Re: [PATCH bpf-next v5 1/8] bpf: implement getsockopt and setsockopt hooks

[Stanislav Fomichev <sdf@fomichev.me>]

On 06/13, Stanislav Fomichev wrote:
> > > My canonical example when reasoning about multiple progs was that each one
> > > of them would implement handling for a particular level+optname. So only
> > > a single one form the chain would return 2 or 0, the rest would return 1
> > > without touching the buffer. I can't come up with a good use-case where
> > > two programs in the chain can both return 2 and fill out the buffer.
> > > The majority of the sockopts would still be handled by the kernel,
> > > we'd have only a handful of bpf progs that handle a tiny subset
> > > and delegate the rest to the kernel.
> > >
> > > How about we stop further processing as soon as some program in the chain
> > > returned 2? I think that would address most of the concerns?
> > 
> > What about a case of passive "auditing" BPF programs, that are not
> > modifying anything, but want to capture every single
> > getsockopt/setsockopt call? This premature stop would render that
> > whole approach broken.
> In that case you'd attach that program to the root of a cgroup
> (sub)tree what you want to audit (and it would be always executed and
> would return 1)? And you'd have to attach it first.
On a second thought, that's not true. BPF progs are executed from the
bottom up, so attaching to the root cgroup wouldn't work for that auditing
case :-/