From: Wei Wang <weibunny@fb.com>
To: <netdev@vger.kernel.org>, Jakub Kicinski <kuba@kernel.org>,
Daniel Zahka <daniel.zahka@gmail.com>,
Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
David Wei <dw@davidwei.uk>, Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>
Cc: Wei Wang <weibunny@fb.com>
Subject: [PATCH net-next 5/9] psp: add unprivileged version of psp_device_get_locked
Date: Mon, 23 Feb 2026 16:24:05 -0800 [thread overview]
Message-ID: <20260224002410.1553838-6-weibunny@fb.com> (raw)
In-Reply-To: <20260224002410.1553838-1-weibunny@fb.com>
Add a placeholder function called psp_device_get_locked_unpriv() which
will be used for commands that are unprivileged and are used for
existing commands like dev-dump, dev-get, rx-assoc, tx-assoc.
Commands including dev-add/delete/change-ntf, key-rotate would keep
using the privileged version.
A following commit will implement the unprivileged version check.
Signed-off-by: Wei Wang <weibunny@fb.com>
---
Documentation/netlink/specs/psp.yaml | 2 +-
net/psp/psp-nl-gen.c | 2 +-
net/psp/psp-nl-gen.h | 2 ++
net/psp/psp.h | 2 +-
net/psp/psp_main.c | 3 ++-
net/psp/psp_nl.c | 28 +++++++++++++++++++++-------
6 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/Documentation/netlink/specs/psp.yaml b/Documentation/netlink/specs/psp.yaml
index f3a57782d2cf..2ef94f3503c8 100644
--- a/Documentation/netlink/specs/psp.yaml
+++ b/Documentation/netlink/specs/psp.yaml
@@ -170,7 +170,7 @@ operations:
- ifindex
- psp-versions-cap
- psp-versions-ena
- pre: psp-device-get-locked
+ pre: psp-device-get-locked-unpriv
post: psp-device-unlock
dump:
reply: *dev-all
diff --git a/net/psp/psp-nl-gen.c b/net/psp/psp-nl-gen.c
index 22a48d0fa378..106607a201d8 100644
--- a/net/psp/psp-nl-gen.c
+++ b/net/psp/psp-nl-gen.c
@@ -57,7 +57,7 @@ static const struct nla_policy psp_get_stats_nl_policy[PSP_A_STATS_DEV_ID + 1] =
static const struct genl_split_ops psp_nl_ops[] = {
{
.cmd = PSP_CMD_DEV_GET,
- .pre_doit = psp_device_get_locked,
+ .pre_doit = psp_device_get_locked_unpriv,
.doit = psp_nl_dev_get_doit,
.post_doit = psp_device_unlock,
.policy = psp_dev_get_nl_policy,
diff --git a/net/psp/psp-nl-gen.h b/net/psp/psp-nl-gen.h
index 599c5f1c82f2..7abad086be1e 100644
--- a/net/psp/psp-nl-gen.h
+++ b/net/psp/psp-nl-gen.h
@@ -15,6 +15,8 @@
/* Common nested types */
extern const struct nla_policy psp_keys_nl_policy[PSP_A_KEYS_SPI + 1];
+int psp_device_get_locked_unpriv(const struct genl_split_ops *ops,
+ struct sk_buff *skb, struct genl_info *info);
int psp_device_get_locked(const struct genl_split_ops *ops,
struct sk_buff *skb, struct genl_info *info);
int psp_assoc_device_get_locked(const struct genl_split_ops *ops,
diff --git a/net/psp/psp.h b/net/psp/psp.h
index 9f19137593a0..0e4ca03de869 100644
--- a/net/psp/psp.h
+++ b/net/psp/psp.h
@@ -14,7 +14,7 @@ extern struct xarray psp_devs;
extern struct mutex psp_devs_lock;
void psp_dev_free(struct psp_dev *psd);
-int psp_dev_check_access(struct psp_dev *psd, struct net *net);
+int psp_dev_check_access(struct psp_dev *psd, struct net *net, bool unpriv);
void psp_nl_notify_dev(struct psp_dev *psd, u32 cmd);
diff --git a/net/psp/psp_main.c b/net/psp/psp_main.c
index a8534124f626..ad2294622a7d 100644
--- a/net/psp/psp_main.c
+++ b/net/psp/psp_main.c
@@ -27,10 +27,11 @@ struct mutex psp_devs_lock;
* psp_dev_check_access() - check if user in a given net ns can access PSP dev
* @psd: PSP device structure user is trying to access
* @net: net namespace user is in
+ * @unpriv: whether the caller is unprivileged
*
* Return: 0 if PSP device should be visible in @net, errno otherwise.
*/
-int psp_dev_check_access(struct psp_dev *psd, struct net *net)
+int psp_dev_check_access(struct psp_dev *psd, struct net *net, bool unpriv)
{
if (dev_net(psd->main_netdev) == net)
return 0;
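Review bot: The new kerneldoc line `@unpriv: whether the caller is unprivileged` reads as a property of the caller's credentials, but every call site in this patch passes a literal `true` or `false` chosen per command. I would word it as `@unpriv: true when invoked for a command classed as unprivileged (fixed per call site, not derived from the caller's credentials)`. The parameter is not used in the lines visible here, and the function body continues past the end of the hunk. Since this function is the access check between a PSP device and a net namespace, the comment should also say which value selects the stricter rule, so that a future call site cannot widen access by picking the wrong constant.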
diff --git a/net/psp/psp_nl.c b/net/psp/psp_nl.c
index 6afd7707ec12..8e0e4a853f9b 100644
--- a/net/psp/psp_nl.c
+++ b/net/psp/psp_nl.c
@@ -41,7 +41,8 @@ static int psp_nl_reply_send(struct sk_buff *rsp, struct genl_info *info)
/* Device stuff */
static struct psp_dev *
-psp_device_get_and_lock(struct net *net, struct nlattr *dev_id)
+psp_device_get_and_lock(struct net *net, struct nlattr *dev_id,
+ bool unpriv)
{
struct psp_dev *psd;
int err;
@@ -56,7 +57,7 @@ psp_device_get_and_lock(struct net *net, struct nlattr *dev_id)
mutex_lock(&psd->lock);
mutex_unlock(&psp_devs_lock);
- err = psp_dev_check_access(psd, net);
+ err = psp_dev_check_access(psd, net, unpriv);
if (err) {
mutex_unlock(&psd->lock);
return ERR_PTR(err);
@@ -72,7 +73,20 @@ int psp_device_get_locked(const struct genl_split_ops *ops,
return -EINVAL;
info->user_ptr[0] = psp_device_get_and_lock(genl_info_net(info),
- info->attrs[PSP_A_DEV_ID]);
+ info->attrs[PSP_A_DEV_ID],
+ false);
+ return PTR_ERR_OR_ZERO(info->user_ptr[0]);
+}
+
+int psp_device_get_locked_unpriv(const struct genl_split_ops *ops,
+ struct sk_buff *skb, struct genl_info *info)
+{
+ if (GENL_REQ_ATTR_CHECK(info, PSP_A_DEV_ID))
+ return -EINVAL;
+
+ info->user_ptr[0] = psp_device_get_and_lock(genl_info_net(info),
+ info->attrs[PSP_A_DEV_ID],
+ true);
return PTR_ERR_OR_ZERO(info->user_ptr[0]);
}
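Review bot: psp_device_get_locked_unpriv() is a line-for-line copy of psp_device_get_locked() that differs only in the final `true`/`false` argument, so the two pre_doit hooks can drift apart when the attribute check or the error path changes later. A single static helper taking the flag, with both exported hooks as one-line wrappers, keeps the privileged and unprivileged entry points identical apart from the access rule. Each wrapper should also carry a short comment naming which commands may use it, since that choice decides the access check applied. psp_device_get_locked() begins before the start of this hunk, so only its tail is visible here.

```c
/* Shared body of the two pre_doit hooks; @unpriv selects the access rule. */
static int psp_device_get_locked_common(struct genl_info *info, bool unpriv)
{
	if (GENL_REQ_ATTR_CHECK(info, PSP_A_DEV_ID))
		return -EINVAL;

	info->user_ptr[0] = psp_device_get_and_lock(genl_info_net(info),
						    info->attrs[PSP_A_DEV_ID],
						    unpriv);
	return PTR_ERR_OR_ZERO(info->user_ptr[0]);
}

int psp_device_get_locked(const struct genl_split_ops *ops,
			  struct sk_buff *skb, struct genl_info *info)
{
	return psp_device_get_locked_common(info, false);
}

int psp_device_get_locked_unpriv(const struct genl_split_ops *ops,
				 struct sk_buff *skb, struct genl_info *info)
{
	return psp_device_get_locked_common(info, true);
}
```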
@@ -160,7 +174,7 @@ static int
psp_nl_dev_get_dumpit_one(struct sk_buff *rsp, struct netlink_callback *cb,
struct psp_dev *psd)
{
- if (psp_dev_check_access(psd, sock_net(rsp->sk)))
+ if (psp_dev_check_access(psd, sock_net(rsp->sk), true))
return 0;
return psp_nl_dev_fill(psd, rsp, genl_info_dump(cb));
@@ -305,7 +319,7 @@ int psp_assoc_device_get_locked(const struct genl_split_ops *ops,
psd = psp_dev_get_for_sock(socket->sk);
if (psd) {
- err = psp_dev_check_access(psd, genl_info_net(info));
+ err = psp_dev_check_access(psd, genl_info_net(info), true);
if (err) {
psp_dev_put(psd);
psd = NULL;
@@ -330,7 +344,7 @@ int psp_assoc_device_get_locked(const struct genl_split_ops *ops,
psp_dev_put(psd);
} else {
- psd = psp_device_get_and_lock(genl_info_net(info), id);
+ psd = psp_device_get_and_lock(genl_info_net(info), id, true);
if (IS_ERR(psd)) {
err = PTR_ERR(psd);
goto err_sock_put;
@@ -573,7 +587,7 @@ static int
psp_nl_stats_get_dumpit_one(struct sk_buff *rsp, struct netlink_callback *cb,
struct psp_dev *psd)
{
- if (psp_dev_check_access(psd, sock_net(rsp->sk)))
+ if (psp_dev_check_access(psd, sock_net(rsp->sk), true))
return 0;
return psp_nl_stats_fill(psd, rsp, genl_info_dump(cb));
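Review bot: The stats dump path now passes `true`, but the commit message lists only dev-dump, dev-get, rx-assoc and tx-assoc as unprivileged, and the only `pre_doit` switched in psp-nl-gen.c is the one for `PSP_CMD_DEV_GET`. If the get-stats doit still goes through psp_device_get_locked() (its ops entry is not visible in this patch), the dump and doit forms of the same command will apply different access rules once the follow-up check lands. Either add get-stats to the unprivileged list in the commit message and switch its `pre:` hook in psp.yaml, or pass `false` here. The closing brace of psp_nl_stats_get_dumpit_one() falls outside the hunk.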
--
2.47.3