Re: [PATCH v4] Wait for running BPF programs when updating map-in-map

2018-11-09 Thread Chenbo Feng
Hi netdev, Could we queue up this patch to stable 4.14 and stable 4.19? I can provide a backport patch if needed. I checked that it is a clean cherry-pick for 4.19 but has some minor conflicts for 4.14. Thanks Chenbo Feng On Thu, Oct 18, 2018 at 4:36 PM Joel Fernandes wrote: > > On Thu, Oct 18

Re: Suggestions on iterating eBPF maps

2018-04-27 Thread Chenbo Feng
resend with plain text On Fri, Apr 27, 2018 at 11:22 AM Chenbo Feng <fe...@google.com> wrote: > Hi net-next, > When doing the eBPF tools user-space development I noticed that the map iterating process in user-space has some small flaws. If we want to dump the whole map. The on

bpf stable request

2018-03-26 Thread Chenbo Feng
0fa4fe85f4724fff89b09741c437cbee9cf8b008 bpf: skip unnecessary capability check This patch fixes the false alarms from security systems such as selinux when doing the capability check. The problem has existed since sysctl_unprivileged_bpf_disabled was added in linux 4.4. So I suggest to

[PATCH bpf-next] bpf: skip unnecessary capability check

2018-03-19 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> The current check statement in the BPF syscall will do a capability check for CAP_SYS_ADMIN before checking sysctl_unprivileged_bpf_disabled. This code path will trigger unnecessary security hooks on capability checking and cause false alarms on unpriv

[PATCH net-next v7 2/5] bpf: Add tests for eBPF file mode

2017-10-18 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Two related tests are added into the bpf selftests to test read-only maps and write-only maps. The tests verify that the read-only and write-only flags are working on hash maps. Signed-off-by: Chenbo Feng <fe...@google.com> Acked-by: Daniel B

[PATCH net-next v7 1/5] bpf: Add file mode configuration into bpf maps

2017-10-18 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce the map read/write flags to the eBPF syscalls that return the map fd. The flags are used to set up the file mode when constructing a new file descriptor for bpf maps. To not break backward compatibility, f_flags is set to O_RDWR if the flag

[PATCH net-next v7 3/5] security: bpf: Add LSM hooks for bpf object related syscall

2017-10-18 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce several LSM hooks for the syscalls that allow userspace to access eBPF objects such as eBPF programs and eBPF maps. The security check aims to enforce per-object security protection for eBPF objects so only processes with the

[PATCH net-next v7 4/5] selinux: bpf: Add selinux check for eBPF syscall operations

2017-10-18 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Implement the actual checks introduced to eBPF related syscalls. This implementation uses the security field inside the bpf object to store a sid that identifies the bpf object. When processes try to access the object, selinux will check if processe

[PATCH net-next v7 5/5] selinux: bpf: Add additional check for bpf object file receive

2017-10-18 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce a bpf object related check when sending and receiving files through unix domain sockets as well as binder. It checks if the receiving process has privilege to read/write the bpf map or use the bpf program. This check is necessary because the bp

[PATCH net-next v7 0/5] bpf: security: New file mode and LSM hooks for eBPF object permission control

2017-10-18 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Much like files and sockets, eBPF objects are accessed, controlled, and shared via a file descriptor (FD). Unlike files and sockets, the existing mechanism for eBPF object access control is very limited. Currently there are two options for granting acc

[PATCH net-next v6 5/5] selinux: bpf: Add additional check for bpf object file receive

2017-10-16 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce a bpf object related check when sending and receiving files through unix domain sockets as well as binder. It checks if the receiving process has privilege to read/write the bpf map or use the bpf program. This check is necessary because the bp

[PATCH net-next v6 0/5] bpf: security: New file mode and LSM hooks for eBPF object permission control

2017-10-16 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Much like files and sockets, eBPF objects are accessed, controlled, and shared via a file descriptor (FD). Unlike files and sockets, the existing mechanism for eBPF object access control is very limited. Currently there are two options for granting acc

[PATCH net-next v6 1/5] bpf: Add file mode configuration into bpf maps

2017-10-16 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce the map read/write flags to the eBPF syscalls that return the map fd. The flags are used to set up the file mode when constructing a new file descriptor for bpf maps. To not break backward compatibility, f_flags is set to O_RDWR if the flag

[PATCH net-next v6 4/5] selinux: bpf: Add selinux check for eBPF syscall operations

2017-10-16 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Implement the actual checks introduced to eBPF related syscalls. This implementation uses the security field inside the bpf object to store a sid that identifies the bpf object. When processes try to access the object, selinux will check if processe

[PATCH net-next v6 3/5] security: bpf: Add LSM hooks for bpf object related syscall

2017-10-16 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce several LSM hooks for the syscalls that allow userspace to access eBPF objects such as eBPF programs and eBPF maps. The security check aims to enforce per-object security protection for eBPF objects so only processes with the

[PATCH net-next v6 2/5] bpf: Add tests for eBPF file mode

2017-10-16 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Two related tests are added into the bpf selftests to test read-only maps and write-only maps. The tests verify that the read-only and write-only flags are working on hash maps. Signed-off-by: Chenbo Feng <fe...@google.com> --- tools/testing/selftests/bpf

Re: [PATCH net-next v5 5/5] selinux: bpf: Add additional check for bpf object file receive

2017-10-16 Thread Chenbo Feng
On Mon, Oct 16, 2017 at 9:34 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Thu, 2017-10-12 at 13:55 -0700, Chenbo Feng wrote: >> From: Chenbo Feng <fe...@google.com> >> >> Introduce a bpf object related check when sending and receiving files >> throu

[PATCH net-next v5 1/5] bpf: Add file mode configuration into bpf maps

2017-10-12 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce the map read/write flags to the eBPF syscalls that return the map fd. The flags are used to set up the file mode when constructing a new file descriptor for bpf maps. To not break backward compatibility, f_flags is set to O_RDWR if the flag

[PATCH net-next v5 4/5] selinux: bpf: Add selinux check for eBPF syscall operations

2017-10-12 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Implement the actual checks introduced to eBPF related syscalls. This implementation uses the security field inside the bpf object to store a sid that identifies the bpf object. When processes try to access the object, selinux will check if processe

[PATCH net-next v5 3/5] security: bpf: Add LSM hooks for bpf object related syscall

2017-10-12 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce several LSM hooks for the syscalls that allow userspace to access eBPF objects such as eBPF programs and eBPF maps. The security check aims to enforce per-object security protection for eBPF objects so only processes with the

[PATCH net-next v5 5/5] selinux: bpf: Add additional check for bpf object file receive

2017-10-12 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce a bpf object related check when sending and receiving files through unix domain sockets as well as binder. It checks if the receiving process has privilege to read/write the bpf map or use the bpf program. This check is necessary because the bp

[PATCH net-next v5 0/5] bpf: security: New file mode and LSM hooks for eBPF object permission control

2017-10-12 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Much like files and sockets, eBPF objects are accessed, controlled, and shared via a file descriptor (FD). Unlike files and sockets, the existing mechanism for eBPF object access control is very limited. Currently there are two options for granting acc

[PATCH net-next v5 2/5] bpf: Add tests for eBPF file mode

2017-10-12 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Two related tests are added into the bpf selftests to test read-only maps and write-only maps. The tests verify that the read-only and write-only flags are working on hash maps. Signed-off-by: Chenbo Feng <fe...@google.com> --- tools/testing/selftests/bpf

Re: [PATCH net-next v3 5/5] selinux: bpf: Add additional check for bpf object file receive

2017-10-12 Thread Chenbo Feng
On Thu, Oct 12, 2017 at 5:25 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Wed, 2017-10-11 at 13:43 -0700, Chenbo Feng via Selinux wrote: >> On Wed, Oct 11, 2017 at 5:54 AM, Stephen Smalley <s...@tycho.nsa.gov> >> wrote: >> > On Tue, 2017-10-10 at 17:09 -

[PATCH net-next v4 3/5] security: bpf: Add LSM hooks for bpf object related syscall

2017-10-11 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce several LSM hooks for the syscalls that allow userspace to access eBPF objects such as eBPF programs and eBPF maps. The security check aims to enforce per-object security protection for eBPF objects so only processes with the

[PATCH net-next v4 0/5] bpf: security: New file mode and LSM hooks for eBPF object permission control

2017-10-11 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Much like files and sockets, eBPF objects are accessed, controlled, and shared via a file descriptor (FD). Unlike files and sockets, the existing mechanism for eBPF object access control is very limited. Currently there are two options for granting acc

[PATCH net-next v4 2/5] bpf: Add tests for eBPF file mode

2017-10-11 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Two related tests are added into the bpf selftests to test read-only maps and write-only maps. The tests verify that the read-only and write-only flags are working on hash maps. Signed-off-by: Chenbo Feng <fe...@google.com> --- tools/testing/selftests/bpf

[PATCH net-next v4 1/5] bpf: Add file mode configuration into bpf maps

2017-10-11 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce the map read/write flags to the eBPF syscalls that return the map fd. The flags are used to set up the file mode when constructing a new file descriptor for bpf maps. To not break backward compatibility, f_flags is set to O_RDWR if the flag

[PATCH net-next v4 4/5] selinux: bpf: Add selinux check for eBPF syscall operations

2017-10-11 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Implement the actual checks introduced to eBPF related syscalls. This implementation uses the security field inside the bpf object to store a sid that identifies the bpf object. When processes try to access the object, selinux will check if processe

[PATCH net-next v4 5/5] selinux: bpf: Add additional check for bpf object file receive

2017-10-11 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce a bpf object related check when sending and receiving files through unix domain sockets as well as binder. It checks if the receiving process has privilege to read/write the bpf map or use the bpf program. This check is necessary because the bp

Re: [PATCH net-next v3 5/5] selinux: bpf: Add additional check for bpf object file receive

2017-10-11 Thread Chenbo Feng
On Wed, Oct 11, 2017 at 5:54 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Tue, 2017-10-10 at 17:09 -0700, Chenbo Feng wrote: >> From: Chenbo Feng <fe...@google.com> >> >> Introduce a bpf object related check when sending and receiving files >> throu

[PATCH net-next v3 5/5] selinux: bpf: Add additional check for bpf object file receive

2017-10-10 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce a bpf object related check when sending and receiving files through unix domain sockets as well as binder. It checks if the receiving process has privilege to read/write the bpf map or use the bpf program. This check is necessary because the bp

[PATCH net-next v3 2/5] bpf: Add tests for eBPF file mode

2017-10-10 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Two related tests are added into the bpf selftests to test read-only maps and write-only maps. The tests verify that the read-only and write-only flags are working on hash maps. Signed-off-by: Chenbo Feng <fe...@google.com> --- tools/testing/selftests/bpf

[PATCH net-next v3 1/5] bpf: Add file mode configuration into bpf maps

2017-10-10 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce the map read/write flags to the eBPF syscalls that return the map fd. The flags are used to set up the file mode when constructing a new file descriptor for bpf maps. To not break backward compatibility, f_flags is set to O_RDWR if the flag

[PATCH net-next v3 3/5] security: bpf: Add LSM hooks for bpf object related syscall

2017-10-10 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce several LSM hooks for the syscalls that allow userspace to access eBPF objects such as eBPF programs and eBPF maps. The security check aims to enforce per-object security protection for eBPF objects so only processes with the

[PATCH net-next v3 4/5] selinux: bpf: Add selinux check for eBPF syscall operations

2017-10-10 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Implement the actual checks introduced to eBPF related syscalls. This implementation uses the security field inside the bpf object to store a sid that identifies the bpf object. When processes try to access the object, selinux will check if processe

[PATCH net-next v3 0/5] bpf: security: New file mode and LSM hooks for eBPF object permission control

2017-10-10 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Much like files and sockets, eBPF objects are accessed, controlled, and shared via a file descriptor (FD). Unlike files and sockets, the existing mechanism for eBPF object access control is very limited. Currently there are two options for granting acc

Re: [Non-DoD Source] Re: [PATCH net-next v2 5/5] selinux: bpf: Add additional check for bpf object file receive

2017-10-10 Thread Chenbo Feng
On Tue, Oct 10, 2017 at 12:23 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Tue, 2017-10-10 at 10:48 -0700, Chenbo Feng wrote: >> On Tue, Oct 10, 2017 at 7:24 AM, Stephen Smalley <s...@tycho.nsa.gov> >> wrote: >> > On Mon, 2017-10-09 at 15:20 -0700, Ch

Re: [PATCH net-next v2 4/5] selinux: bpf: Add selinux check for eBPF syscall operations

2017-10-10 Thread Chenbo Feng
On Tue, Oct 10, 2017 at 7:52 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Tue, 2017-10-10 at 10:18 -0400, Stephen Smalley wrote: >> On Mon, 2017-10-09 at 15:20 -0700, Chenbo Feng wrote: >> > From: Chenbo Feng <fe...@google.com> >> > >> >

Re: [PATCH net-next v2 5/5] selinux: bpf: Add additional check for bpf object file receive

2017-10-10 Thread Chenbo Feng
On Tue, Oct 10, 2017 at 7:24 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Mon, 2017-10-09 at 15:20 -0700, Chenbo Feng wrote: >> From: Chenbo Feng <fe...@google.com> >> >> Introduce a bpf object related check when sending and receiving files >> throu

Re: [PATCH net-next v2 1/5] bpf: Add file mode configuration into bpf maps

2017-10-09 Thread Chenbo Feng
On Mon, Oct 9, 2017 at 4:07 PM, Alexei Starovoitov <alexei.starovoi...@gmail.com> wrote: > On Mon, Oct 09, 2017 at 03:20:24PM -0700, Chenbo Feng wrote: >> From: Chenbo Feng <fe...@google.com> >> >> Introduce the map read/write flags to the eBPF syscalls that

[PATCH net-next v2 2/5] bpf: Add tests for eBPF file mode

2017-10-09 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Two related tests are added into the bpf selftests to test read-only maps and write-only maps. The tests verify that the read-only and write-only flags are working on hash maps. Signed-off-by: Chenbo Feng <fe...@google.com> --- tools/testing/selftests/bpf

[PATCH net-next v2 4/5] selinux: bpf: Add selinux check for eBPF syscall operations

2017-10-09 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Implement the actual checks introduced to eBPF related syscalls. This implementation uses the security field inside the bpf object to store a sid that identifies the bpf object. When processes try to access the object, selinux will check if processe

[PATCH net-next v2 3/5] security: bpf: Add LSM hooks for bpf object related syscall

2017-10-09 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce several LSM hooks for the syscalls that allow userspace to access eBPF objects such as eBPF programs and eBPF maps. The security check aims to enforce per-object security protection for eBPF objects so only processes with the

[PATCH net-next v2 5/5] selinux: bpf: Add additional check for bpf object file receive

2017-10-09 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce a bpf object related check when sending and receiving files through unix domain sockets as well as binder. It checks if the receiving process has privilege to read/write the bpf map or use the bpf program. This check is necessary because the bp

[PATCH net-next v2 1/5] bpf: Add file mode configuration into bpf maps

2017-10-09 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce the map read/write flags to the eBPF syscalls that return the map fd. The flags are used to set up the file mode when constructing a new file descriptor for bpf maps. To not break backward compatibility, f_flags is set to O_RDWR if the flag

[PATCH net-next v2 0/5] bpf: security: New file mode and LSM hooks for eBPF object permission control

2017-10-09 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Much like files and sockets, eBPF objects are accessed, controlled, and shared via a file descriptor (FD). Unlike files and sockets, the existing mechanism for eBPF object access control is very limited. Currently there are two options for granting acc

Re: [PATCH net-next 4/4] selinux: bpf: Add additional check for bpf object file receive

2017-10-06 Thread Chenbo Feng
On Thu, Oct 5, 2017 at 11:26 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Thu, 2017-10-05 at 09:37 -0400, Stephen Smalley wrote: >> On Wed, 2017-10-04 at 11:29 -0700, Chenbo Feng wrote: >> > From: Chenbo Feng <fe...@google.com> >> > >> > I

Re: [PATCH net-next 4/4] selinux: bpf: Add additional check for bpf object file receive

2017-10-06 Thread Chenbo Feng
On Thu, Oct 5, 2017 at 6:37 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Wed, 2017-10-04 at 11:29 -0700, Chenbo Feng wrote: >> From: Chenbo Feng <fe...@google.com> >> >> Introduce a bpf object related check when sending and receiving files >> throu

Re: [PATCH net-next 1/4] bpf: Add file mode configuration into bpf maps

2017-10-04 Thread Chenbo Feng
On Wed, Oct 4, 2017 at 4:29 PM, Daniel Borkmann <dan...@iogearbox.net> wrote: > On 10/04/2017 08:29 PM, Chenbo Feng wrote: >> >> From: Chenbo Feng <fe...@google.com> >> >> Introduce the map read/write flags to the eBPF syscalls that returns the >> map

[PATCH net-next 1/4] bpf: Add file mode configuration into bpf maps

2017-10-04 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce the map read/write flags to the eBPF syscalls that return the map fd. The flags are used to set up the file mode when constructing a new file descriptor for bpf maps. To not break backward compatibility, f_flags is set to O_RDWR if the flag

[PATCH 0/4] net-next: security: New file mode and LSM hooks for eBPF object permission control

2017-10-04 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Much like files and sockets, eBPF objects are accessed, controlled, and shared via a file descriptor (FD). Unlike files and sockets, the existing mechanism for eBPF object access control is very limited. Currently there are two options for granting acc

[PATCH net-next 3/4] selinux: bpf: Add selinux check for eBPF syscall operations

2017-10-04 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Implement the actual checks introduced to eBPF related syscalls. This implementation uses the security field inside the bpf object to store a sid that identifies the bpf object. When processes try to access the object, selinux will check if processe

[PATCH net-next 4/4] selinux: bpf: Add additional check for bpf object file receive

2017-10-04 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce a bpf object related check when sending and receiving files through unix domain sockets as well as binder. It checks if the receiving process has privilege to read/write the bpf map or use the bpf program. This check is necessary because the bp

[PATCH net-next 2/4] security: bpf: Add LSM hooks for bpf object related syscall

2017-10-04 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce several LSM hooks for the syscalls that allow userspace to access eBPF objects such as eBPF programs and eBPF maps. The security check aims to enforce per-object security protection for eBPF objects so only processes with the

Re: [PATCH 1/3] security: bpf: Add eBPF LSM hooks to security module

2017-09-05 Thread Chenbo Feng
On Fri, Sep 1, 2017 at 5:50 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Thu, 2017-08-31 at 13:56 -0700, Chenbo Feng wrote: >> From: Chenbo Feng <fe...@google.com> >> >> Introduce 5 LSM hooks to provide finer granularity controls on eBPF >> relate

Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map

2017-09-05 Thread Chenbo Feng
On Thu, Aug 31, 2017 at 7:05 PM, Alexei Starovoitov <alexei.starovoi...@gmail.com> wrote: > On Thu, Aug 31, 2017 at 01:56:34PM -0700, Chenbo Feng wrote: >> From: Chenbo Feng <fe...@google.com> >> >> Introduce a pointer into struct bpf_map to hold the secu

Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map

2017-08-31 Thread Chenbo Feng
On Thu, Aug 31, 2017 at 3:38 PM, Daniel Borkmann <dan...@iogearbox.net> wrote: > On 08/31/2017 10:56 PM, Chenbo Feng wrote: >> >> From: Chenbo Feng <fe...@google.com> >> >> Introduce a pointer into struct bpf_map to hold the security information >> abo

Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map

2017-08-31 Thread Chenbo Feng
On Thu, Aug 31, 2017 at 2:17 PM, Mimi Zohar <zo...@linux.vnet.ibm.com> wrote: > On Thu, 2017-08-31 at 13:56 -0700, Chenbo Feng wrote: >> From: Chenbo Feng <fe...@google.com> >> >> Introduce a pointer into struct bpf_map to hold the security information >> ab

[PATCH 3/3] selinux: bpf: Implement the selinux checks for eBPF object

2017-08-31 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce 5 new selinux checks for eBPF object related operations. The checks are based on the ownership information of eBPF maps and the capability to create eBPF objects. Signed-off-by: Chenbo Feng <fe...@google.com> --- security/sel

[PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map

2017-08-31 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce a pointer into struct bpf_map to hold the security information about the map. The actual security struct varies based on the security models implemented. Place the LSM hooks before each of the unrestricted eBPF operations, the map_updat

[PATCH 1/3] security: bpf: Add eBPF LSM hooks to security module

2017-08-31 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce 5 LSM hooks to provide finer-granularity controls on eBPF related operations, including creating eBPF maps, modifying and reading eBPF map contents, and loading eBPF programs into the kernel. Hooks use the new security pointer inside the eBPF map struct to

[PATCH 0/3] Security: add lsm hooks for checking permissions on eBPF objects

2017-08-31 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Much like files and sockets, eBPF objects are accessed, controlled, and shared via a file descriptor (FD). Unlike files and sockets, the existing mechanism for eBPF object access control is very limited. Currently there are two options for granting acc

Re: Permissions for eBPF objects

2017-08-28 Thread Chenbo Feng
On Mon, Aug 28, 2017 at 6:15 PM, Alexei Starovoitov <alexei.starovoi...@gmail.com> wrote: > On Mon, Aug 28, 2017 at 05:47:19PM -0700, Chenbo Feng wrote: >> On Fri, Aug 25, 2017 at 6:03 PM, Alexei Starovoitov >> <alexei.starovoi...@gmail.com> wrote: >> > On F

Re: Permissions for eBPF objects

2017-08-28 Thread Chenbo Feng
On Fri, Aug 25, 2017 at 6:03 PM, Alexei Starovoitov <alexei.starovoi...@gmail.com> wrote: > On Fri, Aug 25, 2017 at 10:07:27PM +0200, Daniel Borkmann wrote: >> On 08/25/2017 09:52 PM, Chenbo Feng wrote: >> > On Fri, Aug 25, 2017 at 12:45 PM, Jeffrey Vander Stoep <je

Re: Permissions for eBPF objects

2017-08-25 Thread Chenbo Feng
On Fri, Aug 25, 2017 at 1:40 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Fri, 2017-08-25 at 12:52 -0700, Chenbo Feng via Selinux wrote: >> On Fri, Aug 25, 2017 at 12:45 PM, Jeffrey Vander Stoep <jeffv@google. >> com> wrote: >> > On Fri, Aug 25,

Re: Permissions for eBPF objects

2017-08-25 Thread Chenbo Feng
On Fri, Aug 25, 2017 at 12:45 PM, Jeffrey Vander Stoep wrote: > On Fri, Aug 25, 2017 at 12:26 PM, Stephen Smalley wrote: >> On Fri, 2017-08-25 at 11:01 -0700, Jeffrey Vander Stoep via Selinux >> wrote: >>> I’d like to get your thoughts on adding LSM

[PATCH net-next] Add a tcp_filter hook before handle ack packet

2017-06-20 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Currently in both the ipv4 and ipv6 code paths, the ack packet received when the sk is in TCP_NEW_SYN_RECV state is not filtered by the socket filter or cgroup filter since it is handled from tcp_child_process and never reaches the tcp_filter inside tcp_v4_rcv or tcp_

Re: [PATCH net-next] Revert "ipv6: Initial skb->dev and skb->protocol in ip6_output"

2017-06-10 Thread Chenbo Feng
On 06/10/2017 07:55 AM, Eric Dumazet wrote: On Fri, 2017-06-09 at 12:56 -0700, Chenbo Feng wrote: From: Chenbo Feng <fe...@google.com> This reverts commit 97a7a37a7b7b("ipv6: Initial skb->dev and skb->protocol in ip6_output") since it does not handle the skb-

[PATCH net-next] Remove the redundant skb->dev initialization in ip6_fragment

2017-06-10 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> After moving the skb->dev and skb->protocol initialization into ip6_output, setting skb->dev inside ip6_fragment is unnecessary. Fixes: 97a7a37a7b7b("ipv6: Initial skb->dev and skb->protocol in ip6_output") Signed-off-by

Re: [PATCH net-next] ipv6: Initial skb->dev and skb->protocol in ip6_output

2017-06-09 Thread Chenbo Feng
On 06/09/2017 12:39 PM, David Miller wrote: From: Chenbo Feng <chenbofeng.ker...@gmail.com> Date: Fri, 9 Jun 2017 12:13:57 -0700 On 06/09/2017 12:08 PM, David Miller wrote: From: Chenbo Feng <chenbofeng.ker...@gmail.com> Date: Fri, 9 Jun 2017 12:06:07 -0700 From: Che

[PATCH net-next] Revert "ipv6: Initial skb->dev and skb->protocol in ip6_output"

2017-06-09 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> This reverts commit 97a7a37a7b7b("ipv6: Initial skb->dev and skb->protocol in ip6_output") since it does not handle the skb->dev assignment inside the ip6_fragment() code path properly. It needs to be reworked and uploaded again. Fixes: 97a7a37a7b7

Re: [PATCH net-next] ipv6: Initial skb->dev and skb->protocol in ip6_output

2017-06-09 Thread Chenbo Feng
On 06/09/2017 12:24 PM, Bjørn Mork wrote: Chenbo Feng <chenbofeng.ker...@gmail.com> writes: This patch is still being worked on since it may have a problem with the ip_fragment() call; did you apply it already? Should I send a revert patch to you then? It does? I initially thought

[PATCH net-next] bpf: Remove duplicate tcp_filter hook in ipv6

2017-06-09 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> There are two tcp_filter hooks in the tcp_ipv6 ingress path currently. One is at tcp_v6_rcv and another is in tcp_v6_do_rcv. It seems the tcp_filter() call inside tcp_v6_do_rcv is redundant and some packets will be filtered twice in this situation. This will

Re: [PATCH net-next] ipv6: Initial skb->dev and skb->protocol in ip6_output

2017-06-09 Thread Chenbo Feng
On 06/09/2017 12:08 PM, David Miller wrote: From: Chenbo Feng <chenbofeng.ker...@gmail.com> Date: Fri, 9 Jun 2017 12:06:07 -0700 From: Chenbo Feng <fe...@google.com> Move the initialization of skb->dev and skb->protocol from ip6_finish_output2 to ip6_output. This can

[PATCH net-next] ipv6: Initial skb->dev and skb->protocol in ip6_output

2017-06-09 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Move the initialization of skb->dev and skb->protocol from ip6_finish_output2 to ip6_output. This makes the skb->dev and skb->protocol information available to the CGROUP eBPF filter. Signed-off-by: Chenbo Feng <fe...@google.com>

Question about tcp_filter() in tcp_v6_do_rcv()

2017-06-07 Thread Chenbo Feng
an eBPF program is attached to a socket or a cgroup on the ingress side, the filter program will be applied to some packets twice. And it affects the accuracy when using an eBPF program for traffic accounting. Thanks! Chenbo Feng

Re: [PATCH net-next v2 2/2] bpf: Remove the capability check for cgroup skb eBPF program

2017-06-06 Thread Chenbo Feng
On 06/06/2017 09:56 AM, Daniel Borkmann wrote: On 06/02/2017 01:42 AM, Alexei Starovoitov wrote: On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote: From: Chenbo Feng <fe...@google.com> Currently loading a cgroup skb eBPF program requires a CAP_SYS_ADMIN capability while att

[PATCH net-next v2 1/2] bpf: Allow CGROUP_SKB eBPF program to access sk_buff

2017-05-31 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> This allows a cgroup eBPF program to classify packets based on their protocol or other detailed information. Currently a program needs CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and a process with CAP_NET_ADMIN can already see all packets on the

[PATCH net-next v2 2/2] bpf: Remove the capability check for cgroup skb eBPF program

2017-05-31 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Currently loading a cgroup skb eBPF program requires a CAP_SYS_ADMIN capability while attaching the program to a cgroup only requires that the user have CAP_NET_ADMIN privilege. We can escape the capability check when loading the program just like the socket filter p

[PATCH net-next v2] bpf: Remove the capability check for cgroup skb eBPF program

2017-05-31 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Currently loading a cgroup skb eBPF program requires a CAP_SYS_ADMIN capability while attaching the program to a cgroup only requires that the user have CAP_NET_ADMIN privilege. We can escape the capability check when loading the program just like the socket filter p

[PATCH net-next 2/2] bpf: Remove the capability check for cgroup skb eBPF program

2017-05-31 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Currently loading a cgroup skb eBPF program requires a CAP_SYS_ADMIN capability while attaching the program to a cgroup only requires that the user have CAP_NET_ADMIN privilege. We can escape the capability check when loading the program just like the socket filter p

[PATCH net-next 1/2] bpf: Allow CGROUP_SKB eBPF program to access sk_buff

2017-05-31 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> This allows a cgroup eBPF program to classify packets based on their protocol or other detailed information. Currently a program needs CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and a process with CAP_NET_ADMIN can already see all packets on the

[PATCH net-next] Fix inaccurate helper function description

2017-04-26 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> The description inside uapi/linux/bpf.h about bpf_get_socket_uid helper function is no longer valid. It returns overflowuid rather than 0 when failed. Signed-off-by: Chenbo Feng <fe...@google.com> --- include/uapi/linux/bpf.h | 3 +-- 1 fil

[PATCH net-next v2] Add uid and cookie bpf helper to cg_skb_func_proto

2017-04-14 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> BPF helper functions get_socket_cookie and get_socket_uid can be used for network traffic classifications, among others. Expose them also to programs of type BPF_PROG_TYPE_CGROUP_SKB. As of commit 8f917bba0042 ("bpf: pass sk to helper functions&quo

[PATCH net-next] Add uid and cookie bpf helper to cg_skb_func_proto

2017-04-14 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> BPF helper functions get_socket_cookie and get_socket_uid can be used for network traffic classifications, among others. Expose them also to programs of type BPF_PROG_TYPE_CGROUP_SKB. As of commit 8f917bba0042 ("bpf: pass sk to helper functions&quo

[PATCH net-next 2/2] Sample program using SO_COOKIE

2017-04-05 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Added a per socket traffic monitoring option to illustrate the usage of new getsockopt SO_COOKIE. The program is based on the socket traffic monitoring program using xt_eBPF and in the new option the data entry can be directly accessed using socket

[PATCH net-next 1/2] New getsockopt option to get socket cookie

2017-04-05 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce a new getsockopt operation to retrieve the socket cookie for a specific socket based on the socket fd. It returns a unique non-decreasing cookie for each socket. Tested: https://android-review.googlesource.com/#/c/358163/ Acked-by: Willem de

[PATCH net-next 0/2] New getsockopt option to retrieve socket cookie

2017-04-05 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> In the current kernel socket cookie implementation, there is no simple and direct way to retrieve the socket cookie based on a file descriptor. A process may need to get it from the sock fd if it wants to correlate with sock_diag output or use a bpf map wi

[PATCH net-next v8 1/3] Add a helper function to get socket cookie in eBPF

2017-03-22 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Retrieve the socket cookie generated by sock_gen_cookie() from a sk_buff with a known socket. Generates a new cookie if one was not yet set. If the socket pointer inside sk_buff is NULL, 0 is returned. The helper function could be useful in monitoring per

[PATCH net-next v8 2/3] Add a eBPF helper function to retrieve socket uid

2017-03-22 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Returns the owner uid of the socket inside a sk_buff. This is useful to perform per-UID accounting of network traffic or per-UID packet filtering. The socket needs to be a fullsock, otherwise overflowuid is returned. Signed-off-by: Chenbo Feng <fe...@g

[PATCH net-next v8 3/3] A Sample of using socket cookie and uid for traffic monitoring

2017-03-22 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Add a sample program to demonstrate the possible usage of the get_socket_cookie and get_socket_uid helper functions. The program will store byte and packet counts of in/out traffic monitored by iptables and store the stats in a bpf map in per socke

[PATCH net-next v8 0/3] net: core: Two Helper function about socket information

2017-03-22 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce two eBPF helper functions to get the socket cookie and socket uid for each packet. The helper functions are useful when the *sk field inside sk_buff is not empty. These helper functions can be used on socket and uid based traffic monitoring pr

[PATCH net-next v7 3/3] A Sample of using socket cookie and uid for traffic monitoring

2017-03-21 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Add a sample program to demonstrate the possible usage of the get_socket_cookie and get_socket_uid helper functions. The program will store byte and packet counts of in/out traffic monitored by iptables and store the stats in a bpf map in per socke

[PATCH net-next v7 0/3] net: core: Two Helper function about socket information

2017-03-21 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce two eBPF helper functions to get the socket cookie and socket uid for each packet. The helper functions are useful when the *sk field inside sk_buff is not empty. These helper functions can be used on socket and uid based traffic monitoring pr

[PATCH net-next v7 1/3] Add a helper function to get socket cookie in eBPF

2017-03-21 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Retrieve the socket cookie generated by sock_gen_cookie() from a sk_buff with a known socket. Generates a new cookie if one was not yet set. If the socket pointer inside sk_buff is NULL, 0 is returned. The helper function could be useful in monitoring per

[PATCH net-next v7 2/3] Add a eBPF helper function to retrieve socket uid

2017-03-21 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Returns the owner uid of the socket inside a sk_buff. This is useful to perform per-UID accounting of network traffic or per-UID packet filtering. The socket needs to be a fullsock, otherwise overflowuid is returned. Signed-off-by: Chenbo Feng <fe...@g

[PATCH net-next v6 2/3] Add a eBPF helper function to retrieve socket uid

2017-03-20 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Returns the owner uid of the socket inside a sk_buff. This is useful to perform per-UID accounting of network traffic or per-UID packet filtering. The socket needs to be a fullsock, otherwise overflowuid is returned. Signed-off-by: Chenbo Feng <fe...@g

[PATCH net-next v6 1/3] Add a helper function to get socket cookie in eBPF

2017-03-20 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Retrieve the socket cookie generated by sock_gen_cookie() from a sk_buff with a known socket. Generates a new cookie if one was not yet set. If the socket pointer inside sk_buff is NULL, 0 is returned. The helper function could be useful in monitoring per

[PATCH net-next v6 0/3] net: core: Two Helper function about socket information

2017-03-20 Thread Chenbo Feng
From: Chenbo Feng <fe...@google.com> Introduce two eBPF helper functions to get the socket cookie and socket uid for each packet. The helper functions are useful when the *sk field inside sk_buff is not empty. These helper functions can be used on socket and uid based traffic monitoring pr