d200cf62 | 23-Jul-2020 |
Christoph Hellwig <hch@lst.de> |
bpfilter: reject kernel addresses
The bpfilter user mode helper processes the optval address using process_vm_readv. Don't send it kernel addresses fed under set_fs(KERNEL_DS) as that won't work.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
c9ffebdd | 23-Jul-2020 |
Christoph Hellwig <hch@lst.de> |
net/bpfilter: split __bpfilter_process_sockopt
Split __bpfilter_process_sockopt into a low-level send request routine and the actual setsockopt hook to split the init time ping from the actual setsockopt processing.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
9326e0f8 | 01-Jul-2020 |
Masahiro Yamada <masahiroy@kernel.org> |
bpfilter: Allow to build bpfilter_umh as a module without static library
Originally, bpfilter_umh was linked with -static only when CONFIG_BPFILTER_UMH=y.
Commit 8a2cc0505cc4 ("bpfilter: use 'userprogs' syntax to build bpfilter_umh") silently, accidentally dropped the CONFIG_BPFILTER_UMH=y test in the Makefile. Revive it in order to link it dynamically when CONFIG_BPFILTER_UMH=m.
Since commit b1183b6dca3e ("bpfilter: check if $(CC) can link static libc in Kconfig"), the compiler must be capable of static linking to enable CONFIG_BPFILTER_UMH, but it requires more than needed.
To loosen the compiler requirement, I changed the dependency as follows:
    depends on CC_CAN_LINK
    depends on m || CC_CAN_LINK_STATIC
If CONFIG_CC_CAN_LINK_STATIC is unset, CONFIG_BPFILTER_UMH is restricted to 'm' or 'n'.
In theory, CONFIG_CC_CAN_LINK is not required for CONFIG_BPFILTER_UMH=y, but I did not come up with a good way to describe it.
Fixes: 8a2cc0505cc4 ("bpfilter: use 'userprogs' syntax to build bpfilter_umh")
Reported-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Tested-by: Michal Kubecek <mkubecek@suse.cz>
Link: https://lore.kernel.org/bpf/20200701092644.762234-1-masahiroy@kernel.org
a4fa4589 | 14-Jul-2020 |
Alexei Starovoitov <ast@kernel.org> |
bpfilter: Initialize pos variable
Make sure 'pos' is initialized to zero before calling kernel_write().
Fixes: d2ba09c17a06 ("net: add skeleton of bpfilter kernel module")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
e80eb1dc | 25-Jun-2020 |
Eric W. Biederman <ebiederm@xmission.com> |
bpfilter: Take advantage of the facilities of struct pid
Instead of relying on the exit_umh cleanup callback use the fact a struct pid can be tested to see if a process still exists, and that struct pid has a wait queue that notifies when the process dies.
v1: https://lkml.kernel.org/r/87h7uydlu9.fsf_-_@x220.int.ebiederm.org
v2: https://lkml.kernel.org/r/874kqt4owu.fsf_-_@x220.int.ebiederm.org
Link: https://lkml.kernel.org/r/20200702164140.4468-14-ebiederm@xmission.com
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Tested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
1c340ead | 25-Jun-2020 |
Eric W. Biederman <ebiederm@xmission.com> |
umd: Track user space drivers with struct pid
Use struct pid instead of user space pid values that are prone to wrap around.
In addition track the entire thread group instead of just the first thread that is started by exec. There are no multi-threaded user mode drivers today but there is nothing precluding user drivers from being multi-threaded, so it is just a good idea to track the entire process.
Take a reference count on the tgid's in question to make it possible to remove exit_umh in a future change.
As a struct pid is available directly use kill_pid_info.
The prior process signalling code was iffy in using a userspace pid known to be in the initial pid namespace and then looking up its task in whatever the current pid namespace is. It worked only because kernel threads always run in the initial pid namespace.
As the tgid is now refcounted verify the tgid is NULL at the start of fork_usermode_driver to avoid the possibility of silent pid leaks.
v1: https://lkml.kernel.org/r/87mu4qdlv2.fsf_-_@x220.int.ebiederm.org
v2: https://lkml.kernel.org/r/a70l4oy8.fsf_-_@x220.int.ebiederm.org
Link: https://lkml.kernel.org/r/20200702164140.4468-12-ebiederm@xmission.com
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Tested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
0fe3c631 | 25-Jun-2020 |
Eric W. Biederman <ebiederm@xmission.com> |
bpfilter: Move bpfilter_umh back into init data
To allow for restarts 61fbf5933d42 ("net: bpfilter: restart bpfilter_umh when error occurred") moved the blob holding the userspace binary out of the init sections.
Now that loading the blob into a filesystem is separate from executing the blob, the blob no longer needs to live in .rodata to allow for restarting. So move the blob back to .init.rodata.
v1: https://lkml.kernel.org/r/87sgeidlvq.fsf_-_@x220.int.ebiederm.org
v2: https://lkml.kernel.org/r/87ftad4ozc.fsf_-_@x220.int.ebiederm.org
Link: https://lkml.kernel.org/r/20200702164140.4468-11-ebiederm@xmission.com
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Tested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
b1183b6d | 09-May-2020 |
Masahiro Yamada <masahiroy@kernel.org> |
bpfilter: check if $(CC) can link static libc in Kconfig
On Fedora, linking static glibc requires the glibc-static RPM package, which is not part of the glibc-devel package.
CONFIG_CC_CAN_LINK does not check the capability of static linking, so you can enable CONFIG_BPFILTER_UMH, then fail to build:
    HOSTLD net/bpfilter/bpfilter_umh
    /usr/bin/ld: cannot find -lc
    collect2: error: ld returned 1 exit status
Add CONFIG_CC_CAN_LINK_STATIC, and make CONFIG_BPFILTER_UMH depend on it.
Reported-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>