From patchwork Tue Apr 11 10:42:29 2023
X-Patchwork-Submitter: Aleksandr Mikhalitsyn
X-Patchwork-Id: 81879
From: Alexander Mikhalitsyn
To: davem@davemloft.net
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Alexander Mikhalitsyn, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Leon Romanovsky, David Ahern, Arnd Bergmann, Kees Cook, Christian Brauner, Kuniyuki Iwashima, Lennart Poettering, linux-arch@vger.kernel.org, Daniel Borkmann
Subject: [PATCH net-next v3 2/4] net: socket: add sockopts blacklist for BPF cgroup hook
Date: Tue, 11 Apr 2023 12:42:29 +0200
Message-Id: <20230411104231.160837-3-aleksandr.mikhalitsyn@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230411104231.160837-1-aleksandr.mikhalitsyn@canonical.com>
References: <20230411104231.160837-1-aleksandr.mikhalitsyn@canonical.com>

During work on SO_PEERPIDFD, it was discovered (thanks to Christian) that the bpf cgroup hook can cause FD leaks when used with sockopts which install FDs into the process fdtable. After some offlist discussion it was proposed to add a blacklist of socket options that can cause trouble when the BPF cgroup hook is enabled.

Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Cc: Leon Romanovsky
Cc: David Ahern
Cc: Arnd Bergmann
Cc: Kees Cook
Cc: Christian Brauner
Cc: Kuniyuki Iwashima
Cc: Lennart Poettering
Cc: linux-kernel@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-arch@vger.kernel.org
Suggested-by: Daniel Borkmann
Suggested-by: Christian Brauner
Signed-off-by: Alexander Mikhalitsyn Acked-by: Christian Brauner --- net/socket.c | 38 +++++++++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/net/socket.c b/net/socket.c index 73e493da4589..9c1ef11de23f 100644 --- a/net/socket.c +++ b/net/socket.c @@ -108,6 +108,8 @@ #include #include +#include + #ifdef CONFIG_NET_RX_BUSY_POLL unsigned int sysctl_net_busy_read __read_mostly; unsigned int sysctl_net_busy_poll __read_mostly; @@ -2227,6 +2229,36 @@ static bool sock_use_custom_sol_socket(const struct socket *sock) return test_bit(SOCK_CUSTOM_SOCKOPT, &sock->flags); } +#ifdef CONFIG_CGROUP_BPF +static bool sockopt_installs_fd(int level, int optname) +{ + /* + * These options do fd_install(), and if BPF_CGROUP_RUN_PROG_GETSOCKOPT + * hook returns an error after success of the original handler + * sctp_getsockopt(...), userspace will receive an error from getsockopt + * syscall and will be not aware that fd was successfully installed into fdtable. + * + * Let's prevent bpf cgroup hook from running on them. + */ + if (level == SOL_SCTP) { + switch (optname) { + case SCTP_SOCKOPT_PEELOFF: + case SCTP_SOCKOPT_PEELOFF_FLAGS: + return true; + default: + return false; + } + } + + return false; +} +#else /* CONFIG_CGROUP_BPF */ +static inline bool sockopt_installs_fd(int level, int optname) +{ + return false; +} +#endif /* CONFIG_CGROUP_BPF */ + /* * Set a socket option. Because we don't know the option lengths we have * to pass the user mode parameter for the protocols to sort out. @@ -2250,7 +2282,7 @@ int __sys_setsockopt(int fd, int level, int optname, char __user *user_optval, if (err) goto out_put; - if (!in_compat_syscall()) + if (!in_compat_syscall() && !sockopt_installs_fd(level, optname)) err = BPF_CGROUP_RUN_PROG_SETSOCKOPT(sock->sk, &level, &optname, user_optval, &optlen, &kernel_optval); 
@@ -2304,7 +2336,7 @@ int __sys_getsockopt(int fd, int level, int optname, char __user *optval, if (err) goto out_put; - if (!in_compat_syscall()) + if (!in_compat_syscall() && !sockopt_installs_fd(level, optname)) max_optlen = BPF_CGROUP_GETSOCKOPT_MAX_OPTLEN(optlen); if (level == SOL_SOCKET) @@ -2315,7 +2347,7 @@ int __sys_getsockopt(int fd, int level, int optname, char __user *optval, err = sock->ops->getsockopt(sock, level, optname, optval, optlen); - if (!in_compat_syscall()) + if (!in_compat_syscall() && !sockopt_installs_fd(level, optname)) err = BPF_CGROUP_RUN_PROG_GETSOCKOPT(sock->sk, level, optname, optval, optlen, max_optlen, err);
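
Review bot: In the new sockopt_installs_fd() helper, the list covers only SCTP_SOCKOPT_PEELOFF and SCTP_SOCKOPT_PEELOFF_FLAGS under SOL_SCTP, so generic net/socket.c now carries protocol-specific knowledge that has to be kept in sync by hand whenever a sockopt handler starts calling fd_install(). Please extend the comment to say that any new fd-installing option must be added here; the commit message names SO_PEERPIDFD as the motivating case, and this hunk does not list it. A small wording point in the same comment: "will be not aware" should read "will not be aware".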
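
Review bot: In the __sys_setsockopt() hunk, the added !sockopt_installs_fd(level, optname) test skips BPF_CGROUP_RUN_PROG_SETSOCKOPT, but the helper's comment justifies the bypass only for the getsockopt path, where the hook can return an error after the handler has already installed the fd. Either drop the check from the setsockopt side or state in the helper comment why that hook must be bypassed as well; as written, an attached cgroup program stops seeing setsockopt calls with these optnames and nothing in the patch explains why.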
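
Review bot: In the two __sys_getsockopt() hunks, the condition !in_compat_syscall() && !sockopt_installs_fd(level, optname) is evaluated twice, once before BPF_CGROUP_GETSOCKOPT_MAX_OPTLEN and once before BPF_CGROUP_RUN_PROG_GETSOCKOPT, and max_optlen is assigned only at the first site and consumed only at the second. Computing the condition once into a local bool and testing that in both places would keep the two sites from diverging in a later edit. It is also worth documenting that cgroup getsockopt programs no longer run for these options, since a program attached for policy or auditing will not see them.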