From: Alexei Starovoitov
Date: Tue, 8 Oct 2019 03:16:34 +0000 (-0700)
Subject: Merge branch 'enforce-global-flow-dissector'
X-Git-Tag: baikal/mips/sdk5.9~14899^2~365^2~15
X-Git-Url: https://git.baikalelectronics.ru/sdk/?a=commitdiff_plain;h=146ed3146eba52674a3ae8da428dcbd6c7ce4b76;p=kernel.git

Merge branch 'enforce-global-flow-dissector'

Stanislav Fomichev says:

====================
While having per-net-ns flow dissector programs is convenient for
testing, security-wise it's better to have only one vetted global flow
dissector implementation.

Let's have a convention that when BPF flow dissector is installed in the
root namespace, child namespaces can't override it. The intended
use-case is to attach global BPF flow dissector early from the init
scripts/systemd.

Attaching global dissector is prohibited if some non-root namespace
already has flow dissector attached. Also, attaching to non-root
namespace is prohibited when there is flow dissector attached to the
root namespace.

v3:
* drop extra check and empty line (Andrii Nakryiko)

v2:
* EPERM -> EEXIST (Song Liu)
* Make sure we don't have dissector attached to non-root namespaces
  when attaching the global one (Andrii Nakryiko)
====================

Signed-off-by: Alexei Starovoitov
---
146ed3146eba52674a3ae8da428dcbd6c7ce4b76
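The precedence rule described in the merge message, written out as a small userspace model in C. This is an added example for this page, not the kernel's code: the flat ns_table array standing in for the kernel's net list, the INIT_NET slot standing in for init_net, and the attach/detach function names are all assumptions. What it does reproduce is the policy itself: attaching in the root namespace fails with -EEXIST if any child already has a dissector, and attaching in a child fails with -EEXIST once the root has one (the errno the v2 changelog settled on instead of EPERM).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_NS   8
#define INIT_NET 0   /* assumed: slot 0 stands in for the kernel's init_net */

/* One entry per simulated net namespace. prog_id 0 means no dissector
 * program is attached; any other value stands for a loaded BPF program. */
struct sim_net {
	bool in_use;
	unsigned int prog_id;
};

static struct sim_net ns_table[MAX_NS];

/* Start from a clean state: only the root namespace exists. */
static void ns_reset(void)
{
	memset(ns_table, 0, sizeof(ns_table));
	ns_table[INIT_NET].in_use = true;
}

/* Create a child namespace; returns its index or -ENOSPC. */
static int ns_create(void)
{
	for (int i = INIT_NET + 1; i < MAX_NS; i++) {
		if (!ns_table[i].in_use) {
			ns_table[i].in_use = true;
			ns_table[i].prog_id = 0;
			return i;
		}
	}
	return -ENOSPC;
}

static bool ns_valid(int ns)
{
	return ns >= 0 && ns < MAX_NS && ns_table[ns].in_use;
}

/* Attach policy from the merge message. Returns 0 on success, -EEXIST when
 * the attach would break root-namespace precedence, -EINVAL on bad input. */
static int flow_dissector_attach(int ns, unsigned int prog_id)
{
	if (!ns_valid(ns) || prog_id == 0)
		return -EINVAL;

	if (ns == INIT_NET) {
		/* Installing the global dissector: refuse if any child
		 * namespace already carries its own program. */
		for (int i = 0; i < MAX_NS; i++) {
			if (i == INIT_NET || !ns_table[i].in_use)
				continue;
			if (ns_table[i].prog_id)
				return -EEXIST;
		}
	} else {
		/* Installing in a child: refuse if the root already has
		 * the global dissector, so children cannot override it. */
		if (ns_table[INIT_NET].prog_id)
			return -EEXIST;
	}

	ns_table[ns].prog_id = prog_id;
	return 0;
}

/* Detach; -ENOENT when nothing is attached in that namespace. */
static int flow_dissector_detach(int ns)
{
	if (!ns_valid(ns))
		return -EINVAL;
	if (!ns_table[ns].prog_id)
		return -ENOENT;
	ns_table[ns].prog_id = 0;
	return 0;
}

int main(void)
{
	ns_reset();
	int child = ns_create();

	/* Order matters: a child dissector blocks the global one ... */
	printf("child attach: %d\n", flow_dissector_attach(child, 7));
	printf("root attach while child has one: %d\n",
	       flow_dissector_attach(INIT_NET, 1));
	/* ... and once the global one is in place, children are locked out. */
	flow_dissector_detach(child);
	printf("root attach: %d\n", flow_dissector_attach(INIT_NET, 1));
	printf("child attach under global: %d\n",
	       flow_dissector_attach(child, 7));
	return 0;
}
```

The ordering is the operational point: because a child dissector blocks the global attach, the init-script/systemd attach the message recommends has to run before anything (container runtimes, test harnesses) creates namespaces and attaches its own program, otherwise the global attach fails with EEXIST and the root namespace is left without a vetted dissector.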