Received: by 2002:a05:6358:53a8:b0:117:f937:c515 with SMTP id z40csp4346908rwe; Mon, 17 Apr 2023 11:11:05 -0700 (PDT) X-Google-Smtp-Source: AKy350brBG5HNQw9Bp/3RAUbHWblVdw0g6mf46uNIunpO8tGsil6om5kGvB0jy/HxWJ21j7dMg1a X-Received: by 2002:a17:90b:3909:b0:246:fd44:eb6f with SMTP id ob9-20020a17090b390900b00246fd44eb6fmr15743098pjb.39.1681755064873; Mon, 17 Apr 2023 11:11:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681755064; cv=none; d=google.com; s=arc-20160816; b=gdCpHKFKb3xCG+TuolsNWfuL/ijxD9PWhYW1aKDzH31hvl4RtrqWl8hYBZkNuTPBPq RHyt0hOrZ8D+uWUCALVVOgta3/P49EsJkoFfc4XB5a9rkUPwlnqSGnLzkF67kbKY9mpm +x3PQIL1dD1foU57Y/qLJQy9Nk1rf2fLlnZBiVp1+7Cma56mWXY+LsDnuZgC+WST9NLF nCbTcm0exe7euX1CPEPUuxTAXUydLge90yxQruTExrlqL5D5/QYRrrMIQ8Qp3AQjXM75 FEPqNQAkBAmsN6f7NlCMi5boX2ZDU4pvCQQcJ6/H7a3sQW0zAVC9D4W2M2DXVDKa47Wh Y/9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=4sl9ziKyZqPoy8aLo+Gl92oC/7FehXmT2AIhyqndHBY=; b=VxcJjku4EtXdOgNpSNpatJP3iodyb4skf9AFFDdM56EQJAncIkELNe1dREXO8RMV5T yGxFf9qaWgDriXuWC/eN5/nMzpBeKgDhrZLJamgRCSwddg0u1lYG3Elr3dqrXgXFjJ6a RzVeNaItrHVlfJeTyDgkVbDclIplJov3T59xSVpazm6UW/gH91RPoOEk55M+qxgkW9HI d2MOot0DBy+yMWPHkdhZYAgkI4t/QNZBR+Izcph+Dfao6+WN9Rd032/mBLICY8TM+CFZ jQqKhljtOA/98wjLZnapPCk/l9iNuI3m+9wDiggPvF61exvztEsT+KrgOES8tL2J8LW6 7zUw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=nJVr4FIL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id my7-20020a17090b4c8700b00246d164fd7asi11221804pjb.159.2023.04.17.11.10.53; Mon, 17 Apr 2023 11:11:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=nJVr4FIL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229800AbjDQSKd (ORCPT + 99 others); Mon, 17 Apr 2023 14:10:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58060 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229602AbjDQSKb (ORCPT ); Mon, 17 Apr 2023 14:10:31 -0400 Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9AD061BCB for ; Mon, 17 Apr 2023 11:10:29 -0700 (PDT) Received: by mail-pf1-x42c.google.com with SMTP id d2e1a72fcca58-63b60366047so1045892b3a.1 for ; Mon, 17 Apr 2023 11:10:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1681755029; x=1684347029; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=4sl9ziKyZqPoy8aLo+Gl92oC/7FehXmT2AIhyqndHBY=; b=nJVr4FILdu5bU4E72aAnZSynAvymUqegXgB59klqsogKC7WJxtqSYGYUybck5xKIH8 FYb5pFzFqkrQKBvl0P66732MQeRjhzSHNoNRtH37Ux2NmgsVxlSiENHCrExCzd+Q/0DR P82BdWDMQ50B64/Fc5K+e6vFzUY2y4oCaiEmdabrVXF1FvQ0qlwDMuEjqHcDN7nlGtLd 58Di7uv/E/K9O6RuLskhxGsDbekYPJZZMQdoDqUfR08+O8D5PYUCEBiYV+RGHRbCcIGH bYphFSe5O4b/Hc3hl9lI8jUMn0LhPWi2SeLRu6Tb4So5ZljeCMNqhtLGOvfpjjTLGz/j W/7w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681755029; x=1684347029; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=4sl9ziKyZqPoy8aLo+Gl92oC/7FehXmT2AIhyqndHBY=; b=C0TMBVi9UvHQWAumwiGi8AWEdWtaq9d2mOo8AmPcPElRjdIN9hd3YmlU/i/NwmlcOX NreydrrFpgaBGL/bQsf+8GaX27dTtKjNZ+QS/V6uLozHsoQnQybrUlRURfS7TjdNAQ0N 35/Now8jJUyGW/R4t68hXwkFro1YGw7HkAHYAm95u3FwtxZI5/d5nxD4uir5uG513KhE Uwlx6fJ0nMgISawZNVxSfx4HZCWCgAUrETPuFAlqOcy3nxGRO40Uqf4HxvVy/ff2qFR9 UCrPgCzCjscU+YIw/51ngY3cp7IEmwa/HGrR2ZvNiGbzEWbQHWb0s00AA0q+4YplPhzL L5Mg== X-Gm-Message-State: AAQBX9fpYZWCKonXD9bPROR9ahGhAE2WyCXIcmcA50sNe81AS2TZLPDp spLrt0DhbJEYfh4jLjjJqq9liZnhgg2dG5OWNLk4xA== X-Received: by 2002:a05:6a00:1a43:b0:62e:154e:d6be with SMTP id h3-20020a056a001a4300b0062e154ed6bemr7839056pfv.5.1681755028758; Mon, 17 Apr 2023 11:10:28 -0700 (PDT) MIME-Version: 1.0 References: <20230413133355.350571-1-aleksandr.mikhalitsyn@canonical.com> <20230413133355.350571-3-aleksandr.mikhalitsyn@canonical.com> <20230417-wellblech-zoodirektor-76a80f7763ab@brauner> In-Reply-To: <20230417-wellblech-zoodirektor-76a80f7763ab@brauner> From: Stanislav Fomichev Date: Mon, 17 Apr 2023 11:10:17 -0700 Message-ID: Subject: Re: [PATCH net-next v4 2/4] net: socket: add sockopts blacklist for BPF cgroup hook To: Christian Brauner Cc: Aleksandr Mikhalitsyn , Eric Dumazet , davem@davemloft.net, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, daniel@iogearbox.net, Jakub Kicinski , Paolo Abeni , Leon Romanovsky , David Ahern , Arnd Bergmann , Kees Cook , Kuniyuki Iwashima , Lennart Poettering , linux-arch@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 17, 2023 at 7:42=E2=80=AFAM Christian Brauner wrote: > > On Fri, Apr 14, 2023 at 06:55:39PM -0700, Stanislav Fomichev wrote: > > On 04/13, Stanislav Fomichev wrote: > > > On Thu, Apr 13, 2023 at 7:38=E2=80=AFAM Aleksandr Mikhalitsyn > > > wrote: > > > > > > > > On Thu, Apr 13, 2023 at 4:22=E2=80=AFPM Eric Dumazet wrote: > > > > > > > > > > On Thu, Apr 13, 2023 at 3:35=E2=80=AFPM Alexander Mikhalitsyn > > > > > wrote: > > > > > > > > > > > > During work on SO_PEERPIDFD, it was discovered (thanks to Chris= tian), > > > > > > that bpf cgroup hook can cause FD leaks when used with sockopts= which > > > > > > install FDs into the process fdtable. > > > > > > > > > > > > After some offlist discussion it was proposed to add a blacklis= t of > > > > > > > > > > We try to replace this word by either denylist or blocklist, even= in changelogs. > > > > > > > > Hi Eric, > > > > > > > > Oh, I'm sorry about that. :( Sure. > > > > > > > > > > > > > > > socket options those can cause troubles when BPF cgroup hook is= enabled. > > > > > > > > > > > > > > > > Can we find the appropriate Fixes: tag to help stable teams ? > > > > > > > > Sure, I will add next time. > > > > > > > > Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hook= s") > > > > > > > > I think it's better to add Stanislav Fomichev to CC. > > > > > > Can we use 'struct proto' bpf_bypass_getsockopt instead? We already > > > use it for tcp zerocopy, I'm assuming it should work in this case as > > > well? > > > > Jakub reminded me of the other things I wanted to ask here bug forgot: > > > > - setsockopt is probably not needed, right? setsockopt hook triggers > > before the kernel and shouldn't leak anything > > - for getsockopt, instead of bypassing bpf completely, should we instea= d > > ignore the error from the bpf program? that would still preserve > > That's fine by me as well. > > It'd be great if the net folks could tell Alex how they would want this > handled. Doing the bypass seems fine with me for now. If we ever decide that fd-based optvals are worth inspecting in bpf, we can lift that bypass. > > the observability aspect > > Please see for more details > https://lore.kernel.org/lkml/20230411-nudelsalat-spreu-3038458f25c4@braun= er Thanks for the context. Yeah, sockopts are being used for a lot of interesting things :-( > > - or maybe we can even have a per-proto bpf_getsockopt_cleanup call tha= t > > gets called whenever bpf returns an error to make sure protocols have > > a chance to handle that condition (and free the fd) > > Installing an fd into an fdtable makes it visible to userspace at which > point calling close_fd() is doable but an absolute last resort and > generally a good indicator of misdesign. If the bpf hook wants to make > decisions based on the file then it should receive a struct > file, not an fd. SG! Then let's not over-complicate it for now and do a simple bypass.