eturn value to indicate that CAP_NET_BIND_SERVICE
> check should be ignored. Use the same idea as we currently use
> in cgroup/egress where bit #1 indicates CN. Instead, for
> cgroup/bind{4,6}, bit #1 indicates that CAP_NET_BIND_SERVICE should
> be bypassed.
>
> v5:
> - renam
sing IPv6 support (Martin KaFai Lau)
>
> v3:
> - Update description (Martin KaFai Lau)
> - Fix capability restore in selftest (Martin KaFai Lau)
>
> v2:
> - Switch to explicit return code (Martin KaFai Lau)
>
> Cc: Andrey Ignatov
> Cc: Martin KaFai Lau
> Signed-o
P_RUN_PROG_INET4_POST_BIND(sk) ({ 0; })
> #define BPF_CGROUP_RUN_PROG_INET6_POST_BIND(sk) ({ 0; })
> #define BPF_CGROUP_RUN_PROG_INET4_CONNECT(sk, uaddr) ({ 0; })
...
[0] https://lore.kernel.org/bpf/20210121223330.pyk4ljtjirm2zlay@kafai-mbp/
--
Andrey Ignatov
Stanislav Fomichev [Fri, 2021-01-22 11:54 -0800]:
> On Fri, Jan 22, 2021 at 11:37 AM Andrey Ignatov wrote:
> >
> > Stanislav Fomichev [Wed, 2021-01-20 18:09 -0800]:
> > > At the moment, BPF_CGROUP_INET{4,6}_BIND hooks can rewrite user_port
>
Cong Wang [Mon, 2020-12-14 12:11 -0800]:
> From: Cong Wang
>
> In map ptr test, a hard-coded 64 is used to check hash element size.
> Increase it to 72 as we increase the size of struct htab_elem. It
> seems struct htab_elem is not visible here.
>
> Cc: Andrey Ignatov
>
Cong Wang [Mon, 2020-12-14 12:11 -0800]:
> From: Cong Wang
>
> Similar to regular hashmap test.
>
> Cc: Andrey Ignatov
> Cc: Alexei Starovoitov
> Cc: Daniel Borkmann
> Cc: Dongdong Wang
> Signed-off-by: Cong Wang
Thanks.
Acked-by: Andrey Ignatov
>
heck.
`htab->elem_size` was chosen semi-randomly since any bpf_htab-specific
field would work for the test's purposes.
Hope it clarifies.
Also since you add a new map type it would be great to cover it in
tools/testing/selftests/bpf/progs/map_ptr_kern.c as well.
--
Andrey Ignatov
s...@google.com [Tue, 2020-12-01 10:43 -0800]:
> On 11/30, Andrey Ignatov wrote:
> > s...@google.com [Mon, 2020-11-30 08:38 -0800]:
> > > On 11/29, Andrey Ignatov wrote:
> > > > Alexei Starovoitov [Tue, 2020-11-17
> > 20:05
> > > > -0800]:
>
Stanislav Fomichev [Tue, 2020-11-17 16:18 -0800]:
> I have to now lock/unlock socket for the bind hook execution.
> That shouldn't cause any overhead because the socket is unbound
> and shouldn't receive any traffic.
>
> Signed-off-by: Stanislav Fomichev
s...@google.com [Mon, 2020-11-30 08:38 -0800]:
> On 11/29, Andrey Ignatov wrote:
> > Alexei Starovoitov [Tue, 2020-11-17 20:05
> > -0800]:
> > > On Tue, Nov 17, 2020 at 4:17 PM Stanislav Fomichev
> > wrote:
> [..]
> > >
> > > I think it is
inet6.c b/net/ipv6/af_inet6.c
> > index e648fbebb167..a7e3d170af51 100644
> > --- a/net/ipv6/af_inet6.c
> > +++ b/net/ipv6/af_inet6.c
> > @@ -451,7 +451,7 @@ int inet6_bind(struct socket *sock, struct sockaddr
> > *uaddr, int addr_len)
> > /* BPF prog is run before any checks are done so that if the prog
> > * changes context in a wrong way it will be caught.
> > */
> > - err = BPF_CGROUP_RUN_PROG_INET6_BIND(sk, uaddr);
> > + err = BPF_CGROUP_RUN_PROG_INET6_BIND_LOCK(sk, uaddr);
> > if (err)
> > return err;
> >
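Review bot: The comment above the changed call in inet6_bind() still only says the program runs before any checks are done. With the switch to BPF_CGROUP_RUN_PROG_INET6_BIND_LOCK the hook is run through the _LOCK variant, and nothing at the call site says why taking the socket lock here is safe. Extending that comment with the reason given in the commit message (the socket is still unbound and should not receive traffic) would put the explanation where a reader will look for it.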
> > --
> > 2.29.2.299.gdc1121823c-goog
> >
--
Andrey Ignatov
in
the same object.
I don't have strong preferences on the implementation side as long as it
covers the use-case, e.g. the one in the patch set would work FWIW.
> > If it's just unreferenced by program read only data then no special names or
> > prefixes are needed. We can introduce BPF_PROG_BIND_MAP to bind any map to
> > any
> > program and it would be up to tooling to decide the meaning of the data in
> > the
> > map. For example, bpftool can choose to print all variables from all read
> > only
> > maps that match "bpf_metadata_" prefix, but it will be bpftool convention
> > only
> > and not hard coded in libbpf.
>
> Agree as well. It feels a bit odd for libbpf to handle ".metadata"
> specially, given libbpf itself doesn't care about its contents at all.
>
> So thanks for bringing this up, I think this is an important discussion to
> have.
--
Andrey Ignatov
gs/connect_force_port6.c | 70 +++-
> 20 files changed, 295 insertions(+), 54 deletions(-)
>
> --
> 2.21.0
Just one minor nit on network_helpers but other than this LGTM.
Thanks for adding these helpers Daniel!
Acked-by: Andrey Ignatov
--
Andrey Ignatov
> #14 connect_force_port:OK
> Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
>
> Signed-off-by: Daniel Borkmann
> Cc: Andrey Ignatov
> ---
> --- a/tools/testing/selftests/bpf/network_helpers.c
> +++ b/tools/testing/selftests/bpf/network_helpers.c
> @@ -5,6 +5,8 @@
> #inclu
ndicate that the call site is BPF program.
>
> v3:
> * More bpf_bind documentation refinements (Martin KaFai Lau)
> * Add UDP tests as well (Martin KaFai Lau)
> * Don't start the thread, just do socket+bind+listen (Martin KaFai Lau)
>
> v2:
> * Update documentation (An
ndicate that the call site is BPF program.
>
> v2:
> * Update documentation (Andrey Ignatov)
> * Pass BIND_FORCE_ADDRESS_NO_PORT conditionally (Andrey Ignatov)
>
> Cc: Andrey Ignatov
> Signed-off-by: Stanislav Fomichev
Thanks. LGTM.
Acked-by: Andrey Ignatov
--
Andrey Ignatov
s...@google.com [Tue, 2020-05-05 09:02 -0700]:
> On 05/04, Andrey Ignatov wrote:
> > Stanislav Fomichev [Mon, 2020-05-04 10:34 -0700]:
> > > We want to have a tighter control on what ports we bind to in
> > > the BPF_CGROUP_INET{4,6}_CONNECT hooks even if it me
s...@google.com [Tue, 2020-05-05 10:09 -0700]:
> On 05/05, Stanislav Fomichev wrote:
> > On 05/04, Andrey Ignatov wrote:
> > > Stanislav Fomichev [Mon, 2020-05-04 10:34 -0700]:
> > > > [...]
> > > > diff --git a/net/core/filter.c b/net/core/filter.
prevent
> us from calling POST_BIND hook anymore, let's add another bind flag
> to indicate that the call site is BPF program.
>
> Cc: Andrey Ignatov
> Signed-off-by: Stanislav Fomichev
> ---
> include/net/inet_common.h | 2 +
> net/core/fi
Stanislav Fomichev [Fri, 2020-05-01 15:07 -0700]:
> On Fri, May 1, 2020 at 2:52 PM Andrey Ignatov wrote:
> >
> > Stanislav Fomichev [Thu, 2020-04-30 16:32 -0700]:
> > > Currently, bpf_getsockopt and bpf_setsockopt helpers operate on the
> > >
, {sa_family=AF_INET, sin_port=htons(4040),
sin_addr=inet_addr("192.168.1.254")}, 128) = -1 EPERM (Operation not permitted)
(test_sock_addr.c:1201: errno: Operation not permitted) Fail to connect
to server
Test case: connect4: rewrite IP & TCP port .. [FAIL]
I verified that commenting out this new `if` fixes the problem, but
haven't spent time root-causing it. Could you please look at it?
Thanks.
--
Andrey Ignatov
r parsing of
> version from libbpf.map.
>
> v2->v3:
> - grep -o + sort -rV (Andrey);
>
> v1->v2:
> - eager version vars evaluation (Jakub);
> - simplified version regex (Andrey);
Acked-by: Andrey Ignatov
> Cc: Andrey Ignatov
> Signed-off-by: Andrii Nak
Andrii Nakryiko [Tue, 2019-08-13 21:46 -0700]:
> On Tue, Aug 13, 2019 at 5:28 PM Andrey Ignatov wrote:
> >
> > Andrii Nakryiko [Tue, 2019-08-13 16:24 -0700]:
> > > Currently libbpf version is specified in 2 places: libbpf.map and
> > > Makefile. They easily get
r parsing of
> version from libbpf.map.
Thanks for taking care of this!
> Cc: Andrey Ignatov
> Signed-off-by: Andrii Nakryiko
> ---
> tools/lib/bpf/Makefile | 12 +---
> tools/lib/bpf/libbpf.map | 3 +++
> 2 files changed, 8 insertions(+), 7 deletions(-)
>
> * serialized static variable update using WRITE_ONCE()
> * fixed Fixes tag
This "Changes" section should be after "---" line not to be included in
the final commit message.
Not sure if resubmit is needed because of it, but other than this looks
good to me.
Acked-by
ines.
>
> Since checking bitwise operations doesn't seem to be the point of the
> test, replace two short comparisons with a single int comparison.
>
> Signed-off-by: Ilya Leoshkevich
Acked-by: Andrey Ignatov
IIRC I did it this way to test 16bit loads from C prog
>
> > > And with new "-e" option it shows all effective programs for cg2:
> > >
> > > # bpftool -e cgroup show /sys/fs/cgroup/cgroup-test-work-dir/cg1/cg2
> > > ID AttachType AttachFlags Name
> > > 273 egress o
Andrey Ignatov [Thu, 2019-06-06 13:45 -0700]:
> Daniel Borkmann [Thu, 2019-06-06 07:36 -0700]:
> > Please refer to the patch 1/4 as the main patch with the details
> > on the current sendmsg hook API limitations and proposal to fix
> > it in order to work with basic
/linux/bpf.h| 2 +
> tools/testing/selftests/bpf/test_sock_addr.c | 213 --
> 14 files changed, 250 insertions(+), 26 deletions(-)
tools/lib/bpf/libbpf.c should also be updated: section_names and
bpf_prog_type__needs_kver. Please either follow-up separately or send
v3. Other than this LGTM.
Acked-by: Andrey Ignatov
--
Andrey Ignatov
either cgroup-bpf programs or programs that access skb.
The new file is added to the index and verified by `make htmldocs` /
sanity-check by lynx.
Signed-off-by: Andrey Ignatov
---
Documentation/bpf/index.rst | 9 ++
Documentation/bpf/prog_cgroup_sysctl.rst | 125
sysctl_tcp_mem
# bpftool c d /mnt/cgroup2/bla sysctl id 9
# bpftool c t
CgroupPath
ID AttachType AttachFlags Name
Signed-off-by: Andrey Ignatov
---
tools/bpf/bpftool/Documentation/bpftool-cgroup.rst | 5 +++--
tools/bpf/bpftool/Documentation
nel/bpf/cgroup.c:837:17: note: in expansion of macro 'min'
ctx.new_len = min(PAGE_SIZE, *pcount);
^~~
Fixes: 4e63acdff864 ("bpf: Introduce bpf_sysctl_{get,set}_new_value helpers")
Signed-off-by: Andrey Ignatov
---
kernel/bpf/cgroup.c | 2 +-
1 file changed,
t sockaddr, sa_family))
> > + return err;
>
> the verifier will check that addr_len is not zero,
> but it can be one byte, so it's a good check.
> Thanks!
True, I missed this corner-case. Thanks for fixing.
Acked-by: Andrey Ignatov
> > if (a
's already handled. But if it helps KMSAN, that's probably fine to
double-check it here. Or it's considered false positive?
> /* The following checks are replicated from __ip6_datagram_connect()
> * and intended to prevent BPF program called below from accessing
>* bytes that are out of the bound specified by user in addr_len.
--
Andrey Ignatov
gcc/Warning-Options.html
Fixes: d859900c4c56 ("bpf, libbpf: support global data/bss/rodata sections")
Reported-by: Evgeny Vereshchagin
Signed-off-by: Andrey Ignatov
---
tools/lib/bpf/libbpf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/lib/bpf/libbpf.c b/
[-Werror,-Wformat-nonliteral]
return vfprintf(stderr, format, args);
^~
1 error generated.
Ignore this warning since the use case in libbpf.c is legit.
Signed-off-by: Andrey Ignatov
---
tools/lib/bpf/libbpf.c | 5 +
1 file changed, 5 insertions
433357510597&w=2
Fixes: 2011fccfb61b ("bpf: Support variable offset stack access from helpers")
Reported-by: Daniel Borkmann
Signed-off-by: Andrey Ignatov
---
kernel/bpf/verifier.c | 18 +++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/veri
Test that verifier rejects indirect access to uninitialized stack with
variable offset.
Example of output:
# ./test_verifier
...
#859/p indirect variable-offset stack access, uninitialized OK
Signed-off-by: Andrey Ignatov
---
.../testing/selftests/bpf/verifier/var_off.c | 27
ack
access for unprivileged mode in check_stack_boundary() explicitly.
Fixes: 2011fccfb61b ("bpf: Support variable offset stack access from helpers")
Reported-by: Daniel Borkmann
Signed-off-by: Andrey Ignatov
---
kernel/bpf/verifier.c | 16
1 file changed, 16 insertions(+)
missing newline so that log is more readable:
variable stack access var_off=(0xfff0; 0x4) off=-16 size=1
R2 stack pointer arithmetic goes out of range, prohibited for !root
Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Signed-off-by: Andrey Ignatov
---
time when that variable offset is trying to be
constructed.
Example of output:
# ./test_verifier
...
#859/u indirect variable-offset stack access, priv vs unpriv OK
#859/p indirect variable-offset stack access, priv vs unpriv OK
Signed-off-by: Andrey Ignatov
---
.../testing/selftests
OK
#858/p indirect variable-offset stack access, min out of bound OK
Signed-off-by: Andrey Ignatov
---
.../testing/selftests/bpf/verifier/var_off.c | 57 ++-
1 file changed, 55 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/bpf/verifier/var_off.c
b/to
it seems like a good idea to still reject variable
offset for unpriv in check_stack_boundary(). Please see patches 3 and 4 for
more details on this.
[1] https://marc.info/?l=linux-netdev&m=155419526427742&w=2
Andrey Ignatov (7):
bpf: Reject indirect var_off stack access in raw mo
sible
leaking.
There are no known use-cases for indirect uninitialized stack access
with variable offset so it shouldn't break anything.
Fixes: 2011fccfb61b ("bpf: Support variable offset stack access from helpers")
Reported-by: Daniel Borkmann
Signed-off-by: Andrey Ignatov
---
k
Daniel Borkmann [Wed, 2019-04-03 16:19 -0700]:
> On 04/03/2019 11:57 PM, Andrey Ignatov wrote:
> > Daniel Borkmann [Wed, 2019-04-03 09:46 -0700]:
> >> On 04/03/2019 06:21 PM, Daniel Borkmann wrote:
> >>> On 04/02/2019 10:19 PM, Andrey Ignatov wrote:
...
> >
ady prohibited for unprivileged mode. I'm not sure if
it's enough though and it seems like a good idea to still reject variable
offset for unpriv in check_stack_boundary(). Please see patches 3 and 4 for
more details on this.
[1] https://marc.info/?l=linux-netdev&m=155419526427742&w
Daniel Borkmann [Wed, 2019-04-03 09:46 -0700]:
> On 04/03/2019 06:21 PM, Daniel Borkmann wrote:
> > On 04/02/2019 10:19 PM, Andrey Ignatov wrote:
> >> It's hard to guarantee that whole memory is marked as initialized on
> >> helper return if uninitialized stack
Daniel Borkmann [Wed, 2019-04-03 09:22 -0700]:
> On 04/02/2019 10:19 PM, Andrey Ignatov wrote:
> > It's hard to guarantee that whole memory is marked as initialized on
> > helper return if uninitialized stack is accessed with variable offset
> > since specific bounds are
seems like a good idea to still reject variable offset for unpriv in
check_stack_boundary(). Please see patches 3 and 4 for more details on this.
[1] https://marc.info/?l=linux-netdev&m=155419526427742&w=2
Andrey Ignatov (5):
bpf: Reject indirect var_off stack access in raw mode
s
Daniel Borkmann [Mon, 2019-04-01 11:58 -0700]:
> On 04/01/2019 07:23 PM, Alexei Starovoitov wrote:
> > On 4/1/19 9:09 AM, Daniel Borkmann wrote:
> >> On 03/29/2019 08:10 PM, Alexei Starovoitov wrote:
> >>> On Thu, Mar 28, 2019 at 6:02 PM Andrey Ignatov wrote:
>
OK
#857/p indirect variable-offset stack access, max_off+size > max_initialized
OK
#858/p indirect variable-offset stack access, min_off < min_initialized OK
#859/p indirect variable-offset stack access, ok OK
...
Signed-off-by: Andrey Ignatov
---
.../testing/selftests/bpf/verifier/
11343a80
8: (85) call bpf_map_lookup_elem#1
invalid variable stack read R2 var_off=(0xfff0; 0x4)
Add support for variable offset access to check_stack_boundary so that
if offset is checked by program to be in a safe range it's accepted by
verifier.
Signed-off-by: Andrey Ignatov
---
The patch set adds support for stack access with variable offset from helpers.
Patch 1 is the main patch in the set and provides more details.
Patch 2 adds selftests for new functionality.
Andrey Ignatov (2):
bpf: Support variable offset stack access from helpers
selftests/bpf: Test variable
C based test for sysctl value parsing.
Andrey Ignatov (21):
bpf: Add base proto function for cgroup-bpf programs
bpf: Sysctl hook
bpf: Introduce bpf_sysctl_get_name helper
bpf: Introduce bpf_sysctl_get_current_value helper
bpf: Introduce bpf_sysctl_{get,set}_new_value
Daniel Borkmann [Mon, 2019-03-25 03:27 -0700]:
> Hi Andrey,
Hi Daniel,
> On 03/24/2019 01:12 AM, Andrey Ignatov wrote:
> > The patch set introduces new BPF hook for sysctl.
...
> The change in patch 2 which this whole series is centered around would
> need a consent f
]
...
Signed-off-by: Andrey Ignatov
---
tools/testing/selftests/bpf/test_sysctl.c | 64 +++
1 file changed, 64 insertions(+)
diff --git a/tools/testing/selftests/bpf/test_sysctl.c
b/tools/testing/selftests/bpf/test_sysctl.c
index 95437b72404f..43008aae32d3 100644
--- a/tools
s. It's not done due to lack of use-case though.
Signed-off-by: Andrey Ignatov
---
include/linux/bpf.h | 2 ++
kernel/bpf/verifier.c | 29 +
2 files changed, 31 insertions(+)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index f62897198844..ce53d435
same way as fs/proc/base.c already does.
Unfortunately existing kstrtoX function can't be used directly since
they fail if any invalid character is present right after integer in the
string. Existing simple_strtoX functions can't be used either since
they're obsolete and don
case: sysctl_get_new_value sysctl:write ok long .. [PASS]
Test case: sysctl_get_new_value sysctl:write E2BIG .. [PASS]
Test case: sysctl_set_new_value sysctl:read EINVAL .. [PASS]
Test case: sysctl_set_new_value sysctl:write ok .. [PASS]
Summary: 22 PASSED, 0 FAILED
Signed-off-by: Andrey
Sync bpf_strtoX related bpf UAPI changes to tools/.
Signed-off-by: Andrey Ignatov
---
tools/include/uapi/linux/bpf.h | 51 +-
1 file changed, 50 insertions(+), 1 deletion(-)
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index
ase: sysctl:read deny all .. [PASS]
Test case: ctx:write sysctl:read read ok .. [PASS]
Test case: ctx:write sysctl:write read ok .. [PASS]
Test case: ctx:write sysctl:read write reject .. [PASS]
Summary: 6 PASSED, 0 FAILED
Signed-off-by: Andrey Ignatov
---
tools/testing/selftests/bpf/Makef
: sysctl_get_name sysctl:full ok .. [PASS]
Test case: sysctl_get_name sysctl:full E2BIG truncated .. [PASS]
Test case: sysctl_get_name sysctl:full E2BIG truncated small .. [PASS]
Summary: 11 PASSED, 0 FAILED
Signed-off-by: Andrey Ignatov
---
tools/testing/selftests/bpf/test_sysctl.c | 222
.. [PASS]
Test case: sysctl_get_current_value sysctl:read E2BIG truncated .. [PASS]
Test case: sysctl_get_current_value sysctl:read EINVAL .. [PASS]
Test case: sysctl_get_current_value sysctl:write ok .. [PASS]
Summary: 16 PASSED, 0 FAILED
Signed-off-by: Andrey Ignatov
---
tools/testing
Add unit test to verify that program and attach types are properly
identified for "cgroup/sysctl" section name.
Signed-off-by: Andrey Ignatov
---
tools/testing/selftests/bpf/test_section_names.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/tools/testing/sel
Support BPF_PROG_TYPE_CGROUP_SYSCTL program in libbpf: identifying
program and attach types by section name, probe.
Signed-off-by: Andrey Ignatov
---
tools/lib/bpf/libbpf.c| 3 +++
tools/lib/bpf/libbpf_probes.c | 1 +
2 files changed, 4 insertions(+)
diff --git a/tools/lib/bpf/libbpf.c
Currently kernel/bpf/cgroup.c contains only one program type and one
proto function cgroup_dev_func_proto(). It'd be useful to have base
proto function that can be reused for new cgroup-bpf program types
coming soon.
Introduce cgroup_base_func_proto().
Signed-off-by: Andrey Ignatov
---
k
Add bpf_sysctl_* and bpf_strtoX helpers to bpf_helpers.h.
Signed-off-by: Andrey Ignatov
---
tools/testing/selftests/bpf/bpf_helpers.h | 19 +++
1 file changed, 19 insertions(+)
diff --git a/tools/testing/selftests/bpf/bpf_helpers.h
b/tools/testing/selftests/bpf/bpf_helpers.h
, where X > 0, then the value set by
bpf_sysctl_set_new_value() will be written starting from X. If program
wants to override whole value with specified buffer, file position has
to be set to zero.
Documentation for the new helpers is provided in bpf.h UAPI.
Signed-off-by: Andrey Ignatov
---
fs/p
case: bpf_strtoul negative number, EINVAL .. [PASS]
Test case: bpf_strtol negative number, ok .. [PASS]
Test case: bpf_strtol hex number, ok .. [PASS]
Test case: bpf_strtol max long .. [PASS]
Test case: bpf_strtol overflow, ERANGE .. [PASS]
Summary: 36 PASSED, 0 FAILED
Signed-off-by: Andrey
e: C prog: deny all writes .. [PASS]
Test case: C prog: deny access by name .. [PASS]
Test case: C prog: read tcp_mem .. [PASS]
Summary: 39 PASSED, 0 FAILED
Signed-off-by: Andrey Ignatov
---
.../selftests/bpf/progs/test_sysctl_prog.c| 85 +++
tools/testing/selftests/b
Sync BPF_PROG_TYPE_CGROUP_SYSCTL related bpf UAPI changes to tools/.
Signed-off-by: Andrey Ignatov
---
tools/include/uapi/linux/bpf.h | 90 +-
1 file changed, 89 insertions(+), 1 deletion(-)
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux
ARG_PTR_TO_LONG size < sizeof(long) OK
#460/p ARG_PTR_TO_LONG initialized OK
Signed-off-by: Andrey Ignatov
---
.../testing/selftests/bpf/verifier/int_ptr.c | 160 ++
1 file changed, 160 insertions(+)
create mode 100644 tools/testing/selftests/bpf/verifier/int_ptr.c
d
sed.
Since ctl_table->proc_handler() expects __user buffer, conversion to
__user happens for kernel allocated one where the value is stored.
Signed-off-by: Andrey Ignatov
---
include/linux/filter.h | 2 ++
include/uapi/linux/bpf.h | 22 +-
kerne
may reject such accesses.
Signed-off-by: Andrey Ignatov
---
fs/proc/proc_sysctl.c | 2 +-
include/linux/bpf-cgroup.h | 9 ---
include/linux/filter.h | 3 +++
include/uapi/linux/bpf.h | 3 +++
kernel/bpf/cgroup.c| 54 +++---
5 files changed,
).
Helpers to access sysctl name and value will be introduced separately.
BPF_CGROUP_SYSCTL attach point is added to sysctl code right before
passing control to ctl_table->proc_handler so that BPF program can
either allow or deny access to sysctl.
Suggested-by: Roman Gushchin
Signed-off-by: And
. "tcp_mem".
Documentation for the new helper is provided in bpf.h UAPI.
Signed-off-by: Andrey Ignatov
---
include/uapi/linux/bpf.h | 22 -
kernel/bpf/cgroup.c | 70 +++-
2 files changed, 90 insertions(+), 2 deletions(-)
diff --git a/incl
elpers to parse integers from sysctl value.
Patch 17 updates UAPI in tools.
Patch 18 updates bpf_helpers.h.
Patch 19 adds selftests for pointer to integer in verifier.
Patches 20-21 add selftests for bpf_strto{l,ul}, including integration
C based test for sysctl value parsing.
And
consistency with
> how the headers are used now and to avoid a dependency from
> the pc file to the headers installation
Thanks for the change Luca!
The other part about install target is nit, so no strong preference.
Acked-by: Andrey Ignatov
> tools/lib/bpf/.gi
. all programs I have access to and that use libbpf do this:
#include
#include
But `includedir=${prefix}/include/bpf` will force it to be:
#include
#include
, what may create inconsistency with already written code.
I also checked .pc files on my devbox and this is what I see:
% grep -h includedir /usr/share/pkgconfig/*.pc | sort | uniq -c
28 Cflags: -I${includedir}
1 Cflags: -I${includedir}/X11/dri
29 includedir=/usr/include
> +
> +Name: libbpf
> +URL: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> +Description: Linux kernel BPF library
> +Version: @VERSION@
> +Libs: -L${libdir} -lbpf
> +Requires.private: libelf
> +Cflags: -I${includedir}
> --
> 2.20.1
>
--
Andrey Ignatov
bpf_map__resize() to update max_entries.
That's much simpler and works with BTF.
Signed-off-by: Andrey Ignatov
---
tools/lib/bpf/libbpf.c | 14 ++
tools/lib/bpf/libbpf.h | 1 +
tools/lib/bpf/libbpf.map | 1 +
3 files changed, 16 insertions(+)
diff --git a/tools/lib/bpf/
The patch set adds a couple of new interfaces to libbpf:
Patch 1 adds bpf_map__resize() to resize map before loading bpf_object;
Patch 2 adds bpf_object__btf() to get struct btf * from bpf_object__btf.
Andrey Ignatov (2):
libbpf: Introduce bpf_map__resize
libbpf: Introduce bpf_object__btf
done with btf__get_map_kv_tids() but that function
requires struct btf *.
Similar API can be added for struct btf_ext but no use-case for it yet.
Signed-off-by: Andrey Ignatov
---
tools/lib/bpf/libbpf.c | 5 +
tools/lib/bpf/libbpf.h | 3 +++
tools/lib/bpf/libbpf.map | 1 +
3 files chang
TYPE_SK_MSG:
> + case BPF_PROG_TYPE_RAW_TRACEPOINT:
> + case BPF_PROG_TYPE_LWT_SEG6LOCAL:
> + case BPF_PROG_TYPE_LIRC_MODE2:
> + case BPF_PROG_TYPE_SK_REUSEPORT:
> + case BPF_PROG_TYPE_FLOW_DISSECTOR:
> + default:
> + break;
> + }
> +
> + xattr.prog_type = prog_type;
> + xattr.insns = insns;
> + xattr.insns_cnt = insns_cnt;
> + xattr.license = "GPL";
> + xattr.prog_ifindex = ifindex;
> +
> + fd = bpf_load_program_xattr(&xattr, buf, buf_len);
> + if (fd >= 0)
> + close(fd);
> +}
> +
> +bool bpf_probe_prog_type(enum bpf_prog_type prog_type, __u32 ifindex)
> +{
> + struct bpf_insn insns[2] = {
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN()
> + };
> +
> + if (ifindex && prog_type == BPF_PROG_TYPE_SCHED_CLS)
> + /* nfp returns -EINVAL on exit(0) with TC offload */
> + insns[0].imm = 2;
> +
> + errno = 0;
> + probe_load(prog_type, insns, ARRAY_SIZE(insns), NULL, 0, ifindex);
> +
> + return errno != EINVAL && errno != EOPNOTSUPP;
> +}
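Review bot: bpf_probe_prog_type() tests errno after probe_load() returns, but on the success path probe_load() calls close(fd) after bpf_load_program_xattr(), so the errno being compared is not guaranteed to be the one left by the load. Having probe_load() return the load result, or save errno before close(), would make the final `errno != EINVAL && errno != EOPNOTSUPP` check independent of what close() does.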
> --
> 2.17.1
>
--
Andrey Ignatov
Stanislav Fomichev [Fri, 2019-01-18 08:50 -0800]:
> On 01/18, Andrey Ignatov wrote:
> > Stanislav Fomichev [Thu, 2019-01-17 16:41 -0800]:
> > > Currently, we have BPF_CGROUP_INET_SOCK_CREATE hook that triggers on
> > > socket creation and there is no way to kn
gt; + case BPF_CGROUP_INET6_SOCK_RELEASE:
> + err = run_release_test_case(test);
> + break;
> default:
> goto err;
> }
> @@ -1405,6 +1530,10 @@ static int run_test_case(int cgfd, const struct
> sock_addr_test *test)
> /* Detaching w/o checking return code: best effort attempt. */
> if (progfd != -1)
> bpf_prog_detach(cgfd, test->attach_type);
> + if (cg_storage_fd > 0) {
> + close(cg_storage_fd);
> + cg_storage_fd = 0;
Nit: zero is valid fd (stdin) and should not be used as "undefined" value.
That's why -1 is used with progfd and other descriptors in the test.
> + }
> close(progfd);
> printf("[%s]\n", err ? "FAIL" : "PASS");
> return err;
> --
> 2.20.1.321.g9e740568ce-goog
>
--
Andrey Ignatov
sts/bpf/test_sock_addr.c | 131 +-
> 13 files changed, 307 insertions(+), 3 deletions(-)
>
> --
> 2.20.1.321.g9e740568ce-goog
>
--
Andrey Ignatov
L(inet_release);
>
> int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
> diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
> index d99753b5e39b..44c86595eba8 100644
> --- a/net/ipv6/af_inet6.c
> +++ b/net/ipv6/af_inet6.c
> @@ -464,13 +464,16 @@ int inet6_release(struct socket *sock)
> if (!sk)
> return -EINVAL;
>
> + if (!sk->sk_kern_sock)
> + BPF_CGROUP_RUN_PROG_INET6_SOCK_RELEASE(sock->sk);
Nit: s/sock->sk/sk/
> +
> /* Free mc lists */
> ipv6_sock_mc_close(sk);
>
> /* Free ac lists */
> ipv6_sock_ac_close(sk);
>
> - return inet_release(sock);
> + return __inet_release(sock);
> }
> EXPORT_SYMBOL(inet6_release);
>
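Review bot: The last line of inet6_release() changes from inet_release() to __inet_release() with no comment at the call. If the reason is that inet_release() would run its own release hook again for the same socket, a one-line comment next to `return __inet_release(sock);` would keep a later cleanup from switching it back.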
> --
> 2.20.1.321.g9e740568ce-goog
>
--
Andrey Ignatov
no matter where it came from: passed by user to
sys_sendmsg or set by BPF_CGROUP_UDP6_SENDMSG program.
Fixes: 1cedee13d25a ("bpf: Hooks for sys_sendmsg")
Reported-by: Nitin Rawat
Signed-off-by: Andrey Ignatov
---
net/ipv6/udp.c | 8
1 file changed, 4 insertions(+), 4 deletions
sg6: preserve dst IP = [::] (BSD'ism) .. [PASS]
Signed-off-by: Andrey Ignatov
---
tools/testing/selftests/bpf/test_sock_addr.c | 53 ++--
1 file changed, 50 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/bpf/test_sock_addr.c
b/tools/testing/selftests/bpf/test_sock_
Patch 2 adds two test cases to verify the fix.
v1->v2:
* Fix compile error in patch 1.
Andrey Ignatov (2):
bpf: Fix [::] -> [::1] rewrite in sys_sendmsg
selftests/bpf: Test [::] -> [::1] rewrite in sys_sendmsg in
test_sock_addr
net/ipv6/udp.c |