Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp2446103rwl; Thu, 13 Apr 2023 06:38:55 -0700 (PDT) X-Google-Smtp-Source: AKy350ZS4hMxwLQf1fKx5p5j/0wgs/L1rxca49b2V3Rc4BssIqNs9oBE5oVE14UJe6GzjCTYBwBa X-Received: by 2002:a17:903:230f:b0:1a2:85f0:e73f with SMTP id d15-20020a170903230f00b001a285f0e73fmr2767595plh.35.1681393135323; Thu, 13 Apr 2023 06:38:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681393135; cv=none; d=google.com; s=arc-20160816; b=nY2UjEagxJ6lHBKXOE6P2nlzltc4GASSHgCHoBzMjkdemO37BmhDBBL+ZKYYW9NMJW 8AMxRep/BUCoC4a+AV83VqLd9wyfIStuJeRozc5JPwdCxC1W6s3avo3j1b8nXw8ZB745 zdrK70C1jyoyiSCUouwZeWmxJdRp62p0tw/USGR7tTaQLuezkwgYZV6Hz//a/2q363qz ddhMBkmTxYfiopZJqEUeYLNi4dV+afgyE0w2q0H36nmz4h2h18jL5STn6+oTuFBoc94K HxVH/89mAQMqFlWnwZe6t2Su1raeJXB+shzHLFPqw90jT+qvXhv2uM1lQfElYdXQN/Rr UBYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=pU+XkxxaqxIltFz6HAiJgXotXtTecmR/abIbMqTWsWw=; b=FLgbWj1R6zz9PpVAKgtgWjZiEPlb8lbpDuqRkUukHyzPhcYaYKF2EtUIEbCCB2IBE8 10dA2W8ss8RJdBzz4juoE5KCtqlZ2F0vsm/++LABN61vqnjQeJ61gCL9gJ9UcL1LL9zy I82jO9v4Sfs7Zi+bhQwDrL+cQBtktOxHMsmraHoIZWKqw2BP+ZEy/o6fFHDZKKVPr97X gLwMpo7XvzC4rQ9b/FT/nBqOZMlo3xnsvWTMuwwLc6kDKeD13A41Qqe8TZOnQ2Vbt7wN ddT2lT0keBZLX3ygG8wfAyAwqwgLrtqhlx9i3MFPVmGPN7aQ3USfzG9eZFNpXQLStj1S g+KA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@canonical.com header.s=20210705 header.b=fSdLFv6+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x11-20020a170902ec8b00b001960fd737b6si2301171plg.330.2023.04.13.06.38.44; Thu, 13 Apr 2023 06:38:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@canonical.com header.s=20210705 header.b=fSdLFv6+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231620AbjDMNhi (ORCPT + 99 others); Thu, 13 Apr 2023 09:37:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37620 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230502AbjDMNhS (ORCPT ); Thu, 13 Apr 2023 09:37:18 -0400 Received: from smtp-relay-internal-0.canonical.com (smtp-relay-internal-0.canonical.com [185.125.188.122]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 99916B779 for ; Thu, 13 Apr 2023 06:35:05 -0700 (PDT) Received: from mail-ed1-f70.google.com (mail-ed1-f70.google.com [209.85.208.70]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id BC7793F43B for ; Thu, 13 Apr 2023 13:34:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1681392880; bh=pU+XkxxaqxIltFz6HAiJgXotXtTecmR/abIbMqTWsWw=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=fSdLFv6+6AwtL1xo8lr+sbRcMDlnQOpxNFbKF1loIK3JtPIuU6Cd255RADbyUjM1e mApLFFd90uIHUgVuW0iLpUUg0YJEPEjXR6k8cjHWN4co1VfoY1Or5iMisiYttIBwTb A9KQuRa67zJnpLR+BvXFa3ATy0doBYvADt595MduF11TQAmkNZDRm9YGr11p0oENXX J8wyW0JjBZh0ZHpc+qqDyJRF2496so/351JVfa3VVrQetQRY/KQrOuGMCwtEESczD7 KXpMmrZXfgsj7YWYlODOiv+8VH4XTKPC6cFmLhO8bF+KjH05nB+EfDcx4wVJIzOMny H/pLsAFXSbvCA== Received: by mail-ed1-f70.google.com with SMTP id 4fb4d7f45d1cf-505149e1a4eso3102652a12.1 for ; Thu, 13 Apr 2023 06:34:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681392877; x=1683984877; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=pU+XkxxaqxIltFz6HAiJgXotXtTecmR/abIbMqTWsWw=; b=WWs3p7TZSj6AZDvpabfZHP3K0OxgLmiy5K3FdG3Ljg52wtv2B6UTHE4rr5p7drPECg GoJpfA2CpIrwx7Q3a6K1IybkCyF2J5LaI0Huv1Xfr7fTtSWArJkornOV8r9KInA5U3k2 RR0dLoKg80QnMbU23vGeq8sunqYzgbtNXr+NvCZJCwIq4QtuzBzyjvW7NgcOG0vci0MB AdB1KtJnQXTPugSzijxu0mBSO9MKbSzAhROZumC6WpdFbKEN/DNB6KKEpeVTg5ai0DSp PpwVd4GGf5uUHdEbbySAVyPHqpg/1vXce9sEKJikRjFvXTjLdeBazQpjXhLZaUWb4vgN mAzg== X-Gm-Message-State: AAQBX9fmDXO40ciQz6U1PS71wnvBBfCRvP+0objQ1iuo1FhR0OwX1MhD nGVZ/jVdM/Y8cWqZeaSepBaKxefuhGobT9UvQ9SMOVpgSMzXMI07SLFP6ZMtcHXgXnoygXv+hMJ y00Ip0zKW783xrpbqMFQO8QxRY7k41IH0jAUvrbX0rjkY8tzzqQ== X-Received: by 2002:a05:6402:49:b0:504:8a0f:13ca with SMTP id f9-20020a056402004900b005048a0f13camr1932415edu.10.1681392877052; Thu, 13 Apr 2023 06:34:37 -0700 (PDT) X-Received: by 2002:a05:6402:49:b0:504:8a0f:13ca with SMTP id f9-20020a056402004900b005048a0f13camr1932387edu.10.1681392876801; Thu, 13 Apr 2023 06:34:36 -0700 (PDT) Received: from amikhalitsyn.. ([95.91.208.118]) by smtp.gmail.com with ESMTPSA id et22-20020a170907295600b0094a966330fdsm976806ejc.211.2023.04.13.06.34.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Apr 2023 06:34:36 -0700 (PDT) From: Alexander Mikhalitsyn To: davem@davemloft.net Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, daniel@iogearbox.net, Alexander Mikhalitsyn , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Leon Romanovsky , David Ahern , Arnd Bergmann , Kees Cook , Christian Brauner , Kuniyuki Iwashima , Lennart Poettering , linux-arch@vger.kernel.org Subject: [PATCH net-next v4 2/4] net: socket: add sockopts blacklist for BPF cgroup hook Date: Thu, 13 Apr 2023 15:33:53 +0200 Message-Id: <20230413133355.350571-3-aleksandr.mikhalitsyn@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230413133355.350571-1-aleksandr.mikhalitsyn@canonical.com> References: <20230413133355.350571-1-aleksandr.mikhalitsyn@canonical.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org During work on SO_PEERPIDFD, it was discovered (thanks to Christian), that bpf cgroup hook can cause FD leaks when used with sockopts which install FDs into the process fdtable. After some offlist discussion it was proposed to add a blacklist of socket options those can cause troubles when BPF cgroup hook is enabled. Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Leon Romanovsky Cc: David Ahern Cc: Arnd Bergmann Cc: Kees Cook Cc: Christian Brauner Cc: Kuniyuki Iwashima Cc: Lennart Poettering Cc: linux-kernel@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-arch@vger.kernel.org Suggested-by: Daniel Borkmann Suggested-by: Christian Brauner Signed-off-by: Alexander Mikhalitsyn --- net/socket.c | 38 +++++++++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/net/socket.c b/net/socket.c index 73e493da4589..9c1ef11de23f 100644 --- a/net/socket.c +++ b/net/socket.c @@ -108,6 +108,8 @@ #include #include +#include + #ifdef CONFIG_NET_RX_BUSY_POLL unsigned int sysctl_net_busy_read __read_mostly; unsigned int sysctl_net_busy_poll __read_mostly; @@ -2227,6 +2229,36 @@ static bool sock_use_custom_sol_socket(const struct socket *sock) return test_bit(SOCK_CUSTOM_SOCKOPT, &sock->flags); } +#ifdef CONFIG_CGROUP_BPF +static bool sockopt_installs_fd(int level, int optname) +{ + /* + * These options do fd_install(), and if BPF_CGROUP_RUN_PROG_GETSOCKOPT + * hook returns an error after success of the original handler + * sctp_getsockopt(...), userspace will receive an error from getsockopt + * syscall and will be not aware that fd was successfully installed into fdtable. + * + * Let's prevent bpf cgroup hook from running on them. + */ + if (level == SOL_SCTP) { + switch (optname) { + case SCTP_SOCKOPT_PEELOFF: + case SCTP_SOCKOPT_PEELOFF_FLAGS: + return true; + default: + return false; + } + } + + return false; +} +#else /* CONFIG_CGROUP_BPF */ +static inline bool sockopt_installs_fd(int level, int optname) +{ + return false; +} +#endif /* CONFIG_CGROUP_BPF */ + /* * Set a socket option. Because we don't know the option lengths we have * to pass the user mode parameter for the protocols to sort out. @@ -2250,7 +2282,7 @@ int __sys_setsockopt(int fd, int level, int optname, char __user *user_optval, if (err) goto out_put; - if (!in_compat_syscall()) + if (!in_compat_syscall() && !sockopt_installs_fd(level, optname)) err = BPF_CGROUP_RUN_PROG_SETSOCKOPT(sock->sk, &level, &optname, user_optval, &optlen, &kernel_optval); @@ -2304,7 +2336,7 @@ int __sys_getsockopt(int fd, int level, int optname, char __user *optval, if (err) goto out_put; - if (!in_compat_syscall()) + if (!in_compat_syscall() && !sockopt_installs_fd(level, optname)) max_optlen = BPF_CGROUP_GETSOCKOPT_MAX_OPTLEN(optlen); if (level == SOL_SOCKET) @@ -2315,7 +2347,7 @@ int __sys_getsockopt(int fd, int level, int optname, char __user *optval, err = sock->ops->getsockopt(sock, level, optname, optval, optlen); - if (!in_compat_syscall()) + if (!in_compat_syscall() && !sockopt_installs_fd(level, optname)) err = BPF_CGROUP_RUN_PROG_GETSOCKOPT(sock->sk, level, optname, optval, optlen, max_optlen, err); -- 2.34.1