| commit | e37485f56800ced80b05ba90be850c258af386ac | [log] [tgz] |
|---|---|---|
| author | Andrii Nakryiko <andrii@kernel.org> | Mon May 15 16:48:06 2023 -0700 |
| committer | Quentin Monnet <qmonnet+github@qoba.lt> | Fri May 26 11:31:50 2023 +0100 |
| tree | a078d738dbe403626c0f75301fb80e5b7758336c | |
| parent | 3270b21dd4f5ea58f58bf5e2d85572703d1db5f9 [diff] |
bpf: Support O_PATH FDs in BPF_OBJ_PIN and BPF_OBJ_GET commands Current UAPI of BPF_OBJ_PIN and BPF_OBJ_GET commands of bpf() syscall forces users to specify pinning location as a string-based absolute or relative (to current working directory) path. This has various implications related to security (e.g., symlink-based attacks), forces BPF FS to be exposed in the file system, which can cause races with other applications. One of the feedbacks we got from folks working with containers heavily was that inability to use purely FD-based location specification was an unfortunate limitation and hindrance for BPF_OBJ_PIN and BPF_OBJ_GET commands. This patch closes this oversight, adding path_fd field to BPF_OBJ_PIN and BPF_OBJ_GET UAPI, following conventions established by *at() syscalls for dirfd + pathname combinations. This now allows interesting possibilities like working with detached BPF FS mount (e.g., to perform multiple pinnings without running a risk of someone interfering with them), and generally making pinning/getting more secure and not prone to any races and/or security attacks. This is demonstrated by a selftest added in subsequent patch that takes advantage of new mount APIs (fsopen, fsconfig, fsmount) to demonstrate creating detached BPF FS mount, pinning, and then getting BPF map out of it, all while never exposing this private instance of BPF FS to outside worlds. Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Christian Brauner <brauner@kernel.org> Link: https://lore.kernel.org/bpf/20230523170013.728457-4-andrii@kernel.org
This is a mirror of bpf-next Linux source tree's tools/bpf/bpftool directory, plus its few dependencies from under kernel/bpf/, and its supporting header files.
All the gory details of syncing can be found in scripts/sync-kernel.sh script.
Some header files in this repo (include/linux/*.h) are reduced versions of their counterpart files at bpf-next's tools/include/linux/*.h to make compilation successful.
Please check out the manual pages for documentation about bpftool. A number of example invocations are also displayed in this blog post.
All general BPF questions, including kernel functionality, bpftool features and usage, should be sent to bpf@vger.kernel.org mailing list. You can subscribe to it here and search its archive here. Please search the archive before asking new questions. It very well might be that this was already addressed or answered before.
bpf@vger.kernel.org is monitored by many more people and they will happily try to help you with whatever issue you have. This repository's PRs and issues should be opened only for dealing with issues pertaining to specific way this bpftool mirror repo is set up and organized.
Required:
Optional:
This repository uses libbpf as a submodule. You can initialize it when cloning bpftool:
$ git clone --recurse-submodules https://github.com/libbpf/bpftool.git
Alternatively, if you have already cloned the repository, you can initialize the submodule by running the following command from within the repository:
$ git submodule update --init
To build bpftool:
$ cd src
$ make
To build and install bpftool on the system:
$ cd src # make install
Building bpftool in a separate directory is supported via the OUTPUT variable:
$ mkdir /tmp/bpftool $ cd src $ OUTPUT=/tmp/bpftool make
Most of the output is suppressed by default, but detailed building logs can be displayed by passing V=1:
$ cd src $ make V=1
Additional compilation flags can be passed to the command line if required. For example, we can create a static build with the following commands:
$ cd src $ EXTRA_CFLAGS=--static make
Note that to use the LLVM disassembler with static builds, we need a static version of the LLVM library installed on the system:
Download a precompiled LLVM release or build it locally.
Download the appropriate release of LLVM for your platform, for example on x86_64 with LLVM 15.0.0:
$ curl -LO https://github.com/llvm/llvm-project/releases/download/llvmorg-15.0.0/clang+llvm-15.0.0-x86_64-linux-gnu-rhel-8.4.tar.xz $ tar xvf clang+llvm-15.0.0-x86_64-linux-gnu-rhel-8.4.tar.xz $ mv clang+llvm-15.0.0-x86_64-linux-gnu-rhel-8.4 llvm_build
Alternatively, clone and build the LLVM libraries locally.
$ git clone https://github.com/llvm/llvm-project.git $ mkdir llvm_build $ cmake -S llvm-project/llvm -B llvm_build -DCMAKE_BUILD_TYPE=Release $ make -j -C llvm_build llvm-config llvm-libraries
Build bpftool with EXTRA_CFLAGS set to --static, and by passing the path to the relevant llvm-config.
$ cd bpftool $ LLVM_CONFIG=../../llvm_build/bin/llvm-config EXTRA_CFLAGS=--static make -j -C src
The man pages for bpftool can be built with:
$ cd docs
$ make
They can be installed on the system with:
$ cd docs # make install
This work is dual-licensed under the GNU GPL v2.0 (only) license and the BSD 2-clause license. You can choose between one of them if you use this work.
SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)