References: <20230510131527.1244929-1-aleksandr.mikhalitsyn@canonical.com>
From: Aleksandr Mikhalitsyn
Date: Wed, 10 May 2023 16:47:21 +0200
Subject: Re: [PATCH net-next] sctp: add bpf_bypass_getsockopt proto callback
To: Stanislav Fomichev
Cc: nhorman@tuxdriver.com, davem@davemloft.net, Daniel Borkmann, Christian Brauner, Marcelo Ricardo Leitner, Xin Long, linux-sctp@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 10, 2023 at 4:32 PM Stanislav Fomichev wrote:
>
> On Wed, May 10, 2023 at 6:15 AM Alexander Mikhalitsyn wrote:
> >
> > Add bpf_bypass_getsockopt proto callback and filter out
> > SCTP_SOCKOPT_PEELOFF and SCTP_SOCKOPT_PEELOFF_FLAGS socket options
> > from running eBPF hook on them.
> >
> > These options do fd_install(), and if BPF_CGROUP_RUN_PROG_GETSOCKOPT
> > hook returns an error after success of the original handler
> > sctp_getsockopt(...), userspace will receive an error from getsockopt
> > syscall and will be not aware that fd was successfully installed into fdtable.
> >
> > This patch was born as a result of discussion around a new SCM_PIDFD interface:
> > https://lore.kernel.org/all/20230413133355.350571-3-aleksandr.mikhalitsyn@canonical.com/
> >
> > Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
> > Cc: Daniel Borkmann
> > Cc: Christian Brauner
> > Cc: Stanislav Fomichev
> > Cc: Neil Horman
> > Cc: Marcelo Ricardo Leitner
> > Cc: Xin Long
> > Cc: linux-sctp@vger.kernel.org
> > Cc: linux-kernel@vger.kernel.org
> > Cc: netdev@vger.kernel.org
> > Signed-off-by: Alexander Mikhalitsyn > > Acked-by: Stanislav Fomichev > > with a small nit below Hi Stanislav! Thanks for your review. I've also added a Suggested-by tag with your name in -v2, because you've given me this idea to use bpf_bypass_getsockopt. Hope that you are comfortable with it. > > > --- > > net/sctp/socket.c | 25 +++++++++++++++++++++++++ > > 1 file changed, 25 insertions(+) > > > > diff --git a/net/sctp/socket.c b/net/sctp/socket.c > > index cda8c2874691..a9a0ababea90 100644 > > --- a/net/sctp/socket.c > > +++ b/net/sctp/socket.c > > @@ -8281,6 +8281,29 @@ static int sctp_getsockopt(struct sock *sk, int = level, int optname, > > return retval; > > } > > > > [...] > > > +bool sctp_bpf_bypass_getsockopt(int level, int optname) > > static bool ... ? You're not making it indirect-callable, so seems > fine to keep private to this compilation unit? Sure, my bad. Fixed in v2. Kind regards, Alex > > > +{ > > + /* > > + * These options do fd_install(), and if BPF_CGROUP_RUN_PROG_GE= TSOCKOPT > > + * hook returns an error after success of the original handler > > + * sctp_getsockopt(...), userspace will receive an error from g= etsockopt > > + * syscall and will be not aware that fd was successfully insta= lled into fdtable. > > + * > > + * Let's prevent bpf cgroup hook from running on them. > > + */ > > + if (level =3D=3D SOL_SCTP) { > > + switch (optname) { > > + case SCTP_SOCKOPT_PEELOFF: > > + case SCTP_SOCKOPT_PEELOFF_FLAGS: > > + return true; > > + default: > > + return false; > > + } > > + } > > + > > + return false; > > +} > > + > > static int sctp_hash(struct sock *sk) > > { > > /* STUB */ > > @@ -9650,6 +9673,7 @@ struct proto sctp_prot =3D { > > .shutdown =3D sctp_shutdown, > > .setsockopt =3D sctp_setsockopt, > > .getsockopt =3D sctp_getsockopt, > > + .bpf_bypass_getsockopt =3D sctp_bpf_bypass_getsockopt, > > .sendmsg =3D sctp_sendmsg, > > .recvmsg =3D sctp_recvmsg, > > .bind =3D sctp_bind, 
> > @@ -9705,6 +9729,7 @@ struct proto sctpv6_prot =3D { > > .shutdown =3D sctp_shutdown, > > .setsockopt =3D sctp_setsockopt, > > .getsockopt =3D sctp_getsockopt, > > + .bpf_bypass_getsockopt =3D sctp_bpf_bypass_getsockopt, > > .sendmsg =3D sctp_sendmsg, > > .recvmsg =3D sctp_recvmsg, > > .bind =3D sctp_bind, > > -- > > 2.34.1 > >
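Review bot: The comment block in sctp_bpf_bypass_getsockopt() explains why the hook is skipped but not what is given up: because the bypass prevents the cgroup hook from running at all, getsockopt programs attached for policy or auditing will no longer see SCTP_SOCKOPT_PEELOFF or SCTP_SOCKOPT_PEELOFF_FLAGS, and that trade-off deserves a sentence in the comment or the changelog. In the same function, the `default: return false;` arm and the `return false;` after the `if (level == SOL_SCTP)` block do the same job, so the default arm can go. The comment's last sentence runs well past 80 columns, and "will be not aware" should read "will not be aware".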
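The failure mode described in the quoted commit message, as an added userspace model in C (not kernel code and not part of the original thread): a handler that creates a descriptor, followed by a hook that rejects the call. `LVL_SCTP`, `OPT_PEELOFF`, `OPT_OTHER` and every `model_*` name are constructed stand-ins, and `/dev/null` plays the peeled-off socket.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>
/* Constructed stand-ins for SOL_SCTP and two option names (not kernel values). */
enum { LVL_SCTP = 1, OPT_PEELOFF = 10, OPT_OTHER = 11 };

/* Handler: the peeloff option opens a descriptor, standing in for fd_install(). */
static int model_handler(int optname, int *fd)
{
	if (optname != OPT_PEELOFF)
		return 0;
	*fd = open("/dev/null", O_RDONLY);
	return *fd < 0 ? -errno : 0;
}

/* Same shape as the patch's predicate: true means "do not run the hook". */
static bool model_bypass(int level, int optname)
{
	return level == LVL_SCTP && optname == OPT_PEELOFF;
}

/* Handler first, then a hook that rejects every call (worst case for the bug). */
int model_getsockopt(int level, int optname, bool patched, int *fd)
{
	int ret;
	*fd = -1;
	ret = model_handler(optname, fd);
	if (ret || (patched && model_bypass(level, optname)))
		return ret;
	return -EPERM; /* the hook's verdict replaces the handler's success */
}

/* 1 when the caller gets an error while a live descriptor was left behind. */
int leaks_fd(int optname, bool patched)
{
	int fd, ret = model_getsockopt(LVL_SCTP, optname, patched, &fd);
	int leaked = ret < 0 && fd >= 0 && fcntl(fd, F_GETFD) != -1;
	if (fd >= 0)
		close(fd);
	return leaked;
}

int main(void)
{
	printf("unpatched leak=%d, patched leak=%d\n", leaks_fd(OPT_PEELOFF, false), leaks_fd(OPT_PEELOFF, true));
	return 0;
}
```

In the model the bypass only changes the outcome for the descriptor-creating option; any other option still receives the hook's verdict.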