Yes, you are right. I'll resubmit the patch with those corrections.
Thanks a lot for catching this.
Thu, Aug 09, 2018 at 03:46:53PM +0200, Jesper Dangaard Brouer wrote:
> On Thu, 9 Aug 2018 09:18:00 -0400
> Carlos Neira <cneirabus...@gmail.com> wrote:
>
> > From: cneira <cneirabus...@gmail.com>
> >
> > This helper obtains the active namespace from current and returns pid, tgid,
> > device and namespace id as seen from that namespace, allowing to instrument
> > a process inside a container.
> > Device is read from /proc/self/ns/pid, as in the future it's possible that
> > different pid_ns files may belong to different devices, according
> > to the discussion between Eric Biederman and Yonghong in 2017 linux plumbers
> > conference.
> >
> > Currently bpf_get_current_pid_tgid(), is used to do pid filtering in bcc's
> > scripts but this helper returns the pid as seen by the root namespace which
> > is
> > fine when a bcc script is not executed inside a container.
> > When the process of interest is inside a container, pid filtering will not
> > work
> > if bpf_get_current_pid_tgid() is used. This helper addresses this limitation
> > returning the pid as it's seen by the current namespace where the script is
> > executing.
> >
> > This helper has the same use cases as bpf_get_current_pid_tgid() as it can
> > be
> > used to do pid filtering even inside a container.
> >
> > For example a bcc script using bpf_get_current_pid_tgid()
> > (tools/funccount.py):
> >
> > u32 pid = bpf_get_current_pid_tgid() >> 32;
> > if (pid != <pid_arg_passed_in>)
> > return 0;
> >
> > Could be modified to use bpf_get_current_pidns_info() as follows:
> >
> > struct bpf_pidns pidns;
> > bpf_get_current_pid_tgid(&pidns, sizeof(struct bpf_pidns));
> ^^^^^^^^^^^^^^^^^^^^^^^^
>
> Shouldn't this be:
> bpf_get_current_pidns_info(...)
>
> > u32 pid = pidns.tgid;
> > u32 nsid = pidns.nsid;
> > if ((pid != <pid_arg_passed_in>) && (nsid != <nsid_arg_passed_in>))
> > return 0;
> >
>
> [...]
>
> > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > index dd5758dc35d3..031e7d9dba09 100644
> > --- a/include/uapi/linux/bpf.h
> > +++ b/include/uapi/linux/bpf.h
> > @@ -2113,6 +2113,18 @@ union bpf_attr {
> > * the shared data.
> > * Return
> > * Pointer to the local storage area.
> > + *
> > + * int bpf_get_current_pidns(struct bpf_pidns_info *pidns, u32
> > size_of_pidns)
>
> Should this be:
> bpf_get_current_pidns_info(...)
>
> > + * Description
> > + * Copies into *pidns* pid, namespace id and tgid as seen by the
> > + * current namespace and also device from /proc/self/ns/pid.
> > + * *size_of_pidns* must be the size of *pidns*
> > + *
> > + * This helper is used when pid filtering is needed inside a
> > + * container as bpf_get_current_tgid() helper returns always the
> > + * pid id as seen by the root namespace.
> > + * Return
> > + * 0 on success -EINVAL on error.
> > */
> > #define __BPF_FUNC_MAPPER(FN) \
> > FN(unspec), \
> > @@ -2196,7 +2208,8 @@ union bpf_attr {
> > FN(rc_keydown), \
> > FN(skb_cgroup_id), \
> > FN(get_current_cgroup_id), \
> > - FN(get_local_storage),
> > + FN(get_local_storage), \
> > + FN(get_current_pidns_info),
>
> --
> Best regards,
> Jesper Dangaard Brouer
> MSc.CS, Principal Kernel Engineer at Red Hat
> LinkedIn: http://www.linkedin.com/in/brouer
