1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0
2*4882a593Smuzhiyun #include <string.h>
3*4882a593Smuzhiyun #include <netinet/in.h>
4*4882a593Smuzhiyun #include <netinet/tcp.h>
5*4882a593Smuzhiyun #include <linux/bpf.h>
6*4882a593Smuzhiyun #include <bpf/bpf_helpers.h>
7*4882a593Smuzhiyun 
/* License string emitted into the "license" section of the BPF object. */
char _license[] SEC("license") = "GPL";
/* Version word emitted into the "version" section of the BPF object. */
__u32 _version SEC("version") = 1;
10*4882a593Smuzhiyun 
/* Fallback page size, used only when the included headers do not define
 * PAGE_SIZE. The IP_FREEBIND branches below compare the buffer window
 * visible to BPF against this value.
 */
#ifndef PAGE_SIZE
#define PAGE_SIZE 4096
#endif

/* Made-up socket option level that the programs below handle themselves;
 * the kernel is not expected to handle it.
 */
#define SOL_CUSTOM			0xdeadbeef
16*4882a593Smuzhiyun 
/* Per-socket value type stored in socket_storage_map. */
struct sockopt_sk {
	/* Byte saved by the SOL_CUSTOM setsockopt path and handed back by
	 * the SOL_CUSTOM getsockopt path.
	 */
	__u8 val;
};
20*4882a593Smuzhiyun 
/* Socket-local storage map holding one struct sockopt_sk per socket.
 * Both programs below look entries up with bpf_sk_storage_get() on
 * ctx->sk, creating the entry when it does not exist yet.
 */
struct {
	__uint(type, BPF_MAP_TYPE_SK_STORAGE);
	__uint(map_flags, BPF_F_NO_PREALLOC);
	__type(key, int);
	__type(value, struct sockopt_sk);
} socket_storage_map SEC(".maps");
27*4882a593Smuzhiyun 
/*
 * cgroup/getsockopt hook.
 *
 * Return value convention used throughout: 1 lets the call proceed (to the
 * next BPF program in the cgroup chain or back to the caller), 0 fails the
 * system call with EPERM.
 *
 * Policy implemented here:
 *   - SOL_IP:IP_TOS, SOL_SOCKET:SO_SNDBUF, SOL_TCP:TCP_CONGESTION are passed
 *     through untouched.
 *   - SOL_IP:IP_FREEBIND always reports the single byte 0x55.
 *   - SOL_CUSTOM reports the byte kept in per-socket storage.
 *   - Every other level is denied, so a cgroup with this program attached
 *     loses access to all getsockopt() options not listed above.
 *
 * Every write through the option buffer is preceded by a comparison against
 * ctx->optval_end; keep those comparisons ahead of the accesses they guard.
 */
SEC("cgroup/getsockopt")
int _getsockopt(struct bpf_sockopt *ctx)
{
	__u8 *buf_end = ctx->optval_end;
	__u8 *buf = ctx->optval;
	struct sockopt_sk *sk_state;

	/* SOL_IP:IP_TOS is left to the next program in the chain or to the
	 * kernel.
	 */
	if (ctx->level == SOL_IP && ctx->optname == IP_TOS) {
		/* Zeroing optlen is how this program bypasses the
		 * optval > PAGE_SIZE limitation.
		 * NOTE(review): exact kernel handling of optlen == 0 is not
		 * visible here - confirm against the target kernel.
		 */
		ctx->optlen = 0;
		return 1;
	}

	/* SOL_SOCKET:SO_SNDBUF and SOL_TCP:TCP_CONGESTION are likewise left
	 * to the next program in the chain or to the kernel.
	 */
	if ((ctx->level == SOL_SOCKET && ctx->optname == SO_SNDBUF) ||
	    (ctx->level == SOL_TCP && ctx->optname == TCP_CONGESTION))
		return 1;

	if (ctx->level == SOL_IP && ctx->optname == IP_FREEBIND) {
		/* Need one writable byte; otherwise EPERM. */
		if (buf + 1 > buf_end)
			return 0;

		/* Clear the system call return value. */
		ctx->retval = 0;

		/* The reported value is fixed at 0x55, one byte long. */
		buf[0] = 0x55;
		ctx->optlen = 1;

		/* The userspace buffer is PAGE_SIZE * 2 bytes, yet only the
		 * first PAGE_SIZE bytes are visible to the BPF program; any
		 * other window size is unexpected and yields EPERM.
		 */
		return (buf_end - buf != PAGE_SIZE) ? 0 : 1;
	}

	/* Default deny: only SOL_CUSTOM is served past this point. */
	if (ctx->level != SOL_CUSTOM)
		return 0;

	/* Need one writable byte; otherwise EPERM. */
	if (buf + 1 > buf_end)
		return 0;

	sk_state = bpf_sk_storage_get(&socket_storage_map, ctx->sk, 0,
				      BPF_SK_STORAGE_GET_F_CREATE);
	if (!sk_state)
		return 0; /* EPERM: no per-socket storage available */

	/* A zero retval would mean the kernel handled SOL_CUSTOM itself,
	 * which should never happen; treat it as an error (EPERM).
	 */
	if (!ctx->retval)
		return 0;

	/* Clear the system call return value. */
	ctx->retval = 0;

	/* Hand back the stored byte. */
	buf[0] = sk_state->val;
	ctx->optlen = 1;

	return 1;
}
102*4882a593Smuzhiyun 
/*
 * cgroup/setsockopt hook.
 *
 * Return value convention used throughout: 1 lets the call proceed, 0 fails
 * the system call with EPERM.
 *
 * Policy implemented here:
 *   - SOL_IP:IP_TOS is passed through untouched.
 *   - SOL_SOCKET:SO_SNDBUF is rewritten to 0x55AA; the caller's value is
 *     discarded.
 *   - SOL_TCP:TCP_CONGESTION is rewritten to "cubic"; the caller's value is
 *     discarded.
 *   - SOL_IP:IP_FREEBIND is trimmed to a single zero byte, after checking
 *     that the original length was PAGE_SIZE * 2.
 *   - SOL_CUSTOM is consumed by BPF: the first byte is saved in per-socket
 *     storage and the kernel handler is skipped.
 *   - Every other level is denied, so a cgroup with this program attached
 *     loses access to all setsockopt() options not listed above.
 *
 * Every access through the option buffer is preceded by a comparison against
 * ctx->optval_end; keep those comparisons ahead of the accesses they guard.
 */
SEC("cgroup/setsockopt")
int _setsockopt(struct bpf_sockopt *ctx)
{
	__u8 *buf_end = ctx->optval_end;
	__u8 *buf = ctx->optval;
	struct sockopt_sk *sk_state;

	/* SOL_IP:IP_TOS is left to the next program in the chain or to the
	 * kernel.
	 */
	if (ctx->level == SOL_IP && ctx->optname == IP_TOS) {
		/* Zeroing optlen is how this program bypasses the
		 * optval > PAGE_SIZE limitation.
		 * NOTE(review): exact kernel handling of optlen == 0 is not
		 * visible here - confirm against the target kernel.
		 */
		ctx->optlen = 0;
		return 1;
	}

	if (ctx->level == SOL_SOCKET && ctx->optname == SO_SNDBUF) {
		/* Need room for a 32-bit value; otherwise EPERM. */
		if (buf + sizeof(__u32) > buf_end)
			return 0;

		/* Replace whatever the caller asked for with 0x55AA. */
		*(__u32 *)buf = 0x55AA;
		ctx->optlen = 4;

		return 1;
	}

	if (ctx->level == SOL_TCP && ctx->optname == TCP_CONGESTION) {
		/* Need room for the five name bytes; otherwise EPERM. */
		if (buf + 5 > buf_end)
			return 0;

		/* Force "cubic". No terminating NUL is written; optlen
		 * carries the exact length of the name.
		 */
		memcpy(buf, "cubic", 5);
		ctx->optlen = 5;

		return 1;
	}

	if (ctx->level == SOL_IP && ctx->optname == IP_FREEBIND) {
		/* The caller is expected to pass a length larger than
		 * PAGE_SIZE, namely PAGE_SIZE * 2; anything else is EPERM.
		 */
		if (ctx->optlen != PAGE_SIZE * 2)
			return 0;

		/* Need one writable byte; otherwise EPERM. */
		if (buf + 1 > buf_end)
			return 0;

		/* Check that the buffer can be trimmed to one byte. */
		buf[0] = 0;
		ctx->optlen = 1;

		/* The userspace buffer is PAGE_SIZE * 2 bytes, yet only the
		 * first PAGE_SIZE bytes are visible to the BPF program; any
		 * other window size is unexpected and yields EPERM.
		 */
		return (buf_end - buf != PAGE_SIZE) ? 0 : 1;
	}

	/* Default deny: only SOL_CUSTOM is served past this point. */
	if (ctx->level != SOL_CUSTOM)
		return 0;

	/* Need one readable byte; otherwise EPERM. */
	if (buf + 1 > buf_end)
		return 0;

	sk_state = bpf_sk_storage_get(&socket_storage_map, ctx->sk, 0,
				      BPF_SK_STORAGE_GET_F_CREATE);
	if (!sk_state)
		return 0; /* EPERM: no per-socket storage available */

	/* Remember the byte for a later SOL_CUSTOM getsockopt(). */
	sk_state->val = buf[0];

	/* optlen == -1 marks the option as consumed by BPF, so the kernel
	 * setsockopt handler is not called.
	 */
	ctx->optlen = -1;

	return 1;
}