On Mon, 11 Aug 2025 at 19:50, Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> wrote:
>
> bpf_cgroup_from_id currently ends up doing a check on whether the cgroup
> being looked up is a descendant of the root cgroup of the current task's
> cgroup namespace. This leads to unreliable results since this kfunc can
> be invoked from any arbitrary context, for any arbitrary value of
> current. Fix this by removing namespace-awareness in the kfunc, and
> include a test that detects such a case and fails without the fix.
>

The CI failure is probably because of the ugly unshare(2), I will fix and respin.

> Kumar Kartikeya Dwivedi (2):
>   bpf: Do not limit bpf_cgroup_from_id to current's namespace
>   selftests/bpf: Add a test for bpf_cgroup_from_id lookup in non-root
>     cgns
>
>  include/linux/cgroup.h                        |  2 +-
>  kernel/bpf/cgroup_iter.c                      |  2 +-
>  kernel/bpf/helpers.c                          |  2 +-
>  kernel/cgroup/cgroup.c                        |  7 ++-
>  .../selftests/bpf/prog_tests/cgrp_kfunc.c     | 48 +++++++++++++++++++
>  .../selftests/bpf/progs/cgrp_kfunc_success.c  | 12 +++++
>  6 files changed, 69 insertions(+), 4 deletions(-)
>
>
> base-commit: fa479132845e94b60068fad01c2a9979b3efe2dc
> --
> 2.47.3
>