On 9/5/23 12:02 PM, Martin KaFai Lau wrote:
@@ -1766,14 +1787,37 @@ static int unix_getname(struct socket *sock, struct
sockaddr *uaddr, int peer)
if (!addr) {
sunaddr->sun_family = AF_UNIX;
sunaddr->sun_path[0] = 0;
- err = offsetof(struct sockaddr_un, sun_path);
+ addr_len = offsetof(struct sockaddr_un, sun_path);
} else {
- err = addr->len;
+ addr_len = addr->len;
memcpy(sunaddr, addr->name, addr->len);
}
+
+ if (peer && cgroup_bpf_enabled(CGROUP_UNIX_GETPEERNAME)) {
+ err = BPF_CGROUP_RUN_SA_PROG(sk, uaddr, &addr_len,
+ CGROUP_UNIX_GETPEERNAME);
+ if (err)
UNIX_GETPEERNAME can only return 1 (OK), so there is no need for the err check
here.
+ goto out;
+
+ err = unix_validate_addr(sunaddr, addr_len);
Since the kfunc is specific to the unix address, how about doing the
unix_validate_addr check in the kfunc itself?
When reading patch 3 again, I see the kfunc has already checked the addrlen against
UNIX_PATH_MAX. Shouldn't that be as good as the unix_validate_addr() check, considering
the kfunc can only change sunaddr->sun_path?