We'd like to be able to identify netns from setsockopt hooks
to be able to do the enforcement of some options only in the
"initial" netns (to give users the ability to create clear/isolated
sandboxes if needed without any enforcement by doing unshare(net)).
Stanislav Fomichev (2):
bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT
selftests/bpf: verify bpf_get_netns_cookie in
BPF_PROG_TYPE_CGROUP_SOCKOPT
kernel/bpf/cgroup.c | 17 +++++++++++++++
tools/testing/selftests/bpf/verifier/ctx.c | 25 ++++++++++++++++++++++
2 files changed, 42 insertions(+)
--
2.33.0.rc1.237.g0d66db33f3-goog
