On Sun, Mar 09, 2025 at 02:28:11PM +0100, Alexander Mikhalitsyn wrote:
> 1. Add socket cgroup id and socket's peer cgroup id in socket's fdinfo
> 2. Add SO_PEERCGROUPID which allows to retrieve socket's peer cgroup id
> 3. Add SO_PEERCGROUPID kselftest
>
> Generally speaking, this API allows race-free resolution of socket's peer cgroup id.
> Currently, to do that SCM_CREDENTIALS/SCM_PIDFD -> pid -> /proc/<pid>/cgroup sequence
> is used which is racy.
>
> As we don't add any new state to the socket itself there are no potential locking issues
> or performance problems. We use already existing sk->sk_cgrp_data.
>
> We already have analogical interfaces to retrieve this
> information:
> - inet_diag: INET_DIAG_CGROUP_ID
> - eBPF: bpf_sk_cgroup_id
>
> Having getsockopt() interface makes sense for many applications, because using eBPF is
> not always an option, while inet_diag has obvious complexity and performance drawbacks
> if we only want to get this specific info for one specific socket.
>
> Idea comes from UAPI kernel group:
> https://uapi-group.org/kernel-features/
>
> Huge thanks to Christian Brauner, Lennart Poettering and Luca Boccassi for proposing
> and exchanging ideas about this.

Seems fine to me,
Reviewed-by: Christian Brauner <brauner@xxxxxxxxxx>