On 06/01/2017 03:15 AM, Chenbo Feng wrote:
From: Chenbo Feng <fe...@google.com>
This allows cgroup eBPF program to classify packet based on their
protocol or other detail information. Currently program need
CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and A
process with CAP_NET_ADMIN can already see all packets on the system,
for example, by creating an iptables rules that causes the packet to
be passed to userspace via NFLOG.
Signed-off-by: Chenbo Feng <fe...@google.com>
Sorry, but I am puzzled what above change log has to do with the
below diff?! Back then we decided not to add BPF_PROG_TYPE_CGROUP_SKB
to may_access_skb(), since one can already use bpf_skb_load_bytes()
helper to access pkt data, which is a much more flexible interface.
Mind to elaborate why you cannot use bpf_skb_load_bytes() instead?
---
kernel/bpf/verifier.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 339c8a1..94a9bc9 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2419,6 +2419,7 @@ static bool may_access_skb(enum bpf_prog_type type)
case BPF_PROG_TYPE_SOCKET_FILTER:
case BPF_PROG_TYPE_SCHED_CLS:
case BPF_PROG_TYPE_SCHED_ACT:
+ case BPF_PROG_TYPE_CGROUP_SKB:
return true;
default:
return false;
