From patchwork Thu Apr 18 15:56:50 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alban Crequy <alban.crequy@gmail.com>
X-Patchwork-Id: 1087700
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="QipZTpMb"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 44lNz60F3Gz9s55
	for <patchwork-incoming-netdev@ozlabs.org>;
	Fri, 19 Apr 2019 01:57:22 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S2389562AbfDRP5R (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Thu, 18 Apr 2019 11:57:17 -0400
Received: from mail-ed1-f67.google.com ([209.85.208.67]:36581 "EHLO
	mail-ed1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1731317AbfDRP5Q (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 18 Apr 2019 11:57:16 -0400
Received: by mail-ed1-f67.google.com with SMTP id u57so2234272edm.3;
	Thu, 18 Apr 2019 08:57:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=sender:from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=mRIa7YtbcBQn0bTD/QeYRSxAmMEbW6gakCQU+eJmUrM=;
	b=QipZTpMbL3qfg5Cvba0enefPaLwhFSwiZLz9v42+AD9CDIZl9C/78gdXAVlrqxyAfF
	HW1MrLIVK6sGaqb1TjmElO4hijQlOBtuVePA2WuP4RYinOE3E1p7HrVMYPoj9viQkrnt
	a4HWNsfWNzpiGF3qXx6KDeo9BMObMCaEVN+wT9QLm2kzvXp9qIcmao5GwHxbsj3QD4pk
	w2DNkxwud99SEzF9or8FUdMn0uiWkf1HSUKY1yO9GmvihkFyhke9wTQ3R5Vmxyh8GoZe
	RTna5jKuMkTgnGNGUO987xIUF8U32NXCheBHymyeaFIjY8KrFBypdGVcXfam2iMqyWqn
	60tg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
	:mime-version:content-transfer-encoding;
	bh=mRIa7YtbcBQn0bTD/QeYRSxAmMEbW6gakCQU+eJmUrM=;
	b=jbjLQdIGzmowxNjNJl9D7GuEhQ6l5nNhoAr9QcrqtRyXiuc3GY4Os/7tctvgmReEHY
	ot76EXm6XtdgOVVmwWW597DJiqRvTo0Nee8eRH4wmW2wMEgeQUSqcaTJb6D0ReK7TVrD
	CtuL9qFYM/6GbPH0s/954cwytFXF0dh4xaXCZtaWuklTAx7+ujOTUC155vb6Ixn5mSa4
	boYfgXeUu56HHwQA0StdYfif7KBJYOcY6JKX7NnNMviSBcPAw+DGAcx7212HH/3GIGz1
	eAG682rNbcVtmWf89roSAvbIFaQt8jTVfP10RHxcv+SyDLWq9jbCXw+ZuA50p99cbYYH
	dH+Q==
X-Gm-Message-State: APjAAAXg+9nkYjt3k6tngfWtuDxL/GLajo3/j/PKi4XgxlKenYcwsT8j
	T7Ch1s5vr/zEvPDa5XA159c=
X-Google-Smtp-Source: 
 APXvYqz07Be+E6TFm1SXIu3H1LWJLYQXDCwLaRvS1Q5PbQL1B58Y/8ze1eksh7yhe41YLViHkuQyAw==
X-Received: by 2002:a50:e61a:: with SMTP id
	y26mr46513128edm.157.1555603033989;
	Thu, 18 Apr 2019 08:57:13 -0700 (PDT)
Received: from neptune.fritz.box ([178.19.216.175])
	by smtp.gmail.com with ESMTPSA id
	31sm591274edf.18.2019.04.18.08.57.12
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Thu, 18 Apr 2019 08:57:13 -0700 (PDT)
From: Alban Crequy <alban.crequy@gmail.com>
X-Google-Original-From: Alban Crequy <alban@kinvolk.io>
To: john.fastabend@gmail.com, ast@kernel.org, daniel@iogearbox.net
Cc: bpf@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, alban@kinvolk.io, iago@kinvolk.io
Subject: [PATCH bpf-next v2 1/3] bpf: sock ops: add netns ino and dev in bpf
	context
Date: Thu, 18 Apr 2019 17:56:50 +0200
Message-Id: <20190418155652.22181-1-alban@kinvolk.io>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Alban Crequy <alban@kinvolk.io>

sockops programs can now access the network namespace inode and device
via (struct bpf_sock_ops)->netns_ino and ->netns_dev. This can be useful
to apply different policies on different network namespaces.

In the unlikely case where network namespaces are not compiled in
(CONFIG_NET_NS=n), the verifier will not allow access to ->netns_*.

The generated BPF bytecode for netns_ino is loading the correct inode
number at the time of execution.

However, the generated BPF bytecode for netns_dev is loading an
immediate value determined at BPF-load-time by looking at the initial
network namespace. In practice, this works because all netns currently
use the same virtual device. If this was to change, this code would need
to be updated too.

Signed-off-by: Alban Crequy <alban@kinvolk.io>
Acked-by: Song Liu <songliubraving@fb.com>
---

Changes since v1:
- add netns_dev (review from Alexei)
---
 include/uapi/linux/bpf.h |  2 ++
 net/core/filter.c        | 70 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index eaf2d3284248..f4f841dde42c 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -3213,6 +3213,8 @@ struct bpf_sock_ops {
 	__u32 sk_txhash;
 	__u64 bytes_received;
 	__u64 bytes_acked;
+	__u64 netns_dev;
+	__u64 netns_ino;
 };
 
 /* Definitions for bpf_sock_ops_cb_flags */
diff --git a/net/core/filter.c b/net/core/filter.c
index 1833926a63fc..93e3429603d7 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -75,6 +75,8 @@
 #include <net/seg6_local.h>
 #include <net/lwtunnel.h>
 #include <net/ipv6_stubs.h>
+#include <linux/kdev_t.h>
+#include <linux/proc_ns.h>
 
 /**
  *	sk_filter_trim_cap - run a packet through a socket filter
@@ -6774,6 +6776,15 @@ static bool sock_ops_is_valid_access(int off, int size,
 		}
 	} else {
 		switch (off) {
+		case offsetof(struct bpf_sock_ops, netns_dev):
+		case offsetof(struct bpf_sock_ops, netns_ino):
+#ifdef CONFIG_NET_NS
+			if (size != sizeof(__u64))
+				return false;
+#else
+			return false;
+#endif
+			break;
 		case bpf_ctx_range_till(struct bpf_sock_ops, bytes_received,
 					bytes_acked):
 			if (size != sizeof(__u64))
@@ -7660,6 +7671,11 @@ static u32 sock_addr_convert_ctx_access(enum bpf_access_type type,
 	return insn - insn_buf;
 }
 
+static struct ns_common *sockops_netns_cb(void *private_data)
+{
+	return &init_net.ns;
+}
+
 static u32 sock_ops_convert_ctx_access(enum bpf_access_type type,
 				       const struct bpf_insn *si,
 				       struct bpf_insn *insn_buf,
@@ -7668,6 +7684,10 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type,
 {
 	struct bpf_insn *insn = insn_buf;
 	int off;
+	struct inode *ns_inode;
+	struct path ns_path;
+	__u64 netns_dev;
+	void *res;
 
 /* Helper macro for adding read access to tcp_sock or sock fields. */
 #define SOCK_OPS_GET_FIELD(BPF_FIELD, OBJ_FIELD, OBJ)			      \
@@ -7914,6 +7934,56 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type,
 		SOCK_OPS_GET_OR_SET_FIELD(sk_txhash, sk_txhash,
 					  struct sock, type);
 		break;
+
+	case offsetof(struct bpf_sock_ops, netns_dev):
+#ifdef CONFIG_NET_NS
+		/* We get the netns_dev at BPF-load-time and not at
+		 * BPF-exec-time. We assume that netns_dev is a constant.
+		 */
+		res = ns_get_path_cb(&ns_path, sockops_netns_cb, NULL);
+		if (IS_ERR(res)) {
+			netns_dev = 0;
+		} else {
+			ns_inode = ns_path.dentry->d_inode;
+			netns_dev = new_encode_dev(ns_inode->i_sb->s_dev);
+		}
+#else
+		netns_dev = 0;
+#endif
+		*insn++ = BPF_MOV64_IMM(si->dst_reg, netns_dev);
+		break;
+
+	case offsetof(struct bpf_sock_ops, netns_ino):
+#ifdef CONFIG_NET_NS
+		/* Loading: sk_ops->sk->__sk_common.skc_net.net->ns.inum
+		 * Type: (struct bpf_sock_ops_kern *)
+		 *       ->(struct sock *)
+		 *       ->(struct sock_common)
+		 *       .possible_net_t
+		 *       .(struct net *)
+		 *       ->(struct ns_common)
+		 *       .(unsigned int)
+		 */
+		BUILD_BUG_ON(offsetof(struct sock, __sk_common) != 0);
+		BUILD_BUG_ON(offsetof(possible_net_t, net) != 0);
+		*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
+						struct bpf_sock_ops_kern, sk),
+				      si->dst_reg, si->src_reg,
+				      offsetof(struct bpf_sock_ops_kern, sk));
+		*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
+						possible_net_t, net),
+				      si->dst_reg, si->dst_reg,
+				      offsetof(struct sock_common, skc_net));
+		*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
+						struct ns_common, inum),
+				      si->dst_reg, si->dst_reg,
+				      offsetof(struct net, ns) +
+				      offsetof(struct ns_common, inum));
+#else
+		*insn++ = BPF_MOV64_IMM(si->dst_reg, 0);
+#endif
+		break;
+
 	}
 	return insn - insn_buf;
 }

From patchwork Thu Apr 18 15:56:51 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alban Crequy <alban.crequy@gmail.com>
X-Patchwork-Id: 1087702
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="ujUF89a1"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 44lNzS3PhYz9s55
	for <patchwork-incoming-netdev@ozlabs.org>;
	Fri, 19 Apr 2019 01:57:40 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S2389603AbfDRP5f (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Thu, 18 Apr 2019 11:57:35 -0400
Received: from mail-ed1-f67.google.com ([209.85.208.67]:33700 "EHLO
	mail-ed1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1731317AbfDRP5e (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 18 Apr 2019 11:57:34 -0400
Received: by mail-ed1-f67.google.com with SMTP id d55so2246492ede.0;
	Thu, 18 Apr 2019 08:57:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=sender:from:to:cc:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding;
	bh=IWlf2jOCi78n1ZlTfvCNvL1fAOtMa6gp1Ms71/Rm22E=;
	b=ujUF89a1ePTsZ8Opt/cSrVgjOg9JkCj0Ye0S1Tvo8V0IoiLvcY1RF9S5eCUTnMQlYH
	jH8kvTb3zcQmcx2Shu6VmbatM6bC+QuBNmhs0g4iIYfISvoUs69IW/lyPDiC5H6CUp83
	DWD/Pu0vO+6ZVwCsHP30MEG4NuE8LyyNfAbHVzMaRyMuuFmL4VdNCqJl+l2n5FaEyv5V
	AfkUoIzNbyG+rGx3uTjyil5dnpdgyZCqz4GziapN4UrS6n4J5k7RPbV5cO2wDZlriYhp
	2OaL73q/89foIWGx0SjoehchR8Z067Zb4esVZzgGR9t4SaPw2PxQgRnoEtwxltLSYGlE
	YDRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
	:in-reply-to:references:mime-version:content-transfer-encoding;
	bh=IWlf2jOCi78n1ZlTfvCNvL1fAOtMa6gp1Ms71/Rm22E=;
	b=bqsa6Qy23q4UdWWiEMtjNAxLGRRoiSzI/RLpPpQxpOVg95T0CtrtR8Etzn5V8KPpbn
	M/IzHTJEPlirn352arYuJrguPe5OM0eBja1QsdvMkLcMFKAFs+FUo+cK3fj4/3xJnJeP
	lAoJ1E0GCZtC0X/DI/GX2t0vo8MONBRehieh/3Y+eAPG/GxQN5OluN2EzFhaMehdfef/
	VfjBmuFuHP717fAeYFnfA7zwAE+hptPA7X1ppUm8FhcWzErSwrfQV5lj3Bk7e2KF0RVl
	bOnSh1rbNMwsFkZ35ph5b2mG7OqTYT1tvXBvN/P9hvy7kA/C7s/yjHpKibnQmnDEQcB0
	KlDA==
X-Gm-Message-State: APjAAAWrRzqA09mqtRv9z+FKLzP7Z+Ii1amtUGDoU3ca7JjNuRFIaWtw
	9//xcPXD39MkLnGl5YiQVK0=
X-Google-Smtp-Source: 
 APXvYqwfmwppFrs2Ch2P8+9TAgG2b1urhqgjivR+AGjU74smKWWdWDloTLPDcTJ47PMshMprVc7f5Q==
X-Received: by 2002:a17:906:1347:: with SMTP id
	x7mr51905811ejb.64.1555603052337;
	Thu, 18 Apr 2019 08:57:32 -0700 (PDT)
Received: from neptune.fritz.box ([178.19.216.175])
	by smtp.gmail.com with ESMTPSA id
	31sm591274edf.18.2019.04.18.08.57.31
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Thu, 18 Apr 2019 08:57:31 -0700 (PDT)
From: Alban Crequy <alban.crequy@gmail.com>
X-Google-Original-From: Alban Crequy <alban@kinvolk.io>
To: john.fastabend@gmail.com, ast@kernel.org, daniel@iogearbox.net
Cc: bpf@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, alban@kinvolk.io, iago@kinvolk.io
Subject: [PATCH bpf-next v2 2/3] selftests: bpf: read netns from struct
	bpf_sock_ops
Date: Thu, 18 Apr 2019 17:56:51 +0200
Message-Id: <20190418155652.22181-2-alban@kinvolk.io>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190418155652.22181-1-alban@kinvolk.io>
References: <20190418155652.22181-1-alban@kinvolk.io>
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Alban Crequy <alban@kinvolk.io>

This shows how a sockops program could be restricted to a specific
network namespace. The sockops program looks at the current netns via
(struct bpf_sock_ops)->netns and checks if the value matches the
configuration in the new BPF map "sock_netns".

The test program ./test_sockmap accepts a new parameter "--netns"; the
default value is the current netns found by stat() on /proc/self/ns/net,
so the previous tests still pass:

sudo ./test_sockmap
...
Summary: 412 PASSED 0 FAILED
...
Summary: 824 PASSED 0 FAILED

I run my additional test in the following way:

NETNS=$(readlink /proc/self/ns/net | sed 's/^net:\[\(.*\)\]$/\1/')
CGR=/sys/fs/cgroup/unified/user.slice/user-1000.slice/session-5.scope/
sudo ./test_sockmap --cgroup $CGR --netns $NETNS &

cat /sys/kernel/debug/tracing/trace_pipe

echo foo | nc -l 127.0.0.1 8080 &
echo bar | nc 127.0.0.1 8080

=> the connection goes through the sockmap

When testing with a wrong $NETNS, I get the trace_pipe log:
> not binding connection on netns 4026531992

Signed-off-by: Alban Crequy <alban@kinvolk.io>
---

Changes since v1:
- tools/include/uapi/linux/bpf.h: update with netns_dev
- tools/testing/selftests/bpf/test_sockmap_kern.h: print debugs with
  both netns_dev and netns_ino
---
 tools/include/uapi/linux/bpf.h                |  2 +
 tools/testing/selftests/bpf/test_sockmap.c    | 38 +++++++++++++++++--
 .../testing/selftests/bpf/test_sockmap_kern.h | 22 +++++++++++
 3 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 704bb69514a2..eb56620a9d7a 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -3206,6 +3206,8 @@ struct bpf_sock_ops {
 	__u32 sk_txhash;
 	__u64 bytes_received;
 	__u64 bytes_acked;
+	__u64 netns_dev;
+	__u64 netns_ino;
 };
 
 /* Definitions for bpf_sock_ops_cb_flags */
diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c
index 3845144e2c91..5a1b9c96fca1 100644
--- a/tools/testing/selftests/bpf/test_sockmap.c
+++ b/tools/testing/selftests/bpf/test_sockmap.c
@@ -2,6 +2,7 @@
 // Copyright (c) 2017-2018 Covalent IO, Inc. http://covalent.io
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <sys/socket.h>
 #include <sys/ioctl.h>
 #include <sys/select.h>
@@ -21,6 +22,7 @@
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <sys/sendfile.h>
+#include <sys/stat.h>
 
 #include <linux/netlink.h>
 #include <linux/socket.h>
@@ -63,8 +65,8 @@ int s1, s2, c1, c2, p1, p2;
 int test_cnt;
 int passed;
 int failed;
-int map_fd[8];
-struct bpf_map *maps[8];
+int map_fd[9];
+struct bpf_map *maps[9];
 int prog_fd[11];
 
 int txmsg_pass;
@@ -84,6 +86,7 @@ int txmsg_ingress;
 int txmsg_skb;
 int ktls;
 int peek_flag;
+uint64_t netns_opt;
 
 static const struct option long_options[] = {
 	{"help",	no_argument,		NULL, 'h' },
@@ -111,6 +114,7 @@ static const struct option long_options[] = {
 	{"txmsg_skb", no_argument,		&txmsg_skb, 1 },
 	{"ktls", no_argument,			&ktls, 1 },
 	{"peek", no_argument,			&peek_flag, 1 },
+	{"netns",	required_argument,	NULL, 'n'},
 	{0, 0, NULL, 0 }
 };
 
@@ -1585,6 +1589,7 @@ char *map_names[] = {
 	"sock_bytes",
 	"sock_redir_flags",
 	"sock_skb_opts",
+	"sock_netns",
 };
 
 int prog_attach_type[] = {
@@ -1619,6 +1624,8 @@ static int populate_progs(char *bpf_file)
 	struct bpf_object *obj;
 	int i = 0;
 	long err;
+	struct stat netns_sb;
+	uint64_t netns_ino;
 
 	obj = bpf_object__open(bpf_file);
 	err = libbpf_get_error(obj);
@@ -1655,6 +1662,28 @@ static int populate_progs(char *bpf_file)
 		}
 	}
 
+	if (netns_opt == 0) {
+		err = stat("/proc/self/ns/net", &netns_sb);
+		if (err) {
+			fprintf(stderr,
+				"ERROR: cannot stat network namespace: %ld (%s)\n",
+				err, strerror(errno));
+			return -1;
+		}
+		netns_ino = netns_sb.st_ino;
+	} else {
+		netns_ino = netns_opt;
+	}
+	i = 1;
+	err = bpf_map_update_elem(map_fd[8], &netns_ino, &i, BPF_ANY);
+	if (err) {
+		fprintf(stderr,
+			"ERROR: bpf_map_update_elem (netns):  %ld (%s)\n",
+			err, strerror(errno));
+		return -1;
+	}
+
+
 	return 0;
 }
 
@@ -1738,7 +1767,7 @@ int main(int argc, char **argv)
 	if (argc < 2)
 		return test_suite(-1);
 
-	while ((opt = getopt_long(argc, argv, ":dhvc:r:i:l:t:p:q:",
+	while ((opt = getopt_long(argc, argv, ":dhvc:r:i:l:t:p:q:n:",
 				  long_options, &longindex)) != -1) {
 		switch (opt) {
 		case 's':
@@ -1805,6 +1834,9 @@ int main(int argc, char **argv)
 				return -1;
 			}
 			break;
+		case 'n':
+			netns_opt = strtoull(optarg, NULL, 10);
+			break;
 		case 0:
 			break;
 		case 'h':
diff --git a/tools/testing/selftests/bpf/test_sockmap_kern.h b/tools/testing/selftests/bpf/test_sockmap_kern.h
index e7639f66a941..317406dad6cf 100644
--- a/tools/testing/selftests/bpf/test_sockmap_kern.h
+++ b/tools/testing/selftests/bpf/test_sockmap_kern.h
@@ -91,6 +91,13 @@ struct bpf_map_def SEC("maps") sock_skb_opts = {
 	.max_entries = 1
 };
 
+struct bpf_map_def SEC("maps") sock_netns = {
+	.type = BPF_MAP_TYPE_HASH,
+	.key_size = sizeof(__u64),
+	.value_size = sizeof(int),
+	.max_entries = 16
+};
+
 SEC("sk_skb1")
 int bpf_prog1(struct __sk_buff *skb)
 {
@@ -132,9 +139,24 @@ int bpf_sockmap(struct bpf_sock_ops *skops)
 {
 	__u32 lport, rport;
 	int op, err = 0, index, key, ret;
+	int i = 0;
+	__u64 netns_dev, netns_ino;
+	int *allowed;
 
 
 	op = (int) skops->op;
+	netns_dev = skops->netns_dev;
+	netns_ino = skops->netns_ino;
+	bpf_printk("bpf_sockmap: netns_dev = %lu netns_ino = %lu\n",
+		   netns_dev, netns_ino);
+
+	// Only allow sockmap connection on the configured network namespace
+	allowed = bpf_map_lookup_elem(&sock_netns, &netns_ino);
+	if (allowed == NULL || *allowed == 0) {
+		bpf_printk("not binding connection on netns_ino %lu\n",
+			   netns_ino);
+		return 0;
+	}
 
 	switch (op) {
 	case BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB:

From patchwork Thu Apr 18 15:56:52 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alban Crequy <alban.crequy@gmail.com>
X-Patchwork-Id: 1087704
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <bpf-owner@vger.kernel.org>
X-Original-To: incoming-bpf@patchwork.ozlabs.org
Delivered-To: patchwork-incoming-bpf@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=bpf-owner@vger.kernel.org; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="uwQ/UH7h"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 44lNzl03cHz9s3Z
	for <incoming-bpf@patchwork.ozlabs.org>;
	Fri, 19 Apr 2019 01:57:55 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S2388901AbfDRP5y (ORCPT
	<rfc822;incoming-bpf@patchwork.ozlabs.org>);
	Thu, 18 Apr 2019 11:57:54 -0400
Received: from mail-ed1-f68.google.com ([209.85.208.68]:46631 "EHLO
	mail-ed1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1731317AbfDRP5y (ORCPT <rfc822; bpf@vger.kernel.org>);
	Thu, 18 Apr 2019 11:57:54 -0400
Received: by mail-ed1-f68.google.com with SMTP id d1so2186712edd.13;
	Thu, 18 Apr 2019 08:57:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=sender:from:to:cc:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding;
	bh=Fz/33z2pmcQnZT8fZhBZ5rsQpuocNULIoiNU7dc5uD4=;
	b=uwQ/UH7hrcuhIB+dgbXMGF8uNPOK7R94BS0+9Rm+/FTTGzs4xgRCaHdW9L/JIfguoP
	SEVEST8nfmmzpGMUYqZZtNVS/tQi5HKYoqYaKH/7NSib8vx7ltoNPJTs0/j1m8t8Ckmm
	+/ZbXSy0f+a1GuxqqK14cHnm+n+LluYsrUXzGstGaAbe1CigCmUjWd8eUO/2v9Bjf5QK
	V4iPhopceZVgVfPRFv83s19XU36KPS+C79pnBjsYi07NTar43ybLCVukm5KG9crTu/8C
	3o7wj0jtppxtN1+6yYmzziRV7vNqclaiD2Fk61yNwmLMbQVD3Gix0QKHGlTNIoHC+8Ip
	v9fw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
	:in-reply-to:references:mime-version:content-transfer-encoding;
	bh=Fz/33z2pmcQnZT8fZhBZ5rsQpuocNULIoiNU7dc5uD4=;
	b=RD7PP2dA7bAZAJZXgp12F2t86vUroTtIcPXnPSmgyZIwsVQ/HtRgwz2YehNjNDVXxv
	HV2tyrjRWrBib8m2S5W9rkQcOWPOnE/jKdXSjHT6CFTmXhrjrl0h6pIvS0X1fgVlZ/Uy
	hVDQmDIGUzGtbOoSHR/AU5LFJgnD4Nh7+xt5gFJ6R3axE4R9J2KlTEmC8FtXxPeu9Ft6
	0qmu/1k7CnWtzy74mwRbuvOzX8gcGh7JaCDiUK0Ch3XInVfDoDLudIwDYxuGwBr/e5uy
	2QEPPWec6odNLmzKkIKZW6cvXt8j3XUdFrmnTTtCNfRqFg7n8k78xg8UWAFae8vwffZ+
	BOGw==
X-Gm-Message-State: APjAAAW45c177I/ETkcECogNg0JbjLjq1YXOGX82hPxboez62HIdSzgX
	QSVwB8vVddEqdMqkceL2EII=
X-Google-Smtp-Source: 
 APXvYqyAgDB7g9NPKLyZXKMkrz8LXK3A01hATaxLnE7KWqeDW+LmUxcUzvJ8z4Zf5vU+tzj5rCgipg==
X-Received: by 2002:a17:906:29c1:: with SMTP id
	y1mr49962271eje.251.1555603072521;
	Thu, 18 Apr 2019 08:57:52 -0700 (PDT)
Received: from neptune.fritz.box ([178.19.216.175])
	by smtp.gmail.com with ESMTPSA id
	31sm591274edf.18.2019.04.18.08.57.50
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Thu, 18 Apr 2019 08:57:51 -0700 (PDT)
From: Alban Crequy <alban.crequy@gmail.com>
X-Google-Original-From: Alban Crequy <alban@kinvolk.io>
To: john.fastabend@gmail.com, ast@kernel.org, daniel@iogearbox.net
Cc: bpf@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, alban@kinvolk.io, iago@kinvolk.io
Subject: [PATCH bpf-next v2 3/3] selftests: bpf: verifier: read netns_dev and
	netns_ino from struct bpf_sock_ops
Date: Thu, 18 Apr 2019 17:56:52 +0200
Message-Id: <20190418155652.22181-3-alban@kinvolk.io>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190418155652.22181-1-alban@kinvolk.io>
References: <20190418155652.22181-1-alban@kinvolk.io>
MIME-Version: 1.0
Sender: bpf-owner@vger.kernel.org
Precedence: bulk
List-Id: netdev.vger.kernel.org

From: Alban Crequy <alban@kinvolk.io>

Tested with:
> $ sudo ./test_verifier
> ...
> #905/p sockops accessing bpf_sock_ops->netns_dev and netns_ino, ok OK
> ...
> Summary: 1420 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Alban Crequy <alban@kinvolk.io>
---

Changes since v1:
- This is a new selftest (review from Song)
---
 tools/testing/selftests/bpf/verifier/var_off.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tools/testing/selftests/bpf/verifier/var_off.c b/tools/testing/selftests/bpf/verifier/var_off.c
index 8504ac937809..1ad3f64145ba 100644
--- a/tools/testing/selftests/bpf/verifier/var_off.c
+++ b/tools/testing/selftests/bpf/verifier/var_off.c
@@ -246,3 +246,16 @@
 	.result = ACCEPT,
 	.prog_type = BPF_PROG_TYPE_LWT_IN,
 },
+{
+	"sockops accessing bpf_sock_ops->netns_dev and netns_ino, ok",
+	.insns = {
+	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops,
+							   netns_dev)),
+	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops,
+							   netns_ino)),
+	BPF_MOV64_IMM(BPF_REG_0, 0),
+	BPF_EXIT_INSN(),
+	},
+	.result = ACCEPT,
+	.prog_type = BPF_PROG_TYPE_SOCK_OPS,
+},