From: Eric Dumazet
Date: Thu, 13 Apr 2023 16:21:47 +0200
Subject: Re: [PATCH net-next v4 2/4] net: socket: add sockopts blacklist for BPF cgroup hook
To: Alexander Mikhalitsyn
Cc: davem@davemloft.net, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, daniel@iogearbox.net, Jakub Kicinski, Paolo Abeni, Leon Romanovsky, David Ahern, Arnd Bergmann, Kees Cook, Christian Brauner, Kuniyuki Iwashima, Lennart Poettering, linux-arch@vger.kernel.org

On Thu, Apr 13, 2023 at 3:35 PM Alexander Mikhalitsyn wrote:
>
> During work on SO_PEERPIDFD, it was discovered (thanks to Christian),
> that bpf cgroup hook can cause FD leaks when used with sockopts which
> install FDs into the process fdtable.
>
> After some offlist discussion it was proposed to add a blacklist of

We try to replace this word by either denylist or blocklist, even in changelogs.

> socket options those can cause troubles when BPF cgroup hook is enabled.
>

Can we find the appropriate Fixes: tag to help stable teams?

> Cc: "David S. Miller"
> Cc: Eric Dumazet
> Cc: Jakub Kicinski
> Cc: Paolo Abeni
> Cc: Leon Romanovsky
> Cc: David Ahern
> Cc: Arnd Bergmann
> Cc: Kees Cook
> Cc: Christian Brauner
> Cc: Kuniyuki Iwashima
> Cc: Lennart Poettering
> Cc: linux-kernel@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Cc: linux-arch@vger.kernel.org
> Suggested-by: Daniel Borkmann
> Suggested-by: Christian Brauner
> Signed-off-by: Alexander Mikhalitsyn

Thanks.