Commit faff1cca authored by Andrii Nakryiko's avatar Andrii Nakryiko

Merge branch 'bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT'

Stanislav Fomichev says:

====================

We'd like to be able to identify the netns from setsockopt hooks, so that
some options can be enforced only in the "initial" netns (giving users the
ability to create clear/isolated sandboxes, if needed, without any
enforcement by doing unshare(net)).

v3:
- remove extra 'ctx->skb == NULL' check (Martin KaFai Lau)
- rework test to make sure the helper is really called, not just
  verified

v2:
- add missing CONFIG_NET
====================
Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
parents d164dd9a 6a3a3dcc
...@@ -1846,11 +1846,29 @@ const struct bpf_verifier_ops cg_sysctl_verifier_ops = { ...@@ -1846,11 +1846,29 @@ const struct bpf_verifier_ops cg_sysctl_verifier_ops = {
const struct bpf_prog_ops cg_sysctl_prog_ops = { const struct bpf_prog_ops cg_sysctl_prog_ops = {
}; };
#ifdef CONFIG_NET
BPF_CALL_1(bpf_get_netns_cookie_sockopt, struct bpf_sockopt_kern *, ctx)
{
const struct net *net = ctx ? sock_net(ctx->sk) : &init_net;
return net->net_cookie;
}
static const struct bpf_func_proto bpf_get_netns_cookie_sockopt_proto = {
.func = bpf_get_netns_cookie_sockopt,
.gpl_only = false,
.ret_type = RET_INTEGER,
.arg1_type = ARG_PTR_TO_CTX_OR_NULL,
};
#endif
static const struct bpf_func_proto * static const struct bpf_func_proto *
cg_sockopt_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) cg_sockopt_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{ {
switch (func_id) { switch (func_id) {
#ifdef CONFIG_NET #ifdef CONFIG_NET
case BPF_FUNC_get_netns_cookie:
return &bpf_get_netns_cookie_sockopt_proto;
case BPF_FUNC_sk_storage_get: case BPF_FUNC_sk_storage_get:
return &bpf_sk_storage_get_proto; return &bpf_sk_storage_get_proto;
case BPF_FUNC_sk_storage_delete: case BPF_FUNC_sk_storage_delete:
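Review bot: The new helper at `BPF_CALL_1(bpf_get_netns_cookie_sockopt, ...)` dereferences `ctx->sk` unconditionally whenever a non-NULL ctx is passed, and nothing in the hunk documents why that is safe; since BPF programs can reach this path, the assumption that the sockopt hooks always populate `sk` should be stated next to the code. I would add above the `sock_net()` line `/* ctx->sk is populated by every cgroup sockopt hook site; a NULL ctx selects init_net, mirroring bpf_get_netns_cookie_sock(). */`, and confirm the first half against the hook callers, which are outside this hunk. It is also worth a one-line note on the proto that the cookie is a stable, never-recycled 64-bit id (unlike a netns inode number), which is what makes it a sound basis for the per-netns policy the cover letter describes. The `#ifdef CONFIG_NET` placement matches the existing guard around the `BPF_FUNC_sk_storage_*` cases, so no change is needed there.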
...@@ -33,6 +33,14 @@ int _getsockopt(struct bpf_sockopt *ctx) ...@@ -33,6 +33,14 @@ int _getsockopt(struct bpf_sockopt *ctx)
__u8 *optval = ctx->optval; __u8 *optval = ctx->optval;
struct sockopt_sk *storage; struct sockopt_sk *storage;
/* Make sure bpf_get_netns_cookie is callable.
*/
if (bpf_get_netns_cookie(NULL) == 0)
return 0;
if (bpf_get_netns_cookie(ctx) == 0)
return 0;
if (ctx->level == SOL_IP && ctx->optname == IP_TOS) { if (ctx->level == SOL_IP && ctx->optname == IP_TOS) {
/* Not interested in SOL_IP:IP_TOS; /* Not interested in SOL_IP:IP_TOS;
* let next BPF program in the cgroup chain or kernel * let next BPF program in the cgroup chain or kernel
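Review bot: The comment `/* Make sure bpf_get_netns_cookie is callable. */` undersells what the two new checks do: because a cgroup sockopt program returning 0 rejects the syscall, the block turns a zero cookie into a visible syscall failure, and the whole check relies on netns cookies never being 0. I would reword it to `/* Fail the syscall (return 0) if either helper form yields 0; netns cookies are expected to be non-zero, so this proves the helper actually ran rather than merely passed the verifier. */`, and confirm the non-zero guarantee against the cookie allocator, which is not visible here. The identical block is added again in `_setsockopt` in the next hunk; the same comment applies there, and a small `static __always_inline` helper shared by both would avoid the duplication. Both `_getsockopt` and `_setsockopt` continue past the end of their hunks.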
...@@ -123,6 +131,14 @@ int _setsockopt(struct bpf_sockopt *ctx) ...@@ -123,6 +131,14 @@ int _setsockopt(struct bpf_sockopt *ctx)
__u8 *optval = ctx->optval; __u8 *optval = ctx->optval;
struct sockopt_sk *storage; struct sockopt_sk *storage;
/* Make sure bpf_get_netns_cookie is callable.
*/
if (bpf_get_netns_cookie(NULL) == 0)
return 0;
if (bpf_get_netns_cookie(ctx) == 0)
return 0;
if (ctx->level == SOL_IP && ctx->optname == IP_TOS) { if (ctx->level == SOL_IP && ctx->optname == IP_TOS) {
/* Not interested in SOL_IP:IP_TOS; /* Not interested in SOL_IP:IP_TOS;
* let next BPF program in the cgroup chain or kernel * let next BPF program in the cgroup chain or kernel