mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-06 02:50:43 +00:00
Code Issues Releases Wiki Activity
linux-stable/include
History
Andrey Ignatov 5e43f899b0 bpf: Check attach type at prog load time 
== The problem ==

There are use-cases when a program of some type can be attached to
multiple attach points and those attach points must have different
permissions to access context or to call helpers.

E.g. context structure may have fields for both IPv4 and IPv6 but it
doesn't make sense to read from / write to IPv6 field when attach point
is somewhere in IPv4 stack.

Same applies to BPF-helpers: it may make sense to call some helper from
some attach point, but not from other for same prog type.

== The solution ==

Introduce `expected_attach_type` field in in `struct bpf_attr` for
`BPF_PROG_LOAD` command. If scenario described in "The problem" section
is the case for some prog type, the field will be checked twice:

1) At load time prog type is checked to see if attach type for it must
   be known to validate program permissions correctly. Prog will be
   rejected with EINVAL if it's the case and `expected_attach_type` is
   not specified or has invalid value.

2) At attach time `attach_type` is compared with `expected_attach_type`,
   if prog type requires to have one, and, if they differ, attach will
   be rejected with EINVAL.

The `expected_attach_type` is now available as part of `struct bpf_prog`
in both `bpf_verifier_ops->is_valid_access()` and
`bpf_verifier_ops->get_func_proto()` () and can be used to check context
accesses and calls to helpers correspondingly.

Initially the idea was discussed by Alexei Starovoitov <ast@fb.com> and
Daniel Borkmann <daniel@iogearbox.net> here:
https://marc.info/?l=linux-netdev&m=152107378717201&w=2

Signed-off-by: Andrey Ignatov <rdna@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2018-03-31 02:14:44 +02:00
..
acpi ACPICA: Update version to 20180105 2018-02-06 10:32:13 +01:00
asm-generic bpf: introduce BPF_RAW_TRACEPOINT 2018-03-28 22:55:19 +02:00
clocksource
crypto
drm drm/nouveau: prefer XBGR2101010 for addfb ioctl 2018-02-23 13:51:42 +01:00
dt-bindings net: phy: dp83867: Add binding for the CLK_OUT pin muxing option 2018-02-14 15:33:43 -05:00
keys
kvm KVM: arm/arm64: Reset mapped IRQs on VM reset 2018-03-14 18:29:14 +00:00
linux bpf: Check attach type at prog load time 2018-03-31 02:14:44 +02:00
math-emu
media media: dvb: update buffer mmaped flags and frame counter 2018-02-23 11:44:08 -05:00
memory
misc powerpc updates for 4.16 2018-02-02 10:01:04 -08:00
net bpf: sockmap redirect ingress support 2018-03-30 00:09:43 +02:00
pcmcia
ras
rdma RDMA/verbs: Remove restrack entry from XRCD structure 2018-03-19 14:10:30 -06:00
scsi SCSI fixes on 20180306 2018-03-07 10:50:15 -08:00
soc ARC fixes for 4.16-rc4 2018-03-01 14:32:23 -08:00
sound Merge branch 'topic/fixes' into for-linus 2018-02-12 09:36:26 +01:00
target
trace bpf: introduce BPF_RAW_TRACEPOINT 2018-03-28 22:55:19 +02:00
uapi bpf: Check attach type at prog load time 2018-03-31 02:14:44 +02:00
video fbdev changes for v4.16: 2018-02-07 13:10:43 -08:00
xen