• A
    bpf: Check attach type at prog load time · 5e43f899
    Andrey Ignatov 提交于
    == The problem ==
    
    There are use-cases when a program of some type can be attached to
    multiple attach points and those attach points must have different
    permissions to access context or to call helpers.
    
    E.g. context structure may have fields for both IPv4 and IPv6 but it
    doesn't make sense to read from / write to IPv6 field when attach point
    is somewhere in IPv4 stack.
    
    Same applies to BPF-helpers: it may make sense to call some helper from
    some attach point, but not from other for same prog type.
    
    == The solution ==
    
    Introduce `expected_attach_type` field in in `struct bpf_attr` for
    `BPF_PROG_LOAD` command. If scenario described in "The problem" section
    is the case for some prog type, the field will be checked twice:
    
    1) At load time prog type is checked to see if attach type for it must
       be known to validate program permissions correctly. Prog will be
       rejected with EINVAL if it's the case and `expected_attach_type` is
       not specified or has invalid value.
    
    2) At attach time `attach_type` is compared with `expected_attach_type`,
       if prog type requires to have one, and, if they differ, attach will
       be rejected with EINVAL.
    
    The `expected_attach_type` is now available as part of `struct bpf_prog`
    in both `bpf_verifier_ops->is_valid_access()` and
    `bpf_verifier_ops->get_func_proto()` () and can be used to check context
    accesses and calls to helpers correspondingly.
    
    Initially the idea was discussed by Alexei Starovoitov <ast@fb.com> and
    Daniel Borkmann <daniel@iogearbox.net> here:
    https://marc.info/?l=linux-netdev&m=152107378717201&w=2Signed-off-by: NAndrey Ignatov <rdna@fb.com>
    Signed-off-by: NAlexei Starovoitov <ast@kernel.org>
    Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
    5e43f899
bpf.h 20.8 KB