[bpf-next,v3,0/2] bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT

Message ID: 20210813230530.333779-1-sdf@google.com

Message

Stanislav Fomichev Aug. 13, 2021, 11:05 p.m. UTC
We'd like to be able to identify netns from setsockopt hooks
to be able to do the enforcement of some options only in the
"initial" netns (to give users the ability to create clear/isolated
sandboxes if needed without any enforcement by doing unshare(net)).

v3:
- remove extra 'ctx->skb == NULL' check (Martin KaFai Lau)
- rework test to make sure the helper is really called, not just
  verified

v2:
- add missing CONFIG_NET

Stanislav Fomichev (2):
  bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT
  selftests/bpf: verify bpf_get_netns_cookie in
    BPF_PROG_TYPE_CGROUP_SOCKOPT

 kernel/bpf/cgroup.c                            | 18 ++++++++++++++++++
 tools/testing/selftests/bpf/progs/sockopt_sk.c | 16 ++++++++++++++++
 2 files changed, 34 insertions(+)
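What a consumer of the newly allowed helper could look like (an added sketch, not code from this series): a cgroup/setsockopt program that calls bpf_get_netns_cookie() and applies its policy only in the initial netns, leaving other namespaces unenforced as the cover letter describes. It assumes the loader fills in init_netns_cookie and that SO_MARK is the option being restricted; both are illustrative choices, not something the series specifies.

```c
/* Added example, not part of the posted series: a cgroup/setsockopt
 * program that uses bpf_get_netns_cookie() to enforce a policy only in
 * the "initial" netns. Assumed: the loader fills init_netns_cookie, and
 * the policy blocks SO_MARK there (a hypothetical choice). */
#ifndef SOL_SOCKET
#define SOL_SOCKET 1
#endif
#ifndef SO_MARK
#define SO_MARK 36
#endif

/* Verdicts a cgroup/setsockopt program returns: 0 -> -EPERM, 1 -> proceed */
#define SOCKOPT_REJECT 0
#define SOCKOPT_ALLOW  1

/* Pure decision logic, kept separate so it can be unit-tested on the host */
static inline int sockopt_policy(unsigned long long netns_cookie,
                                 unsigned long long init_cookie,
                                 int level, int optname)
{
    /* Any other netns (e.g. one created via unshare(net)) is not enforced */
    if (netns_cookie != init_cookie)
        return SOCKOPT_ALLOW;
    /* In the initial netns, refuse SO_MARK changes; everything else passes */
    if (level == SOL_SOCKET && optname == SO_MARK)
        return SOCKOPT_REJECT;
    return SOCKOPT_ALLOW;
}

#ifdef __bpf__ /* only when built with clang -target bpf */
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

/* Filled in by the loader (e.g. through the libbpf skeleton's .rodata) */
const volatile unsigned long long init_netns_cookie = 0;

SEC("cgroup/setsockopt")
int enforce_setsockopt(struct bpf_sockopt *ctx)
{
    /* The helper this series enables for BPF_PROG_TYPE_CGROUP_SOCKOPT */
    unsigned long long cookie = bpf_get_netns_cookie(ctx);

    return sockopt_policy(cookie, init_netns_cookie,
                          ctx->level, ctx->optname);
}

char _license[] SEC("license") = "GPL";
#endif
```

On the bpf target the policy is inlined into the program; on a host build only sockopt_policy() compiles, which is what the assertions exercise.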

Comments

Martin KaFai Lau Aug. 13, 2021, 11:27 p.m. UTC | #1
On Fri, Aug 13, 2021 at 04:05:28PM -0700, Stanislav Fomichev wrote:
> We'd like to be able to identify netns from setsockopt hooks
> to be able to do the enforcement of some options only in the
> "initial" netns (to give users the ability to create clear/isolated
> sandboxes if needed without any enforcement by doing unshare(net)).
> 
> v3:
> - remove extra 'ctx->skb == NULL' check (Martin KaFai Lau)
> - rework test to make sure the helper is really called, not just
>   verified
Acked-by: Martin KaFai Lau <kafai@fb.com>