bpf: introduce new program type for skbs on sockets
A class of programs, run from strparser and soon from a new map type called sock map, are used with skb as the context but on established sockets. By creating a specific program type for these we can use bpf helpers that expect full sockets and get the verifier to ensure these helpers are not used out of context. The new type is BPF_PROG_TYPE_SK_SKB. This patch introduces the infrastructure and type. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
db5980d804
commit
b005fd189c
@ -11,6 +11,7 @@ BPF_PROG_TYPE(BPF_PROG_TYPE_LWT_IN, lwt_inout_prog_ops)
BPF_PROG_TYPE(BPF_PROG_TYPE_LWT_OUT, lwt_inout_prog_ops)
BPF_PROG_TYPE(BPF_PROG_TYPE_LWT_OUT, lwt_inout_prog_ops)
BPF_PROG_TYPE(BPF_PROG_TYPE_LWT_XMIT, lwt_xmit_prog_ops)
BPF_PROG_TYPE(BPF_PROG_TYPE_LWT_XMIT, lwt_xmit_prog_ops)
BPF_PROG_TYPE(BPF_PROG_TYPE_SOCK_OPS, sock_ops_prog_ops)
BPF_PROG_TYPE(BPF_PROG_TYPE_SOCK_OPS, sock_ops_prog_ops)
BPF_PROG_TYPE(BPF_PROG_TYPE_SK_SKB, sk_skb_prog_ops)
#endif
#endif
#ifdef CONFIG_BPF_EVENTS
#ifdef CONFIG_BPF_EVENTS
BPF_PROG_TYPE(BPF_PROG_TYPE_KPROBE, kprobe_prog_ops)
BPF_PROG_TYPE(BPF_PROG_TYPE_KPROBE, kprobe_prog_ops)
@ -127,6 +127,7 @@ enum bpf_prog_type {
BPF_PROG_TYPE_LWT_OUT,
BPF_PROG_TYPE_LWT_OUT,
BPF_PROG_TYPE_LWT_XMIT,
BPF_PROG_TYPE_LWT_XMIT,
BPF_PROG_TYPE_SOCK_OPS,
BPF_PROG_TYPE_SOCK_OPS,
BPF_PROG_TYPE_SK_SKB,
};
};
enum bpf_attach_type {
enum bpf_attach_type {
@ -3234,6 +3234,20 @@ static const struct bpf_func_proto *
}
}
}
}
static const struct bpf_func_proto *sk_skb_func_proto(enum bpf_func_id func_id)
{
switch (func_id) {
case BPF_FUNC_skb_load_bytes:
return &bpf_skb_load_bytes_proto;
case BPF_FUNC_get_socket_cookie:
return &bpf_get_socket_cookie_proto;
case BPF_FUNC_get_socket_uid:
return &bpf_get_socket_uid_proto;
default:
return bpf_base_func_proto(func_id);
}
}
static const struct bpf_func_proto *
static const struct bpf_func_proto *
lwt_xmit_func_proto(enum bpf_func_id func_id)
lwt_xmit_func_proto(enum bpf_func_id func_id)
{
{
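Review bot: sk_skb_func_proto exposes only bpf_skb_load_bytes, bpf_get_socket_cookie and bpf_get_socket_uid on top of bpf_base_func_proto, while the commit message motivates the new type by helpers that need a full socket; nothing in the function records that this narrow allow-list is deliberate, so a later change can widen it without seeing the constraint it was written under. A header comment would keep the intent checkable, e.g. `/* Helpers for SK_SKB programs: the skb belongs to an established socket, so socket helpers are safe; keep this list minimal and extend it only together with the matching verifier context checks. */`. As a point of style, the neighbouring lwt_xmit_func_proto puts `static const struct bpf_func_proto *` on its own line and the name on the next, whereas sk_skb_func_proto keeps both on one line; matching the surrounding layout would keep the file consistent. The trailing context of this hunk only opens lwt_xmit_func_proto, whose body lies outside the hunk.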
@ -3525,6 +3539,22 @@ static bool sock_ops_is_valid_access(int off, int size,
return __is_valid_sock_ops_access(off, size);
return __is_valid_sock_ops_access(off, size);
}
}
static bool sk_skb_is_valid_access(int off, int size,
enum bpf_access_type type,
struct bpf_insn_access_aux *info)
{
switch (off) {
case bpf_ctx_range(struct __sk_buff, data):
info->reg_type = PTR_TO_PACKET;
break;
case bpf_ctx_range(struct __sk_buff, data_end):
info->reg_type = PTR_TO_PACKET_END;
break;
}
return bpf_skb_is_valid_access(off, size, type, info);
}
static u32 bpf_convert_ctx_access(enum bpf_access_type type,
static u32 bpf_convert_ctx_access(enum bpf_access_type type,
const struct bpf_insn *si,
const struct bpf_insn *si,
struct bpf_insn *insn_buf,
struct bpf_insn *insn_buf,
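Review bot: The `switch (off)` in sk_skb_is_valid_access has no `default:` label, and nothing states that the size and read/write checks for the data and data_end offsets are delegated to bpf_skb_is_valid_access, so a reader may take the two `case` arms for the whole validation. Adding `default: break;` and a comment above the switch such as `/* Tag data/data_end as packet pointers; size and access-type checks are left to bpf_skb_is_valid_access() */` makes the contract visible. Note that `info->reg_type` is written before the delegated check runs; presumably a rejected access discards `info`, but that is worth confirming since the hint is set regardless of the outcome. The trailing context only opens bpf_convert_ctx_access, whose body lies outside the hunk.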
@ -3994,6 +4024,12 @@ const struct bpf_verifier_ops sock_ops_prog_ops = {
.convert_ctx_access = sock_ops_convert_ctx_access,
.convert_ctx_access = sock_ops_convert_ctx_access,
};
};
const struct bpf_verifier_ops sk_skb_prog_ops = {
.get_func_proto = sk_skb_func_proto,
.is_valid_access = sk_skb_is_valid_access,
.convert_ctx_access = bpf_convert_ctx_access,
};
int sk_detach_filter(struct sock *sk)
int sk_detach_filter(struct sock *sk)
{
{
int ret = -ENOENT;
int ret = -ENOENT;