In-Reply-To: <20230510131527.1244929-1-aleksandr.mikhalitsyn@canonical.com>
From: Stanislav Fomichev
Date: Wed, 10 May 2023 07:31:55 -0700
Subject: Re: [PATCH net-next] sctp: add bpf_bypass_getsockopt proto callback
To: Alexander Mikhalitsyn
Cc: nhorman@tuxdriver.com, davem@davemloft.net, Daniel Borkmann, Christian Brauner, Marcelo Ricardo Leitner, Xin Long, linux-sctp@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org

On Wed, May 10, 2023 at 6:15 AM Alexander Mikhalitsyn wrote:
>
> Add bpf_bypass_getsockopt proto callback and filter out
> SCTP_SOCKOPT_PEELOFF and SCTP_SOCKOPT_PEELOFF_FLAGS socket options
> from running eBPF hook on them.
>
> These options do fd_install(), and if BPF_CGROUP_RUN_PROG_GETSOCKOPT
> hook returns an error after success of the original handler
> sctp_getsockopt(...), userspace will receive an error from getsockopt
> syscall and will not be aware that fd was successfully installed into fdtable.
>
> This patch was born as a result of discussion around a new SCM_PIDFD interface:
> https://lore.kernel.org/all/20230413133355.350571-3-aleksandr.mikhalitsyn@canonical.com/
>
> Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
> Cc: Daniel Borkmann
> Cc: Christian Brauner
> Cc: Stanislav Fomichev
> Cc: Neil Horman
> Cc: Marcelo Ricardo Leitner
> Cc: Xin Long
> Cc: linux-sctp@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Signed-off-by: Alexander Mikhalitsyn

Acked-by: Stanislav Fomichev

with a small nit below

> ---
>  net/sctp/socket.c | 25 +++++++++++++++++++++++++
>  1 file changed, 25 insertions(+)
>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index cda8c2874691..a9a0ababea90 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -8281,6 +8281,29 @@ static int sctp_getsockopt(struct sock *sk, int level, int optname,
>  	return retval;
>  }
>
[...]
> +bool sctp_bpf_bypass_getsockopt(int level, int optname)

static bool ... ? You're not making it indirect-callable, so seems fine to
keep private to this compilation unit?

> +{
> +	/*
> +	 * These options do fd_install(), and if BPF_CGROUP_RUN_PROG_GETSOCKOPT
> +	 * hook returns an error after success of the original handler
> +	 * sctp_getsockopt(...), userspace will receive an error from getsockopt
> +	 * syscall and will be not aware that fd was successfully installed into fdtable.
> +	 *
> +	 * Let's prevent bpf cgroup hook from running on them.
> +	 */
> +	if (level == SOL_SCTP) {
> +		switch (optname) {
> +		case SCTP_SOCKOPT_PEELOFF:
> +		case SCTP_SOCKOPT_PEELOFF_FLAGS:
> +			return true;
> +		default:
> +			return false;
> +		}
> +	}
> +
> +	return false;
> +}
> +
>  static int sctp_hash(struct sock *sk)
>  {
>  	/* STUB */
> @@ -9650,6 +9673,7 @@ struct proto sctp_prot = {
>  	.shutdown	=	sctp_shutdown,
>  	.setsockopt	=	sctp_setsockopt,
>  	.getsockopt	=	sctp_getsockopt,
> +	.bpf_bypass_getsockopt	=	sctp_bpf_bypass_getsockopt,
>  	.sendmsg	=	sctp_sendmsg,
>  	.recvmsg	=	sctp_recvmsg,
>  	.bind		=	sctp_bind,
> @@ -9705,6 +9729,7 @@ struct proto sctpv6_prot = {
>  	.shutdown	=	sctp_shutdown,
>  	.setsockopt	=	sctp_setsockopt,
>  	.getsockopt	=	sctp_getsockopt,
> +	.bpf_bypass_getsockopt	=	sctp_bpf_bypass_getsockopt,
>  	.sendmsg	=	sctp_sendmsg,
>  	.recvmsg	=	sctp_recvmsg,
>  	.bind		=	sctp_bind,
> --
> 2.34.1
>
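Review bot: in the first hunk (the one adding sctp_bpf_bypass_getsockopt) the function should be `static bool`, as already raised: the diffstat shows only net/sctp/socket.c touched, so no header declares it and a `make W=1` build will flag the missing prototype. The body can also drop one level of nesting, since the inner `default: return false;` and the trailing `return false;` do the same work; `if (level != SOL_SCTP) return false;` followed by the switch reads more directly. Two smaller points in the same hunk: the block comment opens with a bare `/*` line, whereas net/ code starts the text on the `/*` line itself, and the comment carries the commit message's "will be not aware", which should read "will not be aware".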