From patchwork Tue Sep 6 23:48:46 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12968293 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4E011C38145 for ; Tue, 6 Sep 2022 23:49:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229619AbiIFXtH (ORCPT ); Tue, 6 Sep 2022 19:49:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57572 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229585AbiIFXtG (ORCPT ); Tue, 6 Sep 2022 19:49:06 -0400 Received: from mail-pj1-x1049.google.com (mail-pj1-x1049.google.com [IPv6:2607:f8b0:4864:20::1049]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B311C91D10 for ; Tue, 6 Sep 2022 16:49:05 -0700 (PDT) Received: by mail-pj1-x1049.google.com with SMTP id j11-20020a17090a738b00b001faeb619f6eso5073490pjg.5 for ; Tue, 06 Sep 2022 16:49:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date; bh=7JzQvNuV+huKghBCFvtgwncICdsG5n37tZbHNby+uDE=; b=WU0UMCmLS4x7J61ksfqfKoWXC3BOaZt4Y5CgTNYVMKXElCctNMLESkwSdPLyaCROmr IXYaLJm3LUB/fSWfsV9/PFFlJO+jruPLRWXzhqeOZ5mi6/0grRilfx/zyBzI4QodiZk/ GjBxzND7xQYP0lq8/4B69HhXCNigb50JyFvmcbahCG5Z6kqBpr/Cw0NCzdSDhKf4Usyu J1zkesQcE/UEjvHregH7D+r7SKxfkSfDZmM4A1S1jSXB7AXyrt49bytpncUZhdqmLsf1 RgnQnCoQ+aJk1QHC3KApB1IZyNgTC3qk0l2G/xdr0zJrnaGb7RMMo290f9j+b/X7jHbr Qsgg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date; bh=7JzQvNuV+huKghBCFvtgwncICdsG5n37tZbHNby+uDE=; b=qIDlkDRWZPUgIINpvNKqnuGVDbNLFPLeJVNzxfxKvxwdWPLalIMQ6j92N9bk+MSH5l cTd/Y6pG4GCIn4XsiLaEV7a9hLVwidzwxnKMhOCkGE5Xds4KRKLJjncL59PFLlGsaXC+ Ko5tSIc9SlX2T5l+61ILD/FKmlaSPZ5rGcIIlEZwyppTJgy9n0ciDZe6j9vHwI2LE0vC oT0fj/1oU30bCuIEQqGxrg+WjtwUkhDbA71HWMqM1Pi3CC0mUYld+mtThavGVmZ1DG+Y Wa7ZbmfJJvcgiQQUzaV9Hxfr5B4Jwhbk9H/2UOA1tCMtVPTxP8y/69EN+LwEhADsogQq HoLA== X-Gm-Message-State: ACgBeo0yLXTb4cjawRRHoBkTTFeDZGt6qHxgpvzVqUYkGKBJfu8UBZk5 l0IFKf4dkk5xVVFixUp3vXmuqat9z8suWA== X-Google-Smtp-Source: AA6agR55HEQjmmYWCPvG3/qUHg1aZBC7igJn7rR4+GV444AfD4YiwMNvPXYL0z2BvgZOv85Yp/tYqivULZranQ== X-Received: from zhuyifei-kvm.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:2edc]) (user=zhuyifei job=sendgmr) by 2002:a05:6a00:2906:b0:52a:bc7f:f801 with SMTP id cg6-20020a056a00290600b0052abc7ff801mr1138985pfb.49.1662508145304; Tue, 06 Sep 2022 16:49:05 -0700 (PDT) Date: Tue, 6 Sep 2022 23:48:46 +0000 In-Reply-To: Mime-Version: 1.0 References: X-Mailer: git-send-email 2.37.2.789.g6183377224-goog Message-ID: <5764914c252fad4cd134fb6664c6ede95f409412.1662507638.git.zhuyifei@google.com> Subject: [PATCH v2 bpf-next 1/3] bpf: Invoke cgroup/connect{4,6} programs for unprivileged ICMP ping From: YiFei Zhu To: bpf@vger.kernel.org Cc: netdev@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Stanislav Fomichev , Martin KaFai Lau , John Fastabend , Jiri Olsa , "David S. Miller" , Hideaki YOSHIFUJI , David Ahern , Eric Dumazet , Jakub Kicinski , Paolo Abeni Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Usually when a TCP/UDP connection is initiated, we can bind the socket to a specific IP attached to an interface in a cgroup/connect hook. But for pings, this is impossible, as the hook is not being called. This adds the hook invocation to unprivileged ICMP ping (i.e. ping sockets created with SOCK_DGRAM IPPROTO_ICMP(V6) as opposed to SOCK_RAW. Logic is mirrored from UDP sockets where the hook is invoked during pre_connect, after a check for suficiently sized addr_len. Signed-off-by: YiFei Zhu --- net/ipv4/ping.c | 15 +++++++++++++++ net/ipv6/ping.c | 16 ++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c index b83c2bd9d7223..517042caf6dc1 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include @@ -295,6 +296,19 @@ void ping_close(struct sock *sk, long timeout) } EXPORT_SYMBOL_GPL(ping_close); +static int ping_pre_connect(struct sock *sk, struct sockaddr *uaddr, + int addr_len) +{ + /* This check is replicated from __ip4_datagram_connect() and + * intended to prevent BPF program called below from accessing bytes + * that are out of the bound specified by user in addr_len. + */ + if (addr_len < sizeof(struct sockaddr_in)) + return -EINVAL; + + return BPF_CGROUP_RUN_PROG_INET4_CONNECT_LOCK(sk, uaddr); +} + /* Checks the bind address and possibly modifies sk->sk_bound_dev_if. */ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, struct sockaddr *uaddr, int addr_len) @@ -1009,6 +1023,7 @@ struct proto ping_prot = { .owner = THIS_MODULE, .init = ping_init_sock, .close = ping_close, + .pre_connect = ping_pre_connect, .connect = ip4_datagram_connect, .disconnect = __udp_disconnect, .setsockopt = ip_setsockopt, diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c index 91b8405146569..5f2ef84937142 100644 --- a/net/ipv6/ping.c +++ b/net/ipv6/ping.c @@ -20,6 +20,7 @@ #include #include #include +#include #include static void ping_v6_destroy(struct sock *sk) @@ -49,6 +50,20 @@ static int dummy_ipv6_chk_addr(struct net *net, const struct in6_addr *addr, return 0; } +static int ping_v6_pre_connect(struct sock *sk, struct sockaddr *uaddr, + int addr_len) +{ + /* This check is replicated from __ip6_datagram_connect() and + * intended to prevent BPF program called below from accessing + * bytes that are out of the bound specified by user in addr_len. + */ + + if (addr_len < SIN6_LEN_RFC2133) + return -EINVAL; + + return BPF_CGROUP_RUN_PROG_INET6_CONNECT_LOCK(sk, uaddr); +} + static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) { struct inet_sock *inet = inet_sk(sk); @@ -191,6 +206,7 @@ struct proto pingv6_prot = { .init = ping_init_sock, .close = ping_close, .destroy = ping_v6_destroy, + .pre_connect = ping_v6_pre_connect, .connect = ip6_datagram_connect_v6_only, .disconnect = __udp_disconnect, .setsockopt = ipv6_setsockopt,