Commit a11c397c authored by Stanislav Fomichev's avatar Stanislav Fomichev Committed by Alexei Starovoitov

bpf/flow_dissector: add mode to enforce global BPF flow dissector

Always use init_net flow dissector BPF program if it's attached and fall
back to the per-net namespace one. Also, deny installing new programs if
there is already one attached to the root namespace.
Users can still detach their BPF programs, but can't attach any
new ones (-EEXIST).

Cc: Petar Penkov <ppenkov@google.com>
Acked-by: default avatarAndrii Nakryiko <andriin@fb.com>
Acked-by: default avatarSong Liu <songliubraving@fb.com>
Signed-off-by: default avatarStanislav Fomichev <sdf@google.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 4564a8bb
...@@ -142,3 +142,6 @@ BPF flow dissector doesn't support exporting all the metadata that in-kernel ...@@ -142,3 +142,6 @@ BPF flow dissector doesn't support exporting all the metadata that in-kernel
C-based implementation can export. Notable example is single VLAN (802.1Q) C-based implementation can export. Notable example is single VLAN (802.1Q)
and double VLAN (802.1AD) tags. Please refer to the ``struct bpf_flow_keys`` and double VLAN (802.1AD) tags. Please refer to the ``struct bpf_flow_keys``
for a set of information that's currently can be exported from the BPF context. for a set of information that's currently can be exported from the BPF context.
When BPF flow dissector is attached to the root network namespace (machine-wide
policy), users can't override it in their child network namespaces.
...@@ -114,19 +114,46 @@ int skb_flow_dissector_bpf_prog_attach(const union bpf_attr *attr, ...@@ -114,19 +114,46 @@ int skb_flow_dissector_bpf_prog_attach(const union bpf_attr *attr,
{ {
struct bpf_prog *attached; struct bpf_prog *attached;
struct net *net; struct net *net;
int ret = 0;
net = current->nsproxy->net_ns; net = current->nsproxy->net_ns;
mutex_lock(&flow_dissector_mutex); mutex_lock(&flow_dissector_mutex);
if (net == &init_net) {
/* BPF flow dissector in the root namespace overrides
* any per-net-namespace one. When attaching to root,
* make sure we don't have any BPF program attached
* to the non-root namespaces.
*/
struct net *ns;
for_each_net(ns) {
if (rcu_access_pointer(ns->flow_dissector_prog)) {
ret = -EEXIST;
goto out;
}
}
} else {
/* Make sure root flow dissector is not attached
* when attaching to the non-root namespace.
*/
if (rcu_access_pointer(init_net.flow_dissector_prog)) {
ret = -EEXIST;
goto out;
}
}
attached = rcu_dereference_protected(net->flow_dissector_prog, attached = rcu_dereference_protected(net->flow_dissector_prog,
lockdep_is_held(&flow_dissector_mutex)); lockdep_is_held(&flow_dissector_mutex));
if (attached) { if (attached) {
/* Only one BPF program can be attached at a time */ /* Only one BPF program can be attached at a time */
mutex_unlock(&flow_dissector_mutex); ret = -EEXIST;
return -EEXIST; goto out;
} }
rcu_assign_pointer(net->flow_dissector_prog, prog); rcu_assign_pointer(net->flow_dissector_prog, prog);
out:
mutex_unlock(&flow_dissector_mutex); mutex_unlock(&flow_dissector_mutex);
return 0; return ret;
} }
int skb_flow_dissector_bpf_prog_detach(const union bpf_attr *attr) int skb_flow_dissector_bpf_prog_detach(const union bpf_attr *attr)
...@@ -910,6 +937,9 @@ bool __skb_flow_dissect(const struct net *net, ...@@ -910,6 +937,9 @@ bool __skb_flow_dissect(const struct net *net,
WARN_ON_ONCE(!net); WARN_ON_ONCE(!net);
if (net) { if (net) {
rcu_read_lock(); rcu_read_lock();
attached = rcu_dereference(init_net.flow_dissector_prog);
if (!attached)
attached = rcu_dereference(net->flow_dissector_prog); attached = rcu_dereference(net->flow_dissector_prog);
if (attached) { if (attached) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment