[PATCH] BPF: helpers: New helper bpf_get_current_pidns_info to obtain namespace data from current task.

Home Messages Hashtags Subgroups

#1439

[PATCH] BPF: helpers: New helper bpf_get_current_pidns_info to obtain namespace data from current task.

Quentin Monnet #1439 2018-08-006 22:55 UTC-0400 ~ cnb <cneirabustos@...> This helper obtains the active namespace from current and returns pid, tgid, device major/minor and namespace id as seen from that ns, allowing to do pid filtering inside a container. Major and minor are obtained from /proc/self/pid, as in the future it's possible that different pid_ns files may belong to different devices, according to the discussion between Eric Biederman and Yonghong in 2017 linux plumbers conference. Currently bpf_get_current_pid_tgid() is used to do pid filtering in bcc's scripts but this helper returns the pid as seen by the root namespace, which is fine when a bcc script is not executed inside a container. When a bcc script is executed inside a container, pid filtering will not work if bpf_get_current_pid_tgid is used. This helper addresses this limitation returning the pid as it's seen by the current namespace where the script is executing. This helper has the same use cases as bpf_get_current_pid_tgid() as it can be used to do pid filtering inside a container. For example a bcc script using bpf_get_current_pid_tgid() (tools/funccount.py): u32 pid = bpf_get_current_pid_tgid() >> 32; if (pid != <pid_arg_passed_in>) { return 0; } Could be modified to use bpf_get_current_pidns_info() as follows: struct bpf_pidns_info pidns; bpf_get_current_pid_tgid(&pidns, sizeof(struct bpf_pidns_info)); u32 pid = pidns.tgid; if (pid != <pid_arg_passed_in>) { return 0; } --- include/linux/bpf.h \| 1 + include/uapi/linux/bpf.h \| 20 +++++++++- kernel/bpf/core.c \| 1 + kernel/bpf/helpers.c \| 64 +++++++++++++++++++++++++++++++ kernel/trace/bpf_trace.c \| 2 + samples/bpf/Makefile \| 3 ++ samples/bpf/trace_ns_info_user.c \| 35 +++++++++++++++++ samples/bpf/trace_ns_info_user_kern.c \| 45 ++++++++++++++++++++++ tools/include/uapi/linux/bpf.h \| 20 +++++++++- tools/testing/selftests/bpf/bpf_helpers.h \| 3 ++ 10 files changed, 192 insertions(+), 2 deletions(-) create mode 100644 samples/bpf/trace_ns_info_user.c create mode 100644 samples/bpf/trace_ns_info_user_kern.c […] diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index dd5758dc35d3..b53e5c21805a 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -173,6 +173,16 @@ enum bpf_attach_type { __MAX_BPF_ATTACH_TYPE }; +/* helper bpf_get_current_pidns_info will store the following + * data, dev will contain major/minor from /proc/self/pid. + / +struct bpf_pidns_info { + __u32 dev; + __u32 nsid; + __u32 tgid; + __u32 pid; +}; + #define MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE / cgroup-bpf attach flags used in BPF_PROG_ATTACH command @@ -2113,7 +2123,14 @@ union bpf_attr { * the shared data. * Return * Pointer to the local storage area. + * int bpf_get_current_pidns(struct bpf_pidns_info pidns, u32 size_of_pidns) + Description + * Obtains from current task values for pid, namespace, tgid and + * device major/minor from /proc/self/ns/pid + * Return + * 0 on success -EINVAL on error. Hi Carlos, I just gave a look at the helper documentation. The text is supposed to be turned into a man page for users not familiar with the helper, so we're trying to keep style consistent. Before you send your patch to netdev, could you please specify in the Description what the arguments for the helper are? And while doing so, emphasize their names between stars (have a look at the descriptions for the other helpers)? Additional nits: s/Obtains/Obtain/, and a period at the end of the sentence if you don't mind… Thanks a lot! / + No need for a new line here. #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ FN(map_lookup_elem), \ @@ -2196,7 +2213,8 @@ union bpf_attr { FN(rc_keydown), \ FN(skb_cgroup_id), \ FN(get_current_cgroup_id), \ - FN(get_local_storage), + FN(get_local_storage), \ + FN(get_current_pidns_info), / integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call […] diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index dd5758dc35d3..b53e5c21805a 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h (And please do not forget to report the changes to this file as well.) Thanks! Quentin
More All Messages By This Member

View All 8 Messages In Topic

#1439

Join {iovisor-dev@lists.iovisor.org to automatically receive all group messages.

Home Hashtags Subgroups Terms