Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp908964rwe; Thu, 25 Aug 2022 11:18:27 -0700 (PDT) X-Google-Smtp-Source: AA6agR4u0wJ0PhwfogV4XRXVHkg8Tsh8a54koFIRVFH/YN1JWnxzDI5MyzMnVuKrqBwlpzfJW4tK X-Received: by 2002:a17:90b:1c81:b0:1fb:887c:f82e with SMTP id oo1-20020a17090b1c8100b001fb887cf82emr392759pjb.92.1661451507667; Thu, 25 Aug 2022 11:18:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661451507; cv=none; d=google.com; s=arc-20160816; b=HDaaIFZuDQA3LJmBSWU5pYQiqgapirY4OjSmVDApMZosz6rMXemRk3R45Iz23IJ7qm VPaBvic1qm1L+Us/cjms45FHdKH401467k4IlRD7dyIlqByVGlqY8x1Xhkd7zLP0odQ6 /Yx+Oois8UywYVfrMZrrH49b6PaPZ6Uagej0SmLu4ImzTfmFcOLur49330Pkq25HxDvJ gzZy4l/C5uPH4izQD5Pc1thSHNtjaxeOt6IEze2yoaHzn125142KUSDXEcv2V3bBIOnD n9Zlwcrh6VewIHi7hqFyoxmsXd8CTUXz39UNbqYBncUyQv9NpOpjh7Z61xYAM56HY7iL 6low== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=/GYRroV0j1HQtttqGy5ikwY0tvszI/gqxle1gBMtBi8=; b=TEvi84BUpDJSliFtBtVxQE52RwjSMmJsUY+/hnPRcvOLBnXRMFb1rUg1yRuwV+hvHO 1h/UxkQPBjO7b4ZL8GjFcxxc3CMH7ZqOpJyVIoYEzWWmUpXMZr/oKEu498py9Es3NoT1 SByH5KXR9nO2bX+iFy0ZrK/A3POoN0ce07vAuPnitXPGWEr8VTvSTJ0sY4Bf56rYheln miTYcLCeuPp38EhKTMJCqL8eaUrf//MkcyuyH52Y+9PvU8JeMX/35/VybwJmIElmKXdb zlEWQpPDUmlhzDSUt1ObvOXXP47WyALxqMTPYSm32zuksgRJeA+Lib1BRAdf3vepyQ0V Xg3Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=ck2vOHHo; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b14-20020a170903228e00b00171345701dbsi22204840plh.526.2022.08.25.11.18.12; Thu, 25 Aug 2022 11:18:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=ck2vOHHo; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242669AbiHYR6o (ORCPT + 99 others); Thu, 25 Aug 2022 13:58:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43148 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240713AbiHYR6j (ORCPT ); Thu, 25 Aug 2022 13:58:39 -0400 Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 92F71BD0B3 for ; Thu, 25 Aug 2022 10:58:38 -0700 (PDT) Received: by mail-qk1-x735.google.com with SMTP id f14so15807574qkm.0 for ; Thu, 25 Aug 2022 10:58:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc; bh=/GYRroV0j1HQtttqGy5ikwY0tvszI/gqxle1gBMtBi8=; b=ck2vOHHo88Dym2Eg5dmOrOFWsd+DiRYzQswvx+qDw/AaR6oiFaBJuXUDozxFm5NdeY RyIHT6ucnHWVYW6HD8rQ+SaVdPk0knVAyhXIGj5w8crdLz6PBdvQtFIIaAYJdupUr7Jf m1xm1ISYsse8LApnX9JzNrTmopx1LnHBt+ZKHiKPVL0+L8GUr6VeP3JxqlvNj8ckaxzE V4nu1m+hX8cIclMyiKgMwCNn4rkZdPf3FccCw+8fdv7PtEeMjXwsvWy9eT3Gia6EroBO DE334U1ACpqjXh+T9+MFSK12LcnccR145icds02vQe0SfVkKnQiwa6FtY2yGHSVjM2t+ KwEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc; bh=/GYRroV0j1HQtttqGy5ikwY0tvszI/gqxle1gBMtBi8=; b=O1atg1zuHPAdtQucODphZtGAcQOHG0ryqIkKelOW6uPjYTLYUZZIZDIe09gppe7ibK BYsaJnlCwFe6jk+POaD5vvrY5wCji0ypf/6N0iuCQhQgeukiLAQeULGRnLL/RcGymQB6 kL2zlxlP3xcCaoZH9uGOUrVzNkNqPS1ynHnmD0BAv5LeQpTlnkfT39wiQjbpz8GjFBPC hJHhy5cmSCeKhEECM9SbalpkL0tYetqYCxrVd808YeF1XshLRyNJrpyvMugBfvH7cpLB Uw1Uc3ELxw2heZEPSGgKCoteJVI8gZNfQFpSHv5U+4uAggsiVlItgfmu9yf5yjKADIlx G/Mw== X-Gm-Message-State: ACgBeo2cSNXQuTXQKsdE1V+O6eeQOM/OGri7b7bE8UQIlVNg8GyUUr8T kVzMXuldkoRAa6rh0Wwv4GkcxDYOsQxybIoRzQEGLA== X-Received: by 2002:a05:620a:458c:b0:6bb:848a:b86b with SMTP id bp12-20020a05620a458c00b006bb848ab86bmr3882934qkb.267.1661450317552; Thu, 25 Aug 2022 10:58:37 -0700 (PDT) MIME-Version: 1.0 References: <20220824030031.1013441-1-haoluo@google.com> <20220824030031.1013441-2-haoluo@google.com> <20220825152455.GA29058@blackbody.suse.cz> In-Reply-To: <20220825152455.GA29058@blackbody.suse.cz> From: Hao Luo Date: Thu, 25 Aug 2022 10:58:26 -0700 Message-ID: Subject: Re: [PATCH bpf-next v9 1/5] bpf: Introduce cgroup iter To: =?UTF-8?Q?Michal_Koutn=C3=BD?= Cc: linux-kernel@vger.kernel.org, bpf@vger.kernel.org, cgroups@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov , Andrii Nakryiko , Daniel Borkmann , Martin KaFai Lau , Song Liu , Yonghong Song , Tejun Heo , Zefan Li , KP Singh , Johannes Weiner , Michal Hocko , John Fastabend , Jiri Olsa , Roman Gushchin , David Rientjes , Stanislav Fomichev , Shakeel Butt , Yosry Ahmed Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 25, 2022 at 8:24 AM Michal Koutn=C3=BD wrote= : > > Hello. > > On Tue, Aug 23, 2022 at 08:00:27PM -0700, Hao Luo wro= te: > > +static int bpf_iter_attach_cgroup(struct bpf_prog *prog, > > + union bpf_iter_link_info *linfo, > > + struct bpf_iter_aux_info *aux) > > +{ > > + int fd =3D linfo->cgroup.cgroup_fd; > > + u64 id =3D linfo->cgroup.cgroup_id; > > + int order =3D linfo->cgroup.order; > > + struct cgroup *cgrp; > > + > > + if (order !=3D BPF_ITER_DESCENDANTS_PRE && > > + order !=3D BPF_ITER_DESCENDANTS_POST && > > + order !=3D BPF_ITER_ANCESTORS_UP && > > + order !=3D BPF_ITER_SELF_ONLY) > > + return -EINVAL; > > + > > + if (fd && id) > > + return -EINVAL; > > + > > + if (fd) > > + cgrp =3D cgroup_get_from_fd(fd); > > + else if (id) > > + cgrp =3D cgroup_get_from_id(id); > > + else /* walk the entire hierarchy by default. */ > > + cgrp =3D cgroup_get_from_path("/"); > > + > > + if (IS_ERR(cgrp)) > > + return PTR_ERR(cgrp); > > This section caught my eye. > > Perhaps the simpler way for the default hierachy fallback would be > > cgrp =3D &cgrp_dfl_root.cgrp; > cgroup_get(cgroup) > > But maybe it's not what is the intention if cgroup NS should be taken > into account and cgroup_get_from_path() is buggy in this regard. > > Would it make sense to prepend the patch below to your series? Yep. Being able to take cgroup NS into account is my intention here. Right now, I imagine the control plane who uses this default option is the system daemon which lives in the init cgroup ns. They could always specify a particular cgroup using ID or FD. Printing the whole hierarchy is something a system daemon would do. Anyhow, can I add the appended patch if there is going to be a v10 of this patch series? If v9 is ok to merge, I can send the appended patch separately. Does that sound good? The appended patch looks good to me, thanks! > > Also, that makes me think about iter initialization with ID. In contrast > with FD passing (that's subject to some permissions and NS checks), the > retrieval via ID is not equipped with that, ids are not unguessable and > I'd consider cgroup IDs an implementation detail. > > So, is the ID initialization that much useful? (I have no idea about > permissions model of BPF here, so it might be just fine but still it'd > be good to take cgroup NS into account. Likely for BPF_ITER_ANCESTORS_UP > too.) > Permission is a valid point about FD. There was discussion in an earlier version of this patch series [0]. The good thing about ID is that it can be passed across processes and it's meaningful to appear in logs. It's more user-friendly. So we decided to support both. [0] https://lore.kernel.org/netdev/YuK+eg3lgwJ2CJnJ@slm.duckdns.org/ > HTH, > Michal > > ----8<---- > From 1098e60e89d4d901b7eef04e531f2c889309a91b Mon Sep 17 00:00:00 2001 > From: =3D?UTF-8?q?Michal=3D20Koutn=3DC3=3DBD?=3D > Date: Thu, 25 Aug 2022 15:19:04 +0200 > Subject: [PATCH] cgroup: Honor caller's cgroup NS when resolving path > MIME-Version: 1.0 > Content-Type: text/plain; charset=3DUTF-8 > Content-Transfer-Encoding: 8bit > > cgroup_get_from_path() is not widely used function. Its callers presume > the path is resolved under cgroup namespace. (There is one caller > currently and resolving in init NS won't make harm (netfilter). However, > future users may be subject to different effects when resolving > globally.) > Since, there's currently no use for the global resolution, modify the > existing function to take cgroup NS into account. > > Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces") > Signed-off-by: Michal Koutn=C3=BD > --- > kernel/cgroup/cgroup.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c > index ffaccd6373f1..9280f4b41d8b 100644 > --- a/kernel/cgroup/cgroup.c > +++ b/kernel/cgroup/cgroup.c > @@ -6603,8 +6603,12 @@ struct cgroup *cgroup_get_from_path(const char *pa= th) > { > struct kernfs_node *kn; > struct cgroup *cgrp =3D ERR_PTR(-ENOENT); > + struct cgroup *root_cgrp; > > - kn =3D kernfs_walk_and_get(cgrp_dfl_root.cgrp.kn, path); > + spin_lock_irq(&css_set_lock); > + root_cgrp =3D current_cgns_cgroup_from_root(&cgrp_dfl_root); > + kn =3D kernfs_walk_and_get(root_cgrp->kn, path); > + spin_unlock_irq(&css_set_lock); > if (!kn) > goto out; > > > base-commit: 3cc40a443a04d52b0c95255dce264068b01e9bfe > -- > 2.37.0 >