[PATCH] net/sunrpc: Make rpc_auth_create_args a const

2018-07-05 Thread Sargun Dhillon
This turns rpc_auth_create_args into a const as it gets passed through the auth stack. Signed-off-by: Sargun Dhillon --- include/linux/sunrpc/auth.h| 5 +++-- net/sunrpc/auth.c | 2 +- net/sunrpc/auth_gss/auth_gss.c | 9 + net/sunrpc/auth_null.c | 2 +- net

How should NFS, SUNRPC interact with Network and User Namespaces?

2018-06-29 Thread Sargun Dhillon
Today, sunrpc lives in net/sunrpc. As far as I can tell, the primary production consumer of it is NFS. The RPC clients have the concept of being tied back to a network namespace. On the other hand, NFS has its own superblock with its own user namespace. When sunrpc convert kuids to UIDs to send

Re: Userspace helper design

2018-03-06 Thread Sargun Dhillon
On Tue, Mar 6, 2018 at 12:31 PM, Daniel Borkmann <dan...@iogearbox.net> wrote: > On 03/06/2018 05:02 PM, Sargun Dhillon wrote: >> On Tue, Mar 6, 2018 at 3:26 AM, Daniel Borkmann <dan...@iogearbox.net> wrote: >>> On 03/06/2018 02:53 AM, Alexei Starovoitov wrote: >

Re: [net-next v3 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-03-05 Thread Sargun Dhillon
On Mon, Mar 5, 2018 at 8:10 AM, Tycho Andersen wrote: > Hi Andy, > > On Thu, Mar 01, 2018 at 10:05:47PM +, Andy Lutomirski wrote: >> But Tycho: would hooking user notifiers in right here work for you? >> As I see it, this would be the best justification for seccomp eBPF. > >

Re: [net-next v3 0/2] eBPF seccomp filters

2018-03-01 Thread Sargun Dhillon
On Thu, Mar 1, 2018 at 1:59 PM, Andy Lutomirski <l...@kernel.org> wrote: > On Thu, Mar 1, 2018 at 9:51 PM, Sargun Dhillon <sar...@sargun.me> wrote: >> On Thu, Mar 1, 2018 at 9:44 AM, Andy Lutomirski <l...@amacapital.net> wrote: >>> On Wed, Feb 28, 2

Re: [net-next v3 0/2] eBPF seccomp filters

2018-03-01 Thread Sargun Dhillon
On Thu, Mar 1, 2018 at 9:44 AM, Andy Lutomirski wrote: > On Wed, Feb 28, 2018 at 7:56 PM, Daniel Borkmann wrote: >> On 02/28/2018 12:55 AM, chris hyser wrote: On 02/27/2018 04:58 PM, Daniel Borkmann wrote: >> On 02/27/2018 05:59 PM, chris

Re: [net-next v3 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-02-26 Thread Sargun Dhillon
On Mon, Feb 26, 2018 at 7:57 PM, Tycho Andersen <ty...@tycho.ws> wrote: > On Mon, Feb 26, 2018 at 07:49:48PM -0800, Sargun Dhillon wrote: >> On Mon, Feb 26, 2018 at 4:54 PM, Tycho Andersen <ty...@tycho.ws> wrote: >> > On Mon, Feb 26, 2018 at 07:27:05AM +0000, Sargu

Re: [net-next v3 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-02-26 Thread Sargun Dhillon
On Mon, Feb 26, 2018 at 4:54 PM, Tycho Andersen <ty...@tycho.ws> wrote: > On Mon, Feb 26, 2018 at 07:27:05AM +0000, Sargun Dhillon wrote: >> +config SECCOMP_FILTER_EXTENDED >> + bool "Extended BPF seccomp filters" >> + depends on SECCOMP_F

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-26 Thread Sargun Dhillon
On Mon, Feb 26, 2018 at 5:01 PM, Tycho Andersen <ty...@tycho.ws> wrote: > On Mon, Feb 26, 2018 at 03:20:15PM -0800, Kees Cook wrote: >> On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov >> <alexei.starovoi...@gmail.com> wrote: >> > On Mon, Feb 26, 2018 at 07

Re: [net-next v3 0/2] eBPF seccomp filters

2018-02-26 Thread Sargun Dhillon
On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov <alexei.starovoi...@gmail.com> wrote: > On Mon, Feb 26, 2018 at 07:26:54AM +0000, Sargun Dhillon wrote: >> This patchset enables seccomp filters to be written in eBPF. Although, this >> patchset doesn't introduce much of the

[net-next v3 2/2] bpf: Add eBPF seccomp sample programs

2018-02-25 Thread Sargun Dhillon
This adds a sample program that uses seccomp-eBPF, called seccomp1. It shows the simple ability to code seccomp filters in C. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- samples/bpf/Makefile| 5 + samples/bpf/bpf_load.c | 9 ++-- sampl

[net-next v3 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-02-25 Thread Sargun Dhillon
to a cBPF one. Verification occurs at program load time, so the user should only receive errors related to attachment. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- arch/Kconfig | 8 +++ include/linux/bpf_types.h| 3 + include/linux/seccomp.h | 3 +- includ

[net-next v3 0/2] eBPF seccomp filters

2018-02-25 Thread Sargun Dhillon
ot a separate command * Remove printk helper * Remove ptrace patch / restore filter / sample * Add some safe helpers Sargun Dhillon (2): bpf, seccomp: Add eBPF filter capabilities bpf: Add eBPF seccomp sample programs arch/Kconfig| 8 ++ include/linux/bpf_types.

Re: [net-next v2 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-02-20 Thread Sargun Dhillon
On Mon, Feb 19, 2018 at 4:00 PM, Daniel Borkmann <dan...@iogearbox.net> wrote: > On 02/19/2018 05:22 PM, Sargun Dhillon wrote: >> This introduces the BPF_PROG_TYPE_SECCOMP bpf program type. It is meant >> to be used for seccomp filters as an alternative to cBPF filters. Th

Re: [net-next v2 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-02-20 Thread Sargun Dhillon
On Mon, Feb 19, 2018 at 4:00 PM, Daniel Borkmann <dan...@iogearbox.net> wrote: > On 02/19/2018 05:22 PM, Sargun Dhillon wrote: >> This introduces the BPF_PROG_TYPE_SECCOMP bpf program type. It is meant >> to be used for seccomp filters as an alternative to cBPF filters. Th

[net-next v2 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-02-19 Thread Sargun Dhillon
to a cBPF one. Verification occurs at program load time, so the user should only receive errors related to attachment. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- arch/Kconfig | 8 +++ include/linux/bpf_types.h| 3 + include/linux/seccomp.h | 3 +- includ

Re: [net-next v2 2/2] bpf: Add eBPF seccomp sample programs

2018-02-18 Thread Sargun Dhillon
On Sat, Feb 17, 2018 at 9:58 AM, Randy Dunlap <rdun...@infradead.org> wrote: > On 02/16/2018 11:36 PM, Sargun Dhillon wrote: >> + close(111); >> + assert(errno == EBADF); >> + close(999); >> + assert(errno = EPERM); > > should that be

[net-next v2 1/2] bpf, seccomp: Add eBPF filter capabilities

2018-02-16 Thread Sargun Dhillon
to a cBPF one. Verification occurs at program load time, so the user should only receive errors related to attachment. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- arch/Kconfig | 8 +++ include/linux/bpf_types.h| 3 + include/linux/seccomp.h | 3 +- includ

[net-next v2 2/2] bpf: Add eBPF seccomp sample programs

2018-02-16 Thread Sargun Dhillon
This adds a sample program that uses seccomp-eBPF, called seccomp1. It shows the simple ability to code seccomp filters in C. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- samples/bpf/Makefile| 5 + samples/bpf/bpf_load.c | 9 +++-- samples/bpf/seccomp1_kern.

[net-next v2 0/2] eBPF Seccomp filters

2018-02-16 Thread Sargun Dhillon
ptrace patch / restore filter / sample * Add some safe helpers Sargun Dhillon (2): bpf, seccomp: Add eBPF filter capabilities bpf: Add eBPF seccomp sample programs arch/Kconfig | 8 +++ include/linux/bpf_types.h| 3 + include/linux/seccomp.h | 3 +- include/uap

Re: [PATCH net-next 1/3] bpf, seccomp: Add eBPF filter capabilities

2018-02-16 Thread Sargun Dhillon
On Tue, Feb 13, 2018 at 12:34 PM, Kees Cook <keesc...@chromium.org> wrote: > On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon <sar...@sargun.me> wrote: >> From: Sargun Dhillon <sar...@netflix.com> >> >> This introduces the BPF_PROG_TYPE_SECCOMP bpf

Re: [PATCH net-next 0/3] eBPF Seccomp filters

2018-02-16 Thread Sargun Dhillon
On Wed, Feb 14, 2018 at 8:30 PM, Alexei Starovoitov wrote: > On Wed, Feb 14, 2018 at 10:32:22AM -0700, Tycho Andersen wrote: >> > > >> > > What's the reason for adding eBPF support? seccomp shouldn't need it, >> > > and it only makes the code more complex. I'd rather

Re: [PATCH net-next 0/3] eBPF Seccomp filters

2018-02-13 Thread Sargun Dhillon
On Tue, Feb 13, 2018 at 9:02 AM, Jessie Frazelle <m...@jessfraz.com> wrote: > On Tue, Feb 13, 2018 at 11:29 AM, Sargun Dhillon <sar...@sargun.me> wrote: >> On Tue, Feb 13, 2018 at 7:47 AM, Kees Cook <keesc...@chromium.org> wrote: >>> On Tue, Feb 13,

Re: [PATCH net-next 0/3] eBPF Seccomp filters

2018-02-13 Thread Sargun Dhillon
On Tue, Feb 13, 2018 at 7:47 AM, Kees Cook <keesc...@chromium.org> wrote: > On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon <sar...@sargun.me> wrote: >> This patchset enables seccomp filters to be written in eBPF. Although, >> this patchset doesn't introduce much o

[PATCH net-next 3/3] bpf: Add eBPF seccomp sample programs

2018-02-13 Thread Sargun Dhillon
From: Sargun Dhillon <sar...@netflix.com> This adds two sample programs: seccomp1: A simple eBPF seccomp filter seccomp2: A program which installs an eBPF filter and then retrieves it via ptrace to show checkpoint / restore capability. Signed-off-by: Sargun Dhillo

[PATCH net-next 0/3] eBPF Seccomp filters

2018-02-13 Thread Sargun Dhillon
if we come to an agreement, this can be in a follow-up patchset. Sargun Dhillon (3): bpf, seccomp: Add eBPF filter capabilities seccomp, ptrace: Add a mechanism to retrieve attached eBPF seccomp filters bpf: Add eBPF seccomp sample programs arch/Kconfig | 7 ++ inc

[PATCH net-next 1/3] bpf, seccomp: Add eBPF filter capabilities

2018-02-13 Thread Sargun Dhillon
From: Sargun Dhillon <sar...@netflix.com> This introduces the BPF_PROG_TYPE_SECCOMP bpf program type. It is meant to be used for seccomp filters as an alternative to cBPF filters. The program type has relatively limited capabilities in terms of helpers, but that can be extended later on. I

[PATCH net-next 2/3] seccomp, ptrace: Add a mechanism to retrieve attached eBPF seccomp filters

2018-02-13 Thread Sargun Dhillon
From: Sargun Dhillon <sar...@netflix.com> This extends the ptrace API to allow fetching eBPF seccomp filters attached to programs. This is to enable checkpoint / restore cases. The user will have to use the traditional PTRACE_SECCOMP_GET_FILTER API call, and if they get an invalid mediu

Re: bpf bounded loops. Was: [flamebait] xdp

2016-12-03 Thread Sargun Dhillon
On Fri, Dec 2, 2016 at 4:20 PM, Alexei Starovoitov wrote: > On Fri, Dec 02, 2016 at 11:42:15AM -0800, John Fastabend wrote: >> >> As far as pattern search for DNS packets... >> >> it was requested by Cloudflare guys back in March: >> >>

[PATCH net-next 1/2] samples, bpf: Refactor test_current_task_under_cgroup - separate out helpers

2016-12-02 Thread Sargun Dhillon
This patch modifies test_current_task_under_cgroup_user. The test has several helpers around creating a temporary environment for cgroup testing, and moving the current task around cgroups. This set of helpers can then be used in other tests. Signed-off-by: Sargun Dhillon <sar...@sargun

[PATCH net-next 2/2] samples, bpf: Add automated test for cgroup filter attachments

2016-12-02 Thread Sargun Dhillon
is enabled, this test will fail. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- samples/bpf/Makefile | 2 + samples/bpf/test_cgrp2_attach2.c | 132 +++ 2 files changed, 134 insertions(+) create mode 100644 samples/bpf/test_cgrp2_attach2.c diff

[PATCH net-next 0/2] samples, bpf: Refactor; Add automated tests for cgroups

2016-12-02 Thread Sargun Dhillon
ault. With this code, we're able to pretty easily add an automated test for future cgroupsv2 functionality. Sargun Dhillon (2): samples, bpf: Refactor test_current_task_under_cgroup - separate out helpers samples, bpf: Add automated test for cgroup filter attachments samples/bpf/Make

Re: [net-next 1/1] samples: bpf: Refactor test_cgrp2_attach -- use getopt, and add mode

2016-11-28 Thread Sargun Dhillon
On Mon, Nov 28, 2016 at 7:50 PM, Alexei Starovoitov <alexei.starovoi...@gmail.com> wrote: > On Mon, Nov 28, 2016 at 02:52:42PM -0800, Sargun Dhillon wrote: >> This patch modifies test_cgrp2_attach to use getopt so we can use standard >> command line parsing. >> >&

[net-next 1/1] samples: bpf: Refactor test_cgrp2_attach -- use getopt, and add mode

2016-11-28 Thread Sargun Dhillon
and then attach. It relies on the 'hotswap' behaviour of CGroup BPF programs to be able to change in-place. If detach-then-attach behaviour needs to be tested, the example can be run in detach only mode prior to attachment. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- sampl

Re: [RFC v4 00/18] Landlock LSM: Unprivileged sandboxing

2016-11-14 Thread Sargun Dhillon
m could come from outside a process (e.g. passed through >> a >> UNIX socket). It is then useful to differentiate the creation/load of >> Landlock >> eBPF programs via bpf(2), from rule enforcing via seccomp(2). >> >> >> ## Why using cgroups? >> >

Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks

2016-09-19 Thread Sargun Dhillon
On Thu, Sep 15, 2016 at 09:41:33PM +0200, Mickaël Salaün wrote: > > On 15/09/2016 06:48, Alexei Starovoitov wrote: > > On Wed, Sep 14, 2016 at 09:38:16PM -0700, Andy Lutomirski wrote: > >> On Wed, Sep 14, 2016 at 9:31 PM, Alexei Starovoitov > >> wrote: > >>> On Wed,

Re: lsm naming dilemma. Re: [RFC v3 07/22] landlock: Handle file comparisons

2016-09-19 Thread Sargun Dhillon
I'm fine giving up the Checmate name. Landlock seems easy enough to Google. I haven't gotten a chance to look through the entire patchset yet, but it does seem like they are somewhat similar. On Mon, Sep 19, 2016 at 5:12 PM, Alexei Starovoitov wrote: > On Thu, Sep

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-19 Thread Sargun Dhillon
On Mon, Sep 19, 2016 at 06:34:28PM +0200, Daniel Mack wrote: > Hi, > > On 09/16/2016 09:57 PM, Sargun Dhillon wrote: > > On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote: > > >> I have no idea what makes you think this is limited to systemd. As I >

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-18 Thread Sargun Dhillon
On Fri, Sep 16, 2016 at 12:57:29PM -0700, Sargun Dhillon wrote: > On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote: > > Hi Pablo, > > > > On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote: > > > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote:

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-16 Thread Sargun Dhillon
On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote: > Hi Pablo, > > On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote: > > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: > >> On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: > >>> On Mon, Sep 12, 2016 at 06:12:09PM +0200,

Re: [PATCH v3 2/6] cgroup: add support for eBPF programs

2016-09-05 Thread Sargun Dhillon
On Mon, Sep 05, 2016 at 04:49:26PM +0200, Daniel Mack wrote: > Hi, > > On 08/30/2016 01:04 AM, Sargun Dhillon wrote: > > On Fri, Aug 26, 2016 at 09:58:48PM +0200, Daniel Mack wrote: > >> This patch adds two sets of eBPF program pointers to struct cgroup. > >> One

Re: [net-next RFC v2 4/9] bpf, security: Add Checmate security LSM and BPF program type

2016-08-29 Thread Sargun Dhillon
On Mon, Aug 29, 2016 at 02:49:17PM -0700, Alexei Starovoitov wrote: > On 8/29/16 12:24 PM, Tejun Heo wrote: > >Hello, Sargun. > > > >On Mon, Aug 29, 2016 at 11:49:07AM -0700, Sargun Dhillon wrote: > >>It would be a separate hook per LSM hook. Why wouldn't we want a

Re: [PATCH v3 2/6] cgroup: add support for eBPF programs

2016-08-29 Thread Sargun Dhillon
On Fri, Aug 26, 2016 at 09:58:48PM +0200, Daniel Mack wrote: > This patch adds two sets of eBPF program pointers to struct cgroup. > One for such that are directly pinned to a cgroup, and one for such > that are effective for it. > > To illustrate the logic behind that, assume the following

Re: [PATCH v3 5/6] net: core: run cgroup eBPF egress programs

2016-08-29 Thread Sargun Dhillon
On Tue, Aug 30, 2016 at 12:03:23AM +0200, Daniel Borkmann wrote: > On 08/26/2016 09:58 PM, Daniel Mack wrote: > >If the cgroup associated with the receiving socket has an eBPF > >programs installed, run them from __dev_queue_xmit(). > > > >eBPF programs used in this context are expected to either

Re: [net-next RFC v2 4/9] bpf, security: Add Checmate security LSM and BPF program type

2016-08-29 Thread Sargun Dhillon
On Mon, Aug 29, 2016 at 01:01:18PM -0400, Tejun Heo wrote: > Hello, > > On Mon, Aug 29, 2016 at 04:47:07AM -0700, Sargun Dhillon wrote: > > This patch adds a minor LSM, Checmate. Checmate is a flexible programmable, > > extensible minor LSM that's coupled with cgroups an

[net-next RFC v2 7/9] samples/bpf: Split out helper code from test_current_task_under_cgroup_user

2016-08-29 Thread Sargun Dhillon
easier. This patch is used in follow on samples. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- samples/bpf/Makefile | 2 +- samples/bpf/cgroup_helpers.c | 103 ++ samples/bpf/cgroup_helpers.h

[net-next RFC v2 8/9] samples/bpf: Add limit_connections, remap_bind checmate examples / tests

2016-08-29 Thread Sargun Dhillon
for not refcnting 2-tuples using atomic counters is the lack of a safe free mechanism. In order to run this program, you may need to bump your ulimit -l. 2) remap_bind This program rewrites binds from 6789 to 12345. It is meant to mimic the usage of DNAT. Signed-off-by: Sargun Dhillon <

[net-next RFC v2 9/9] doc: Add LSM / BPF Checmate docs

2016-08-29 Thread Sargun Dhillon
This adds documentation on how to operate, and develop against the Checmate LSM and Cgroup controller. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- Documentation/security/Checmate.txt | 54 + 1 file changed, 54 insertions(+) create mode

[net-next RFC v2 6/9] bpf: Share current_task_under_cgroup helper and expose to Checmate programs

2016-08-29 Thread Sargun Dhillon
This patch exposes the current_task_under_cgroup helper to Checmate programs. It can be used to implement exemptions for certain policies when using Checmate programs by wrapping a pre-compiled policy in a tail call along with this helper. Signed-off-by: Sargun Dhillon <sar...@sargun

[net-next RFC v2 5/9] bpf: Add bpf_probe_write_checmate helper

2016-08-29 Thread Sargun Dhillon
for introspecting sockets (getpeername) still works. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- include/uapi/linux/bpf.h | 11 security/checmate/checmate_bpf.c | 55 2 files changed, 66 insertions(+) diff --git a/includ

[net-next RFC v2 4/9] bpf, security: Add Checmate security LSM and BPF program type

2016-08-29 Thread Sargun Dhillon
complex policies can be installed on the cgroup hierarchy. These cgroup programs are tied to the kernel ABI version. If one tries to load a BPF program compiled against a different kernel version, an error will be thrown. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- include

[net-next RFC v2 1/9] net: Make cgroup sk data present when calling security_sk_(alloc/free)

2016-08-29 Thread Sargun Dhillon
This patch changes the order of allocations / calls to allocate the sock_cgroup_data before calling security_sk_alloc. In addition, this patch also reorders the deallocation when calling security_sk_free so that LSMs can examine the cgroup that a particular sk belongs to. Signed-off-by: Sargun

[net-next RFC v2 2/9] cgroups: move helper cgroup_parent to cgroup.h

2016-08-29 Thread Sargun Dhillon
This patch moves cgroup_parent into cgroup.h as a static inline helper function so that others can use it. Although this pattern is easy to implement, having it in one place simplifies the creation of new cgroup controllers. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- include

[net-next RFC v2 3/9] bpf: move tracing helpers (probe_read, get_current_task) to shared helpers

2016-08-29 Thread Sargun Dhillon
This patch moves bpf_probe_read and bpf_get_current_task to be the shared cgroup infrastructure. These are useful outside of the context of just tracing, but also inspection of a process memory during security policy enforcement. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- include

[net-next RFC v2 0/9] Add Checmate: BPF-driven minor LSM

2016-08-29 Thread Sargun Dhillon
way around this unless we decide that a subset of the lsm hooks API is immutable. That's a question for the LSM maintainers. Thanks to Alexei, Daniel B, and Daniel Mack, and Tejun for input. I would love to know what y'all think. Sargun Dhillon (9): net: Make cgroup sk data present when cal

Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups

2016-08-23 Thread Sargun Dhillon
On Tue, Aug 23, 2016 at 10:27:28AM +0200, Daniel Mack wrote: > On 08/22/2016 07:20 PM, Sargun Dhillon wrote: > > On Mon, Aug 22, 2016 at 06:22:20PM +0200, Daniel Mack wrote: > >> On 08/22/2016 06:06 PM, Pablo Neira Ayuso wrote: > > >>> This patchset also needs an

Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups

2016-08-22 Thread Sargun Dhillon
On Mon, Aug 22, 2016 at 06:22:20PM +0200, Daniel Mack wrote: > On 08/22/2016 06:06 PM, Pablo Neira Ayuso wrote: > > On Fri, Aug 19, 2016 at 07:07:39PM +0200, Thomas Graf wrote: > > >> You brought up multiple tables which reflect the cumulative approach. > >> This sometimes works but has its

Re: [RFC PATCH 4/5] net: filter: run cgroup eBPF programs

2016-08-21 Thread Sargun Dhillon
On Wed, Aug 17, 2016 at 04:00:47PM +0200, Daniel Mack wrote: > If CONFIG_CGROUP_BPF is enabled, and the cgroup associated with the > receiving socket has an eBPF programs installed, run them from > sk_filter_trim_cap(). > > eBPF programs used in this context are expected to either return 1 to >

Re: [RFC 0/4] RFC: Add Checmate, BPF-driven minor LSM

2016-08-15 Thread Sargun Dhillon
On Mon, Aug 15, 2016 at 12:59:13PM +0200, Mickaël Salaün wrote: > > On 15/08/2016 05:09, Sargun Dhillon wrote: > > On Mon, Aug 15, 2016 at 12:57:44AM +0200, Mickaël Salaün wrote: > >> Our approaches have some common points (i.e. use eBPF in an LSM, stacked > >>

Re: [RFC 0/4] RFC: Add Checmate, BPF-driven minor LSM

2016-08-14 Thread Sargun Dhillon
cess limiter. Do you have a way to make it so that a given container can only write, say, 100mb of data to disk? > Mickaël > > > [1] http://www.openwall.com/lists/kernel-hardening/2016/03/24/2 > > > > On 09/08/2016 02:22, Kees Cook wrote: > > On Mon, Aug 8,

[PATCH net-next v5 0/3] Add test_current_task_under_cgroup bpf helper and test

2016-08-12 Thread Sargun Dhillon
out of *.c files, add an "integration" test v3->v4: De-genericize arraymap fetching function; rename helper from in_cgroup to under_cgroup (makes much more sense) Split adding cgroups task_under_cgroup_hierarchy function v4->v5: Fix formatting S

[PATCH net-next v5 3/3] samples/bpf: Add test_current_task_under_cgroup test

2016-08-12 Thread Sargun Dhillon
to execution in userspace. This means that the program must be run in the same cgroups namespace as the programs that are being traced. Signed-off-by: Sargun Dhillon <sar...@sargun.me> Cc: Alexei Starovoitov <a...@kernel.org> Cc: Daniel Borkmann <dan...@iogearbox.net> Cc: Tejun He

[PATCH net-next v5 2/3] bpf: Add bpf_current_task_under_cgroup helper

2016-08-12 Thread Sargun Dhillon
return an error. The helper is primarily to be used in debugging activities for containers, where you may have multiple programs running in a given top-level "container". Signed-off-by: Sargun Dhillon <sar...@sargun.me> Cc: Alexei Starovoitov <a...@kernel.org> Cc: Daniel Borkmann

[PATCH net-next v5 1/3] cgroup: Add task_under_cgroup_hierarchy cgroup inline function to headers

2016-08-12 Thread Sargun Dhillon
This commit adds an inline function to cgroup.h to check whether a given task is under a given cgroup hierarchy. This is to avoid having to put ifdefs in .c files to gate access to cgroups. When cgroups are disabled this always returns true. Signed-off-by: Sargun Dhillon <sar...@sargun.me&

Re: [PATCH net-next v4 2/3] bpf: Add bpf_current_task_under_cgroup helper

2016-08-12 Thread Sargun Dhillon
On Fri, Aug 12, 2016 at 09:16:07AM +0200, Daniel Borkmann wrote: > On 08/12/2016 06:50 AM, Sargun Dhillon wrote: > >I realize that in_cgroup is more consistent, but under_cgroup makes > >far more sense to me. I think it's more intuitive. > > > >On Thu, Aug 11, 2016 at

Re: [PATCH net-next v4 2/3] bpf: Add bpf_current_task_under_cgroup helper

2016-08-11 Thread Sargun Dhillon
I realize that in_cgroup is more consistent, but under_cgroup makes far more sense to me. I think it's more intuitive. On Thu, Aug 11, 2016 at 9:48 PM, Alexei Starovoitov <alexei.starovoi...@gmail.com> wrote: > On Thu, Aug 11, 2016 at 08:14:56PM -0700, Sargun Dhillon wrote: >>

[PATCH net-next v4 3/3] samples/bpf: Add test_current_task_under_cgroup test

2016-08-11 Thread Sargun Dhillon
to execution in userspace. This means that the program must be run in the same cgroups namespace as the programs that are being traced. Signed-off-by: Sargun Dhillon <sar...@sargun.me> Cc: Alexei Starovoitov <a...@kernel.org> Cc: Daniel Borkmann <dan...@iogearbox.net> Cc: Tejun He

[PATCH net-next v4 2/3] bpf: Add bpf_current_task_under_cgroup helper

2016-08-11 Thread Sargun Dhillon
return an error. The helper is primarily to be used in debugging activities for containers, where you may have multiple programs running in a given top-level "container". Signed-off-by: Sargun Dhillon <sar...@sargun.me> Cc: Alexei Starovoitov <a...@kernel.org> Cc: Daniel Borkmann

[PATCH net-next v4 1/3] cgroup: Add task_under_cgroup_hierarchy cgroup inline function to headers

2016-08-11 Thread Sargun Dhillon
This commit adds an inline function to cgroup.h to check whether a given task is under a given cgroup hierarchy. This is to avoid having to put ifdefs in .c files to gate access to cgroups. When cgroups are disabled this always returns true. Signed-off-by: Sargun Dhillon <sar...@sargun.me&

[PATCH net-next v4 0/3]

2016-08-11 Thread Sargun Dhillon
out of *.c files, add an "integration" test v3->v4: De-genericize arraymap fetching function; rename helper from in_cgroup to under_cgroup (makes much more sense) Split adding cgroups task_under_cgroup_hierarchy function Sargun Dhillon (3): cgroup: Add task_under_c

[PATCH net-next v3 2/2] samples/bpf: Add test_current_task_in_cgroup test

2016-08-11 Thread Sargun Dhillon
to execution in userspace. This means that the program must be run in the same cgroups namespace as the programs that are being traced. Signed-off-by: Sargun Dhillon <sar...@sargun.me> Cc: Alexei Starovoitov <a...@kernel.org> Cc: Daniel Borkmann <dan...@iogearbox.net> Cc: Tejun He

[PATCH net-next v3 1/2] bpf: Add bpf_current_task_in_cgroup helper

2016-08-11 Thread Sargun Dhillon
Signed-off-by: Sargun Dhillon <sar...@sargun.me> Cc: Alexei Starovoitov <a...@kernel.org> Cc: Daniel Borkmann <dan...@iogearbox.net> Cc: Tejun Heo <t...@kernel.org> --- include/linux/bpf.h | 22 ++ include/linux/cgroup.h | 23

[PATCH net-next v3 0/2] Add bpf current_task_in_cgroup helper & opensnoop example

2016-08-11 Thread Sargun Dhillon
f *.c files, add an "integration" test Sargun Dhillon (2): bpf: Add bpf_current_task_in_cgroup helper samples/bpf: Add test_current_task_in_cgroup test include/linux/bpf.h| 22 include/linux/cgroup.h | 23 include/uapi/linux/bpf.h

Re: [net-next v2 v2 1/2] bpf: Add bpf_current_task_in_cgroup helper

2016-08-09 Thread Sargun Dhillon
On Tue, Aug 09, 2016 at 08:52:01PM -0700, Alexei Starovoitov wrote: > On Tue, Aug 09, 2016 at 08:40:05PM -0700, Sargun Dhillon wrote: > > On Tue, Aug 09, 2016 at 08:27:32PM -0700, Alexei Starovoitov wrote: > > > On Tue, Aug 09, 2016 at 06:26:37PM -0700, Sargun Dhillon wrote: >

Re: [net-next v2 v2 1/2] bpf: Add bpf_current_task_in_cgroup helper

2016-08-09 Thread Sargun Dhillon
On Tue, Aug 09, 2016 at 08:27:32PM -0700, Alexei Starovoitov wrote: > On Tue, Aug 09, 2016 at 06:26:37PM -0700, Sargun Dhillon wrote: > > On Tue, Aug 09, 2016 at 06:02:34PM -0700, Alexei Starovoitov wrote: > > > On Tue, Aug 09, 2016 at 05:55:26PM -0700, Sargun Dhillon wrote: >

Re: [net-next v2 v2 1/2] bpf: Add bpf_current_task_in_cgroup helper

2016-08-09 Thread Sargun Dhillon
On Tue, Aug 09, 2016 at 06:02:34PM -0700, Alexei Starovoitov wrote: > On Tue, Aug 09, 2016 at 05:55:26PM -0700, Sargun Dhillon wrote: > > On Tue, Aug 09, 2016 at 05:23:50PM -0700, Alexei Starovoitov wrote: > > > On Tue, Aug 09, 2016 at 05:00:12PM -0700, Sargun Dhillon wrote:

Re: [net-next v2 v2 1/2] bpf: Add bpf_current_task_in_cgroup helper

2016-08-09 Thread Sargun Dhillon
On Tue, Aug 09, 2016 at 05:23:50PM -0700, Alexei Starovoitov wrote: > On Tue, Aug 09, 2016 at 05:00:12PM -0700, Sargun Dhillon wrote: > > This adds a bpf helper that's similar to the skb_in_cgroup helper to check > > whether the probe is currently executing in the context of a spec

[net-next v2 v2 2/2] samples/bpf: Add opensnoop example that uses current_task_in_cgroup helper

2016-08-09 Thread Sargun Dhillon
that the program must be run in the same cgroups namespace as the programs that are being traced. Signed-off-by: Sargun Dhillon <sar...@sargun.me> Cc: Alexei Starovoitov <a...@kernel.org> Cc: Daniel Borkmann <dan...@iogearbox.net> --- samples/bpf/Makefile | 4 +++ samples

[net-next v2 v2 1/2] bpf: Add bpf_current_task_in_cgroup helper

2016-08-09 Thread Sargun Dhillon
Signed-off-by: Sargun Dhillon <sar...@sargun.me> Cc: Alexei Starovoitov <a...@kernel.org> Cc: Daniel Borkmann <dan...@iogearbox.net> --- include/linux/bpf.h | 24 include/uapi/linux/bpf.h | 11 +++ kernel/bpf/arraymap.c| 2 +- k

[net-next v2 v2 0/2] Add bpf current_task_in_cgroup helper & opensnoop example

2016-08-09 Thread Sargun Dhillon
ust supply a specific cgroup in the hierarchy, and it'll print out all files being opened under it. v1->v2: Add better example code -- OpenSnoop, clean up Sargun Dhillon (2): bpf: Add bpf_current_task_in_cgroup helper samples/bpf: Add opensnoop example that uses current_task_in_cgro

Re: [RFC 0/4] RFC: Add Checmate, BPF-driven minor LSM

2016-08-08 Thread Sargun Dhillon
On Mon, Aug 08, 2016 at 04:44:02PM -0700, Kees Cook wrote: > On Thu, Aug 4, 2016 at 12:11 AM, Sargun Dhillon <sar...@sargun.me> wrote: > > I distributed this patchset to linux-security-mod...@vger.kernel.org > > earlier, > > but based on the fact that the archive is

Re: [net-next 0/2] BPF, kprobes: Add current_in_cgroup helper

2016-08-08 Thread Sargun Dhillon
On Mon, Aug 08, 2016 at 11:27:32AM +0200, Daniel Borkmann wrote: > On 08/08/2016 05:52 AM, Alexei Starovoitov wrote: > >On Sun, Aug 07, 2016 at 08:08:19PM -0700, Sargun Dhillon wrote: > >>Thanks for your feedback Alexei, > >>I really appreciate it. > >> > >

Re: [net-next 0/2] BPF, kprobes: Add current_in_cgroup helper

2016-08-07 Thread Sargun Dhillon
Thanks for your feedback Alexei, I really appreciate it. On Sun, Aug 07, 2016 at 05:52:36PM -0700, Alexei Starovoitov wrote: > On Sat, Aug 06, 2016 at 09:56:06PM -0700, Sargun Dhillon wrote: > > On Sat, Aug 06, 2016 at 09:32:05PM -0700, Alexei Starovoitov wrote: > > > On Sat,

Re: [net-next 0/2] BPF, kprobes: Add current_in_cgroup helper

2016-08-06 Thread Sargun Dhillon
On Sat, Aug 06, 2016 at 09:32:05PM -0700, Alexei Starovoitov wrote: > On Sat, Aug 06, 2016 at 09:06:53PM -0700, Sargun Dhillon wrote: > > This patchset includes a helper and an example to determine whether the > > kprobe > > is currently executing in the context of a

[net-next 2/2] samples/bpf: Add example using current_in_cgroup

2016-08-06 Thread Sargun Dhillon
This is a simple trace example that shows programs connecting, but only if they're in a chosen cgroup. Signed-off-by: Sargun Dhillon <sar...@sargun.me> Cc: Alexei Starovoitov <a...@kernel.org> Cc: Daniel Borkmann <dan...@iogearbox.net> --- samples/bpf/Makefile

[net-next 0/2] BPF, kprobes: Add current_in_cgroup helper

2016-08-06 Thread Sargun Dhillon
This patchset includes a helper and an example to determine whether the kprobe is currently executing in the context of a specific cgroup based on a cgroup bpf map / array. Sargun Dhillon (2): bpf: Add bpf_current_in_cgroup helper samples/bpf: Add example using current_in_cgroup include

[net-next 1/2] bpf: Add bpf_current_in_cgroup helper

2016-08-06 Thread Sargun Dhillon
This adds a kprobe helper that's similar to the skb_in_cgroup helper. It checks whether the probe is currently executing in the context of the cgroup at the given index in a CGROUP_ARRAY. Signed-off-by: Sargun Dhillon <sar...@sargun.me> Cc: Alexei Starovoitov <a...@kernel.org> Cc: Dan

Re: [RFC 2/4] bpf, security: Add Checmate

2016-08-05 Thread Sargun Dhillon
On Thu, Aug 04, 2016 at 05:34:32PM +0800, zhuyj wrote: > Sure. > Is it better to add > #ifndef CONFIG_PREEMPT_RCU ? > > On Thu, Aug 4, 2016 at 4:28 PM, Eric Dumazet wrote: > > Please do not top post > > > > On Thu, 2016-08-04 at 16:08 +0800, zhuyj wrote: > >> +void

Re: [RFC 0/4] RFC: Add Checmate, BPF-driven minor LSM

2016-08-04 Thread Sargun Dhillon
On Thu, Aug 04, 2016 at 11:45:08AM +0200, Daniel Borkmann wrote: > Hi Sargun, > > On 08/04/2016 09:11 AM, Sargun Dhillon wrote: > [...] > >[It's a] minor LSM. My particular use case is one in which containers are > >being > >dynamically deployed to machines by inte

Re: [RFC 0/4] RFC: Add Checmate, BPF-driven minor LSM

2016-08-04 Thread Sargun Dhillon
On Thu, Aug 04, 2016 at 10:41:17AM +0200, Richard Weinberger wrote: > Sargun, > > On Thu, Aug 4, 2016 at 9:11 AM, Sargun Dhillon <sar...@sargun.me> wrote: > > I distributed this patchset to linux-security-mod...@vger.kernel.org > > earlier, > > but based on

[RFC 4/4] bpf: Restrict Checmate bpf programs to current kernel ABI

2016-08-04 Thread Sargun Dhillon
I think it makes sense to restrict Checmate to loading programs that have been compiled with the current kernel ABI. We can further stabilize the ABI, and perhaps lift this restriction later. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- kernel/bpf/syscall.c | 2 +- sampl

[RFC 0/4] RFC: Add Checmate, BPF-driven minor LSM

2016-08-04 Thread Sargun Dhillon
blobs in some cases. I would love to know what y'all think. Sargun Dhillon (4): bpf: move tracing helpers to shared helpers bpf, security: Add Checmate security/checmate: Add Checmate sample bpf: Restrict Checmate bpf programs to current kernel ABI include/linux/bpf.h | 2

[RFC 2/4] bpf, security: Add Checmate

2016-08-04 Thread Sargun Dhillon
would lock their hooks. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- include/linux/checmate.h | 38 + include/uapi/linux/Kbuild| 1 + include/uapi/linux/bpf.h | 1 + include/uapi/linux/checmate.h| 65 + include/uapi/linux/p

[RFC 1/4] bpf: move tracing helpers to shared helpers

2016-08-04 Thread Sargun Dhillon
Move bpf_probe_read and bpf_get_current_task to the shared helpers so that Checmate can use them. Signed-off-by: Sargun Dhillon <sar...@sargun.me> --- include/linux/bpf.h | 2 ++ kernel/bpf/helpers.c | 34 ++ kernel/trace/bpf_trace.

[RFC 3/4] security/checmate: Add Checmate sample

2016-08-04 Thread Sargun Dhillon
The Checmate sample installs a policy barring new AF_INET connections to port 1. We install the hook, and show an example of connect returning EPERM, and then reset the policy. If this is running concurrently with other policy engines, bad things could happen. Signed-off-by: Sargun Dhillon <

[PATCH net-next v7 0/2] bpf: add bpf_probe_write_user helper & example

2016-07-25 Thread Sargun Dhillon
me bpf_probe_write -> bpf_probe_write_user v6->v7: More formatting cleanup. Clarifying a few comments Clarified log message Sargun Dhillon (2): bpf: Add bpf_probe_write_user BPF helper to be called in tracers samples/bpf: Add test/example of using bpf_probe_write_user bpf hel

[PATCH net-next v7 1/2] bpf: Add bpf_probe_write_user BPF helper to be called in tracers

2016-07-25 Thread Sargun Dhillon
this feature is meant for experiments, and it has a risk of crashing the system, and running programs, we print a warning when a proglet that attempts to use this helper is installed, along with the pid and process name. Signed-off-by: Sargun Dhillon <sar...@sargun.me> Cc: Alexei Staro

[PATCH net-next v7 2/2] samples/bpf: Add test/example of using bpf_probe_write_user bpf helper

2016-07-25 Thread Sargun Dhillon
/dev/null +++ b/samples/bpf/test_probe_write_user_kern.c @@ -0,0 +1,52 @@ +/* Copyright (c) 2016 Sargun Dhillon <sar...@sargun.me> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of version 2 of the GNU General Public + * License as publishe

Relax kern_version constraints on bpf kprobes?

2016-07-23 Thread Sargun Dhillon
In kernel/bpf/syscall.c we restrict programs loading bpf kprobe programs so attr.kern_version must be exactly equal to what the user is running at the moment. This makes a lot of sense because kprobes can touch lots of unstable bits of the kernel ABI. Unfortunately, this makes it really

[PATCH net-next v6 2/2] samples/bpf: Add test/example of using bpf_probe_write_user bpf helper

2016-07-23 Thread Sargun Dhillon
/dev/null +++ b/samples/bpf/test_probe_write_user_kern.c @@ -0,0 +1,52 @@ +/* Copyright (c) 2016 Sargun Dhillon <sar...@sargun.me> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of version 2 of the GNU General Public + * License as publishe
