This turns rpc_auth_create_args into a const as it gets passed through the
auth stack.
Signed-off-by: Sargun Dhillon
---
include/linux/sunrpc/auth.h| 5 +++--
net/sunrpc/auth.c | 2 +-
net/sunrpc/auth_gss/auth_gss.c | 9 +
net/sunrpc/auth_null.c | 2 +-
net
Today, sunrpc lives in net/sunrpc. As far as I can tell, the primary
production consumer of it is NFS. The RPC clients have the concept of
being tied back to a network namespace. On the other hand, NFS has its
own superblock with its own user namespace.
When sunrpc converts kuids to UIDs to send
On Tue, Mar 6, 2018 at 12:31 PM, Daniel Borkmann <dan...@iogearbox.net> wrote:
> On 03/06/2018 05:02 PM, Sargun Dhillon wrote:
>> On Tue, Mar 6, 2018 at 3:26 AM, Daniel Borkmann <dan...@iogearbox.net> wrote:
>>> On 03/06/2018 02:53 AM, Alexei Starovoitov wrote:
>
On Mon, Mar 5, 2018 at 8:10 AM, Tycho Andersen wrote:
> Hi Andy,
>
> On Thu, Mar 01, 2018 at 10:05:47PM +, Andy Lutomirski wrote:
>> But Tycho: would hooking user notifiers in right here work for you?
>> As I see it, this would be the best justification for seccomp eBPF.
>
>
On Thu, Mar 1, 2018 at 1:59 PM, Andy Lutomirski <l...@kernel.org> wrote:
> On Thu, Mar 1, 2018 at 9:51 PM, Sargun Dhillon <sar...@sargun.me> wrote:
>> On Thu, Mar 1, 2018 at 9:44 AM, Andy Lutomirski <l...@amacapital.net> wrote:
>>> On Wed, Feb 28, 2
On Thu, Mar 1, 2018 at 9:44 AM, Andy Lutomirski wrote:
> On Wed, Feb 28, 2018 at 7:56 PM, Daniel Borkmann wrote:
>> On 02/28/2018 12:55 AM, chris hyser wrote:
On 02/27/2018 04:58 PM, Daniel Borkmann wrote:
>> On 02/27/2018 05:59 PM, chris
On Mon, Feb 26, 2018 at 7:57 PM, Tycho Andersen <ty...@tycho.ws> wrote:
> On Mon, Feb 26, 2018 at 07:49:48PM -0800, Sargun Dhillon wrote:
>> On Mon, Feb 26, 2018 at 4:54 PM, Tycho Andersen <ty...@tycho.ws> wrote:
>> > On Mon, Feb 26, 2018 at 07:27:05AM +0000, Sargu
On Mon, Feb 26, 2018 at 4:54 PM, Tycho Andersen <ty...@tycho.ws> wrote:
> On Mon, Feb 26, 2018 at 07:27:05AM +0000, Sargun Dhillon wrote:
>> +config SECCOMP_FILTER_EXTENDED
>> + bool "Extended BPF seccomp filters"
>> + depends on SECCOMP_F
On Mon, Feb 26, 2018 at 5:01 PM, Tycho Andersen <ty...@tycho.ws> wrote:
> On Mon, Feb 26, 2018 at 03:20:15PM -0800, Kees Cook wrote:
>> On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov
>> <alexei.starovoi...@gmail.com> wrote:
>> > On Mon, Feb 26, 2018 at 07
On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov
<alexei.starovoi...@gmail.com> wrote:
> On Mon, Feb 26, 2018 at 07:26:54AM +0000, Sargun Dhillon wrote:
>> This patchset enables seccomp filters to be written in eBPF. Although this
>> patchset doesn't introduce much of the
This adds a sample program that uses seccomp-eBPF, called
seccomp1. It shows the simple ability to code seccomp filters
in C.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
samples/bpf/Makefile| 5 +
samples/bpf/bpf_load.c | 9 ++--
sampl
to a cBPF one. Verification occurs at program load time,
so the user should only receive errors related to attachment.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
arch/Kconfig | 8 +++
include/linux/bpf_types.h| 3 +
include/linux/seccomp.h | 3 +-
includ
ot a separate command
* Remove printk helper
* Remove ptrace patch / restore filter / sample
* Add some safe helpers
Sargun Dhillon (2):
bpf, seccomp: Add eBPF filter capabilities
bpf: Add eBPF seccomp sample programs
arch/Kconfig| 8 ++
include/linux/bpf_types.
On Mon, Feb 19, 2018 at 4:00 PM, Daniel Borkmann <dan...@iogearbox.net> wrote:
> On 02/19/2018 05:22 PM, Sargun Dhillon wrote:
>> This introduces the BPF_PROG_TYPE_SECCOMP bpf program type. It is meant
>> to be used for seccomp filters as an alternative to cBPF filters. Th
On Mon, Feb 19, 2018 at 4:00 PM, Daniel Borkmann <dan...@iogearbox.net> wrote:
> On 02/19/2018 05:22 PM, Sargun Dhillon wrote:
>> This introduces the BPF_PROG_TYPE_SECCOMP bpf program type. It is meant
>> to be used for seccomp filters as an alternative to cBPF filters. Th
to a cBPF one. Verification occurs at program load time,
so the user should only receive errors related to attachment.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
arch/Kconfig | 8 +++
include/linux/bpf_types.h| 3 +
include/linux/seccomp.h | 3 +-
includ
On Sat, Feb 17, 2018 at 9:58 AM, Randy Dunlap <rdun...@infradead.org> wrote:
> On 02/16/2018 11:36 PM, Sargun Dhillon wrote:
>> + close(111);
>> + assert(errno == EBADF);
>> + close(999);
>> + assert(errno = EPERM);
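Review bot: the last line, `assert(errno = EPERM);`, is an assignment rather than a comparison, so it always passes (EPERM is non-zero) and overwrites errno instead of checking it; it should read `assert(errno == EPERM);` to match the `assert(errno == EBADF);` two lines above. Also consider asserting on the return value of each `close()` as well, since errno is only meaningful after the call has returned -1.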
>
> should that be
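The check being discussed above, written out as a runnable classic seccomp-bpf (cBPF) filter. This is an added example and not code from the patch series: the BPF_PROG_TYPE_SECCOMP program type proposed in these threads was never merged, so the filter is expressed with the long-standing cBPF seccomp ABI that exists on any Linux kernel with CONFIG_SECCOMP_FILTER. The filter refuses to close fd 999 with EPERM and leaves every other close() alone, so an unopened fd such as 111 still gets the kernel's ordinary EBADF; the comparisons use `==`, which is the point Randy raises. The fd numbers 111 and 999 are taken from the quoted test; the function names (`install_demo_filter`, `close_errno`, `run_demo`) are this example's own.

```c
/* Added example, not from the patch series: a classic seccomp-bpf filter that
 * makes close(999) fail with EPERM while other close() calls proceed normally.
 * Works unprivileged on Linux with CONFIG_SECCOMP_FILTER; the filter stays in
 * effect for the rest of the process's life. */
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U   /* older headers only have SECCOMP_RET_KILL */
#endif

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define BLOCKED_FD 999U   /* fd the filter refuses to close; 999 is the value used in the quoted test */

/* The filter program. Both supported architectures are little-endian, so the
 * low 32 bits of the 64-bit args[0] sit at offsetof(args[0]) and the high
 * 32 bits four bytes later. */
static struct sock_filter demo_filter[] = {
    /* Kill on an unexpected architecture: syscall numbers differ between ABIs. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* Anything other than close(): allow. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_close, 0, 5),
    /* close(): compare the low word of args[0] with BLOCKED_FD ... */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, BLOCKED_FD, 0, 3),
    /* ... and make sure the high word is zero, so 0x1_000003e7 is not matched. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0]) + 4),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

size_t demo_filter_len(void)
{
    return sizeof(demo_filter) / sizeof(demo_filter[0]);
}

/* Returns 0 on success, -1 with errno set if the kernel (or a sandbox
 * already wrapping this process) refuses the filter. */
int install_demo_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)demo_filter_len(),
        .filter = demo_filter,
    };
    /* Unprivileged processes must give up privilege gain before filtering. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* close(fd) and report the errno it produced (0 when the close succeeded). */
int close_errno(int fd)
{
    errno = 0;
    if (close(fd) == 0)
        return 0;
    return errno;
}

/*  0: filter installed and close() behaved as expected (EBADF, then EPERM);
 *  1: skipped, because seccomp could not be installed here or a probe fd was open;
 * -1: filter installed but close() did not behave as expected. */
int run_demo(void)
{
    const int unused_fd = 111;   /* an fd the quoted test expects to be unopened */
    if (fcntl(unused_fd, F_GETFD) != -1 || fcntl((int)BLOCKED_FD, F_GETFD) != -1)
        return 1;
    if (install_demo_filter() != 0)
        return 1;
    /* Not blocked, not open: the kernel's ordinary EBADF. */
    if (close_errno(unused_fd) != EBADF)
        return -1;
    /* Blocked by the filter before the fd table is even consulted. */
    if (close_errno((int)BLOCKED_FD) != EPERM)
        return -1;
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("seccomp demo: %s\n",
           rc == 0 ? "close(111) -> EBADF, close(999) -> EPERM" :
           rc == 1 ? "skipped (seccomp not installable here)" :
                     "unexpected close() behaviour");
    return rc < 0;
}
```

Compile with `cc -o seccomp_close_demo seccomp_close_demo.c` and run unprivileged. The arch check and the high-word check are the two things most often left out of hand-written seccomp filters: without the first, a 32-bit caller on a 64-bit kernel sees different syscall numbers; without the second, an fd argument with garbage in its upper bits slips past the comparison.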
to a cBPF one. Verification occurs at program load time,
so the user should only receive errors related to attachment.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
arch/Kconfig | 8 +++
include/linux/bpf_types.h| 3 +
include/linux/seccomp.h | 3 +-
includ
This adds a sample program that uses seccomp-eBPF, called
seccomp1. It shows the simple ability to code seccomp filters
in C.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
samples/bpf/Makefile| 5 +
samples/bpf/bpf_load.c | 9 +++--
samples/bpf/seccomp1_kern.
ptrace patch / restore filter / sample
* Add some safe helpers
Sargun Dhillon (2):
bpf, seccomp: Add eBPF filter capabilities
bpf: Add eBPF seccomp sample programs
arch/Kconfig | 8 +++
include/linux/bpf_types.h| 3 +
include/linux/seccomp.h | 3 +-
include/uap
On Tue, Feb 13, 2018 at 12:34 PM, Kees Cook <keesc...@chromium.org> wrote:
> On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon <sar...@sargun.me> wrote:
>> From: Sargun Dhillon <sar...@netflix.com>
>>
>> This introduces the BPF_PROG_TYPE_SECCOMP bpf
On Wed, Feb 14, 2018 at 8:30 PM, Alexei Starovoitov
wrote:
> On Wed, Feb 14, 2018 at 10:32:22AM -0700, Tycho Andersen wrote:
>> > >
>> > > What's the reason for adding eBPF support? seccomp shouldn't need it,
>> > > and it only makes the code more complex. I'd rather
On Tue, Feb 13, 2018 at 9:02 AM, Jessie Frazelle <m...@jessfraz.com> wrote:
> On Tue, Feb 13, 2018 at 11:29 AM, Sargun Dhillon <sar...@sargun.me> wrote:
>> On Tue, Feb 13, 2018 at 7:47 AM, Kees Cook <keesc...@chromium.org> wrote:
>>> On Tue, Feb 13,
On Tue, Feb 13, 2018 at 7:47 AM, Kees Cook <keesc...@chromium.org> wrote:
> On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon <sar...@sargun.me> wrote:
>> This patchset enables seccomp filters to be written in eBPF. Although
>> this patchset doesn't introduce much o
From: Sargun Dhillon <sar...@netflix.com>
This adds two sample programs:
seccomp1: A simple eBPF seccomp filter
seccomp2: A program which installs an eBPF filter
and then retrieves it via ptrace to show
checkpoint / restore capability.
Signed-off-by: Sargun Dhillo
if we come
to an agreement, this can be in a follow-up patchset.
Sargun Dhillon (3):
bpf, seccomp: Add eBPF filter capabilities
seccomp, ptrace: Add a mechanism to retrieve attached eBPF seccomp
filters
bpf: Add eBPF seccomp sample programs
arch/Kconfig | 7 ++
inc
From: Sargun Dhillon <sar...@netflix.com>
This introduces the BPF_PROG_TYPE_SECCOMP bpf program type. It is meant
to be used for seccomp filters as an alternative to cBPF filters. The
program type has relatively limited capabilities in terms of helpers,
but that can be extended later on.
I
From: Sargun Dhillon <sar...@netflix.com>
This extends the ptrace API to allow fetching eBPF seccomp filters
attached to programs. This is to enable checkpoint / restore cases.
The user will have to use the traditional PTRACE_SECCOMP_GET_FILTER
API call, and if they get an invalid mediu
On Fri, Dec 2, 2016 at 4:20 PM, Alexei Starovoitov
wrote:
> On Fri, Dec 02, 2016 at 11:42:15AM -0800, John Fastabend wrote:
>> >> As far as pattern search for DNS packets...
>> >> it was requested by Cloudflare guys back in March:
>> >>
This patch modifies test_current_task_under_cgroup_user. The test has
several helpers around creating a temporary environment for cgroup
testing, and moving the current task around cgroups. This set of
helpers can then be used in other tests.
Signed-off-by: Sargun Dhillon <sar...@sargun
is enabled,
this test will fail.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
samples/bpf/Makefile | 2 +
samples/bpf/test_cgrp2_attach2.c | 132 +++
2 files changed, 134 insertions(+)
create mode 100644 samples/bpf/test_cgrp2_attach2.c
diff
ault. With this code, we're able
to pretty easily add an automated test for future cgroupsv2 functionality.
Sargun Dhillon (2):
samples, bpf: Refactor test_current_task_under_cgroup - separate out
helpers
samples, bpf: Add automated test for cgroup filter attachments
samples/bpf/Make
On Mon, Nov 28, 2016 at 7:50 PM, Alexei Starovoitov
<alexei.starovoi...@gmail.com> wrote:
> On Mon, Nov 28, 2016 at 02:52:42PM -0800, Sargun Dhillon wrote:
>> This patch modifies test_cgrp2_attach to use getopt so we can use standard
>> command line parsing.
>>
>&
and then attach. It relies
on the 'hotswap' behaviour of CGroup BPF programs to be able to change
in-place. If detach-then-attach behaviour needs to be tested, the example
can be run in detach only mode prior to attachment.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
sampl
m could come from outside a process (e.g. passed through a
>> UNIX socket). It is then useful to differentiate the creation/load of Landlock
>> eBPF programs via bpf(2), from rule enforcing via seccomp(2).
>>
>>
>> ## Why using cgroups?
>>
>
On Thu, Sep 15, 2016 at 09:41:33PM +0200, Mickaël Salaün wrote:
>
> On 15/09/2016 06:48, Alexei Starovoitov wrote:
> > On Wed, Sep 14, 2016 at 09:38:16PM -0700, Andy Lutomirski wrote:
> >> On Wed, Sep 14, 2016 at 9:31 PM, Alexei Starovoitov
> >> wrote:
> >>> On Wed,
I'm fine giving up the Checmate name. Landlock seems easy enough to
Google. I haven't gotten a chance to look through the entire patchset
yet, but it does seem like they are somewhat similar.
On Mon, Sep 19, 2016 at 5:12 PM, Alexei Starovoitov
wrote:
> On Thu, Sep
On Mon, Sep 19, 2016 at 06:34:28PM +0200, Daniel Mack wrote:
> Hi,
>
> On 09/16/2016 09:57 PM, Sargun Dhillon wrote:
> > On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote:
>
> >> I have no idea what makes you think this is limited to systemd. As I
>
On Fri, Sep 16, 2016 at 12:57:29PM -0700, Sargun Dhillon wrote:
> On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote:
> > Hi Pablo,
> >
> > On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote:
> > > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote:
On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote:
> Hi Pablo,
>
> On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote:
> > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote:
> >> On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote:
> >>> On Mon, Sep 12, 2016 at 06:12:09PM +0200,
On Mon, Sep 05, 2016 at 04:49:26PM +0200, Daniel Mack wrote:
> Hi,
>
> On 08/30/2016 01:04 AM, Sargun Dhillon wrote:
> > On Fri, Aug 26, 2016 at 09:58:48PM +0200, Daniel Mack wrote:
> >> This patch adds two sets of eBPF program pointers to struct cgroup.
> >> One
On Mon, Aug 29, 2016 at 02:49:17PM -0700, Alexei Starovoitov wrote:
> On 8/29/16 12:24 PM, Tejun Heo wrote:
> >Hello, Sargun.
> >
> >On Mon, Aug 29, 2016 at 11:49:07AM -0700, Sargun Dhillon wrote:
> >>It would be a separate hook per LSM hook. Why wouldn't we want a
On Fri, Aug 26, 2016 at 09:58:48PM +0200, Daniel Mack wrote:
> This patch adds two sets of eBPF program pointers to struct cgroup.
> One for such that are directly pinned to a cgroup, and one for such
> that are effective for it.
>
> To illustrate the logic behind that, assume the following
On Tue, Aug 30, 2016 at 12:03:23AM +0200, Daniel Borkmann wrote:
> On 08/26/2016 09:58 PM, Daniel Mack wrote:
> >If the cgroup associated with the receiving socket has an eBPF
> >programs installed, run them from __dev_queue_xmit().
> >
> >eBPF programs used in this context are expected to either
On Mon, Aug 29, 2016 at 01:01:18PM -0400, Tejun Heo wrote:
> Hello,
>
> On Mon, Aug 29, 2016 at 04:47:07AM -0700, Sargun Dhillon wrote:
> > This patch adds a minor LSM, Checmate. Checmate is a flexible programmable,
> > extensible minor LSM that's coupled with cgroups an
easier.
This patch is used in follow on samples.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
samples/bpf/Makefile | 2 +-
samples/bpf/cgroup_helpers.c | 103 ++
samples/bpf/cgroup_helpers.h
for not refcnting 2-tuples using atomic counters is the lack of
a safe free mechanism.
In order to run this program, you may need to bump your ulimit -l.
2) remap_bind
This program rewrites binds from 6789 to 12345. It is meant to mimic
the usage of DNAT.
Signed-off-by: Sargun Dhillon <
This adds documentation on how to operate, and develop against the
Checmate LSM and Cgroup controller.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
Documentation/security/Checmate.txt | 54 +
1 file changed, 54 insertions(+)
create mode
This patch exposes the current_task_under_cgroup helper to Checmate
programs. It can be used to implement exemptions for certain policies
when using Checmate programs by wrapping a pre-compiled policy
in a tail call along with this helper.
Signed-off-by: Sargun Dhillon <sar...@sargun
for introspecting sockets (getpeername) still works.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
include/uapi/linux/bpf.h | 11
security/checmate/checmate_bpf.c | 55
2 files changed, 66 insertions(+)
diff --git a/includ
complex policies can be installed on the cgroup hierarchy.
These cgroup programs are tied to the kernel ABI version. If one tries
to load a BPF program compiled against a different kernel version,
an error will be thrown.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
include
This patch changes the order of allocations / calls to allocate the
sock_cgroup_data before calling security_sk_alloc. In addition, this
patch also reorders the deallocation when calling security_sk_free
so that LSMs can examine the cgroup that a particular sk belongs to.
Signed-off-by: Sargun
This patch moves cgroup_parent into cgroup.h as a static inline helper
function so that others can use it. Although this pattern is easy
to implement, having it in one place simplifies the creation
of new cgroup controllers.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
include
This patch moves bpf_probe_read and bpf_get_current_task to be the shared
cgroup infrastructure. These are useful outside of the context of just
tracing, but also inspection of a process memory during security
policy enforcement.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
include
way around this unless we decide that a subset of the lsm hooks API is
immutable. That's a question for the LSM maintainers.
Thanks to Alexei, Daniel B, and Daniel Mack, and Tejun for input. I would love
to know what y'all think.
Sargun Dhillon (9):
net: Make cgroup sk data present when cal
On Tue, Aug 23, 2016 at 10:27:28AM +0200, Daniel Mack wrote:
> On 08/22/2016 07:20 PM, Sargun Dhillon wrote:
> > On Mon, Aug 22, 2016 at 06:22:20PM +0200, Daniel Mack wrote:
> >> On 08/22/2016 06:06 PM, Pablo Neira Ayuso wrote:
>
> >>> This patchset also needs an
On Mon, Aug 22, 2016 at 06:22:20PM +0200, Daniel Mack wrote:
> On 08/22/2016 06:06 PM, Pablo Neira Ayuso wrote:
> > On Fri, Aug 19, 2016 at 07:07:39PM +0200, Thomas Graf wrote:
>
> >> You brought up multiple tables which reflect the cumulative approach.
> >> This sometimes works but has its
On Wed, Aug 17, 2016 at 04:00:47PM +0200, Daniel Mack wrote:
> If CONFIG_CGROUP_BPF is enabled, and the cgroup associated with the
> receiving socket has an eBPF programs installed, run them from
> sk_filter_trim_cap().
>
> eBPF programs used in this context are expected to either return 1 to
>
On Mon, Aug 15, 2016 at 12:59:13PM +0200, Mickaël Salaün wrote:
>
> On 15/08/2016 05:09, Sargun Dhillon wrote:
> > On Mon, Aug 15, 2016 at 12:57:44AM +0200, Mickaël Salaün wrote:
> >> Our approaches have some common points (i.e. use eBPF in an LSM, stacked
> >>
cess limiter. Do you have a way to make it so
that a given container can only write, say, 100mb of data to disk?
> Mickaël
>
>
> [1] http://www.openwall.com/lists/kernel-hardening/2016/03/24/2
>
>
>
> On 09/08/2016 02:22, Kees Cook wrote:
> > On Mon, Aug 8,
out of *.c files, add an "integration" test
v3->v4: De-genericize arraymap fetching function;
rename helper from in_cgroup to under_cgroup (makes much more sense)
Split adding cgroups task_under_cgroup_hierarchy function
v4->v5: Fix formatting
S
to execution in userspace. This means
that the program must be run in the same cgroups namespace as the programs
that are being traced.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
Cc: Alexei Starovoitov <a...@kernel.org>
Cc: Daniel Borkmann <dan...@iogearbox.net>
Cc: Tejun He
return an error. The helper is primarily to be used in debugging
activities for containers, where you may have multiple programs running in
a given top-level "container".
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
Cc: Alexei Starovoitov <a...@kernel.org>
Cc: Daniel Borkmann
This commit adds an inline function to cgroup.h to check whether a given
task is under a given cgroup hierarchy. This is to avoid having to put
ifdefs in .c files to gate access to cgroups. When cgroups are disabled
this always returns true.
Signed-off-by: Sargun Dhillon <sar...@sargun.me&
On Fri, Aug 12, 2016 at 09:16:07AM +0200, Daniel Borkmann wrote:
> On 08/12/2016 06:50 AM, Sargun Dhillon wrote:
> >I realize that in_cgroup is more consistent, but under_cgroup makes
> >far more sense to me. I think it's more intuitive.
> >
> >On Thu, Aug 11, 2016 at
I realize that in_cgroup is more consistent, but under_cgroup makes
far more sense to me. I think it's more intuitive.
On Thu, Aug 11, 2016 at 9:48 PM, Alexei Starovoitov
<alexei.starovoi...@gmail.com> wrote:
> On Thu, Aug 11, 2016 at 08:14:56PM -0700, Sargun Dhillon wrote:
>>
to execution in userspace. This means
that the program must be run in the same cgroups namespace as the programs
that are being traced.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
Cc: Alexei Starovoitov <a...@kernel.org>
Cc: Daniel Borkmann <dan...@iogearbox.net>
Cc: Tejun He
return an error. The helper is primarily to be used in debugging
activities for containers, where you may have multiple programs running in
a given top-level "container".
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
Cc: Alexei Starovoitov <a...@kernel.org>
Cc: Daniel Borkmann
This commit adds an inline function to cgroup.h to check whether a given
task is under a given cgroup hierarchy. This is to avoid having to put
ifdefs in .c files to gate access to cgroups. When cgroups are disabled
this always returns true.
Signed-off-by: Sargun Dhillon <sar...@sargun.me&
out of *.c files, add an "integration" test
v3->v4: De-genericize arraymap fetching function;
rename helper from in_cgroup to under_cgroup (makes much more sense)
Split adding cgroups task_under_cgroup_hierarchy function
Sargun Dhillon (3):
cgroup: Add task_under_c
to execution in userspace. This means
that the program must be run in the same cgroups namespace as the programs
that are being traced.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
Cc: Alexei Starovoitov <a...@kernel.org>
Cc: Daniel Borkmann <dan...@iogearbox.net>
Cc: Tejun He
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
Cc: Alexei Starovoitov <a...@kernel.org>
Cc: Daniel Borkmann <dan...@iogearbox.net>
Cc: Tejun Heo <t...@kernel.org>
---
include/linux/bpf.h | 22 ++
include/linux/cgroup.h | 23
f *.c files, add an "integration" test
Sargun Dhillon (2):
bpf: Add bpf_current_task_in_cgroup helper
samples/bpf: Add test_current_task_in_cgroup test
include/linux/bpf.h| 22
include/linux/cgroup.h | 23
include/uapi/linux/bpf.h
On Tue, Aug 09, 2016 at 08:52:01PM -0700, Alexei Starovoitov wrote:
> On Tue, Aug 09, 2016 at 08:40:05PM -0700, Sargun Dhillon wrote:
> > On Tue, Aug 09, 2016 at 08:27:32PM -0700, Alexei Starovoitov wrote:
> > > On Tue, Aug 09, 2016 at 06:26:37PM -0700, Sargun Dhillon wrote:
>
On Tue, Aug 09, 2016 at 08:27:32PM -0700, Alexei Starovoitov wrote:
> On Tue, Aug 09, 2016 at 06:26:37PM -0700, Sargun Dhillon wrote:
> > On Tue, Aug 09, 2016 at 06:02:34PM -0700, Alexei Starovoitov wrote:
> > > On Tue, Aug 09, 2016 at 05:55:26PM -0700, Sargun Dhillon wrote:
>
On Tue, Aug 09, 2016 at 06:02:34PM -0700, Alexei Starovoitov wrote:
> On Tue, Aug 09, 2016 at 05:55:26PM -0700, Sargun Dhillon wrote:
> > On Tue, Aug 09, 2016 at 05:23:50PM -0700, Alexei Starovoitov wrote:
> > > On Tue, Aug 09, 2016 at 05:00:12PM -0700, Sargun Dhillon wrote:
On Tue, Aug 09, 2016 at 05:23:50PM -0700, Alexei Starovoitov wrote:
> On Tue, Aug 09, 2016 at 05:00:12PM -0700, Sargun Dhillon wrote:
> > This adds a bpf helper that's similar to the skb_in_cgroup helper to check
> > whether the probe is currently executing in the context of a spec
that the program must be run in the same cgroups namespace as the programs
that are being traced.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
Cc: Alexei Starovoitov <a...@kernel.org>
Cc: Daniel Borkmann <dan...@iogearbox.net>
---
samples/bpf/Makefile | 4 +++
samples
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
Cc: Alexei Starovoitov <a...@kernel.org>
Cc: Daniel Borkmann <dan...@iogearbox.net>
---
include/linux/bpf.h | 24
include/uapi/linux/bpf.h | 11 +++
kernel/bpf/arraymap.c| 2 +-
k
ust supply a specific
cgroup in the hierarchy, and it'll print out all files being opened under it.
v1->v2: Add better example code -- OpenSnoop, clean up
Sargun Dhillon (2):
bpf: Add bpf_current_task_in_cgroup helper
samples/bpf: Add opensnoop example that uses current_task_in_cgro
On Mon, Aug 08, 2016 at 04:44:02PM -0700, Kees Cook wrote:
> On Thu, Aug 4, 2016 at 12:11 AM, Sargun Dhillon <sar...@sargun.me> wrote:
> > I distributed this patchset to linux-security-mod...@vger.kernel.org
> > earlier,
> > but based on the fact that the archive is
On Mon, Aug 08, 2016 at 11:27:32AM +0200, Daniel Borkmann wrote:
> On 08/08/2016 05:52 AM, Alexei Starovoitov wrote:
> >On Sun, Aug 07, 2016 at 08:08:19PM -0700, Sargun Dhillon wrote:
> >>Thanks for your feedback Alexei,
> >>I really appreciate it.
> >>
> >
Thanks for your feedback Alexei,
I really appreciate it.
On Sun, Aug 07, 2016 at 05:52:36PM -0700, Alexei Starovoitov wrote:
> On Sat, Aug 06, 2016 at 09:56:06PM -0700, Sargun Dhillon wrote:
> > On Sat, Aug 06, 2016 at 09:32:05PM -0700, Alexei Starovoitov wrote:
> > > On Sat,
On Sat, Aug 06, 2016 at 09:32:05PM -0700, Alexei Starovoitov wrote:
> On Sat, Aug 06, 2016 at 09:06:53PM -0700, Sargun Dhillon wrote:
> > This patchset includes a helper and an example to determine whether the
> > kprobe
> > is currently executing in the context of a
This is a simple trace example that shows programs connecting,
but only if they're in a chosen cgroup.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
Cc: Alexei Starovoitov <a...@kernel.org>
Cc: Daniel Borkmann <dan...@iogearbox.net>
---
samples/bpf/Makefile
This patchset includes a helper and an example to determine whether the kprobe
is currently executing in the context of a specific cgroup based on a cgroup
bpf map / array.
Sargun Dhillon (2):
bpf: Add bpf_current_in_cgroup helper
samples/bpf: Add example using current_in_cgroup
include
This adds a kprobe helper that's similar to the skb_in_cgroup helper. It
checks whether the probe is currently executing in the context of the
cgroup at the given index a CGROUP_ARRAY.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
Cc: Alexei Starovoitov <a...@kernel.org>
Cc: Dan
On Thu, Aug 04, 2016 at 05:34:32PM +0800, zhuyj wrote:
> Sure.
> Is it better to add
> #ifndef CONFIG_PREEMPT_RCU ?
>
> On Thu, Aug 4, 2016 at 4:28 PM, Eric Dumazet wrote:
> > Please do not top post
> >
> > On Thu, 2016-08-04 at 16:08 +0800, zhuyj wrote:
> >> +void
On Thu, Aug 04, 2016 at 11:45:08AM +0200, Daniel Borkmann wrote:
> Hi Sargun,
>
> On 08/04/2016 09:11 AM, Sargun Dhillon wrote:
> [...]
> >[It's a] minor LSM. My particular use case is one in which containers are being
> >dynamically deployed to machines by inte
On Thu, Aug 04, 2016 at 10:41:17AM +0200, Richard Weinberger wrote:
> Sargun,
>
> On Thu, Aug 4, 2016 at 9:11 AM, Sargun Dhillon <sar...@sargun.me> wrote:
> > I distributed this patchset to linux-security-mod...@vger.kernel.org
> > earlier,
> > but based on
I think it makes sense to restrict Checmate to loading programs that have been
compiled with the current kernel ABI. We can further stabilize the ABI, and
perhaps lift this restriction later.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
kernel/bpf/syscall.c | 2 +-
sampl
blobs in some cases.
I would love to know what y'all think.
Sargun Dhillon (4):
bpf: move tracing helpers to shared helpers
bpf, security: Add Checmate
security/checmate: Add Checmate sample
bpf: Restrict Checmate bpf programs to current kernel ABI
include/linux/bpf.h | 2
would lock
their hooks.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
include/linux/checmate.h | 38 +
include/uapi/linux/Kbuild| 1 +
include/uapi/linux/bpf.h | 1 +
include/uapi/linux/checmate.h| 65 +
include/uapi/linux/p
Move bpf_probe_read and bpf_get_current_task to the shared helpers
so that Checmate can use them.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
---
include/linux/bpf.h | 2 ++
kernel/bpf/helpers.c | 34 ++
kernel/trace/bpf_trace.
The Checmate sample installs a policy barring new AF_INET connections
to port 1. We install the hook, and show an example of connect
returning EPERM, and then reset the policy.
If this is running concurrently with other policy engines, bad things
could happen.
Signed-off-by: Sargun Dhillon <
me bpf_probe_write -> bpf_probe_write_user
v6->v7: More formatting cleanup.
Clarifying a few comments
Clarified log message
Sargun Dhillon (2):
bpf: Add bpf_probe_write_user BPF helper to be called in tracers
samples/bpf: Add test/example of using bpf_probe_write_user bpf hel
this feature is meant for experiments, and it has a risk of
crashing the system, and running programs, we print a warning
when a proglet that attempts to use this helper is installed,
along with the pid and process name.
Signed-off-by: Sargun Dhillon <sar...@sargun.me>
Cc: Alexei Staro
/dev/null
+++ b/samples/bpf/test_probe_write_user_kern.c
@@ -0,0 +1,52 @@
+/* Copyright (c) 2016 Sargun Dhillon <sar...@sargun.me>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as publishe
In kernel/bpf/syscall.c we restrict programs loading bpf kprobe programs so
attr.kern_version must be exactly equal to what the user is running at the
moment. This makes a lot of sense because kprobes can touch lots of
unstable bits of the kernel ABI.
Unfortunately, this makes it really
/dev/null
+++ b/samples/bpf/test_probe_write_user_kern.c
@@ -0,0 +1,52 @@
+/* Copyright (c) 2016 Sargun Dhillon <sar...@sargun.me>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as publishe