| author | Alexei Starovoitov <ast@kernel.org> | 2019-10-08 05:16:34 +0200 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2019-10-08 05:16:34 +0200 |
| commit | 72ccd9200f218a7eb2933a93e69a79a1ac984d83 (patch) | |
| tree | a20d775996eee47d44f32888ab7cece80a115885 /samples | |
| parent | samples/bpf: Trivial - fix spelling mistake in usage (diff) | |
| parent | selftests/bpf: add test for BPF flow dissector in the root namespace (diff) | |
| download | linux-72ccd9200f218a7eb2933a93e69a79a1ac984d83.tar.xz, linux-72ccd9200f218a7eb2933a93e69a79a1ac984d83.zip | |
Merge branch 'enforce-global-flow-dissector'
Stanislav Fomichev says:
====================
While having per-net-ns flow dissector programs is convenient for
testing, security-wise it's better to have only one vetted global
flow dissector implementation.

Let's have a convention that when a BPF flow dissector is installed
in the root namespace, child namespaces can't override it.

The intended use-case is to attach a global BPF flow dissector
early from the init scripts/systemd. Attaching a global dissector
is prohibited if some non-root namespace already has a flow dissector
attached. Also, attaching to a non-root namespace is prohibited
when there is a flow dissector attached to the root namespace.
v3:
* drop extra check and empty line (Andrii Nakryiko)
v2:
* EPERM -> EEXIST (Song Liu)
* Make sure we don't have dissector attached to non-root namespaces
when attaching the global one (Andrii Nakryiko)
====================
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'samples')
0 files changed, 0 insertions, 0 deletions
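The attach convention the merge message describes, modeled in userspace as an added example (this is not the kernel's flow dissector code): namespaces are array slots, slot 0 stands for the root namespace, a program is any non-NULL pointer, and the function names and NS_COUNT value are assumptions made for the model.

```c
/* Userspace model of the attach convention from the merge message. Added
 * example, not kernel code: a "namespace" is an array slot, slot 0 is the
 * root namespace, and a "program" is any non-NULL pointer. */
#include <errno.h>
#include <stddef.h>

#define NS_COUNT 4   /* constructed: root plus three child namespaces */
#define ROOT_NS  0

/* One BPF flow dissector program per network namespace. */
static const void *flow_dissector_prog[NS_COUNT];

/* Attach prog to namespace ns. Returns 0, or -EEXIST when the attach
 * would break root/non-root exclusivity. */
int flow_dissector_attach(int ns, const void *prog)
{
    if (ns == ROOT_NS) {
        /* Global dissector: refuse if any child namespace has one. */
        for (int i = 0; i < NS_COUNT; i++)
            if (i != ROOT_NS && flow_dissector_prog[i])
                return -EEXIST;
    } else if (flow_dissector_prog[ROOT_NS]) {
        /* A child namespace must not override the global dissector. */
        return -EEXIST;
    }
    flow_dissector_prog[ns] = prog;  /* replaces any earlier program in ns */
    return 0;
}

/* Detach whatever is installed in ns (no-op when nothing is attached). */
void flow_dissector_detach(int ns)
{
    flow_dissector_prog[ns] = NULL;
}

/* Init-script order (global first, then a child attempt), then the reverse.
 * Returns how many attempts were refused with -EEXIST; 2 means both rules held. */
int run_scenario(void)
{
    static const char global_prog[] = "global", child_prog[] = "child";
    int caught = 0;

    if (flow_dissector_attach(ROOT_NS, global_prog) != 0) return -1;
    if (flow_dissector_attach(2, child_prog) == -EEXIST) caught++;
    flow_dissector_detach(ROOT_NS);
    if (flow_dissector_attach(2, child_prog) != 0) return -1;
    if (flow_dissector_attach(ROOT_NS, global_prog) == -EEXIST) caught++;
    flow_dissector_detach(2);
    return caught;
}
```

Without a global dissector installed, several child namespaces can each carry their own program, which is the per-net-ns testing setup the message mentions.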