We'd like to be able to identify netns from setsockopt hooks to be able to do the enforcement of some options only in the "initial" netns (to give users the ability to create clear/isolated sandboxes if needed without any enforcement by doing unshare(net)). Stanislav Fomichev (2): bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT selftests/bpf: verify bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT kernel/bpf/cgroup.c | 17 +++++++++++++++ tools/testing/selftests/bpf/verifier/ctx.c | 25 ++++++++++++++++++++++ 2 files changed, 42 insertions(+) -- 2.33.0.rc1.237.g0d66db33f3-goog