On 02/07/2017 01:02 AM, Alexei Starovoitov wrote:
On 2/6/17 3:39 PM, Daniel Borkmann wrote:
On 02/04/2017 04:34 AM, Alexei Starovoitov wrote:
[...]
+BPF_CALL_1(bpf_skb_netns_id, struct sk_buff *, skb)
+{
+ struct net_device *dev = skb->dev;
+
+ if (!dev)
+ return 0;
+ return proc_get_ns_devid_inum(&dev_net(dev)->ns);
+}
+
+static const struct bpf_func_proto bpf_skb_netns_id_proto = {
+ .func = bpf_skb_netns_id,
+ .gpl_only = false,
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_CTX,
+};
+
static const struct bpf_func_proto *
sk_filter_func_proto(enum bpf_func_id func_id)
{
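Review bot: in bpf_skb_netns_id(), the `if (!dev) return 0;` path makes 0 a sentinel for "no device", but nothing in the hunk documents that, and the visible lines do not show whether proc_get_ns_devid_inum() can itself return 0. A short comment above BPF_CALL_1 stating what 0 means to a BPF program would let callers handle it deliberately. A naming point as well: the helper and its proto are called bpf_skb_netns_id while the id wired up in the switch is BPF_FUNC_sk_netns_id; using one of skb/sk for both would make the pair easier to find.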
@@ -2620,6 +2649,8 @@ sk_filter_func_proto(enum bpf_func_id func_id)
case BPF_FUNC_trace_printk:
if (capable(CAP_SYS_ADMIN))
return bpf_get_trace_printk_proto();
+ case BPF_FUNC_sk_netns_id:
+ return &bpf_skb_netns_id_proto;
default:
return NULL;
}
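Review bot: the new `case BPF_FUNC_sk_netns_id:` lands directly under the BPF_FUNC_trace_printk case, whose only exit is the `return` inside `if (capable(CAP_SYS_ADMIN))`, so a caller without CAP_SYS_ADMIN asking for BPF_FUNC_trace_printk now falls through and receives &bpf_skb_netns_id_proto instead of reaching `default: return NULL;`. Either move the new case above BPF_FUNC_trace_printk, or close the trace_printk case with an explicit `return NULL;` after the capability check so that cases added later cannot be picked up the same way.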

Btw, I think here's an oversight that would still need to be
fixed. Above would mean that trace printk from unprivileged would
fall through and use &bpf_skb_netns_id_proto as proto now instead
of NULL. So BPF_FUNC_sk_netns_id needs to be placed above the
BPF_FUNC_trace_printk case, not in its fall-through path. Looks
like Chenbo in his get_socket_cookie missed this, too. Other than
that BPF bits seem good to me.

Ahh, right. Good catch.
I'll add 'else return NULL;' otherwise somebody might step on it again.
Thanks Daniel!

I guess an explicit comment "/* fall-through */" would also be fine
and get noticed. Thanks!

Eric,
still waiting for your review of nsfs.c bits.
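
The fall-through discussed in this thread, modelled in user space as an added example (not code from the patch or the kernel): `lookup_as_posted` mirrors the case ordering of the quoted hunk, and `lookup_fixed` applies the reordering together with an explicit `return NULL;`. All identifiers are hypothetical stand-ins, and the `privileged` parameter stands in for `capable(CAP_SYS_ADMIN)`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in names (assumptions), not the kernel's own types or ids. */
enum func_id { FUNC_TRACE_PRINTK, FUNC_NETNS_ID, FUNC_OTHER };
struct proto { const char *name; };

static const struct proto trace_printk_proto = { "trace_printk" };
static const struct proto netns_id_proto = { "netns_id" };

/* Case order as in the quoted hunk: the new case sits below the gated one. */
static const struct proto *lookup_as_posted(enum func_id id, bool privileged)
{
	switch (id) {
	case FUNC_TRACE_PRINTK:
		if (privileged)
			return &trace_printk_proto;
		/* falls through - an unprivileged caller reaches the next case */
	case FUNC_NETNS_ID:
		return &netns_id_proto;
	default:
		return NULL;
	}
}

/* Ungated case first; the gated case ends with its own return. */
static const struct proto *lookup_fixed(enum func_id id, bool privileged)
{
	switch (id) {
	case FUNC_NETNS_ID:
		return &netns_id_proto;
	case FUNC_TRACE_PRINTK:
		if (privileged)
			return &trace_printk_proto;
		return NULL;
	default:
		return NULL;
	}
}

int main(void)
{
	const struct proto *p = lookup_as_posted(FUNC_TRACE_PRINTK, false);
	const struct proto *q = lookup_fixed(FUNC_TRACE_PRINTK, false);

	printf("as posted, unprivileged trace_printk -> %s\n", p ? p->name : "NULL");
	printf("fixed,     unprivileged trace_printk -> %s\n", q ? q->name : "NULL");
	return 0;
}
```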