Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp8814833rwr; Thu, 11 May 2023 06:38:49 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6pM+v/4zCfeir+JS5vNII8BjR24s1uXOMGZQakCNg1S0ErR2mS0C+3QSpUdyiRcMurwF5H X-Received: by 2002:a17:903:32c6:b0:1ad:d935:a29d with SMTP id i6-20020a17090332c600b001add935a29dmr379738plr.39.1683812328888; Thu, 11 May 2023 06:38:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683812328; cv=none; d=google.com; s=arc-20160816; b=NMouC0yXLmnltcTZTd5ybGHEygbcSyDsqLssTQ+wfmg8A+tYVVl1w20JzFwQ82qL1d kgZrG7H/xsZUGnnWiMRk2RxzaKR1D7QjS5Zq/OdljvS8bbZeddL9Q8NZ5SYVTczcwTr9 iR82TrOtpCNj1tRiGVR+c8YHszfBuYEF6VUfheoo5ieNStmGUu9HTKTE/shUX3z4Jd+h 4TwliA/JDWAyAkM0qXROwnjJEiUpl7lKA9M8aR9d3kTXaoKKEmLjk1CM8u7wnUkevb6H WZkmoFtRjKXfXsgMGZ1YBwjxp6f1k76VpPU3foumDD869AHrvSPkK3nnnxIutSpc/3SO 2hAA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=+QWvTZLqx3wPEiv2RyOeDyceRNHlm4uLw1mA+o8yT0I=; b=T/GoxdPxHdRxQjf74fd2H8xH/RmshMDtJFDZNBogsiwT7T9mb95Ynj+ufAamCjLhiO d3kQDC9+lIGfAmZY26sWBEeelh3wBtjAsq+x5yCdxC5YpI0A2/qg72bV1p7HFdecFSWk C66vk2PizpLjHWbcg01/LJq8/HyLnxykTw0QB6/gpzv9s+/uzL2urSnETvaQ1ugulPrf nOgQLrc38mum7xtarJOYN1cUxtcGWRQvygC8dH3vnSD+1keXrc0ZfWMBNVNv2ZV9XquP II+1uFNaglN9wtFMliepqJIWgovLvLm2hORKhacNF0Y9PAcyYxrf677ZRQMszkP3fm3g 4REQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@canonical.com header.s=20210705 header.b=L5usF1D6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z15-20020a170903018f00b001a922d1f4c7si7079245plg.60.2023.05.11.06.38.36; Thu, 11 May 2023 06:38:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@canonical.com header.s=20210705 header.b=L5usF1D6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238198AbjEKN31 (ORCPT + 99 others); Thu, 11 May 2023 09:29:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45992 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238127AbjEKN2u (ORCPT ); Thu, 11 May 2023 09:28:50 -0400 Received: from smtp-relay-internal-0.canonical.com (smtp-relay-internal-0.canonical.com [185.125.188.122]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7E696A240 for ; Thu, 11 May 2023 06:27:33 -0700 (PDT) Received: from mail-yb1-f197.google.com (mail-yb1-f197.google.com [209.85.219.197]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 8FE393F4A5 for ; Thu, 11 May 2023 13:26:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1683811603; bh=+QWvTZLqx3wPEiv2RyOeDyceRNHlm4uLw1mA+o8yT0I=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=L5usF1D6+MPuqlZUo/Img/wx7PXaopT0aD6IleJi8f0mEoeNRjnFP0r/yFZjd2Xd1 hFE6jTr6Pwz5FYfX3wLfsxMpBLI0kV9IF/PqZeyesct95cGKq5su62n2suolNB5Ins gzjNA4EBB0mn/2lLRgdN2bylDi+LUqCxYgCkokrnQEWGETK2Zs6YA2DNUwZGIm45zb iDFJi961jsSLVFcwFLreODh7mdH1cmPtDh9OtFZh781TkyAgasFrKJVK3k6kTVk33w 6OAmat5O55obd13vAoOD7fjq7FICfInTAcNI4+mSXoJxUyKVA5Z93KBDqa1/+ACgA2 yoX62404sSg4Q== Received: by mail-yb1-f197.google.com with SMTP id 3f1490d57ef6-ba2b9ecfadaso9504545276.2 for ; Thu, 11 May 2023 06:26:43 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683811602; x=1686403602; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+QWvTZLqx3wPEiv2RyOeDyceRNHlm4uLw1mA+o8yT0I=; b=ekgshwflGCHK6DmsrzHJtyxOvZJuDWbVtLcbiz/EzG6TDrZ1dUzlw4rR4WwzPiuKFP k9RU3P/BUZB6s9Y3yay4YaCWKvUhUxyEE+TYhLI1ZZk9FXWdHMn5jydgWr7q2af/CedC u9mrL+CCns1BVQVBMieoMdYQFwVULpjoZ21Wo7Z7RtLOSL9QJfRc2NId/S3Hube+2G6R A1+PzmhoIl51RHcpfDpLW5KU2LD7COuCAeIJ8cz1CusLEDXcvF2phk5swmGqEmvHai+a CgbvZviqQ+ao6ogz2JhLsD2ElrNDuw79XLd22r57EjSJXcdgXIwOLlTh/XohQXd+50WZ xzrA== X-Gm-Message-State: AC+VfDxcnZKbq/JSTXRbCwuSwcAPOwjt5P6JK0ykFs1M/qEpZ75nTOib z0FZphAEgJjJxIAi9sBGLXLPyABwAE9dkWwfqJeMlztmHyebtFGXA2a2c3fTs8CJVAFDifkIPLL F5Hsq1CEN9qj0eBNeXKTGtW76MI/yprZ4LlSCigmkvVjVUb8iGaoC8PI/yA== X-Received: by 2002:a25:d308:0:b0:b92:3ed2:1cae with SMTP id e8-20020a25d308000000b00b923ed21caemr22265686ybf.12.1683811602511; Thu, 11 May 2023 06:26:42 -0700 (PDT) X-Received: by 2002:a25:d308:0:b0:b92:3ed2:1cae with SMTP id e8-20020a25d308000000b00b923ed21caemr22265681ybf.12.1683811602311; Thu, 11 May 2023 06:26:42 -0700 (PDT) MIME-Version: 1.0 References: <20230511123148.332043-1-aleksandr.mikhalitsyn@canonical.com> In-Reply-To: From: Aleksandr Mikhalitsyn Date: Thu, 11 May 2023 15:26:31 +0200 Message-ID: Subject: Re: [PATCH net-next v2] sctp: add bpf_bypass_getsockopt proto callback To: Marcelo Ricardo Leitner Cc: nhorman@tuxdriver.com, davem@davemloft.net, Daniel Borkmann , Christian Brauner , Stanislav Fomichev , Xin Long , linux-sctp@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 11, 2023 at 3:12=E2=80=AFPM Marcelo Ricardo Leitner wrote: > > Hi, Hi Marcelo, thanks! Fixed in -v3. Kind regards, Alex > > Two things: > > On Thu, May 11, 2023 at 02:31:48PM +0200, Alexander Mikhalitsyn wrote: > > Add bpf_bypass_getsockopt proto callback and filter out > > SCTP_SOCKOPT_PEELOFF and SCTP_SOCKOPT_PEELOFF_FLAGS socket options > > from running eBPF hook on them. > > > > These options do fd_install(), and if BPF_CGROUP_RUN_PROG_GETSOCKOPT > > hook returns an error after success of the original handler > > sctp_getsockopt(...), userspace will receive an error from getsockopt > > syscall and will be not aware that fd was successfully installed into f= dtable. > > > > This patch was born as a result of discussion around a new SCM_PIDFD in= terface: > > https://lore.kernel.org/all/20230413133355.350571-3-aleksandr.mikhalits= yn@canonical.com/ > > Cool, but the description is mentioning the CONNECTX3 sockopt. > > > > > Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") > > Cc: Daniel Borkmann > > Cc: Christian Brauner > > Cc: Stanislav Fomichev > > Cc: Neil Horman > > Cc: Marcelo Ricardo Leitner > > Cc: Xin Long > > Cc: linux-sctp@vger.kernel.org > > Cc: linux-kernel@vger.kernel.org > > Cc: netdev@vger.kernel.org > > Suggested-by: Stanislav Fomichev > > Acked-by: Stanislav Fomichev > > Signed-off-by: Alexander Mikhalitsyn > > --- > > net/sctp/socket.c | 31 +++++++++++++++++++++++++++++++ > > 1 file changed, 31 insertions(+) > > > > diff --git a/net/sctp/socket.c b/net/sctp/socket.c > > index cda8c2874691..a211a203003c 100644 > > --- a/net/sctp/socket.c > > +++ b/net/sctp/socket.c > > @@ -8281,6 +8281,35 @@ static int sctp_getsockopt(struct sock *sk, int = level, int optname, > > return retval; > > } > > > > +static bool sctp_bpf_bypass_getsockopt(int level, int optname) > > +{ > > + if (level =3D=3D SOL_SCTP) { > > + switch (optname) { > > + /* > > + * These options do fd_install(), and if BPF_CGROUP_RUN_P= ROG_GETSOCKOPT > > + * hook returns an error after success of the original ha= ndler > > + * sctp_getsockopt(...), userspace will receive an error = from getsockopt > > + * syscall and will be not aware that fd was successfully= installed into fdtable. > > + * > > + * Let's prevent bpf cgroup hook from running on them. > > + */ > > This and.. > > > + case SCTP_SOCKOPT_PEELOFF: > > + case SCTP_SOCKOPT_PEELOFF_FLAGS: > > + /* > > + * As pointed by Marcelo Ricardo Leitner it seems reasona= ble to skip > > + * bpf getsockopt hook for this sockopt too. Because inte= rnaly, it > > + * triggers connect() and if error will be masked userspa= ce can be confused. > > + */ > > ..this comments can be removed, as they are easily visible on the > description later on for who is interested on why such lines were > added. > > Thanks, > Marcelo > > > + case SCTP_SOCKOPT_CONNECTX3: > > + return true; > > + default: > > + return false; > > + } > > + } > > + > > + return false; > > +} > > + > > static int sctp_hash(struct sock *sk) > > { > > /* STUB */ > > @@ -9650,6 +9679,7 @@ struct proto sctp_prot =3D { > > .shutdown =3D sctp_shutdown, > > .setsockopt =3D sctp_setsockopt, > > .getsockopt =3D sctp_getsockopt, > > + .bpf_bypass_getsockopt =3D sctp_bpf_bypass_getsockopt, > > .sendmsg =3D sctp_sendmsg, > > .recvmsg =3D sctp_recvmsg, > > .bind =3D sctp_bind, > > @@ -9705,6 +9735,7 @@ struct proto sctpv6_prot =3D { > > .shutdown =3D sctp_shutdown, > > .setsockopt =3D sctp_setsockopt, > > .getsockopt =3D sctp_getsockopt, > > + .bpf_bypass_getsockopt =3D sctp_bpf_bypass_getsockopt, > > .sendmsg =3D sctp_sendmsg, > > .recvmsg =3D sctp_recvmsg, > > .bind =3D sctp_bind, > > -- > > 2.34.1 > >