Re: [PATCH v7 net-next 0/6] net: Add bpf support for sockets

[PATCH v7 net-next 0/6] net: Add bpf support for sockets · David Ahern <hidden> · 2016-12-01
[PATCH v7 net-next 1/6] bpf: Refactor cgroups code in prep for new type · David Ahern <hidden> · 2016-12-01
Re: [PATCH v7 net-next 1/6] bpf: Refactor cgroups code in prep for new type · Alexei Starovoitov <hidden> · 2016-12-01
[PATCH v7 net-next 2/6] bpf: Add new cgroup attach type to enable sock modifications · David Ahern <hidden> · 2016-12-01
Re: [PATCH v7 net-next 2/6] bpf: Add new cgroup attach type to enable sock modifications · Alexei Starovoitov <hidden> · 2016-12-01
[PATCH v7 net-next 3/6] samples: bpf: add userspace example for modifying sk_bound_dev_if · David Ahern <hidden> · 2016-12-01
Re: [PATCH v7 net-next 3/6] samples: bpf: add userspace example for modifying sk_bound_dev_if · Alexei Starovoitov <hidden> · 2016-12-01
[PATCH v7 net-next 4/6] bpf: Add support for reading socket family, type, protocol · David Ahern <hidden> · 2016-12-01
Re: [PATCH v7 net-next 4/6] bpf: Add support for reading socket family, type, protocol · Alexei Starovoitov <hidden> · 2016-12-01
[PATCH v7 net-next 6/6] samples/bpf: add userspace example for prohibiting sockets · David Ahern <hidden> · 2016-12-01
Re: [PATCH v7 net-next 6/6] samples/bpf: add userspace example for prohibiting sockets · Alexei Starovoitov <hidden> · 2016-12-01
[PATCH v7 net-next 5/6] samples/bpf: Update bpf loader for cgroup section names · David Ahern <hidden> · 2016-12-01
Re: [PATCH v7 net-next 5/6] samples/bpf: Update bpf loader for cgroup section names · Alexei Starovoitov <hidden> · 2016-12-01
Re: [PATCH v7 net-next 0/6] net: Add bpf support for sockets · Alexei Starovoitov <hidden> · 2016-12-01
Re: [PATCH v7 net-next 0/6] net: Add bpf support for sockets · David Miller <davem@davemloft.net> · 2016-12-02

From: David Miller <davem@davemloft.net>
Date: 2016-12-02 18:46:59

From: David Ahern <redacted>
Date: Thu,  1 Dec 2016 08:48:02 -0800

The recently added VRF support in Linux leverages the bind-to-device
API for programs to specify an L3 domain for a socket. While
SO_BINDTODEVICE has been around for ages, not every ipv4/ipv6 capable
program has support for it. Even for those programs that do support it,
the API requires processes to be started as root (CAP_NET_RAW) which
is not desirable from a general security perspective.

This patch set leverages Daniel Mack's work to attach bpf programs to
a cgroup to provide a capability to set sk_bound_dev_if for all
AF_INET{6} sockets opened by a process in a cgroup when the sockets
are allocated.

 ...

Series applied, thanks David.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help