Hi netdev,
Could we queue up this patch to stable 4.14 and stable 4.19? I can
provide a backport patch if needed. I checked that it is a clean
cherry-pick for 4.19 but has some minor conflicts for 4.14.
Thanks
Chenbo Feng
On Thu, Oct 18, 2018 at 4:36 PM Joel Fernandes wrote:
>
> On Thu, Oct 18
resend with plain text
On Fri, Apr 27, 2018 at 11:22 AM Chenbo Feng <fe...@google.com> wrote:
> Hi net-next,
> When doing the eBPF tools user-space development I noticed that the map
> iterating process in user-space has some small flaws. If we want to dump
> the whole map. The on
0fa4fe85f4724fff89b09741c437cbee9cf8b008 bpf: skip unnecessary
capability check
This patch fixes the false alarms from security systems such as selinux
when doing the capability check. The problem has existed since
sysctl_unprivileged_bpf_disabled was added in linux 4.4. So I suggest to
From: Chenbo Feng <fe...@google.com>
The current check statement in BPF syscall will do a capability check
for CAP_SYS_ADMIN before checking sysctl_unprivileged_bpf_disabled. This
code path will trigger unnecessary security hooks on capability checking
and cause false alarms on unpriv
From: Chenbo Feng <fe...@google.com>
Two related tests are added into bpf selftest to test read-only map and
write-only map. The tests verify that the read-only and write-only flags
work on hash maps.
Signed-off-by: Chenbo Feng <fe...@google.com>
Acked-by: Daniel B
From: Chenbo Feng <fe...@google.com>
Introduce the map read/write flags to the eBPF syscalls that return the
map fd. The flags are used to set up the file mode when constructing a new
file descriptor for bpf maps. To not break backward compatibility, the
f_flags is set to O_RDWR if the flag
From: Chenbo Feng <fe...@google.com>
Introduce several LSM hooks for the syscalls that allow
userspace to access eBPF objects such as eBPF programs and eBPF maps.
The security check aims to enforce per-object security protection
for eBPF objects so only processes with the
From: Chenbo Feng <fe...@google.com>
Implement the actual checks introduced to eBPF related syscalls. This
implementation uses the security field inside the bpf object to store a sid that
identifies the bpf object. When processes try to access the object,
selinux will check if processe
From: Chenbo Feng <fe...@google.com>
Introduce a bpf object related check when sending and receiving files
through unix domain sockets as well as binder. It checks if the receiving
process has the privilege to read/write the bpf map or use the bpf program.
This check is necessary because the bp
From: Chenbo Feng <fe...@google.com>
Much like files and sockets, eBPF objects are accessed, controlled, and
shared via a file descriptor (FD). Unlike files and sockets, the
existing mechanism for eBPF object access control is very limited.
Currently there are two options for granting acc
From: Chenbo Feng <fe...@google.com>
Introduce a bpf object related check when sending and receiving files
through unix domain sockets as well as binder. It checks if the receiving
process has the privilege to read/write the bpf map or use the bpf program.
This check is necessary because the bp
From: Chenbo Feng <fe...@google.com>
Much like files and sockets, eBPF objects are accessed, controlled, and
shared via a file descriptor (FD). Unlike files and sockets, the
existing mechanism for eBPF object access control is very limited.
Currently there are two options for granting acc
From: Chenbo Feng <fe...@google.com>
Introduce the map read/write flags to the eBPF syscalls that return the
map fd. The flags are used to set up the file mode when constructing a new
file descriptor for bpf maps. To not break backward compatibility, the
f_flags is set to O_RDWR if the flag
From: Chenbo Feng <fe...@google.com>
Implement the actual checks introduced to eBPF related syscalls. This
implementation uses the security field inside the bpf object to store a sid that
identifies the bpf object. When processes try to access the object,
selinux will check if processe
From: Chenbo Feng <fe...@google.com>
Introduce several LSM hooks for the syscalls that allow
userspace to access eBPF objects such as eBPF programs and eBPF maps.
The security check aims to enforce per-object security protection
for eBPF objects so only processes with the
From: Chenbo Feng <fe...@google.com>
Two related tests are added into bpf selftest to test read-only map and
write-only map. The tests verify that the read-only and write-only flags
work on hash maps.
Signed-off-by: Chenbo Feng <fe...@google.com>
---
tools/testing/selftests/bpf
On Mon, Oct 16, 2017 at 9:34 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Thu, 2017-10-12 at 13:55 -0700, Chenbo Feng wrote:
>> From: Chenbo Feng <fe...@google.com>
>>
>> Introduce a bpf object related check when sending and receiving files
>> throu
From: Chenbo Feng <fe...@google.com>
Introduce the map read/write flags to the eBPF syscalls that return the
map fd. The flags are used to set up the file mode when constructing a new
file descriptor for bpf maps. To not break backward compatibility, the
f_flags is set to O_RDWR if the flag
From: Chenbo Feng <fe...@google.com>
Implement the actual checks introduced to eBPF related syscalls. This
implementation uses the security field inside the bpf object to store a sid that
identifies the bpf object. When processes try to access the object,
selinux will check if processe
From: Chenbo Feng <fe...@google.com>
Introduce several LSM hooks for the syscalls that allow
userspace to access eBPF objects such as eBPF programs and eBPF maps.
The security check aims to enforce per-object security protection
for eBPF objects so only processes with the
From: Chenbo Feng <fe...@google.com>
Introduce a bpf object related check when sending and receiving files
through unix domain sockets as well as binder. It checks if the receiving
process has the privilege to read/write the bpf map or use the bpf program.
This check is necessary because the bp
From: Chenbo Feng <fe...@google.com>
Much like files and sockets, eBPF objects are accessed, controlled, and
shared via a file descriptor (FD). Unlike files and sockets, the
existing mechanism for eBPF object access control is very limited.
Currently there are two options for granting acc
From: Chenbo Feng <fe...@google.com>
Two related tests are added into bpf selftest to test read-only map and
write-only map. The tests verify that the read-only and write-only flags
work on hash maps.
Signed-off-by: Chenbo Feng <fe...@google.com>
---
tools/testing/selftests/bpf
On Thu, Oct 12, 2017 at 5:25 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Wed, 2017-10-11 at 13:43 -0700, Chenbo Feng via Selinux wrote:
>> On Wed, Oct 11, 2017 at 5:54 AM, Stephen Smalley <s...@tycho.nsa.gov>
>> wrote:
>> > On Tue, 2017-10-10 at 17:09 -
From: Chenbo Feng <fe...@google.com>
Introduce several LSM hooks for the syscalls that allow
userspace to access eBPF objects such as eBPF programs and eBPF maps.
The security check aims to enforce per-object security protection
for eBPF objects so only processes with the
From: Chenbo Feng <fe...@google.com>
Much like files and sockets, eBPF objects are accessed, controlled, and
shared via a file descriptor (FD). Unlike files and sockets, the
existing mechanism for eBPF object access control is very limited.
Currently there are two options for granting acc
From: Chenbo Feng <fe...@google.com>
Two related tests are added into bpf selftest to test read-only map and
write-only map. The tests verify that the read-only and write-only flags
work on hash maps.
Signed-off-by: Chenbo Feng <fe...@google.com>
---
tools/testing/selftests/bpf
From: Chenbo Feng <fe...@google.com>
Introduce the map read/write flags to the eBPF syscalls that return the
map fd. The flags are used to set up the file mode when constructing a new
file descriptor for bpf maps. To not break backward compatibility, the
f_flags is set to O_RDWR if the flag
From: Chenbo Feng <fe...@google.com>
Implement the actual checks introduced to eBPF related syscalls. This
implementation uses the security field inside the bpf object to store a sid that
identifies the bpf object. When processes try to access the object,
selinux will check if processe
From: Chenbo Feng <fe...@google.com>
Introduce a bpf object related check when sending and receiving files
through unix domain sockets as well as binder. It checks if the receiving
process has the privilege to read/write the bpf map or use the bpf program.
This check is necessary because the bp
On Wed, Oct 11, 2017 at 5:54 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Tue, 2017-10-10 at 17:09 -0700, Chenbo Feng wrote:
>> From: Chenbo Feng <fe...@google.com>
>>
>> Introduce a bpf object related check when sending and receiving files
>> throu
From: Chenbo Feng <fe...@google.com>
Introduce a bpf object related check when sending and receiving files
through unix domain sockets as well as binder. It checks if the receiving
process has the privilege to read/write the bpf map or use the bpf program.
This check is necessary because the bp
From: Chenbo Feng <fe...@google.com>
Two related tests are added into bpf selftest to test read-only map and
write-only map. The tests verify that the read-only and write-only flags
work on hash maps.
Signed-off-by: Chenbo Feng <fe...@google.com>
---
tools/testing/selftests/bpf
From: Chenbo Feng <fe...@google.com>
Introduce the map read/write flags to the eBPF syscalls that return the
map fd. The flags are used to set up the file mode when constructing a new
file descriptor for bpf maps. To not break backward compatibility, the
f_flags is set to O_RDWR if the flag
From: Chenbo Feng <fe...@google.com>
Introduce several LSM hooks for the syscalls that allow
userspace to access eBPF objects such as eBPF programs and eBPF maps.
The security check aims to enforce per-object security protection
for eBPF objects so only processes with the
From: Chenbo Feng <fe...@google.com>
Implement the actual checks introduced to eBPF related syscalls. This
implementation uses the security field inside the bpf object to store a sid that
identifies the bpf object. When processes try to access the object,
selinux will check if processe
From: Chenbo Feng <fe...@google.com>
Much like files and sockets, eBPF objects are accessed, controlled, and
shared via a file descriptor (FD). Unlike files and sockets, the
existing mechanism for eBPF object access control is very limited.
Currently there are two options for granting acc
On Tue, Oct 10, 2017 at 12:23 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Tue, 2017-10-10 at 10:48 -0700, Chenbo Feng wrote:
>> On Tue, Oct 10, 2017 at 7:24 AM, Stephen Smalley <s...@tycho.nsa.gov>
>> wrote:
>> > On Mon, 2017-10-09 at 15:20 -0700, Ch
On Tue, Oct 10, 2017 at 7:52 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Tue, 2017-10-10 at 10:18 -0400, Stephen Smalley wrote:
>> On Mon, 2017-10-09 at 15:20 -0700, Chenbo Feng wrote:
>> > From: Chenbo Feng <fe...@google.com>
>> >
>> >
On Tue, Oct 10, 2017 at 7:24 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Mon, 2017-10-09 at 15:20 -0700, Chenbo Feng wrote:
>> From: Chenbo Feng <fe...@google.com>
>>
>> Introduce a bpf object related check when sending and receiving files
>> throu
On Mon, Oct 9, 2017 at 4:07 PM, Alexei Starovoitov
<alexei.starovoi...@gmail.com> wrote:
> On Mon, Oct 09, 2017 at 03:20:24PM -0700, Chenbo Feng wrote:
>> From: Chenbo Feng <fe...@google.com>
>>
>> Introduce the map read/write flags to the eBPF syscalls that
From: Chenbo Feng <fe...@google.com>
Two related tests are added into bpf selftest to test read-only map and
write-only map. The tests verify that the read-only and write-only flags
work on hash maps.
Signed-off-by: Chenbo Feng <fe...@google.com>
---
tools/testing/selftests/bpf
From: Chenbo Feng <fe...@google.com>
Implement the actual checks introduced to eBPF related syscalls. This
implementation uses the security field inside the bpf object to store a sid that
identifies the bpf object. When processes try to access the object,
selinux will check if processe
From: Chenbo Feng <fe...@google.com>
Introduce several LSM hooks for the syscalls that allow
userspace to access eBPF objects such as eBPF programs and eBPF maps.
The security check aims to enforce per-object security protection
for eBPF objects so only processes with the
From: Chenbo Feng <fe...@google.com>
Introduce a bpf object related check when sending and receiving files
through unix domain sockets as well as binder. It checks if the receiving
process has the privilege to read/write the bpf map or use the bpf program.
This check is necessary because the bp
From: Chenbo Feng <fe...@google.com>
Introduce the map read/write flags to the eBPF syscalls that return the
map fd. The flags are used to set up the file mode when constructing a new
file descriptor for bpf maps. To not break backward compatibility, the
f_flags is set to O_RDWR if the flag
From: Chenbo Feng <fe...@google.com>
Much like files and sockets, eBPF objects are accessed, controlled, and
shared via a file descriptor (FD). Unlike files and sockets, the
existing mechanism for eBPF object access control is very limited.
Currently there are two options for granting acc
On Thu, Oct 5, 2017 at 11:26 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Thu, 2017-10-05 at 09:37 -0400, Stephen Smalley wrote:
>> On Wed, 2017-10-04 at 11:29 -0700, Chenbo Feng wrote:
>> > From: Chenbo Feng <fe...@google.com>
>> >
>> > I
On Thu, Oct 5, 2017 at 6:37 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Wed, 2017-10-04 at 11:29 -0700, Chenbo Feng wrote:
>> From: Chenbo Feng <fe...@google.com>
>>
>> Introduce a bpf object related check when sending and receiving files
>> throu
On Wed, Oct 4, 2017 at 4:29 PM, Daniel Borkmann <dan...@iogearbox.net> wrote:
> On 10/04/2017 08:29 PM, Chenbo Feng wrote:
>>
>> From: Chenbo Feng <fe...@google.com>
>>
>> Introduce the map read/write flags to the eBPF syscalls that returns the
>> map
From: Chenbo Feng <fe...@google.com>
Introduce the map read/write flags to the eBPF syscalls that return the
map fd. The flags are used to set up the file mode when constructing a new
file descriptor for bpf maps. To not break backward compatibility, the
f_flags is set to O_RDWR if the flag
From: Chenbo Feng <fe...@google.com>
Much like files and sockets, eBPF objects are accessed, controlled, and
shared via a file descriptor (FD). Unlike files and sockets, the
existing mechanism for eBPF object access control is very limited.
Currently there are two options for granting acc
From: Chenbo Feng <fe...@google.com>
Implement the actual checks introduced to eBPF related syscalls. This
implementation uses the security field inside the bpf object to store a sid that
identifies the bpf object. When processes try to access the object,
selinux will check if processe
From: Chenbo Feng <fe...@google.com>
Introduce a bpf object related check when sending and receiving files
through unix domain sockets as well as binder. It checks if the receiving
process has the privilege to read/write the bpf map or use the bpf program.
This check is necessary because the bp
From: Chenbo Feng <fe...@google.com>
Introduce several LSM hooks for the syscalls that allow
userspace to access eBPF objects such as eBPF programs and eBPF maps.
The security check aims to enforce per-object security protection
for eBPF objects so only processes with the
On Fri, Sep 1, 2017 at 5:50 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Thu, 2017-08-31 at 13:56 -0700, Chenbo Feng wrote:
>> From: Chenbo Feng <fe...@google.com>
>>
>> Introduce 5 LSM hooks to provide finer granularity controls on eBPF
>> relate
On Thu, Aug 31, 2017 at 7:05 PM, Alexei Starovoitov
<alexei.starovoi...@gmail.com> wrote:
> On Thu, Aug 31, 2017 at 01:56:34PM -0700, Chenbo Feng wrote:
>> From: Chenbo Feng <fe...@google.com>
>>
>> Introduce a pointer into struct bpf_map to hold the secu
On Thu, Aug 31, 2017 at 3:38 PM, Daniel Borkmann <dan...@iogearbox.net> wrote:
> On 08/31/2017 10:56 PM, Chenbo Feng wrote:
>>
>> From: Chenbo Feng <fe...@google.com>
>>
>> Introduce a pointer into struct bpf_map to hold the security information
>> abo
On Thu, Aug 31, 2017 at 2:17 PM, Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
> On Thu, 2017-08-31 at 13:56 -0700, Chenbo Feng wrote:
>> From: Chenbo Feng <fe...@google.com>
>>
>> Introduce a pointer into struct bpf_map to hold the security information
>> ab
From: Chenbo Feng <fe...@google.com>
Introduce 5 new selinux checks for eBPF object related operations. The
checks are based on the ownership information of eBPF maps and the
capability of creating eBPF objects.
Signed-off-by: Chenbo Feng <fe...@google.com>
---
security/sel
From: Chenbo Feng <fe...@google.com>
Introduce a pointer into struct bpf_map to hold the security information
about the map. The actual security struct varies based on the security
models implemented. Place the LSM hooks before each of the unrestricted
eBPF operations, the map_updat
From: Chenbo Feng <fe...@google.com>
Introduce 5 LSM hooks to provide finer granularity controls on eBPF
related operations including creating eBPF maps, modifying and reading eBPF map
content and loading eBPF programs into the kernel. Hooks use the new security
pointer inside the eBPF map struct to
From: Chenbo Feng <fe...@google.com>
Much like files and sockets, eBPF objects are accessed, controlled, and
shared via a file descriptor (FD). Unlike files and sockets, the existing
mechanism for eBPF object access control is very limited. Currently there
are two options for granting acc
On Mon, Aug 28, 2017 at 6:15 PM, Alexei Starovoitov
<alexei.starovoi...@gmail.com> wrote:
> On Mon, Aug 28, 2017 at 05:47:19PM -0700, Chenbo Feng wrote:
>> On Fri, Aug 25, 2017 at 6:03 PM, Alexei Starovoitov
>> <alexei.starovoi...@gmail.com> wrote:
>> > On F
On Fri, Aug 25, 2017 at 6:03 PM, Alexei Starovoitov
<alexei.starovoi...@gmail.com> wrote:
> On Fri, Aug 25, 2017 at 10:07:27PM +0200, Daniel Borkmann wrote:
>> On 08/25/2017 09:52 PM, Chenbo Feng wrote:
>> > On Fri, Aug 25, 2017 at 12:45 PM, Jeffrey Vander Stoep <je
On Fri, Aug 25, 2017 at 1:40 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Fri, 2017-08-25 at 12:52 -0700, Chenbo Feng via Selinux wrote:
>> On Fri, Aug 25, 2017 at 12:45 PM, Jeffrey Vander Stoep <jeffv@google.
>> com> wrote:
>> > On Fri, Aug 25,
On Fri, Aug 25, 2017 at 12:45 PM, Jeffrey Vander Stoep wrote:
> On Fri, Aug 25, 2017 at 12:26 PM, Stephen Smalley wrote:
>> On Fri, 2017-08-25 at 11:01 -0700, Jeffrey Vander Stoep via Selinux
>> wrote:
>>> I’d like to get your thoughts on adding LSM
From: Chenbo Feng <fe...@google.com>
Currently in both ipv4 and ipv6 code path, the ack packet received when
sk at TCP_NEW_SYN_RECV state is not filtered by socket filter or cgroup
filter since it is handled from tcp_child_process and never reaches the
tcp_filter inside tcp_v4_rcv or tcp_
On 06/10/2017 07:55 AM, Eric Dumazet wrote:
On Fri, 2017-06-09 at 12:56 -0700, Chenbo Feng wrote:
From: Chenbo Feng <fe...@google.com>
This reverts commit 97a7a37a7b7b("ipv6: Initial skb->dev and
skb->protocol in ip6_output") since it does not handle the
skb-
From: Chenbo Feng <fe...@google.com>
After moving the skb->dev and skb->protocol initialization into
ip6_output, setting the skb->dev inside ip6_fragment is unnecessary.
Fixes: 97a7a37a7b7b("ipv6: Initial skb->dev and skb->protocol in ip6_output")
Signed-off-by
On 06/09/2017 12:39 PM, David Miller wrote:
From: Chenbo Feng <chenbofeng.ker...@gmail.com>
Date: Fri, 9 Jun 2017 12:13:57 -0700
On 06/09/2017 12:08 PM, David Miller wrote:
From: Chenbo Feng <chenbofeng.ker...@gmail.com>
Date: Fri, 9 Jun 2017 12:06:07 -0700
From: Che
From: Chenbo Feng <fe...@google.com>
This reverts commit 97a7a37a7b7b("ipv6: Initial skb->dev and
skb->protocol in ip6_output") since it does not handle the
skb->dev assignment inside ip6_fragment() code path properly.
Need to rework and upload again
Fixes: 97a7a37a7b7
On 06/09/2017 12:24 PM, Bjørn Mork wrote:
Chenbo Feng <chenbofeng.ker...@gmail.com> writes:
This patch is still being worked on since it may have a problem with the
ip_fragment() call; did you apply it already? Should I send a revert
patch to you then?
It does? I initially thought
From: Chenbo Feng <fe...@google.com>
There are two tcp_filter hooks in the tcp_ipv6 ingress path currently.
One is at tcp_v6_rcv and another is in tcp_v6_do_rcv. It seems the
tcp_filter() call inside tcp_v6_do_rcv is redundant and some packets
will be filtered twice in this situation. This will
On 06/09/2017 12:08 PM, David Miller wrote:
From: Chenbo Feng <chenbofeng.ker...@gmail.com>
Date: Fri, 9 Jun 2017 12:06:07 -0700
From: Chenbo Feng <fe...@google.com>
Move the initialization of skb->dev and skb->protocol from
ip6_finish_output2 to ip6_output. This can
From: Chenbo Feng <fe...@google.com>
Move the initialization of skb->dev and skb->protocol from
ip6_finish_output2 to ip6_output. This can make the skb->dev and
skb->protocol information available to the CGROUP eBPF filter.
Signed-off-by: Chenbo Feng <fe...@google.com>
an eBPF program is attached to a socket or a cgroup on the ingress
side, the filter program will be applied on some packets twice. And it
affects the accuracy when using an eBPF program for traffic accounting.
Thanks!
Chenbo Feng
On 06/06/2017 09:56 AM, Daniel Borkmann wrote:
On 06/02/2017 01:42 AM, Alexei Starovoitov wrote:
On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote:
From: Chenbo Feng <fe...@google.com>
Currently loading a cgroup skb eBPF program requires a CAP_SYS_ADMIN
capability while att
From: Chenbo Feng <fe...@google.com>
This allows cgroup eBPF programs to classify packets based on their
protocol or other detailed information. Currently a program needs
CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and a
process with CAP_NET_ADMIN can already see all packets on the
From: Chenbo Feng <fe...@google.com>
Currently loading a cgroup skb eBPF program requires a CAP_SYS_ADMIN
capability while attaching the program to a cgroup only requires the
user to have CAP_NET_ADMIN privilege. We can escape the capability
check when loading the program just like socket filter p
From: Chenbo Feng <fe...@google.com>
Currently loading a cgroup skb eBPF program requires a CAP_SYS_ADMIN
capability while attaching the program to a cgroup only requires the
user to have CAP_NET_ADMIN privilege. We can escape the capability
check when loading the program just like socket filter p
From: Chenbo Feng <fe...@google.com>
Currently loading a cgroup skb eBPF program requires a CAP_SYS_ADMIN
capability while attaching the program to a cgroup only requires the
user to have CAP_NET_ADMIN privilege. We can escape the capability
check when loading the program just like socket filter p
From: Chenbo Feng <fe...@google.com>
This allows cgroup eBPF programs to classify packets based on their
protocol or other detailed information. Currently a program needs
CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and a
process with CAP_NET_ADMIN can already see all packets on the
From: Chenbo Feng <fe...@google.com>
The description inside uapi/linux/bpf.h about the bpf_get_socket_uid
helper function is no longer valid. It returns overflowuid rather
than 0 on failure.
Signed-off-by: Chenbo Feng <fe...@google.com>
---
include/uapi/linux/bpf.h | 3 +--
1 fil
From: Chenbo Feng <fe...@google.com>
BPF helper functions get_socket_cookie and get_socket_uid can be
used for network traffic classifications, among others. Expose
them also to programs of type BPF_PROG_TYPE_CGROUP_SKB. As of
commit 8f917bba0042 ("bpf: pass sk to helper functions"
From: Chenbo Feng <fe...@google.com>
BPF helper functions get_socket_cookie and get_socket_uid can be
used for network traffic classifications, among others. Expose
them also to programs of type BPF_PROG_TYPE_CGROUP_SKB. As of
commit 8f917bba0042 ("bpf: pass sk to helper functions"
From: Chenbo Feng <fe...@google.com>
Added a per socket traffic monitoring option to illustrate the usage
of new getsockopt SO_COOKIE. The program is based on the socket traffic
monitoring program using xt_eBPF and in the new option the data entry
can be directly accessed using socket
From: Chenbo Feng <fe...@google.com>
Introduce a new getsockopt operation to retrieve the socket cookie
for a specific socket based on the socket fd. It returns a unique
non-decreasing cookie for each socket.
Tested: https://android-review.googlesource.com/#/c/358163/
Acked-by: Willem de
From: Chenbo Feng <fe...@google.com>
In the current kernel socket cookie implementation, there is no simple
and direct way to retrieve the socket cookie based on file descriptor. A
process may need to get it from the sock fd if it wants to correlate with
sock_diag output or use a bpf map wi
From: Chenbo Feng <fe...@google.com>
Retrieve the socket cookie generated by sock_gen_cookie() from a sk_buff
with a known socket. Generates a new cookie if one was not yet set. If
the socket pointer inside sk_buff is NULL, 0 is returned. The helper
function could be useful in monitoring per
From: Chenbo Feng <fe...@google.com>
Returns the owner uid of the socket inside a sk_buff. This is useful to
perform per-UID accounting of network traffic or per-UID packet
filtering. The socket needs to be a fullsock, otherwise overflowuid is
returned.
Signed-off-by: Chenbo Feng <fe...@g
From: Chenbo Feng <fe...@google.com>
Add a sample program to demonstrate the possible usage of the
get_socket_cookie and get_socket_uid helper functions. The program will
store bytes and packets counting of in/out traffic monitored by iptables
and store the stats in a bpf map in per socke
From: Chenbo Feng <fe...@google.com>
Introduce two eBPF helper functions to get the socket cookie and
socket uid for each packet. The helper functions are useful when
the *sk field inside sk_buff is not empty. These helper functions
can be used on socket and uid based traffic monitoring pr
From: Chenbo Feng <fe...@google.com>
Add a sample program to demonstrate the possible usage of the
get_socket_cookie and get_socket_uid helper functions. The program will
store bytes and packets counting of in/out traffic monitored by iptables
and store the stats in a bpf map in per socke
From: Chenbo Feng <fe...@google.com>
Introduce two eBPF helper functions to get the socket cookie and
socket uid for each packet. The helper functions are useful when
the *sk field inside sk_buff is not empty. These helper functions
can be used on socket and uid based traffic monitoring pr
From: Chenbo Feng <fe...@google.com>
Retrieve the socket cookie generated by sock_gen_cookie() from a sk_buff
with a known socket. Generates a new cookie if one was not yet set. If
the socket pointer inside sk_buff is NULL, 0 is returned. The helper
function could be useful in monitoring per
From: Chenbo Feng <fe...@google.com>
Returns the owner uid of the socket inside a sk_buff. This is useful to
perform per-UID accounting of network traffic or per-UID packet
filtering. The socket needs to be a fullsock, otherwise overflowuid is
returned.
Signed-off-by: Chenbo Feng <fe...@g
From: Chenbo Feng <fe...@google.com>
Returns the owner uid of the socket inside a sk_buff. This is useful to
perform per-UID accounting of network traffic or per-UID packet
filtering. The socket needs to be a fullsock, otherwise overflowuid is
returned.
Signed-off-by: Chenbo Feng <fe...@g
From: Chenbo Feng <fe...@google.com>
Retrieve the socket cookie generated by sock_gen_cookie() from a sk_buff
with a known socket. Generates a new cookie if one was not yet set. If
the socket pointer inside sk_buff is NULL, 0 is returned. The helper
function could be useful in monitoring per
From: Chenbo Feng <fe...@google.com>
Introduce two eBPF helper functions to get the socket cookie and
socket uid for each packet. The helper functions are useful when
the *sk field inside sk_buff is not empty. These helper functions
can be used on socket and uid based traffic monitoring pr