Message ID | 20200825232003.2877030-1-udippant@fb.com |
---|---|
Headers | show |
Series | bpf: verifier: use target program's type for access verifications | expand |
On 8/25/20 4:19 PM, Udip Pant wrote: > This patch series adds changes in verifier to make decisions such as granting > of read / write access or enforcement of return code status based on > the program type of the target program while using dynamic program > extension (of type BPF_PROG_TYPE_EXT). > > The BPF_PROG_TYPE_EXT type can be used to extend types such as XDP, SKB > and others. Since the BPF_PROG_TYPE_EXT program type on itself is just a > placeholder for those, we need this extended check for those extended > programs to actually work with proper access, while using this option. > > Patch #1 includes changes in the verifier. > Patch #2 adds selftests to verify write access on a packet for a valid > extension program type > Patch #3 adds selftests to verify proper check for the return code > Patch #4 adds selftests to ensure access permissions and restrictions > for some map types such sockmap. > > Changelogs: > v2 -> v3: > * more comprehensive resolution of the program type in the verifier > based on the target program (and not just for the packet access) > * selftests for checking return code and map access > * Also moved this patch to 'bpf-next' from 'bpf' tree > v1 -> v2: > * extraction of the logic to resolve prog type into a separate method > * selftests to check for packet access for a valid freplace prog > > Udip Pant (4): > bpf: verifier: use target program's type for access verifications > selftests/bpf: add test for freplace program with write access > selftests/bpf: test for checking return code for the extended prog > selftests/bpf: test for map update access from within EXT programs > > kernel/bpf/verifier.c | 32 ++++++--- > .../selftests/bpf/prog_tests/fexit_bpf2bpf.c | 68 +++++++++++++++++++ > .../selftests/bpf/progs/fexit_bpf2bpf.c | 27 ++++++++ > .../bpf/progs/freplace_attach_probe.c | 40 +++++++++++ > .../bpf/progs/freplace_cls_redirect.c | 34 ++++++++++ > .../bpf/progs/freplace_connect_v4_prog.c | 19 ++++++ > .../selftests/bpf/progs/test_pkt_access.c | 20 ++++++ > 7 files changed, 229 insertions(+), 11 deletions(-) > create mode 100644 tools/testing/selftests/bpf/progs/freplace_attach_probe.c > create mode 100644 tools/testing/selftests/bpf/progs/freplace_cls_redirect.c > create mode 100644 tools/testing/selftests/bpf/progs/freplace_connect_v4_prog.c Thanks. LGTM. Ack for the whole series. Acked-by: Yonghong Song <yhs@fb.com>
Udip Pant <udippant@fb.com> writes: > This patch series adds changes in verifier to make decisions such as granting > of read / write access or enforcement of return code status based on > the program type of the target program while using dynamic program > extension (of type BPF_PROG_TYPE_EXT). > > The BPF_PROG_TYPE_EXT type can be used to extend types such as XDP, SKB > and others. Since the BPF_PROG_TYPE_EXT program type on itself is just a > placeholder for those, we need this extended check for those extended > programs to actually work with proper access, while using this option. > > Patch #1 includes changes in the verifier. > Patch #2 adds selftests to verify write access on a packet for a valid > extension program type > Patch #3 adds selftests to verify proper check for the return code > Patch #4 adds selftests to ensure access permissions and restrictions > for some map types such sockmap. Thanks for fixing this! For the series: Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
On Tue, Aug 25, 2020 at 04:19:59PM -0700, Udip Pant wrote: > This patch series adds changes in verifier to make decisions such as granting > of read / write access or enforcement of return code status based on > the program type of the target program while using dynamic program > extension (of type BPF_PROG_TYPE_EXT). > > The BPF_PROG_TYPE_EXT type can be used to extend types such as XDP, SKB > and others. Since the BPF_PROG_TYPE_EXT program type on itself is just a > placeholder for those, we need this extended check for those extended > programs to actually work with proper access, while using this option. > > Patch #1 includes changes in the verifier. > Patch #2 adds selftests to verify write access on a packet for a valid > extension program type > Patch #3 adds selftests to verify proper check for the return code > Patch #4 adds selftests to ensure access permissions and restrictions > for some map types such sockmap. > > Changelogs: > v2 -> v3: > * more comprehensive resolution of the program type in the verifier > based on the target program (and not just for the packet access) > * selftests for checking return code and map access > * Also moved this patch to 'bpf-next' from 'bpf' tree Applied. Thanks