Add O_PATH-based BPF_OBJ_PIN and BPF_OBJ_GET support #5076
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![kernel-patches-daemon-bpf[bot]](https://avatars.githubusercontent.com/u/70728002?s=60&v=4){kind=small}
|
Upstream branch: 108598c |
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
e35e124
to
4d9941c
Compare
|
Upstream branch: 108598c |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/747804=>bpf-next
branch
from
4661cc1
to
55671e3
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
4d9941c
to
73bb5bc
Compare
|
Upstream branch: 108598c |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/747804=>bpf-next
branch
from
55671e3
to
244702c
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
73bb5bc
to
5ef086f
Compare
|
Upstream branch: 3879122 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/747804=>bpf-next
branch
from
244702c
to
d1eb2a7
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
5ef086f
to
380f2de
Compare
|
Upstream branch: de58ef4 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/747804=>bpf-next
branch
from
d1eb2a7
to
857ca4f
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
380f2de
to
ecc5371
Compare
|
Upstream branch: 0697e43 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/747804=>bpf-next
branch
from
857ca4f
to
3e3ebd0
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
ecc5371
to
95cf174
Compare
|
Upstream branch: cff3639 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/747804=>bpf-next
branch
from
3e3ebd0
to
8e50d5e
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
95cf174
to
bf42de8
Compare
|
Upstream branch: 2a36c26 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/747804=>bpf-next
branch
from
8e50d5e
to
0794742
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
bf42de8
to
528fccf
Compare
|
Upstream branch: 8819495 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/747804=>bpf-next
branch
from
0794742
to
880e104
Compare
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=747804 expired. Closing PR. |
Current UAPI of BPF_OBJ_PIN and BPF_OBJ_GET commands of bpf() syscall forces users to specify pinning location as a string-based absolute or relative (to current working directory) path. This has various implications related to security (e.g., symlink-based attacks), forces BPF FS to be exposed in the file system, which can cause races with other applications. One of the feedbacks we got from folks working with containers heavily was that inability to use purely FD-based location specification was an unfortunate limitation and hindrance for BPF_OBJ_PIN and BPF_OBJ_GET commands. This patch closes this oversight, adding path_fd field to BPF_OBJ_PIN and BPF_OBJ_GET UAPI, following conventions established by *at() syscalls for dirfd + pathname combinations. This now allows interesting possibilities like working with detached BPF FS mount (e.g., to perform multiple pinnings without running a risk of someone interfering with them), and generally making pinning/getting more secure and not prone to any races and/or security attacks. This is demonstrated by a selftest added in subsequent patch that takes advantage of new mount APIs (fsopen, fsconfig, fsmount) to demonstrate creating detached BPF FS mount, pinning, and then getting BPF map out of it, all while never exposing this private instance of BPF FS to outside worlds. Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Add path_fd support for bpf_obj_pin() and bpf_obj_get() operations (through their opts-based variants). This allows to take advantage of new kernel-side support for O_PATH-based pin/get location specification. Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Add a selftest demonstrating using detach-mounted BPF FS using new mount APIs, and pinning and getting BPF map using such mount. This demonstrates how something like container manager could setup BPF FS, pin and adjust all the necessary objects in it, all before exposing BPF FS to a particular mount namespace. Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
|
Upstream branch: effcf62 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/747804=>bpf-next
branch
from
880e104
to
7ddad94
Compare
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=749044 expired. Closing PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: Add O_PATH-based BPF_OBJ_PIN and BPF_OBJ_GET support
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=747804