1*4882a593Smuzhiyun.. SPDX-License-Identifier: GPL-2.0 2*4882a593Smuzhiyun 3*4882a593Smuzhiyun============================ 4*4882a593SmuzhiyunBPF_PROG_TYPE_CGROUP_SOCKOPT 5*4882a593Smuzhiyun============================ 6*4882a593Smuzhiyun 7*4882a593Smuzhiyun``BPF_PROG_TYPE_CGROUP_SOCKOPT`` program type can be attached to two 8*4882a593Smuzhiyuncgroup hooks: 9*4882a593Smuzhiyun 10*4882a593Smuzhiyun* ``BPF_CGROUP_GETSOCKOPT`` - called every time process executes ``getsockopt`` 11*4882a593Smuzhiyun system call. 12*4882a593Smuzhiyun* ``BPF_CGROUP_SETSOCKOPT`` - called every time process executes ``setsockopt`` 13*4882a593Smuzhiyun system call. 14*4882a593Smuzhiyun 15*4882a593SmuzhiyunThe context (``struct bpf_sockopt``) has associated socket (``sk``) and 16*4882a593Smuzhiyunall input arguments: ``level``, ``optname``, ``optval`` and ``optlen``. 17*4882a593Smuzhiyun 18*4882a593SmuzhiyunBPF_CGROUP_SETSOCKOPT 19*4882a593Smuzhiyun===================== 20*4882a593Smuzhiyun 21*4882a593Smuzhiyun``BPF_CGROUP_SETSOCKOPT`` is triggered *before* the kernel handling of 22*4882a593Smuzhiyunsockopt and it has writable context: it can modify the supplied arguments 23*4882a593Smuzhiyunbefore passing them down to the kernel. This hook has access to the cgroup 24*4882a593Smuzhiyunand socket local storage. 25*4882a593Smuzhiyun 26*4882a593SmuzhiyunIf BPF program sets ``optlen`` to -1, the control will be returned 27*4882a593Smuzhiyunback to the userspace after all other BPF programs in the cgroup 28*4882a593Smuzhiyunchain finish (i.e. kernel ``setsockopt`` handling will *not* be executed). 29*4882a593Smuzhiyun 30*4882a593SmuzhiyunNote, that ``optlen`` can not be increased beyond the user-supplied 31*4882a593Smuzhiyunvalue. It can only be decreased or set to -1. Any other value will 32*4882a593Smuzhiyuntrigger ``EFAULT``. 33*4882a593Smuzhiyun 34*4882a593SmuzhiyunReturn Type 35*4882a593Smuzhiyun----------- 36*4882a593Smuzhiyun 37*4882a593Smuzhiyun* ``0`` - reject the syscall, ``EPERM`` will be returned to the userspace. 38*4882a593Smuzhiyun* ``1`` - success, continue with next BPF program in the cgroup chain. 39*4882a593Smuzhiyun 40*4882a593SmuzhiyunBPF_CGROUP_GETSOCKOPT 41*4882a593Smuzhiyun===================== 42*4882a593Smuzhiyun 43*4882a593Smuzhiyun``BPF_CGROUP_GETSOCKOPT`` is triggered *after* the kernel handing of 44*4882a593Smuzhiyunsockopt. The BPF hook can observe ``optval``, ``optlen`` and ``retval`` 45*4882a593Smuzhiyunif it's interested in whatever kernel has returned. BPF hook can override 46*4882a593Smuzhiyunthe values above, adjust ``optlen`` and reset ``retval`` to 0. If ``optlen`` 47*4882a593Smuzhiyunhas been increased above initial ``getsockopt`` value (i.e. userspace 48*4882a593Smuzhiyunbuffer is too small), ``EFAULT`` is returned. 49*4882a593Smuzhiyun 50*4882a593SmuzhiyunThis hook has access to the cgroup and socket local storage. 51*4882a593Smuzhiyun 52*4882a593SmuzhiyunNote, that the only acceptable value to set to ``retval`` is 0 and the 53*4882a593Smuzhiyunoriginal value that the kernel returned. Any other value will trigger 54*4882a593Smuzhiyun``EFAULT``. 55*4882a593Smuzhiyun 56*4882a593SmuzhiyunReturn Type 57*4882a593Smuzhiyun----------- 58*4882a593Smuzhiyun 59*4882a593Smuzhiyun* ``0`` - reject the syscall, ``EPERM`` will be returned to the userspace. 60*4882a593Smuzhiyun* ``1`` - success: copy ``optval`` and ``optlen`` to userspace, return 61*4882a593Smuzhiyun ``retval`` from the syscall (note that this can be overwritten by 62*4882a593Smuzhiyun the BPF program from the parent cgroup). 63*4882a593Smuzhiyun 64*4882a593SmuzhiyunCgroup Inheritance 65*4882a593Smuzhiyun================== 66*4882a593Smuzhiyun 67*4882a593SmuzhiyunSuppose, there is the following cgroup hierarchy where each cgroup 68*4882a593Smuzhiyunhas ``BPF_CGROUP_GETSOCKOPT`` attached at each level with 69*4882a593Smuzhiyun``BPF_F_ALLOW_MULTI`` flag:: 70*4882a593Smuzhiyun 71*4882a593Smuzhiyun A (root, parent) 72*4882a593Smuzhiyun \ 73*4882a593Smuzhiyun B (child) 74*4882a593Smuzhiyun 75*4882a593SmuzhiyunWhen the application calls ``getsockopt`` syscall from the cgroup B, 76*4882a593Smuzhiyunthe programs are executed from the bottom up: B, A. First program 77*4882a593Smuzhiyun(B) sees the result of kernel's ``getsockopt``. It can optionally 78*4882a593Smuzhiyunadjust ``optval``, ``optlen`` and reset ``retval`` to 0. After that 79*4882a593Smuzhiyuncontrol will be passed to the second (A) program which will see the 80*4882a593Smuzhiyunsame context as B including any potential modifications. 81*4882a593Smuzhiyun 82*4882a593SmuzhiyunSame for ``BPF_CGROUP_SETSOCKOPT``: if the program is attached to 83*4882a593SmuzhiyunA and B, the trigger order is B, then A. If B does any changes 84*4882a593Smuzhiyunto the input arguments (``level``, ``optname``, ``optval``, ``optlen``), 85*4882a593Smuzhiyunthen the next program in the chain (A) will see those changes, 86*4882a593Smuzhiyun*not* the original input ``setsockopt`` arguments. The potentially 87*4882a593Smuzhiyunmodified values will be then passed down to the kernel. 88*4882a593Smuzhiyun 89*4882a593SmuzhiyunLarge optval 90*4882a593Smuzhiyun============ 91*4882a593SmuzhiyunWhen the ``optval`` is greater than the ``PAGE_SIZE``, the BPF program 92*4882a593Smuzhiyuncan access only the first ``PAGE_SIZE`` of that data. So it has to options: 93*4882a593Smuzhiyun 94*4882a593Smuzhiyun* Set ``optlen`` to zero, which indicates that the kernel should 95*4882a593Smuzhiyun use the original buffer from the userspace. Any modifications 96*4882a593Smuzhiyun done by the BPF program to the ``optval`` are ignored. 97*4882a593Smuzhiyun* Set ``optlen`` to the value less than ``PAGE_SIZE``, which 98*4882a593Smuzhiyun indicates that the kernel should use BPF's trimmed ``optval``. 99*4882a593Smuzhiyun 100*4882a593SmuzhiyunWhen the BPF program returns with the ``optlen`` greater than 101*4882a593Smuzhiyun``PAGE_SIZE``, the userspace will receive ``EFAULT`` errno. 102*4882a593Smuzhiyun 103*4882a593SmuzhiyunExample 104*4882a593Smuzhiyun======= 105*4882a593Smuzhiyun 106*4882a593SmuzhiyunSee ``tools/testing/selftests/bpf/progs/sockopt_sk.c`` for an example 107*4882a593Smuzhiyunof BPF program that handles socket options. 108