Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
MIME-Version: 1.0
References: <20230510152216.1392682-1-aleksandr.mikhalitsyn@canonical.com> <CAKH8qBuAoobsVP2Q5KN06fZ2NM3_aMwT7Y2OoKwS4Cf=cv3ZGg@mail.gmail.com>
In-Reply-To: <CAKH8qBuAoobsVP2Q5KN06fZ2NM3_aMwT7Y2OoKwS4Cf=cv3ZGg@mail.gmail.com>
From:   Aleksandr Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Date:   Wed, 10 May 2023 23:40:45 +0200
Message-ID: <CAEivzxc3hzqMROfCgshD6qW3=NErpF6LWXFGjoBhPNNzEZ3kDg@mail.gmail.com>
Subject: Re: [PATCH net-next] net: core: add SOL_SOCKET filter for bpf
 getsockopt hook
To:     Stanislav Fomichev <sdf@google.com>
Cc:     davem@davemloft.net, Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Christian Brauner <brauner@kernel.org>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Kuniyuki Iwashima <kuniyu@amazon.com>,
        linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
        bpf@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

On Wed, May 10, 2023 at 11:31=E2=80=AFPM Stanislav Fomichev <sdf@google.com=
> wrote:
>
> On Wed, May 10, 2023 at 8:23=E2=80=AFAM Alexander Mikhalitsyn
> <aleksandr.mikhalitsyn@canonical.com> wrote:
> >
> > We have per struct proto ->bpf_bypass_getsockopt callback
> > to filter out bpf socket cgroup getsockopt hook from being called.
> >
> > It seems worthwhile to add analogical helper for SOL_SOCKET
> > level socket options. First user will be SO_PEERPIDFD.
> >
> > This patch was born as a result of discussion around a new SCM_PIDFD in=
terface:
> > https://lore.kernel.org/all/20230413133355.350571-3-aleksandr.mikhalits=
yn@canonical.com/
> >
> > Cc: Alexei Starovoitov <ast@kernel.org>
> > Cc: Daniel Borkmann <daniel@iogearbox.net>
> > Cc: Christian Brauner <brauner@kernel.org>
> > Cc: Stanislav Fomichev <sdf@google.com>
> > Cc: "David S. Miller" <davem@davemloft.net>
> > Cc: Eric Dumazet <edumazet@google.com>
> > Cc: Jakub Kicinski <kuba@kernel.org>
> > Cc: Paolo Abeni <pabeni@redhat.com>
> > Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
> > Cc: linux-kernel@vger.kernel.org
> > Cc: netdev@vger.kernel.org
> > Cc: bpf@vger.kernel.org
> > Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.c=
om>
> > ---
> >  include/linux/bpf-cgroup.h | 8 +++++---
> >  include/net/sock.h         | 1 +
> >  net/core/sock.c            | 5 +++++
> >  3 files changed, 11 insertions(+), 3 deletions(-)
> >
> > diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h
> > index 57e9e109257e..97d8a49b35bf 100644
> > --- a/include/linux/bpf-cgroup.h
> > +++ b/include/linux/bpf-cgroup.h
> > @@ -387,10 +387,12 @@ static inline bool cgroup_bpf_sock_enabled(struct=
 sock *sk,
> >         int __ret =3D retval;                                          =
          \
> >         if (cgroup_bpf_enabled(CGROUP_GETSOCKOPT) &&                   =
        \
> >             cgroup_bpf_sock_enabled(sock, CGROUP_GETSOCKOPT))          =
        \
> > -               if (!(sock)->sk_prot->bpf_bypass_getsockopt ||         =
        \
> > -                   !INDIRECT_CALL_INET_1((sock)->sk_prot->bpf_bypass_g=
etsockopt, \
> > +               if (((level !=3D SOL_SOCKET) ||                        =
          \
> > +                    !sock_bpf_bypass_getsockopt(level, optname)) &&   =
        \
> > +                   (!(sock)->sk_prot->bpf_bypass_getsockopt ||        =
        \
>
> Any reason we are not putting this into bpf_bypass_getsockopt for
> af_unix struct proto? SO_PEERPIDFD seems relevant only for af_unix?

Yes, that should work perfectly well. The reason why I'm going this
way is that we are
declaring all SOL_SOCKET-level options in the net/core/sock.c which is
not specific to any address family.
It seems reasonable to have a way to filter out getsockopt for these
options too.

But I'm not insisting on that way.

Kind regards,
Alex

>
> > +                    !INDIRECT_CALL_INET_1((sock)->sk_prot->bpf_bypass_=
getsockopt, \
> >                                         tcp_bpf_bypass_getsockopt,     =
        \
> > -                                       level, optname))               =
        \
> > +                                       level, optname)))              =
        \
> >                         __ret =3D __cgroup_bpf_run_filter_getsockopt(  =
          \
> >                                 sock, level, optname, optval, optlen,  =
        \
> >                                 max_optlen, retval);                   =
        \
> > diff --git a/include/net/sock.h b/include/net/sock.h
> > index 8b7ed7167243..530d6d22f42d 100644
> > --- a/include/net/sock.h
> > +++ b/include/net/sock.h
> > @@ -1847,6 +1847,7 @@ int sk_getsockopt(struct sock *sk, int level, int=
 optname,
> >                   sockptr_t optval, sockptr_t optlen);
> >  int sock_getsockopt(struct socket *sock, int level, int op,
> >                     char __user *optval, int __user *optlen);
> > +bool sock_bpf_bypass_getsockopt(int level, int optname);
> >  int sock_gettstamp(struct socket *sock, void __user *userstamp,
> >                    bool timeval, bool time32);
> >  struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long he=
ader_len,
> > diff --git a/net/core/sock.c b/net/core/sock.c
> > index 5440e67bcfe3..194a423eb6e5 100644
> > --- a/net/core/sock.c
> > +++ b/net/core/sock.c
> > @@ -1963,6 +1963,11 @@ int sock_getsockopt(struct socket *sock, int lev=
el, int optname,
> >                              USER_SOCKPTR(optlen));
> >  }
> >
> > +bool sock_bpf_bypass_getsockopt(int level, int optname)
> > +{
> > +       return false;
> > +}
> > +
> >  /*
> >   * Initialize an sk_lock.
> >   *
> > --
> > 2.34.1
> >