Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
MIME-Version: 1.0
References: <20230510152216.1392682-1-aleksandr.mikhalitsyn@canonical.com>
In-Reply-To: <20230510152216.1392682-1-aleksandr.mikhalitsyn@canonical.com>
From:   Stanislav Fomichev <sdf@google.com>
Date:   Wed, 10 May 2023 14:31:24 -0700
Message-ID: <CAKH8qBuAoobsVP2Q5KN06fZ2NM3_aMwT7Y2OoKwS4Cf=cv3ZGg@mail.gmail.com>
Subject: Re: [PATCH net-next] net: core: add SOL_SOCKET filter for bpf
 getsockopt hook
To:     Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Cc:     davem@davemloft.net, Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Christian Brauner <brauner@kernel.org>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Kuniyuki Iwashima <kuniyu@amazon.com>,
        linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
        bpf@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

On Wed, May 10, 2023 at 8:23=E2=80=AFAM Alexander Mikhalitsyn
<aleksandr.mikhalitsyn@canonical.com> wrote:
>
> We have per struct proto ->bpf_bypass_getsockopt callback
> to filter out bpf socket cgroup getsockopt hook from being called.
>
> It seems worthwhile to add analogical helper for SOL_SOCKET
> level socket options. First user will be SO_PEERPIDFD.
>
> This patch was born as a result of discussion around a new SCM_PIDFD inte=
rface:
> https://lore.kernel.org/all/20230413133355.350571-3-aleksandr.mikhalitsyn=
@canonical.com/
>
> Cc: Alexei Starovoitov <ast@kernel.org>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Cc: Christian Brauner <brauner@kernel.org>
> Cc: Stanislav Fomichev <sdf@google.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
> Cc: linux-kernel@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Cc: bpf@vger.kernel.org
> Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com=
>
> ---
>  include/linux/bpf-cgroup.h | 8 +++++---
>  include/net/sock.h         | 1 +
>  net/core/sock.c            | 5 +++++
>  3 files changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h
> index 57e9e109257e..97d8a49b35bf 100644
> --- a/include/linux/bpf-cgroup.h
> +++ b/include/linux/bpf-cgroup.h
> @@ -387,10 +387,12 @@ static inline bool cgroup_bpf_sock_enabled(struct s=
ock *sk,
>         int __ret =3D retval;                                            =
        \
>         if (cgroup_bpf_enabled(CGROUP_GETSOCKOPT) &&                     =
      \
>             cgroup_bpf_sock_enabled(sock, CGROUP_GETSOCKOPT))            =
      \
> -               if (!(sock)->sk_prot->bpf_bypass_getsockopt ||           =
      \
> -                   !INDIRECT_CALL_INET_1((sock)->sk_prot->bpf_bypass_get=
sockopt, \
> +               if (((level !=3D SOL_SOCKET) ||                          =
        \
> +                    !sock_bpf_bypass_getsockopt(level, optname)) &&     =
      \
> +                   (!(sock)->sk_prot->bpf_bypass_getsockopt ||          =
      \

Any reason we are not putting this into bpf_bypass_getsockopt for
af_unix struct proto? SO_PEERPIDFD seems relevant only for af_unix?

> +                    !INDIRECT_CALL_INET_1((sock)->sk_prot->bpf_bypass_ge=
tsockopt, \
>                                         tcp_bpf_bypass_getsockopt,       =
      \
> -                                       level, optname))                 =
      \
> +                                       level, optname)))                =
      \
>                         __ret =3D __cgroup_bpf_run_filter_getsockopt(    =
        \
>                                 sock, level, optname, optval, optlen,    =
      \
>                                 max_optlen, retval);                     =
      \
> diff --git a/include/net/sock.h b/include/net/sock.h
> index 8b7ed7167243..530d6d22f42d 100644
> --- a/include/net/sock.h
> +++ b/include/net/sock.h
> @@ -1847,6 +1847,7 @@ int sk_getsockopt(struct sock *sk, int level, int o=
ptname,
>                   sockptr_t optval, sockptr_t optlen);
>  int sock_getsockopt(struct socket *sock, int level, int op,
>                     char __user *optval, int __user *optlen);
> +bool sock_bpf_bypass_getsockopt(int level, int optname);
>  int sock_gettstamp(struct socket *sock, void __user *userstamp,
>                    bool timeval, bool time32);
>  struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long head=
er_len,
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 5440e67bcfe3..194a423eb6e5 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -1963,6 +1963,11 @@ int sock_getsockopt(struct socket *sock, int level=
, int optname,
>                              USER_SOCKPTR(optlen));
>  }
>
> +bool sock_bpf_bypass_getsockopt(int level, int optname)
> +{
> +       return false;
> +}
> +
>  /*
>   * Initialize an sk_lock.
>   *
> --
> 2.34.1
>