提交 2ee7fba0 编写于 作者: S Stanislav Fomichev 提交者: Daniel Borkmann

flow_dissector: allow access only to a subset of __sk_buff fields

Use whitelist instead of a blacklist and allow only a small set of
fields that might be relevant in the context of flow dissector:
  * data
  * data_end
  * flow_keys

This is required for the eth_get_headlen case where we have only a
chunk of data to dissect (i.e. trying to read the other skb fields
doesn't make sense).

Note, that it is a breaking API change! However, we've provided
flow_keys->n_proto as a substitute for skb->protocol; and there is
no need to manually handle skb->vlan_present. So even if we
break somebody, the migration is trivial. Unfortunately, we can't
support eth_get_headlen use-case without those breaking changes.
Signed-off-by: NStanislav Fomichev <sdf@google.com>
Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
上级 b9e9c859
...@@ -6613,14 +6613,8 @@ static bool flow_dissector_is_valid_access(int off, int size, ...@@ -6613,14 +6613,8 @@ static bool flow_dissector_is_valid_access(int off, int size,
const struct bpf_prog *prog, const struct bpf_prog *prog,
struct bpf_insn_access_aux *info) struct bpf_insn_access_aux *info)
{ {
if (type == BPF_WRITE) { if (type == BPF_WRITE)
switch (off) { return false;
case bpf_ctx_range_till(struct __sk_buff, cb[0], cb[4]):
break;
default:
return false;
}
}
switch (off) { switch (off) {
case bpf_ctx_range(struct __sk_buff, data): case bpf_ctx_range(struct __sk_buff, data):
...@@ -6632,11 +6626,7 @@ static bool flow_dissector_is_valid_access(int off, int size, ...@@ -6632,11 +6626,7 @@ static bool flow_dissector_is_valid_access(int off, int size,
case bpf_ctx_range_ptr(struct __sk_buff, flow_keys): case bpf_ctx_range_ptr(struct __sk_buff, flow_keys):
info->reg_type = PTR_TO_FLOW_KEYS; info->reg_type = PTR_TO_FLOW_KEYS;
break; break;
case bpf_ctx_range(struct __sk_buff, tc_classid): default:
case bpf_ctx_range(struct __sk_buff, data_meta):
case bpf_ctx_range_till(struct __sk_buff, family, local_port):
case bpf_ctx_range(struct __sk_buff, tstamp):
case bpf_ctx_range(struct __sk_buff, wire_len):
return false; return false;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册