On 1/29/21 1:59 AM, Stanislav Fomichev wrote:
On Thu, Jan 28, 2021 at 4:52 PM Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:
On 1/28/21 12:28 AM, Stanislav Fomichev wrote:
Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on
a locked socket.
Signed-off-by: Stanislav Fomichev <sdf@xxxxxxxxxx>
---
net/core/filter.c | 4 ++++
tools/testing/selftests/bpf/progs/recvmsg4_prog.c | 5 +++++
tools/testing/selftests/bpf/progs/recvmsg6_prog.c | 5 +++++
3 files changed, 14 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index ba436b1d70c2..e15d4741719a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -7023,6 +7023,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
case BPF_CGROUP_INET6_BIND:
case BPF_CGROUP_INET4_CONNECT:
case BPF_CGROUP_INET6_CONNECT:
+ case BPF_CGROUP_UDP4_RECVMSG:
+ case BPF_CGROUP_UDP6_RECVMSG:
case BPF_CGROUP_UDP4_SENDMSG:
case BPF_CGROUP_UDP6_SENDMSG:
case BPF_CGROUP_INET4_GETPEERNAME:
@@ -7039,6 +7041,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
case BPF_CGROUP_INET6_BIND:
case BPF_CGROUP_INET4_CONNECT:
case BPF_CGROUP_INET6_CONNECT:
+ case BPF_CGROUP_UDP4_RECVMSG:
+ case BPF_CGROUP_UDP6_RECVMSG:
case BPF_CGROUP_UDP4_SENDMSG:
case BPF_CGROUP_UDP6_SENDMSG:
case BPF_CGROUP_INET4_GETPEERNAME:
Looks good overall, also thanks for adding the test cases! I was about to apply, but noticed one
small nit that would be good to get resolved before that. Above you now list all the attach hooks
for sock_addr ctx, so we should just remove the whole switch that tests on prog->expected_attach_type
altogether in this last commit.
Sure, I can resend tomorrow.
But do you think it's safe and there won't ever be another sock_addr
hook that runs with an unlocked socket?
Ok, that rationale seems reasonable to keep the series as is. It probably makes sense to add a
small comment at least to the commit log to explain the reasoning, I can do so while applying.
So no need for v3, thanks!
