Message-ID: <20250309132821.103046-1-aleksandr.mikhalitsyn@canonical.com>
Date: Sun,  9 Mar 2025 14:28:11 +0100
From: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@...onical.com>
To: kuniyu@...zon.com
Cc: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@...onical.com>,
	linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org,
	cgroups@...r.kernel.org,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>,
	Paolo Abeni <pabeni@...hat.com>,
	Willem de Bruijn <willemb@...gle.com>,
	Leon Romanovsky <leon@...nel.org>,
	Arnd Bergmann <arnd@...db.de>,
	Christian Brauner <brauner@...nel.org>,
	Lennart Poettering <mzxreary@...inter.de>,
	Luca Boccassi <bluca@...ian.org>,
	Tejun Heo <tj@...nel.org>,
	Johannes Weiner <hannes@...xchg.org>,
	Michal Koutný <mkoutny@...e.com>,
	Shuah Khan <shuah@...nel.org>
Subject: [PATCH net-next 0/4] Add getsockopt(SO_PEERCGROUPID) and fdinfo API to retrieve socket's peer cgroup id

1. Add socket cgroup id and socket's peer cgroup id in socket's fdinfo
2. Add SO_PEERCGROUPID which allows to retrieve socket's peer cgroup id
3. Add SO_PEERCGROUPID kselftest

Generally speaking, this API allows race-free resolution of a socket's peer cgroup id.
Currently, to do that the SCM_CREDENTIALS/SCM_PIDFD -> pid -> /proc/<pid>/cgroup sequence
is used, which is racy.

As we don't add any new state to the socket itself, there are no potential locking issues
or performance problems. We use the already existing sk->sk_cgrp_data.

We already have analogous interfaces to retrieve this
information:
- inet_diag: INET_DIAG_CGROUP_ID
- eBPF: bpf_sk_cgroup_id

Having a getsockopt() interface makes sense for many applications, because using eBPF is
not always an option, while inet_diag has obvious complexity and performance drawbacks
if we only want to get this specific info for one specific socket.
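The following is an added illustration, not code from this series or from the kernel tree: it implements the legacy SCM_CREDENTIALS -> pid -> /proc/<pid>/cgroup lookup the cover letter calls racy (the window between recvmsg() and the /proc read is where the pid can be recycled), and beside it a wrapper that asks the kernel directly via getsockopt(SO_PEERCGROUPID). The numeric value of SO_PEERCGROUPID is not given on this page, so that call is compiled only when the installed UAPI headers define it; the assumption that the option returns a 64-bit cgroup id (as INET_DIAG_CGROUP_ID and bpf_sk_cgroup_id do) is mine. The demo runs over a socketpair, so the "peer" is the calling process and the result can be checked against getpid(). The names recv_peer_cred, cgroup_path_of_pid, peer_cgroup_id and demo_peer_lookup are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Kernel ABI constant (include/linux/socket.h); defined here only if libc did not expose it. */
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02
#endif

/* Layout of the SCM_CREDENTIALS payload (same as struct ucred). */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Legacy step 1: receive one message and extract the sender's credentials. */
int recv_peer_cred(int fd, struct peer_cred *out)
{
    char data[1];
    char cbuf[CMSG_SPACE(sizeof(struct peer_cred))];
    struct iovec iov = { .iov_base = data, .iov_len = sizeof data };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(fd, &msg, 0) < 0)
        return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return 0;
        }
    }
    errno = ENODATA;
    return -1;
}

/* Legacy step 2: map pid -> cgroup path from /proc/<pid>/cgroup (lines are
 * "hierarchy-ID:controllers:path"; the "0::" line is the unified hierarchy).
 * This is the racy step: the pid may already belong to another process. */
int cgroup_path_of_pid(pid_t pid, char *buf, size_t len)
{
    char procpath[64], line[512];
    int rc = -1;
    snprintf(procpath, sizeof procpath, "/proc/%d/cgroup", (int)pid);
    FILE *f = fopen(procpath, "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        char *p = strchr(line, ':');
        if (!p || !(p = strchr(p + 1, ':')))
            continue;
        p++;
        p[strcspn(p, "\n")] = '\0';
        int unified = strncmp(line, "0::", 3) == 0;
        if (unified || rc != 0) {        /* prefer the v2 line, else first line */
            snprintf(buf, len, "%s", p);
            rc = 0;
        }
        if (unified)
            break;
    }
    fclose(f);
    return rc;
}

/* Proposed replacement: one getsockopt(), no pid round trip. Compiled only when
 * the UAPI headers define SO_PEERCGROUPID; 64-bit id is an assumption. */
int peer_cgroup_id(int fd, uint64_t *id)
{
#ifdef SO_PEERCGROUPID
    socklen_t len = sizeof *id;
    return getsockopt(fd, SOL_SOCKET, SO_PEERCGROUPID, id, &len);
#else
    (void)fd; (void)id;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Run the legacy sequence over a socketpair; returns the peer pid or -1. */
pid_t demo_peer_lookup(char *cgpath, size_t len)
{
    int sv[2], on = 1;
    struct peer_cred cred;
    pid_t pid = -1;
    cgpath[0] = '\0';
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &on, sizeof on); /* receiver opts in first */
    if (write(sv[0], "x", 1) == 1 && recv_peer_cred(sv[1], &cred) == 0) {
        pid = cred.pid;
        cgroup_path_of_pid(pid, cgpath, len);
    }
    close(sv[0]); close(sv[1]);
    return pid;
}

int main(void)
{
    char path[256];
    uint64_t id;
    pid_t pid = demo_peer_lookup(path, sizeof path);
    printf("legacy: peer pid %d (self %d), cgroup path %s\n", (int)pid, (int)getpid(), path);
    if (peer_cgroup_id(-1, &id) < 0)
        printf("SO_PEERCGROUPID: %s\n", strerror(errno));
    return 0;
}
```

On a kernel carrying this series the wrapper replaces both legacy steps and needs no /proc access at all, which is also why the cover letter can claim no new socket state: the id comes straight from sk->sk_cgrp_data.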

The idea comes from the UAPI kernel group:
https://uapi-group.org/kernel-features/

Huge thanks to Christian Brauner, Lennart Poettering and Luca Boccassi for proposing
and exchanging ideas about this.

Git tree:
https://github.com/mihalicyn/linux/tree/so_peercgroupid

Cc: linux-kernel@...r.kernel.org
Cc: netdev@...r.kernel.org
Cc: cgroups@...r.kernel.org
Cc: "David S. Miller" <davem@...emloft.net>
Cc: Eric Dumazet <edumazet@...gle.com>
Cc: Jakub Kicinski <kuba@...nel.org>
Cc: Paolo Abeni <pabeni@...hat.com>
Cc: Willem de Bruijn <willemb@...gle.com>
Cc: Leon Romanovsky <leon@...nel.org>
Cc: Arnd Bergmann <arnd@...db.de>
Cc: Christian Brauner <brauner@...nel.org>
Cc: Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: Lennart Poettering <mzxreary@...inter.de>
Cc: Luca Boccassi <bluca@...ian.org>
Cc: Tejun Heo <tj@...nel.org>
Cc: Johannes Weiner <hannes@...xchg.org>
Cc: "Michal Koutný" <mkoutny@...e.com>
Cc: Shuah Khan <shuah@...nel.org>

Alexander Mikhalitsyn (4):
  net: unix: print cgroup_id and peer_cgroup_id in fdinfo
  net: core: add getsockopt SO_PEERCGROUPID
  tools/testing/selftests/cgroup/cgroup_util: add cg_get_id helper
  tools/testing/selftests/cgroup: add test for SO_PEERCGROUPID

 arch/alpha/include/uapi/asm/socket.h          |   2 +
 arch/mips/include/uapi/asm/socket.h           |   2 +
 arch/parisc/include/uapi/asm/socket.h         |   2 +
 arch/sparc/include/uapi/asm/socket.h          |   2 +
 include/uapi/asm-generic/socket.h             |   2 +
 net/core/sock.c                               |  17 +
 net/unix/af_unix.c                            |  84 +++++
 tools/include/uapi/asm-generic/socket.h       |   2 +
 tools/testing/selftests/cgroup/Makefile       |   2 +
 tools/testing/selftests/cgroup/cgroup_util.c  |  15 +
 tools/testing/selftests/cgroup/cgroup_util.h  |   2 +
 .../selftests/cgroup/test_so_peercgroupid.c   | 308 ++++++++++++++++++
 12 files changed, 440 insertions(+)
 create mode 100644 tools/testing/selftests/cgroup/test_so_peercgroupid.c

-- 
2.43.0

