Use inode / dentry hash in sb_mount LSM hook #114
Assignees
Comments
|
Some additional context: This would probably involve hunting for a function whose signature includes the superblock struct for the mount source somewhere along the mount(2) codepath. Then we simply store it as intermediary state in a percpu map and look it up inside the sb_mount hook program. The first step is finding such a function (if one exists). |
8 tasks
|
We discussed this issue in details yesterday and we have a solid plan how to proceed 💪 |
|
I tried to implement that, but the PATH_TO_INODE map was getting too large. I will keep this issue closed and open an another one for the other option - using LPM_TRIE map for string matching - #134 If we ever feel like we should tink about this solution again, let's repoen. |
|
Opened also #141 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently in our
sb_mountLSM hook program we do expensive string matching:https://github.com/rancher-sandbox/lockc/blob/main/lockc/src/bpf/lockc.bpf.c#L236-L281
That's because the
sb_mountLSM hook provides the mount source of bind mounts as a string, not as an inode/path/dentry. See:Fpr bind mounts, the source mount is provided as
const char *dev_name. Don't be confused by*pathargument - it's a destination.Because of that, our BPF maps related to mounting have strings as map keys. That's not a good solution in terms of performance.
A good solution would be getting the inode/dentry somehow before
sb_mount. And then use inode ID or dentry hash as map keys and use it in sb_mount.The text was updated successfully, but these errors were encountered: