Re: New bcc helpers

Home Messages Hashtags Subgroups

This group is locked. No changes can be made to the group while it is locked.

#1047

Re: New bcc helpers

neirac #1047 Hi, I have implemented helper bpf_get_current_ns_info(void* buf, int size) as was proposed. Let me know if something else is needed or if any other change in the code is required, I'm currently testing this change on bcc tools. Here are the diffs against Kernel 4.13 diff -uN linux/linux-4.13/kernel/bpf/core.c ebpf-backports/new-bcc-helpers/linux-4.13/kernel/bpf/core.c --- linux/linux-4.13/kernel/bpf/core.c 2017-09-03 13:56:17.000000000 -0700 +++ ebpf-backports/new-bcc-helpers/linux-4.13/kernel/bpf/core.c 2017-09-11 04:25:04.200417393 -0700 @@ -1379,6 +1379,9 @@ const struct bpf_func_proto bpf_get_current_uid_gid_proto __weak; const struct bpf_func_proto bpf_get_current_comm_proto __weak; +const struct bpf_func_proto bpf_get_current_ns_info __weak; + + const struct bpf_func_proto * __weak bpf_get_trace_printk_proto(void) { return NULL; diff -uN linux/linux-4.13/kernel/bpf/helpers.c ebpf-backports/new-bcc-helpers/linux-4.13/kernel/bpf/helpers.c --- linux/linux-4.13/kernel/bpf/helpers.c 2017-09-03 13:56:17.000000000 -0700 +++ ebpf-backports/new-bcc-helpers/linux-4.13/kernel/bpf/helpers.c 2017-09-11 06:23:55.329880482 -0700 @@ -18,6 +18,7 @@ #include <linux/sched.h> #include <linux/uidgid.h> #include <linux/filter.h> +#include <linux/pid_namespace.h> /* If kernel subsystem is allowing eBPF programs to call this function, * inside its own verifier_ops->get_func_proto() callback it should return @@ -177,5 +178,51 @@ .gpl_only = false, .ret_type = RET_INTEGER, .arg1_type = ARG_PTR_TO_UNINIT_MEM, + .arg2_type = ARG_CONST_SIZE, +}; + +BPF_CALL_2(bpf_get_current_ns_info, void , buf, u32, size) +{ + struct task_struct ts = current; + struct task_struct ns_task = NULL; + const struct cred cred = NULL; + pid_t pid; + + if (unlikely(!ts)) + goto err_clear; + + ((struct bpf_current_ns_info)buf)->ns_id = + ts->nsproxy->pid_ns_for_children->ns.inum; + + pid = task_pid_nr_ns(ts, + ts->nsproxy->pid_ns_for_children); + + ns_task = find_task_by_pid_ns(pid, + ts->nsproxy->pid_ns_for_children); + + if (unlikely(!ns_task)) + goto err_clear; + + ((struct bpf_current_ns_info)buf)->tgid = ns_task->tgid; + + cred = get_task_cred(ns_task); + + if (unlikely(!cred)) + goto err_clear; + + ((struct bpf_current_ns_info)buf)->gid = cred->gid.val; + + return 0; + +err_clear: + memset(buf, 0, size); + return -EINVAL; +} + +const struct bpf_func_proto bpf_get_current_ns_info_proto = { + .func = bpf_get_current_ns_info, + .gpl_only = false, + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_UNINIT_MEM, .arg2_type = ARG_CONST_SIZE, }; --- linux/linux-4.13/include/linux/bpf.h 2017-09-03 13:56:17.000000000 -0700 +++ ebpf-backports/new-bcc-helpers/linux-4.13/include/linux/bpf.h 2017-09-11 04:36:30.460969799 -0700 @@ -226,6 +226,12 @@ struct file map_file; struct rcu_head rcu; }; +/* struct used by helper bpf_get_current_ns_info / +struct bpf_current_ns_info { + u64 ns_id; /namespace id/ + u32 tgid; /tgid inside namespace/ + u32 gid; /gid inside namespace/ +}; u64 bpf_tail_call(u64 ctx, u64 r2, u64 index, u64 r4, u64 r5); u64 bpf_get_stackid(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5); @@ -375,6 +381,9 @@ extern const struct bpf_func_proto bpf_skb_vlan_pop_proto; extern const struct bpf_func_proto bpf_get_stackid_proto; + +extern const struct bpf_func_proto bpf_get_current_ns_info_proto; + / Shared helpers among cBPF and eBPF. / void bpf_user_rnd_init_once(void); u64 bpf_user_rnd_u32(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5); --- linux/linux-4.13/include/uapi/linux/bpf.h 2017-09-03 13:56:17.000000000 -0700 +++ ebpf-backports/new-bcc-helpers/linux-4.13/include/uapi/linux/bpf.h 2017-09-11 04:32:08.127055536 -0700 @@ -539,6 +539,15 @@ @mode: operation mode (enum bpf_adj_room_mode) * @flags: reserved for future use * Return: 0 on success or negative error code + * + * int bpf_get_current_ns_info(void buf, int size_of_buf) + stores the following namespace data into + * bpf_current_ns_info struct: + * namespace id + * tgid inside namespace + * gid inside namespace + * Return: 0 on success or negative error + * / #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ @@ -591,7 +600,9 @@ FN(get_socket_uid), \ FN(set_hash), \ FN(setsockopt), \ - FN(skb_adjust_room), + FN(skb_adjust_room), \ + FN(get_current_ns_info), + / integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call toggle quoted message Show quoted text On Sat, Sep 9, 2017 at 2:55 PM, carlos antonio neira bustos <cneirabustos@...> wrote: Thank you very much for your comments, after reading them, I realized that my change just added too much unneeded code, when we could just return the values of interest in one call. I'll delete the unneeded helpers and work on this proposed helper : struct bpf_current_ns_info { u64 ns_id; /* namespace id / u32 tgid; / tgid inside namespace / u32 gid; / gid inside namespace / } int bpf_get_current_ns_info(void buf, int size) Thanks again for your help. I'm just starting to dig in the ebpf and bcc code and it's really awesome the tools you could build with it. Bests On Sat, Sep 9, 2017 at 10:12 AM, Y Song <ys114321@...> wrote: Hi, Carlos, Thanks for the prototyping. See comments below. On Sat, Sep 9, 2017 at 6:47 AM, carlos antonio neira bustos via iovisor-dev <iovisor-dev@...> wrote: > Hi All, > > I was working on this bcc issue https://github.com/iovisor/bcc/issues/1329 > (PID filtering issues when running bpf script inside container). The current > issue is that bpf_get_current_pid_tgid() gets the pid outside the container. > I have created a couple of helpers that could help on this issue, I have add > them to bcc but currently I'm testing them. > I would like to know if my current approach is correct. > > These are the helpers implemented in this patch. > > int bpf_get_current_ns_id(void) > Return namespace id associated with current task > Return: ts->nsproxy->pid_ns_for_children->ns.inum We already have helper to get current task structure. From there, bpf_probe_read should get you to read namespace ID. > > u64 bpf_get_current_pid_ns(void) > Return pid_namespace struct > Return: struct pid_namespace Do you have a use case for this? > > u64 bpf_get_current_pid(void) > Returns pid of current task as seen from pid namespace > Return: (u64) ts->tgid << 32 \| task_pid_vnr(current); This is useful, but need extension. But in typical use case, a helper to get nsid, ns_tgid and ns_pid should be good enough. Maybe something like: struct bpf_current_ns_info { u64 ns_id; /* namespace id / u32 tgid; / tgid inside namespace / u32 gid; / gid inside namespace / } int bpf_get_current_ns_info(void buf, int size) (1). In filter case, user can call this helper to get ns_nsid and ns_tgid/ns_pid. user can already get its own from getpid() and /proc/<pid>/ns/pid. They can compare the values returned from the helper to the value currently in the container (or even the host), for filtering purpose. (2). For map key purpose, the helper returned values can be a key in the map to differentiate between different process instances. > > > cnb@Debian9:~/ebpf-backports/new-bcc-helpers/linux-4.13$ cat > new-helpers.patch > diff -uN /home/cnb/linux/linux-4.13/kernel/bpf/core.c > /home/cnb/ebpf-backports/new-bcc-helpers/linux-4.13/kernel/bpf/core.c > --- /home/cnb/linux/linux-4.13/kernel/bpf/core.c 2017-09-03 > 13:56:17.000000000 -0700 > +++ /home/cnb/ebpf-backports/new-bcc-helpers/linux-4.13/kernel/bpf/core.c > 2017-09-07 18:50:13.956874952 -0700 > @@ -1379,6 +1379,10 @@ > const struct bpf_func_proto bpf_get_current_uid_gid_proto __weak; > const struct bpf_func_proto bpf_get_current_comm_proto __weak; > +const struct bpf_func_proto bpf_get_current_pid_ns_proto __weak; > +const struct bpf_func_proto bpf_get_current_ns_id_proto __weak; > +const struct bpf_func_proto bpf_get_current_pid_proto __weak; > + > const struct bpf_func_proto * __weak bpf_get_trace_printk_proto(void) > { > return NULL; > diff -uN /home/cnb/linux/linux-4.13/kernel/bpf/helpers.c > /home/cnb/ebpf-backports/new-bcc-helpers/linux-4.13/kernel/bpf/helpers.c > --- /home/cnb/linux/linux-4.13/kernel/bpf/helpers.c 2017-09-03 > 13:56:17.000000000 -0700 > +++ /home/cnb/ebpf-backports/new-bcc-helpers/linux-4.13/kernel/bpf/helpers.c > 2017-09-09 05:57:27.970448102 -0700 > @@ -18,6 +18,7 @@ > #include <linux/sched.h> > #include <linux/uidgid.h> > #include <linux/filter.h> > +#include <linux/pid_namespace.h> > /* If kernel subsystem is allowing eBPF programs to call this function, > * inside its own verifier_ops->get_func_proto() callback it should return > @@ -179,3 +180,64 @@ > .arg1_type = ARG_PTR_TO_UNINIT_MEM, > .arg2_type = ARG_CONST_SIZE, > }; > + > +BPF_CALL_0(bpf_get_current_pid_ns) > +{ > +#ifdef CONFIG_PID_NS > + struct pid_namespace current_ns = > + task_active_pid_ns(current); > + > + if (unlikely(!current_ns)) > + return -EINVAL; > + > + return (u64) current_ns; > +#else > + > + return 0; > +#endif > + > +} > + > +const struct bpf_func_proto bpf_get_current_pid_ns_proto = { > + .func = bpf_get_current_pid_ns, > + .gpl_only = false, > + .ret_type = RET_INTEGER, > +}; > + > +BPF_CALL_0(bpf_get_current_ns_id) > +{ > + struct task_struct ts = current; > + > + if (unlikely(!ts)) > + return -EINVAL; > + > + return (unsigned int) > + ts->nsproxy->pid_ns_for_children->ns.inum; > + > +} > + > +const struct bpf_func_proto bpf_get_current_ns_id_proto = { > + .func = bpf_get_current_ns_id, > + .gpl_only = false, > + .ret_type = RET_INTEGER, > +}; > + > +BPF_CALL_0(bpf_get_current_pid) > +{ > + struct task_struct ts = current; > + pid_t pid; > + if (unlikely(!ts)) > + return -EINVAL; > + > + pid = task_pid_vnr(ts); > + > + return (u64) ts->tgid << 32 \| pid; > +} > + > +const struct bpf_func_proto bpf_get_current_pid_proto = { > + .func = bpf_get_current_pid, > + .gpl_only = false, > + .ret_type = RET_INTEGER, > +}; > + > + > --- /home/cnb/linux/linux-4.13/include/uapi/linux/bpf.h 2017-09-03 > 13:56:17.000000000 -0700 > +++ > /home/cnb/ebpf-backports/new-bcc-helpers/linux-4.13/include/uapi/linux/bpf.h > 2017-09-09 06:22:46.763652066 -0700 > @@ -539,6 +539,19 @@ > @mode: operation mode (enum bpf_adj_room_mode) > * @flags: reserved for future use > * Return: 0 on success or negative error code > + * > + * int bpf_get_current_ns_id(void) > + * Return namespace id associated with current task > + * Return: ts->nsproxy->pid_ns_for_children->ns.inum > + * > + * u64 bpf_get_current_pid_ns(void) > + * Return pid_namespace struct > + * Return: struct pid_namespace > + * > + * u64 bpf_get_current_pid(void) > + * Returns pid of current task as seen from pid namespace > + * return (u64) ts->tgid << 32 \| task_pid_vnr(current); > + * > / > #define __BPF_FUNC_MAPPER(FN) \ > FN(unspec), \ > @@ -591,7 +604,11 @@ > FN(get_socket_uid), \ > FN(set_hash), \ > FN(setsockopt), \ > - FN(skb_adjust_room), > + FN(skb_adjust_room), \ > + FN(get_current_pid_ns), \ > + FN(get_current_ns_id), \ > + FN(get_current_pid), > + > / integer value in 'imm' field of BPF_CALL instruction selects which > helper > * function eBPF program intends to call > > > > > Bests > > On Fri, Sep 8, 2017 at 2:39 PM, carlos antonio neira bustos > <cneirabustos@...> wrote: >> >> Thank you very much. >> >> On Sep 8, 2017 6:35 PM, "Y Song" <ys114321@...> wrote: >>> >>> >>> >>> On Fri, Sep 8, 2017 at 12:21 PM, carlos antonio neira bustos via >>> iovisor-dev <iovisor-dev@...> wrote: >>>> >>>> Hi, >>>> >>>> I'm trying to add new helpers to obtain a pid namespace, I'm working on >>>> kernel 4.13 >>>> >>>> --- linux/linux-4.13/kernel/bpf/helpers.c 2017-09-03 13:56:17.000000000 >>>> -0700 >>>> +++ >>>> /home/cnb/ebpf-backports/new-bcc-helpers/linux-4.13/kernel/bpf/helpers.c >>>> 2017-09-07 18:52:40.839525862 -0700 >>>> @@ -18,6 +18,7 @@ >>>> #include <linux/sched.h> >>>> #include <linux/uidgid.h> >>>> #include <linux/filter.h> >>>> +#include <linux/pid_namespace.h> >>>> >>>> /* If kernel subsystem is allowing eBPF programs to call this function, >>>> * inside its own verifier_ops->get_func_proto() callback it should >>>> return >>>> @@ -179,3 +180,64 @@ >>>> .arg1_type = ARG_PTR_TO_UNINIT_MEM, >>>> .arg2_type = ARG_CONST_SIZE, >>>> }; >>>> + >>>> +BPF_CALL_0(bpf_get_current_pid_ns) >>>> +{ >>>> +#ifdef CONFIG_PID_NS >>>> + struct pid_namespace current_ns = >>>> + task_active_pid_ns(current); >>>> + >>>> + if (unlikely(!current_ns)) >>>> + return -EINVAL; >>>> + >>>> + return (long) current_ns; >>>> +#else >>>> + >>>> + return 0; >>>> +#endif >>>> + >>>> +} >>>> + >>>> +const struct bpf_func_proto bpf_get_current_pid_ns_proto = { >>>> + .func = bpf_get_current_pid_ns, >>>> + .gpl_only = false, >>>> + .ret_type = RET_INTEGER, >>>> +}; >>>> + >>>> +BPF_CALL_0(bpf_get_current_ns_id) >>>> +{ >>>> + struct task_struct ts = current; >>>> + >>>> + if (unlikely(!ts)) >>>> + return -EINVAL; >>>> + >>>> + return (unsigned int) >>>> + ts->nsproxy->pid_ns_for_children->ns.inum; >>>> + >>>> +} >>>> + >>>> +const struct bpf_func_proto bpf_get_current_ns_id_proto = { >>>> + .func = bpf_get_current_ns_id, >>>> + .gpl_only = false, >>>> + .ret_type = RET_INTEGER, >>>> +}; >>>> + >>>> +BPF_CALL_0(bpf_get_current_pid) >>>> +{ >>>> + struct task_struct *ts = current; >>>> + >>>> + if (unlikely(!ts)) >>>> + return -EINVAL; >>>> + >>>> + pid_t pid = task_pid_vnr(ts); >>>> + >>>> + return (u64) ts->tgid << 32 \| pid; >>>> +} >>>> + >>>> +const struct bpf_func_proto bpf_get_current_pid_proto = { >>>> + .func = bpf_get_current_pid, >>>> + .gpl_only = false, >>>> + .ret_type = RET_INTEGER, >>>> +}; >>>> + >>>> + >>>> I wanted to integrate this on bcc tools, so I added these helpers on >>>> bcc/src/cc/compat/linux/virtual_bpf.h >>>> bcc/src/cc/compat/linux/bpf.h >>>> bcc/src/cc/export/helpers.h >>>> bcc/src/cc/export/helpers.h >>>> >>>> then just to test one of them I modified bcc/tools/funccount.py >>>> >>>> --- funccount.py 2017-09-08 12:14:57.601604654 -0700 >>>> +++ /home/cnb/bcc-new-helpers/bcc/tools/funccount.py 2017-09-07 >>>> 20:27:32.982815146 -0700 >>>> @@ -185,7 +185,7 @@ >>>> # the top 32 bits of bpf_get_current_pid_tgid(). >>>> if self.pid: >>>> trace_count_text = trace_count_text.replace('FILTER', >>>> - """u32 pid = bpf_get_current_pid_tgid() >> 32; >>>> + """u32 pid = bpf_get_current_pid() >> 32; >>>> if (pid != %d) { return 0; }""" % self.pid) >>>> else: >>>> trace_count_text = trace_count_text.replace('FILTER', '') >>>> >>>> >>>> but I'm getting this error >>>> >>>> cnb@Debian9:~/bcc/tools$ sudo /usr/share/bcc/tools/funccount -p 385 >>>> c:malloc >>>> bpf: Invalid argument >>>> 0: (85) call unknown#51 >>>> invalid func unknown#51 >>>> Failed to load BPF program trace_count_0: Invalid argument >>>> >>>> >>>> Is something that I'm missing on the bcc side or on bpf side ? >>> >>> >>> In kernel, you need to add your function proto to kprobe_prog_func_proto >>> in kernel/trace/bpf_trace.c >>> >>>> >>>> >>>> Bests >>>> >>>> >>>> _______________________________________________ >>>> iovisor-dev mailing list >>>> iovisor-dev@... >>>> https://lists.iovisor.org/mailman/listinfo/iovisor-dev >>>> >>> > > > _______________________________________________ > iovisor-dev mailing list > iovisor-dev@... > https://lists.iovisor.org/mailman/listinfo/iovisor-dev >

View All 7 Messages In Topic

#1047

Join iovisor-dev@lists.iovisor.org to automatically receive all group messages.

Home Hashtags Subgroups Terms