Re: [PATCH net-next] sctp: add bpf_bypass_getsockopt proto callback

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Wed, May 10, 2023 at 03:15:27PM +0200, Alexander Mikhalitsyn wrote:
> Add bpf_bypass_getsockopt proto callback and filter out
> from running eBPF hook on them.
> These options do fd_install(), and if BPF_CGROUP_RUN_PROG_GETSOCKOPT
> hook returns an error after success of the original handler
> sctp_getsockopt(...), userspace will receive an error from getsockopt
> syscall and will be not aware that fd was successfully installed into fdtable.
> This patch was born as a result of discussion around a new SCM_PIDFD interface:

I read some of the emails in there but I don't get why the fd leak is
special here. I mean, I get that it leaks, but masking the error
return like this can lead to several other problems in the application
as well.

For example, SCTP_SOCKOPT_CONNECTX3 will trigger a connect(). If it
failed, and the hook returns success, the user app will at least log a
wrong "connection successful".

If the hook can't be responsible for cleaning up before returning a
different value, then maybe we want to extend the list of sockopts in
here. AFAICT these would be the 3 most critical sockopts.

[Index of Archives]     [Linux Networking Development]     [Linux OMAP]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     SCTP

  Powered by Linux