From: Ilya Maximets
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: Björn Töpel, Magnus Karlsson, Maciej Fijalkowski, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, Jason Wang, Stefan Hajnoczi, Ilya Maximets
Subject: [RFC bpf-next] xsk: honor SO_BINDTODEVICE on bind
Date: Fri, 30 Jun 2023 16:58:31 +0200
Message-Id: <20230630145831.2988845-1-i.maximets@ovn.org>

Initial creation of an AF_XDP socket requires CAP_NET_RAW capability.
A privileged process might create the socket and pass it to a
non-privileged process for later use.  However, that process will be
able to bind the socket to any network interface.  Even though it will
not be able to receive any traffic without modification of the BPF map,
the situation is not ideal.

Sockets already have a mechanism that can be used to restrict what
interface they can be attached to.  That is SO_BINDTODEVICE.

To change the binding the process will need CAP_NET_RAW.

Make xsk_bind() honor the SO_BINDTODEVICE in order to allow a safer
workflow when a non-privileged process is using AF_XDP.

Signed-off-by: Ilya Maximets
---

Posting as an RFC for now to probably get some feedback.
Will re-post once the tree is open.

 Documentation/networking/af_xdp.rst | 9 +++++++++
 net/xdp/xsk.c                       | 6 ++++++
 2 files changed, 15 insertions(+)

diff --git a/Documentation/networking/af_xdp.rst b/Documentation/networking/af_xdp.rst index 247c6c4127e9..1cc35de336a4 100644 --- a/Documentation/networking/af_xdp.rst +++ b/Documentation/networking/af_xdp.rst @@ -433,6 +433,15 @@ start N bytes into the buffer leaving the first N bytes for the application to use. The final option is the flags field, but it will be dealt with in separate sections for each UMEM flag. +SO_BINDTODEVICE setsockopt +-------------------------- + +This is a generic SOL_SOCKET option that can be used to tie AF_XDP +socket to a particular network interface. It is useful when a socket +is created by a privileged process and passed to a non-privileged one. +Once the option is set, kernel will refuse attempts to bind that socket +to a different interface. Updating the value requires CAP_NET_RAW. + XDP_STATISTICS getsockopt ------------------------- diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c index 5a8c0dd250af..386ff641db0f 100644 --- a/net/xdp/xsk.c +++ b/net/xdp/xsk.c @@ -886,6 +886,7 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len) struct sock *sk = sock->sk; struct xdp_sock *xs = xdp_sk(sk); struct net_device *dev; + int bound_dev_if; u32 flags, qid; int err = 0; @@ -899,6 +900,11 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len) XDP_USE_NEED_WAKEUP)) return -EINVAL; + bound_dev_if = READ_ONCE(sk->sk_bound_dev_if); + + if (bound_dev_if && bound_dev_if != sxdp->sxdp_ifindex) + return -EINVAL; + rtnl_lock(); mutex_lock(&xs->mutex); if (xs->state != XSK_READY) {
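
Review bot: In the Documentation/networking/af_xdp.rst hunk, the new "SO_BINDTODEVICE setsockopt" section says the kernel "will refuse attempts to bind that socket to a different interface" but does not say which error bind() returns or what exactly is restricted. The xsk.c change returns -EINVAL and compares only sxdp_ifindex, so the section should name EINVAL and state that the option pins the interface only, leaving the queue id for the unprivileged process to choose. It should also say that the option has to be set before the socket is handed over, since the check runs at bind() time. Minor wording: "tie an AF_XDP socket" and "the kernel will refuse".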
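
Review bot: In the second net/xdp/xsk.c hunk, the new check reads sk->sk_bound_dev_if before rtnl_lock() and mutex_lock(&xs->mutex), so the value can change between the comparison and the actual bind. READ_ONCE() only prevents a torn read; it does not order the check against a concurrent SO_BINDTODEVICE update. Either move the comparison under the locks or add a comment explaining why the unlocked read is sufficient (per the commit message, changing the binding needs CAP_NET_RAW, so only a privileged caller can race here). Separately, "return -EINVAL" is the same code the flags validation directly above returns, so user space cannot tell a rejected interface from malformed flags; consider a distinct error code, and mention whichever one is chosen in the af_xdp.rst section.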