On 06/13, Stanislav Fomichev wrote: > > > My canonical example when reasoning about multiple progs was that each one > > > of them would implement handling for a particular level+optname. So only > > > a single one form the chain would return 2 or 0, the rest would return 1 > > > without touching the buffer. I can't come up with a good use-case where > > > two programs in the chain can both return 2 and fill out the buffer. > > > The majority of the sockopts would still be handled by the kernel, > > > we'd have only a handful of bpf progs that handle a tiny subset > > > and delegate the rest to the kernel. > > > > > > How about we stop further processing as soon as some program in the chain > > > returned 2? I think that would address most of the concerns? > > > > What about a case of passive "auditing" BPF programs, that are not > > modifying anything, but want to capture every single > > getsockopt/setsockopt call? This premature stop would render that > > whole approach broken. > In that case you'd attach that program to the root of a cgroup > (sub)tree what you want to audit (and it would be always executed and > would return 1)? And you'd have to attach it first. On a second thought, that's not true. BPF progs are executed from the bottom up, so attaching to the root cgroup wouldn't work for that auditing case :-/
