References: <20230413133355.350571-1-aleksandr.mikhalitsyn@canonical.com> <20230413133355.350571-3-aleksandr.mikhalitsyn@canonical.com>
From: Aleksandr Mikhalitsyn
Date: Thu, 13 Apr 2023 16:38:35 +0200
Subject: Re: [PATCH net-next v4 2/4] net: socket: add sockopts blacklist for BPF cgroup hook
To: Eric Dumazet
Cc: davem@davemloft.net, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, daniel@iogearbox.net, Jakub Kicinski, Paolo Abeni, Leon Romanovsky, David Ahern, Arnd Bergmann, Kees Cook, Christian Brauner, Kuniyuki Iwashima, Lennart Poettering, linux-arch@vger.kernel.org, sdf@google.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 13, 2023 at 4:22 PM Eric Dumazet wrote:
>
> On Thu, Apr 13, 2023 at 3:35 PM Alexander Mikhalitsyn wrote:
> >
> > During work on SO_PEERPIDFD, it was discovered (thanks to Christian),
> > that bpf cgroup hook can cause FD leaks when used with sockopts which
> > install FDs into the process fdtable.
> >
> > After some offlist discussion it was proposed to add a blacklist of
>
> We try to replace this word by either denylist or blocklist, even in changelogs.

Hi Eric,

Oh, I'm sorry about that. :( Sure.

>
> > socket options those can cause troubles when BPF cgroup hook is enabled.
> >
>
> Can we find the appropriate Fixes: tag to help stable teams ?

Sure, I will add next time.

Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")

I think it's better to add Stanislav Fomichev to CC.

Kind regards,
Alex

>
> > Cc: "David S. Miller"
> > Cc: Eric Dumazet
> > Cc: Jakub Kicinski
> > Cc: Paolo Abeni
> > Cc: Leon Romanovsky
> > Cc: David Ahern
> > Cc: Arnd Bergmann
> > Cc: Kees Cook
> > Cc: Christian Brauner
> > Cc: Kuniyuki Iwashima
> > Cc: Lennart Poettering
> > Cc: linux-kernel@vger.kernel.org
> > Cc: netdev@vger.kernel.org
> > Cc: linux-arch@vger.kernel.org
> > Suggested-by: Daniel Borkmann
> > Suggested-by: Christian Brauner
> > Signed-off-by: Alexander Mikhalitsyn
>
> Thanks.