On Mon, Jun 29, 2026 at 10:47:41PM -0700, John Fastabend wrote:
I think we additionally need to also block BPF_PROG_TYPE_SOCKET_FILTER? Did you check this case? I guess the same case is possible there?


Yes, same inversion. I'll block BPF_PROG_TYPE_SOCKET_FILTER in v4.

Then another patch needs to restrict BPF_SOCK_OPS users. For that
we need to block BPF_SOCK_OPS_HDR_OPT_LEN_CB and BPF_SOCK_OPS_WRITE_*.
Let me know if you want to do those as well. Let me know if you want
to do both patches or just the prog blocking above with the possible
addition of SOCKET_FILTER. I didn't search very hard so probably need
to check all the BPF_SOCK_OPS_* to find the valid cases.


Just the prog blocking with BPF_PROG_TYPE_SOCKET_FILTER added. I'll
leave SOCK_OPS out of this series.

Bests,
Sechang
