUjG4DdQlkyhCwu9zjEbu8=; b=yXinGDdkGwAK9haunm4iCP+72tw4vbq0Ct/jEa304FLZR+6e0sbzyxHtF/6w4D7lhS 8ty5JcnjpKL6zGrY4sjGE+yovZvBHFrNnI4pNR/hAvtvSM3e+dW6CfB1dJblBbERr+g2 W8PxUtamKWBGbHs7aKuc5t1/eXmCk27fIUfux5CzU1hMDY0rBIucBlk2HcQjgdap/JBv uWMrX3IrjXkRCsOm0fuYA3MvCUeeAwoJAEU4mH8gqcb07lqgyFrgAjtXMfOTFgjvnFvY /qhAlch/DaX46u1fG+4fNtjNtfOr7Rfw06EONTrQsmZ+ZqDyixCfpGTg3tVFDjs1Jpth B8eg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=RXWMpTEt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k17si7250834ion.39.2021.05.14.04.22.42; Fri, 14 May 2021 04:22:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=RXWMpTEt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229445AbhENLV6 (ORCPT + 99 others); Fri, 14 May 2021 07:21:58 -0400 Received: from mail.kernel.org ([198.145.29.99]:55814 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229554AbhENLV5 (ORCPT ); Fri, 14 May 2021 07:21:57 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id E1AB661469 for ; Fri, 14 May 2021 11:20:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1620991245; bh=d1QDAQZ60obWUxgQJmiEA+FKlikVqoTz4eCnAtLMGx8=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=RXWMpTEthVDf7TGL2KFsH80ibKBqS3kz8Z6qJZZUpP74QytGTgJ9nUN9CbTefIMeD QuAiWjvUsOYDq3yX4NOZXalN2a/ImEwO0vUE24RQvDUywCRYL8vZXozs6pyPpFwnqm TVZoV0pnxvEkE24YKaLz27gdpVBkb0Aj52hZ6dP/+gdcHETwurNmeq1CQIqcqfpWbZ jDBFLgVFkQ4P4lIdKRSl5d/2knY1Mb7MvbfCGBTa0bgnM0X7zd6Ab7DO6S1dV0FySt g2gdUbjs61xI4x/IMGXw8I3r/xJT6vjGc+44RJkriurANq7XqGyfb1/6doQGvEadXb 4GH1ghIah6Rhg== Received: by mail-lj1-f170.google.com with SMTP id s25so12763503ljo.11 for ; Fri, 14 May 2021 04:20:45 -0700 (PDT) X-Gm-Message-State: AOAM5309aPSYnDCUFIw9RD6ho9BrA4iu/LT7wIWsyKWF2kdk1G1Aqn3v 7h9dxKTp+lSGgnSXi8GVfEoR6vU06B4Dr3kZ4M9Ilg== X-Received: by 2002:a05:651c:285:: with SMTP id b5mr23795422ljo.348.1620991244001; Fri, 14 May 2021 04:20:44 -0700 (PDT) MIME-Version: 1.0 References: <20210512095823.99162-1-yunbo.xufeng@linux.alibaba.com> <20210512095823.99162-2-yunbo.xufeng@linux.alibaba.com> <20210512225504.3kt6ij4xqzbtyej5@ast-mbp.dhcp.thefacebook.com> <1b6dfe61-29ed-5d4d-fa1f-1bd46a4f5860@linux.alibaba.com> In-Reply-To: <1b6dfe61-29ed-5d4d-fa1f-1bd46a4f5860@linux.alibaba.com> From: KP Singh Date: Fri, 14 May 2021 13:20:32 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC] [PATCH bpf-next 1/1] bpf: Add a BPF helper for getting the cgroup path of current task To: xufeng zhang Cc: Alexei Starovoitov , Daniel Borkmann , bpf , open list , Linux Security Module list , Florent Revest , Brendan Jackman , Yonghong Song , Song Liu , Martin KaFai Lau , John Fastabend , joe@cilium.io, quentin@isovalent.com, Alexei Starovoitov Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 14, 2021 at 6:06 AM xufeng zhang wrote: > > > =E5=9C=A8 2021/5/13 =E4=B8=8A=E5=8D=886:55, Alexei Starovoitov =E5=86=99= =E9=81=93: > > On Wed, May 12, 2021 at 05:58:23PM +0800, Xufeng Zhang wrote: > >> To implement security rules for application containers by utilizing > >> bpf LSM, the container to which the current running task belongs need > >> to be known in bpf context. Think about this scenario: kubernetes > >> schedules a pod into one host, before the application container can ru= n, > >> the security rules for this application need to be loaded into bpf > >> maps firstly, so that LSM bpf programs can make decisions based on > >> this rule maps. > >> > >> However, there is no effective bpf helper to achieve this goal, > >> especially for cgroup v1. In the above case, the only available inform= ation > >> from user side is container-id, and the cgroup path for this container > >> is certain based on container-id, so in order to make a bridge between > >> user side and bpf programs, bpf programs also need to know the current > >> cgroup path of running task. > > ... > >> +#ifdef CONFIG_CGROUPS > >> +BPF_CALL_2(bpf_get_current_cpuset_cgroup_path, char *, buf, u32, buf_= len) > >> +{ > >> + struct cgroup_subsys_state *css; > >> + int retval; > >> + > >> + css =3D task_get_css(current, cpuset_cgrp_id); > >> + retval =3D cgroup_path_ns(css->cgroup, buf, buf_len, &init_cgroup= _ns); > >> + css_put(css); > >> + if (retval >=3D buf_len) > >> + retval =3D -ENAMETOOLONG; > > Manipulating string path to check the hierarchy will be difficult to do > > inside bpf prog. It seems to me this helper will be useful only for > > simplest cgroup setups where there is no additional cgroup nesting > > within containers. > > Have you looked at *ancestor_cgroup_id and *cgroup_id helpers? > > They're a bit more flexible when dealing with hierarchy and > > can be used to achieve the same correlation between kernel and user cgr= oup ids. > > > KP, > > do you have any suggestion? I haven't really tried this yet, but have you considered using task local storage to identify the container? - Add a task local storage with container ID somewhere in the container manager - Propagate this ID to all the tasks within a container using task security blob management hooks (like task_alloc and task_free) etc. > > what I am thinking is the internal kernel object(cgroup id or ns.inum) > is not so user friendly, we can get the container-context from them for > tracing scenario, but not for LSM blocking cases, I'm not sure how > Google internally resolve similar issue. > > > Thanks! > > Xufeng >