On Wed, Jun 22, 2022 at 09:03:41AM -0700, Stanislav Fomichev wrote:
> I don't see how to make it nice without introducing btf id lists
> for the hooks where these helpers are allowed. Some LSM hooks
> work on the locked sockets, some are triggering early and
> don't grab any locks, so have two lists for now:
>
> 1. LSM hooks which trigger under socket lock - minority of the hooks,
>    but ideal case for us, we can expose existing BTF-based helpers
> 2. LSM hooks which trigger without socket lock, but they trigger
>    early in the socket creation path where it should be safe to
>    do setsockopt without any locks
> 3. The rest are prohibited. I'm thinking that this use-case might
>    be a good gateway to sleeping lsm cgroup hooks in the future.
>    We can either expose lock/unlock operations (and add tracking
>    to the verifier) or have another set of bpf_setsockopt
>    wrappers that grab the locks and might sleep.

Reviewed-by: Martin KaFai Lau <kafai@xxxxxx>