From: Jens Axboe <axboe@kernel.dk>
To: io-uring@vger.kernel.org
Cc: brauner@kernel.org, cyphar@cyphar.com, jannh@google.com,
kees@kernel.org, linux-kernel@vger.kernel.org,
Jens Axboe <axboe@kernel.dk>
Subject: [PATCH 3/7] io_uring/bpf_filter: allow filtering on contents of struct open_how
Date: Tue, 27 Jan 2026 11:29:58 -0700 [thread overview]
Message-ID: <20260127183311.86505-4-axboe@kernel.dk> (raw)
In-Reply-To: <20260127183311.86505-1-axboe@kernel.dk>
This adds custom filtering for IORING_OP_OPENAT and IORING_OP_OPENAT2,
where the open_how flags, mode, and resolve can be checked by filters.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
include/uapi/linux/io_uring/bpf_filter.h | 5 +++++
io_uring/bpf_filter.c | 6 ++++++
io_uring/openclose.c | 9 +++++++++
io_uring/openclose.h | 3 +++
4 files changed, 23 insertions(+)
diff --git a/include/uapi/linux/io_uring/bpf_filter.h b/include/uapi/linux/io_uring/bpf_filter.h
index 4dbc89bbbf10..220351b81bc0 100644
--- a/include/uapi/linux/io_uring/bpf_filter.h
+++ b/include/uapi/linux/io_uring/bpf_filter.h
@@ -22,6 +22,11 @@ struct io_uring_bpf_ctx {
__u32 type;
__u32 protocol;
} socket;
+ struct {
+ __u64 flags;
+ __u64 mode;
+ __u64 resolve;
+ } open;
};
};
diff --git a/io_uring/bpf_filter.c b/io_uring/bpf_filter.c
index 889fa915fa54..ff723ec44828 100644
--- a/io_uring/bpf_filter.c
+++ b/io_uring/bpf_filter.c
@@ -12,6 +12,7 @@
#include "io_uring.h"
#include "bpf_filter.h"
#include "net.h"
+#include "openclose.h"
struct io_bpf_filter {
struct bpf_prog *prog;
@@ -40,6 +41,11 @@ static void io_uring_populate_bpf_ctx(struct io_uring_bpf_ctx *bctx,
bctx->pdu_size = sizeof(bctx->socket);
io_socket_bpf_populate(bctx, req);
break;
+ case IORING_OP_OPENAT:
+ case IORING_OP_OPENAT2:
+ bctx->pdu_size = sizeof(bctx->open);
+ io_openat_bpf_populate(bctx, req);
+ break;
}
}
diff --git a/io_uring/openclose.c b/io_uring/openclose.c
index 15dde9bd6ff6..31c687adf873 100644
--- a/io_uring/openclose.c
+++ b/io_uring/openclose.c
@@ -85,6 +85,15 @@ static int __io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe
return 0;
}
+void io_openat_bpf_populate(struct io_uring_bpf_ctx *bctx, struct io_kiocb *req)
+{
+ struct io_open *open = io_kiocb_to_cmd(req, struct io_open);
+
+ bctx->open.flags = open->how.flags;
+ bctx->open.mode = open->how.mode;
+ bctx->open.resolve = open->how.resolve;
+}
+
int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
{
struct io_open *open = io_kiocb_to_cmd(req, struct io_open);
diff --git a/io_uring/openclose.h b/io_uring/openclose.h
index 4ca2a9935abc..566739920658 100644
--- a/io_uring/openclose.h
+++ b/io_uring/openclose.h
@@ -1,11 +1,14 @@
// SPDX-License-Identifier: GPL-2.0
+#include "bpf_filter.h"
+
int __io_close_fixed(struct io_ring_ctx *ctx, unsigned int issue_flags,
unsigned int offset);
int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe);
int io_openat(struct io_kiocb *req, unsigned int issue_flags);
void io_open_cleanup(struct io_kiocb *req);
+void io_openat_bpf_populate(struct io_uring_bpf_ctx *bctx, struct io_kiocb *req);
int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe);
int io_openat2(struct io_kiocb *req, unsigned int issue_flags);
--
2.51.0
next prev parent reply other threads:[~2026-01-27 18:33 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-27 18:29 [PATCHSET v7] Inherited restrictions and BPF filtering for io_uring Jens Axboe
2026-01-27 18:29 ` [PATCH 1/7] io_uring: add support for BPF filtering for opcode restrictions Jens Axboe
2026-01-27 18:29 ` [PATCH 2/7] io_uring/net: allow filtering on IORING_OP_SOCKET data Jens Axboe
2026-01-27 18:29 ` Jens Axboe [this message]
2026-01-27 18:29 ` [PATCH 4/7] io_uring/bpf_filter: cache lookup table in ctx->bpf_filters Jens Axboe
2026-01-27 18:30 ` [PATCH 5/7] io_uring/bpf_filter: add ref counts to struct io_bpf_filter Jens Axboe
2026-01-27 18:30 ` [PATCH 6/7] io_uring: add task fork hook Jens Axboe
2026-01-27 18:30 ` [PATCH 7/7] io_uring: allow registration of per-task restrictions Jens Axboe
-- strict thread matches above, loose matches on Subject: below --
2026-01-19 23:54 [PATCHSET v6] Inherited restrictions and BPF filtering for io_uring Jens Axboe
2026-01-19 23:54 ` [PATCH 3/7] io_uring/bpf_filter: allow filtering on contents of struct open_how Jens Axboe
2026-01-27 9:33 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260127183311.86505-4-axboe@kernel.dk \
--to=axboe@kernel.dk \
--cc=brauner@kernel.org \
--cc=cyphar@cyphar.com \
--cc=io-uring@vger.kernel.org \
--cc=jannh@google.com \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.