
fix: Use cgroup_skb programs for payload inspection #226

Merged
merged 7 commits into from Dec 11, 2023

Conversation

vadorovsky
Member

@vadorovsky vadorovsky commented Nov 13, 2023

Before this change, we were using LSM programs attached to sock_recvmsg and sock_sendmsg hooks for this purpose. We were using iov_iter to read the payload.

Unfortunately, torvalds/linux@747b1f6 (which landed in kernel 6.4) broke the iov_iter API in a completely backwards-incompatible way, which can't be handled by any of the CO-RE helpers while using an iov_iter definition from any kernel.

Initially, we aimed to handle this incompatibility by introducing a pre-6.4 compat header and trying to cast the types (#198). That seemed to work, but unfortunately, verifiers in 5.x kernels are unhappy about this solution.

Therefore, this change drops the idea of intercepting payloads with LSM altogether and instead uses cgroup_skb for the same purpose. There is no way __sk_buff is going to introduce any breaking changes with regard to accessing the packet data.
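The stability argument above rests on one property of cgroup_skb programs: the packet is exposed through `__sk_buff`'s `data`/`data_end` window, and every read is bounds-checked against `data_end` before the verifier will accept it, so no kernel-internal struct layout (such as `iov_iter`) is involved. The block below is an added example, not code from this PR or from the project; it is a host-side model of the parser a cgroup_skb program would run, so that it compiles with a plain C toolchain: `struct sk_buff_view` stands in for the `data`/`data_end` pair of the real `struct __sk_buff` (an assumption, the real fields are `__u32` values cast to pointers), the IPv4/TCP header structs are hand-rolled to avoid depending on `<linux/ip.h>`, and the packet is a constructed sample, not a capture. The function body itself follows the check-before-read pattern the verifier requires, and assumes what cgroup_skb actually delivers: `data` starts at the IP header, with no Ethernet header in front of it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htons/ntohs/htonl */

/* Host-side stand-in for the two __sk_buff fields a cgroup_skb program
 * reads for direct packet access (assumption: plain pointers here). */
struct sk_buff_view {
    const uint8_t *data;
    const uint8_t *data_end;
};

/* Minimal IPv4 and TCP headers, hand-rolled so the example does not
 * depend on kernel UAPI headers. Field order matches the wire format. */
struct __attribute__((packed)) iphdr_min {
    uint8_t  ihl_version;   /* version in high nibble, IHL in low nibble */
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};

struct __attribute__((packed)) tcphdr_min {
    uint16_t source;
    uint16_t dest;
    uint32_t seq;
    uint32_t ack_seq;
    uint8_t  res_doff;      /* data offset (in 32-bit words) in high nibble */
    uint8_t  flags;
    uint16_t window;
    uint16_t check;
    uint16_t urg_ptr;
};

#define PROTO_TCP 6

/* Where the TCP payload sits inside the packet, relative to skb->data. */
struct payload_loc {
    uint16_t sport, dport;
    size_t   offset;
    size_t   len;
};

/* Returns 1 and fills *out when the packet is IPv4/TCP with a non-empty
 * payload, 0 otherwise. Every dereference is preceded by a comparison
 * against data_end; this is exactly the shape the BPF verifier insists on
 * for __sk_buff direct access, which is why it does not depend on any
 * kernel-internal struct layout. */
int locate_tcp_payload(const struct sk_buff_view *skb, struct payload_loc *out)
{
    const uint8_t *data = skb->data;
    const uint8_t *data_end = skb->data_end;

    /* cgroup_skb: data begins at the IP header (no Ethernet header). */
    const struct iphdr_min *ip = (const struct iphdr_min *)data;
    if ((const uint8_t *)(ip + 1) > data_end) return 0;
    if ((ip->ihl_version >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip->ihl_version & 0x0f) * 4;
    if (ihl < sizeof(*ip)) return 0;
    if (data + ihl > data_end) return 0;           /* covers IP options */
    if (ip->protocol != PROTO_TCP) return 0;

    const struct tcphdr_min *tcp = (const struct tcphdr_min *)(data + ihl);
    if ((const uint8_t *)(tcp + 1) > data_end) return 0;
    size_t doff = (size_t)(tcp->res_doff >> 4) * 4;
    if (doff < sizeof(*tcp)) return 0;
    if (data + ihl + doff > data_end) return 0;    /* covers TCP options */

    /* Trust the IP total length only as far as the linear buffer goes. */
    size_t avail = (size_t)(data_end - data);
    size_t tot_len = ntohs(ip->tot_len);
    if (tot_len > avail) tot_len = avail;
    if (tot_len < ihl + doff) return 0;

    out->sport  = ntohs(tcp->source);
    out->dport  = ntohs(tcp->dest);
    out->offset = ihl + doff;
    out->len    = tot_len - ihl - doff;
    return out->len > 0;
}

/* Constructed sample input: IPv4/TCP 10.0.0.1:40000 -> 10.0.0.2:80 carrying
 * a 16-byte HTTP request line. Checksums are left zero; this is test data,
 * not a capture. Returns the packet length written (56) or 0 on overflow. */
size_t build_sample_packet(uint8_t *buf, size_t cap)
{
    static const char payload[] = "GET / HTTP/1.1\r\n";
    size_t plen = sizeof(payload) - 1;
    size_t total = sizeof(struct iphdr_min) + sizeof(struct tcphdr_min) + plen;
    if (cap < total) return 0;
    memset(buf, 0, total);

    struct iphdr_min *ip = (struct iphdr_min *)buf;
    ip->ihl_version = 0x45;               /* IPv4, 20-byte header */
    ip->tot_len     = htons((uint16_t)total);
    ip->ttl         = 64;
    ip->protocol    = PROTO_TCP;
    ip->saddr       = htonl(0x0a000001u);
    ip->daddr       = htonl(0x0a000002u);

    struct tcphdr_min *tcp = (struct tcphdr_min *)(buf + sizeof(*ip));
    tcp->source   = htons(40000);
    tcp->dest     = htons(80);
    tcp->res_doff = 5 << 4;               /* 20-byte header, no options */
    tcp->flags    = 0x18;                 /* PSH|ACK */

    memcpy(buf + sizeof(*ip) + sizeof(*tcp), payload, plen);
    return total;
}

int main(void)
{
    uint8_t buf[128];
    size_t n = build_sample_packet(buf, sizeof buf);
    struct sk_buff_view skb = { buf, buf + n };
    struct payload_loc loc;
    if (locate_tcp_payload(&skb, &loc))
        printf("tcp %u -> %u: payload at offset %zu, %zu bytes: %.*s",
               loc.sport, loc.dport, loc.offset, loc.len,
               (int)loc.len, (const char *)buf + loc.offset);
    else
        printf("no TCP payload found\n");
    return 0;
}
```

Two caveats carry over to the real program. Direct `data`/`data_end` access only covers the linear part of the skb; payload that lives in paged fragments is not visible this way and has to be fetched with `bpf_skb_load_bytes`, which performs its own bounds checking. And because the IP total length comes from the packet, it is clamped to what the buffer actually holds before it is used to size the payload, so a crafted header cannot push the read past `data_end`.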

@vadorovsky vadorovsky marked this pull request as draft November 13, 2023 12:20
@vadorovsky vadorovsky changed the title chore: Update Aya fix: Use cgroup_skb programs for payload inspection Nov 15, 2023
@vadorovsky vadorovsky marked this pull request as ready for review December 7, 2023 22:53
@banditopazzo banditopazzo merged commit fd5b862 into exein-io:main Dec 11, 2023
17 checks passed
@vadorovsky vadorovsky deleted the update-aya branch December 11, 2023 14:33