From: Jens Axboe <axboe@kernel.dk>
To: io-uring@vger.kernel.org
Cc: brauner@kernel.org, cyphar@cyphar.com, jannh@google.com,
kees@kernel.org, linux-kernel@vger.kernel.org,
Jens Axboe <axboe@kernel.dk>
Subject: [PATCH 2/7] io_uring/net: allow filtering on IORING_OP_SOCKET data
Date: Tue, 27 Jan 2026 11:29:57 -0700 [thread overview]
Message-ID: <20260127183311.86505-3-axboe@kernel.dk> (raw)
In-Reply-To: <20260127183311.86505-1-axboe@kernel.dk>
Example population method for the BPF based opcode filtering. This
exposes the socket family, type, and protocol to a registered BPF
filter. This in turn enables the filter to make decisions based on
what was passed in to the IORING_OP_SOCKET request type.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
include/uapi/linux/io_uring/bpf_filter.h | 7 +++++++
io_uring/bpf_filter.c | 11 +++++++++++
io_uring/net.c | 9 +++++++++
io_uring/net.h | 6 ++++++
4 files changed, 33 insertions(+)
diff --git a/include/uapi/linux/io_uring/bpf_filter.h b/include/uapi/linux/io_uring/bpf_filter.h
index 2d4d0e5743e4..4dbc89bbbf10 100644
--- a/include/uapi/linux/io_uring/bpf_filter.h
+++ b/include/uapi/linux/io_uring/bpf_filter.h
@@ -16,6 +16,13 @@ struct io_uring_bpf_ctx {
__u8 sqe_flags;
__u8 pdu_size; /* size of aux data for filter */
__u8 pad[5];
+ union {
+ struct {
+ __u32 family;
+ __u32 type;
+ __u32 protocol;
+ } socket;
+ };
};
enum {
diff --git a/io_uring/bpf_filter.c b/io_uring/bpf_filter.c
index 5207226d72ea..889fa915fa54 100644
--- a/io_uring/bpf_filter.c
+++ b/io_uring/bpf_filter.c
@@ -30,6 +30,17 @@ static void io_uring_populate_bpf_ctx(struct io_uring_bpf_ctx *bctx,
/* clear residual, anything from pdu_size and below */
memset((void *) bctx + offsetof(struct io_uring_bpf_ctx, pdu_size), 0,
sizeof(*bctx) - offsetof(struct io_uring_bpf_ctx, pdu_size));
+
+ /*
+ * Opcodes can provide a handler fo populating more data into bctx,
+ * for filters to use.
+ */
+ switch (req->opcode) {
+ case IORING_OP_SOCKET:
+ bctx->pdu_size = sizeof(bctx->socket);
+ io_socket_bpf_populate(bctx, req);
+ break;
+ }
}
/*
diff --git a/io_uring/net.c b/io_uring/net.c
index 519ea055b761..4fcba36bd0bb 100644
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -1699,6 +1699,15 @@ int io_accept(struct io_kiocb *req, unsigned int issue_flags)
return IOU_COMPLETE;
}
+void io_socket_bpf_populate(struct io_uring_bpf_ctx *bctx, struct io_kiocb *req)
+{
+ struct io_socket *sock = io_kiocb_to_cmd(req, struct io_socket);
+
+ bctx->socket.family = sock->domain;
+ bctx->socket.type = sock->type;
+ bctx->socket.protocol = sock->protocol;
+}
+
int io_socket_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
{
struct io_socket *sock = io_kiocb_to_cmd(req, struct io_socket);
diff --git a/io_uring/net.h b/io_uring/net.h
index 43e5ce5416b7..a862960a3bb9 100644
--- a/io_uring/net.h
+++ b/io_uring/net.h
@@ -3,6 +3,7 @@
#include <linux/net.h>
#include <linux/uio.h>
#include <linux/io_uring_types.h>
+#include <uapi/linux/io_uring/bpf_filter.h>
struct io_async_msghdr {
#if defined(CONFIG_NET)
@@ -44,6 +45,7 @@ int io_accept(struct io_kiocb *req, unsigned int issue_flags);
int io_socket_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe);
int io_socket(struct io_kiocb *req, unsigned int issue_flags);
+void io_socket_bpf_populate(struct io_uring_bpf_ctx *bctx, struct io_kiocb *req);
int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe);
int io_connect(struct io_kiocb *req, unsigned int issue_flags);
@@ -64,4 +66,8 @@ void io_netmsg_cache_free(const void *entry);
static inline void io_netmsg_cache_free(const void *entry)
{
}
+static inline void io_socket_bpf_populate(struct io_uring_bpf_ctx *bctx,
+ struct io_kiocb *req)
+{
+}
#endif
--
2.51.0
next prev parent reply other threads:[~2026-01-27 18:33 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-27 18:29 [PATCHSET v7] Inherited restrictions and BPF filtering for io_uring Jens Axboe
2026-01-27 18:29 ` [PATCH 1/7] io_uring: add support for BPF filtering for opcode restrictions Jens Axboe
2026-01-27 18:29 ` Jens Axboe [this message]
2026-01-27 18:29 ` [PATCH 3/7] io_uring/bpf_filter: allow filtering on contents of struct open_how Jens Axboe
2026-01-27 18:29 ` [PATCH 4/7] io_uring/bpf_filter: cache lookup table in ctx->bpf_filters Jens Axboe
2026-01-27 18:30 ` [PATCH 5/7] io_uring/bpf_filter: add ref counts to struct io_bpf_filter Jens Axboe
2026-01-27 18:30 ` [PATCH 6/7] io_uring: add task fork hook Jens Axboe
2026-01-27 18:30 ` [PATCH 7/7] io_uring: allow registration of per-task restrictions Jens Axboe
-- strict thread matches above, loose matches on Subject: below --
2026-01-19 23:54 [PATCHSET v6] Inherited restrictions and BPF filtering for io_uring Jens Axboe
2026-01-19 23:54 ` [PATCH 2/7] io_uring/net: allow filtering on IORING_OP_SOCKET data Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260127183311.86505-3-axboe@kernel.dk \
--to=axboe@kernel.dk \
--cc=brauner@kernel.org \
--cc=cyphar@cyphar.com \
--cc=io-uring@vger.kernel.org \
--cc=jannh@google.com \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.