Contributors: 5
Author Tokens Token Proportion Commits Commit Proportion
Stanislav Fomichev 4221 88.60% 3 42.86%
Breno Leitão 489 10.26% 1 14.29%
Andrii Nakryiko 35 0.73% 1 14.29%
Wang Yufen 14 0.29% 1 14.29%
Daniel Müller 5 0.10% 1 14.29%
Total 4764 7 
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171
// SPDX-License-Identifier: GPL-2.0
#include <test_progs.h>
#include <io_uring/mini_liburing.h>
#include "cgroup_helpers.h"

static char bpf_log_buf[4096];
static bool verbose;

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096
#endif

enum sockopt_test_error {
	OK = 0,
	DENY_LOAD,
	DENY_ATTACH,
	EOPNOTSUPP_GETSOCKOPT,
	EPERM_GETSOCKOPT,
	EFAULT_GETSOCKOPT,
	EPERM_SETSOCKOPT,
	EFAULT_SETSOCKOPT,
};

static struct sockopt_test {
	const char			*descr;
	const struct bpf_insn		insns[64];
	enum bpf_attach_type		attach_type;
	enum bpf_attach_type		expected_attach_type;

	int				set_optname;
	int				set_level;
	const char			set_optval[64];
	socklen_t			set_optlen;

	int				get_optname;
	int				get_level;
	const char			get_optval[64];
	socklen_t			get_optlen;
	socklen_t			get_optlen_ret;

	enum sockopt_test_error		error;
	bool				io_uring_support;
} tests[] = {

	/* ==================== getsockopt ====================  */

	{
		.descr = "getsockopt: no expected_attach_type",
		.insns = {
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),

		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = 0,
		.error = DENY_LOAD,
	},
	{
		.descr = "getsockopt: wrong expected_attach_type",
		.insns = {
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),

		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,
		.error = DENY_ATTACH,
	},
	{
		.descr = "getsockopt: bypass bpf hook",
		.insns = {
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.get_level = SOL_IP,
		.set_level = SOL_IP,

		.get_optname = IP_TOS,
		.set_optname = IP_TOS,

		.set_optval = { 1 << 3 },
		.set_optlen = 1,

		.get_optval = { 1 << 3 },
		.get_optlen = 1,
	},
	{
		.descr = "getsockopt: return EPERM from bpf hook",
		.insns = {
			BPF_MOV64_IMM(BPF_REG_0, 0),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.get_level = SOL_IP,
		.get_optname = IP_TOS,

		.get_optlen = 1,
		.error = EPERM_GETSOCKOPT,
	},
	{
		.descr = "getsockopt: no optval bounds check, deny loading",
		.insns = {
			/* r6 = ctx->optval */
			BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval)),

			/* ctx->optval[0] = 0x80 */
			BPF_MOV64_IMM(BPF_REG_0, 0x80),
			BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_0, 0),

			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,
		.error = DENY_LOAD,
	},
	{
		.descr = "getsockopt: read ctx->level",
		.insns = {
			/* r6 = ctx->level */
			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, level)),

			/* if (ctx->level == 123) { */
			BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 123, 4),
			/* ctx->retval = 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, retval)),
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_JMP_A(1),
			/* } else { */
			/* return 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			/* } */
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.get_level = 123,

		.get_optlen = 1,
	},
	{
		.descr = "getsockopt: deny writing to ctx->level",
		.insns = {
			/* ctx->level = 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, level)),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.error = DENY_LOAD,
	},
	{
		.descr = "getsockopt: read ctx->optname",
		.insns = {
			/* r6 = ctx->optname */
			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optname)),

			/* if (ctx->optname == 123) { */
			BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 123, 4),
			/* ctx->retval = 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, retval)),
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_JMP_A(1),
			/* } else { */
			/* return 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			/* } */
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.get_optname = 123,

		.get_optlen = 1,
	},
	{
		.descr = "getsockopt: read ctx->retval",
		.insns = {
			/* r6 = ctx->retval */
			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, retval)),

			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.get_level = SOL_IP,
		.get_optname = IP_TOS,
		.get_optlen = 1,
	},
	{
		.descr = "getsockopt: deny writing to ctx->optname",
		.insns = {
			/* ctx->optname = 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optname)),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.error = DENY_LOAD,
	},
	{
		.descr = "getsockopt: read ctx->optlen",
		.insns = {
			/* r6 = ctx->optlen */
			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optlen)),

			/* if (ctx->optlen == 64) { */
			BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 64, 4),
			/* ctx->retval = 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, retval)),
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_JMP_A(1),
			/* } else { */
			/* return 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			/* } */
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.get_level = SOL_SOCKET,
		.get_optlen = 64,
		.io_uring_support = true,
	},
	{
		.descr = "getsockopt: deny bigger ctx->optlen",
		.insns = {
			/* ctx->optlen = 65 */
			BPF_MOV64_IMM(BPF_REG_0, 65),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optlen)),

			/* ctx->retval = 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, retval)),

			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.get_optlen = 64,

		.error = EFAULT_GETSOCKOPT,
		.io_uring_support = true,
	},
	{
		.descr = "getsockopt: ignore >PAGE_SIZE optlen",
		.insns = {
			/* write 0xFF to the first optval byte */

			/* r6 = ctx->optval */
			BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval)),
			/* r2 = ctx->optval */
			BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
			/* r6 = ctx->optval + 1 */
			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),

			/* r7 = ctx->optval_end */
			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval_end)),

			/* if (ctx->optval + 1 <= ctx->optval_end) { */
			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 1),
			/* ctx->optval[0] = 0xF0 */
			BPF_ST_MEM(BPF_B, BPF_REG_2, 0, 0xFF),
			/* } */

			/* retval changes are ignored */
			/* ctx->retval = 5 */
			BPF_MOV64_IMM(BPF_REG_0, 5),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, retval)),

			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.get_level = 1234,
		.get_optname = 5678,
		.get_optval = {}, /* the changes are ignored */
		.get_optlen = PAGE_SIZE + 1,
		.error = EOPNOTSUPP_GETSOCKOPT,
		.io_uring_support = true,
	},
	{
		.descr = "getsockopt: support smaller ctx->optlen",
		.insns = {
			/* ctx->optlen = 32 */
			BPF_MOV64_IMM(BPF_REG_0, 32),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optlen)),
			/* ctx->retval = 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, retval)),
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.get_level = SOL_SOCKET,
		.get_optlen = 64,
		.get_optlen_ret = 32,
		.io_uring_support = true,
	},
	{
		.descr = "getsockopt: deny writing to ctx->optval",
		.insns = {
			/* ctx->optval = 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optval)),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.error = DENY_LOAD,
	},
	{
		.descr = "getsockopt: deny writing to ctx->optval_end",
		.insns = {
			/* ctx->optval_end = 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optval_end)),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.error = DENY_LOAD,
	},
	{
		.descr = "getsockopt: rewrite value",
		.insns = {
			/* r6 = ctx->optval */
			BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval)),
			/* r2 = ctx->optval */
			BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
			/* r6 = ctx->optval + 1 */
			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),

			/* r7 = ctx->optval_end */
			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval_end)),

			/* if (ctx->optval + 1 <= ctx->optval_end) { */
			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 1),
			/* ctx->optval[0] = 0xF0 */
			BPF_ST_MEM(BPF_B, BPF_REG_2, 0, 0xF0),
			/* } */

			/* ctx->retval = 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, retval)),

			/* return 1*/
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_GETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,

		.get_level = SOL_IP,
		.get_optname = IP_TOS,

		.get_optval = { 0xF0 },
		.get_optlen = 1,
	},

	/* ==================== setsockopt ====================  */

	{
		.descr = "setsockopt: no expected_attach_type",
		.insns = {
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),

		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = 0,
		.error = DENY_LOAD,
	},
	{
		.descr = "setsockopt: wrong expected_attach_type",
		.insns = {
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),

		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_GETSOCKOPT,
		.error = DENY_ATTACH,
	},
	{
		.descr = "setsockopt: bypass bpf hook",
		.insns = {
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.get_level = SOL_IP,
		.set_level = SOL_IP,

		.get_optname = IP_TOS,
		.set_optname = IP_TOS,

		.set_optval = { 1 << 3 },
		.set_optlen = 1,

		.get_optval = { 1 << 3 },
		.get_optlen = 1,
	},
	{
		.descr = "setsockopt: return EPERM from bpf hook",
		.insns = {
			/* return 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.set_level = SOL_IP,
		.set_optname = IP_TOS,

		.set_optlen = 1,
		.error = EPERM_SETSOCKOPT,
	},
	{
		.descr = "setsockopt: no optval bounds check, deny loading",
		.insns = {
			/* r6 = ctx->optval */
			BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval)),

			/* r0 = ctx->optval[0] */
			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, 0),

			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,
		.error = DENY_LOAD,
	},
	{
		.descr = "setsockopt: read ctx->level",
		.insns = {
			/* r6 = ctx->level */
			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, level)),

			/* if (ctx->level == 123) { */
			BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 123, 4),
			/* ctx->optlen = -1 */
			BPF_MOV64_IMM(BPF_REG_0, -1),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optlen)),
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_JMP_A(1),
			/* } else { */
			/* return 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			/* } */
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.set_level = 123,

		.set_optlen = 1,
		.io_uring_support = true,
	},
	{
		.descr = "setsockopt: allow changing ctx->level",
		.insns = {
			/* ctx->level = SOL_IP */
			BPF_MOV64_IMM(BPF_REG_0, SOL_IP),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, level)),
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.get_level = SOL_IP,
		.set_level = 234, /* should be rewritten to SOL_IP */

		.get_optname = IP_TOS,
		.set_optname = IP_TOS,

		.set_optval = { 1 << 3 },
		.set_optlen = 1,
		.get_optval = { 1 << 3 },
		.get_optlen = 1,
	},
	{
		.descr = "setsockopt: read ctx->optname",
		.insns = {
			/* r6 = ctx->optname */
			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optname)),

			/* if (ctx->optname == 123) { */
			BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 123, 4),
			/* ctx->optlen = -1 */
			BPF_MOV64_IMM(BPF_REG_0, -1),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optlen)),
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_JMP_A(1),
			/* } else { */
			/* return 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			/* } */
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.set_optname = 123,

		.set_optlen = 1,
		.io_uring_support = true,
	},
	{
		.descr = "setsockopt: allow changing ctx->optname",
		.insns = {
			/* ctx->optname = IP_TOS */
			BPF_MOV64_IMM(BPF_REG_0, IP_TOS),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optname)),
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.get_level = SOL_IP,
		.set_level = SOL_IP,

		.get_optname = IP_TOS,
		.set_optname = 456, /* should be rewritten to IP_TOS */

		.set_optval = { 1 << 3 },
		.set_optlen = 1,
		.get_optval = { 1 << 3 },
		.get_optlen = 1,
	},
	{
		.descr = "setsockopt: read ctx->optlen",
		.insns = {
			/* r6 = ctx->optlen */
			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optlen)),

			/* if (ctx->optlen == 64) { */
			BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 64, 4),
			/* ctx->optlen = -1 */
			BPF_MOV64_IMM(BPF_REG_0, -1),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optlen)),
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_JMP_A(1),
			/* } else { */
			/* return 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			/* } */
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.set_optlen = 64,
		.io_uring_support = true,
	},
	{
		.descr = "setsockopt: ctx->optlen == -1 is ok",
		.insns = {
			/* ctx->optlen = -1 */
			BPF_MOV64_IMM(BPF_REG_0, -1),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optlen)),
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.set_optlen = 64,
		.io_uring_support = true,
	},
	{
		.descr = "setsockopt: deny ctx->optlen < 0 (except -1)",
		.insns = {
			/* ctx->optlen = -2 */
			BPF_MOV64_IMM(BPF_REG_0, -2),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optlen)),
			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.set_optlen = 4,

		.error = EFAULT_SETSOCKOPT,
		.io_uring_support = true,
	},
	{
		.descr = "setsockopt: deny ctx->optlen > input optlen",
		.insns = {
			/* ctx->optlen = 65 */
			BPF_MOV64_IMM(BPF_REG_0, 65),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optlen)),
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.set_optlen = 64,

		.error = EFAULT_SETSOCKOPT,
		.io_uring_support = true,
	},
	{
		.descr = "setsockopt: ignore >PAGE_SIZE optlen",
		.insns = {
			/* write 0xFF to the first optval byte */

			/* r6 = ctx->optval */
			BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval)),
			/* r2 = ctx->optval */
			BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
			/* r6 = ctx->optval + 1 */
			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),

			/* r7 = ctx->optval_end */
			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval_end)),

			/* if (ctx->optval + 1 <= ctx->optval_end) { */
			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 1),
			/* ctx->optval[0] = 0xF0 */
			BPF_ST_MEM(BPF_B, BPF_REG_2, 0, 0xF0),
			/* } */

			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.set_level = SOL_IP,
		.set_optname = IP_TOS,
		.set_optval = {},
		.set_optlen = PAGE_SIZE + 1,

		.get_level = SOL_IP,
		.get_optname = IP_TOS,
		.get_optval = {}, /* the changes are ignored */
		.get_optlen = 4,
	},
	{
		.descr = "setsockopt: allow changing ctx->optlen within bounds",
		.insns = {
			/* r6 = ctx->optval */
			BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval)),
			/* r2 = ctx->optval */
			BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
			/* r6 = ctx->optval + 1 */
			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),

			/* r7 = ctx->optval_end */
			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval_end)),

			/* if (ctx->optval + 1 <= ctx->optval_end) { */
			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 1),
			/* ctx->optval[0] = 1 << 3 */
			BPF_ST_MEM(BPF_B, BPF_REG_2, 0, 1 << 3),
			/* } */

			/* ctx->optlen = 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optlen)),

			/* return 1*/
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.get_level = SOL_IP,
		.set_level = SOL_IP,

		.get_optname = IP_TOS,
		.set_optname = IP_TOS,

		.set_optval = { 1, 1, 1, 1 },
		.set_optlen = 4,
		.get_optval = { 1 << 3 },
		.get_optlen = 1,
	},
	{
		.descr = "setsockopt: deny write ctx->retval",
		.insns = {
			/* ctx->retval = 0 */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, retval)),

			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.error = DENY_LOAD,
	},
	{
		.descr = "setsockopt: deny read ctx->retval",
		.insns = {
			/* r6 = ctx->retval */
			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, retval)),

			/* return 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.error = DENY_LOAD,
	},
	{
		.descr = "setsockopt: deny writing to ctx->optval",
		.insns = {
			/* ctx->optval = 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optval)),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.error = DENY_LOAD,
	},
	{
		.descr = "setsockopt: deny writing to ctx->optval_end",
		.insns = {
			/* ctx->optval_end = 1 */
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
				    offsetof(struct bpf_sockopt, optval_end)),
			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.error = DENY_LOAD,
	},
	{
		.descr = "setsockopt: allow IP_TOS <= 128",
		.insns = {
			/* r6 = ctx->optval */
			BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval)),
			/* r7 = ctx->optval + 1 */
			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 1),

			/* r8 = ctx->optval_end */
			BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval_end)),

			/* if (ctx->optval + 1 <= ctx->optval_end) { */
			BPF_JMP_REG(BPF_JGT, BPF_REG_7, BPF_REG_8, 4),

			/* r9 = ctx->optval[0] */
			BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_6, 0),

			/* if (ctx->optval[0] < 128) */
			BPF_JMP_IMM(BPF_JGT, BPF_REG_9, 128, 2),
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_JMP_A(1),
			/* } */

			/* } else { */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			/* } */

			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.get_level = SOL_IP,
		.set_level = SOL_IP,

		.get_optname = IP_TOS,
		.set_optname = IP_TOS,

		.set_optval = { 0x80 },
		.set_optlen = 1,
		.get_optval = { 0x80 },
		.get_optlen = 1,
	},
	{
		.descr = "setsockopt: deny IP_TOS > 128",
		.insns = {
			/* r6 = ctx->optval */
			BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval)),
			/* r7 = ctx->optval + 1 */
			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 1),

			/* r8 = ctx->optval_end */
			BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_1,
				    offsetof(struct bpf_sockopt, optval_end)),

			/* if (ctx->optval + 1 <= ctx->optval_end) { */
			BPF_JMP_REG(BPF_JGT, BPF_REG_7, BPF_REG_8, 4),

			/* r9 = ctx->optval[0] */
			BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_6, 0),

			/* if (ctx->optval[0] < 128) */
			BPF_JMP_IMM(BPF_JGT, BPF_REG_9, 128, 2),
			BPF_MOV64_IMM(BPF_REG_0, 1),
			BPF_JMP_A(1),
			/* } */

			/* } else { */
			BPF_MOV64_IMM(BPF_REG_0, 0),
			/* } */

			BPF_EXIT_INSN(),
		},
		.attach_type = BPF_CGROUP_SETSOCKOPT,
		.expected_attach_type = BPF_CGROUP_SETSOCKOPT,

		.get_level = SOL_IP,
		.set_level = SOL_IP,

		.get_optname = IP_TOS,
		.set_optname = IP_TOS,

		.set_optval = { 0x81 },
		.set_optlen = 1,
		.get_optval = { 0x00 },
		.get_optlen = 1,

		.error = EPERM_SETSOCKOPT,
	},
};

static int load_prog(const struct bpf_insn *insns,
		     enum bpf_attach_type expected_attach_type)
{
	LIBBPF_OPTS(bpf_prog_load_opts, opts,
		.expected_attach_type = expected_attach_type,
		.log_level = 2,
		.log_buf = bpf_log_buf,
		.log_size = sizeof(bpf_log_buf),
	);
	int fd, insns_cnt = 0;

	for (;
	     insns[insns_cnt].code != (BPF_JMP | BPF_EXIT);
	     insns_cnt++) {
	}
	insns_cnt++;

	fd = bpf_prog_load(BPF_PROG_TYPE_CGROUP_SOCKOPT, NULL, "GPL", insns, insns_cnt, &opts);
	if (verbose && fd < 0)
		fprintf(stderr, "%s\n", bpf_log_buf);

	return fd;
}

/* Core function that handles io_uring ring initialization,
 * sending SQE with sockopt command and waiting for the CQE.
 */
static int uring_sockopt(int op, int fd, int level, int optname,
			 const void *optval, socklen_t optlen)
{
	struct io_uring_cqe *cqe;
	struct io_uring_sqe *sqe;
	struct io_uring ring;
	int err;

	err = io_uring_queue_init(1, &ring, 0);
	if (!ASSERT_OK(err, "io_uring initialization"))
		return err;

	sqe = io_uring_get_sqe(&ring);
	if (!ASSERT_NEQ(sqe, NULL, "Get an SQE")) {
		err = -1;
		goto fail;
	}

	io_uring_prep_cmd(sqe, op, fd, level, optname, optval, optlen);

	err = io_uring_submit(&ring);
	if (!ASSERT_EQ(err, 1, "Submit SQE"))
		goto fail;

	err = io_uring_wait_cqe(&ring, &cqe);
	if (!ASSERT_OK(err, "Wait for CQE"))
		goto fail;

	err = cqe->res;

fail:
	io_uring_queue_exit(&ring);

	return err;
}

static int uring_setsockopt(int fd, int level, int optname, const void *optval,
			    socklen_t optlen)
{
	return uring_sockopt(SOCKET_URING_OP_SETSOCKOPT, fd, level, optname,
			     optval, optlen);
}

static int uring_getsockopt(int fd, int level, int optname, void *optval,
			    socklen_t *optlen)
{
	int ret = uring_sockopt(SOCKET_URING_OP_GETSOCKOPT, fd, level, optname,
				optval, *optlen);
	if (ret < 0)
		return ret;

	/* Populate optlen back to be compatible with systemcall interface,
	 * and simplify the test.
	 */
	*optlen = ret;

	return 0;
}

/* Execute the setsocktopt operation */
static int call_setsockopt(bool use_io_uring, int fd, int level, int optname,
			   const void *optval, socklen_t optlen)
{
	if (use_io_uring)
		return uring_setsockopt(fd, level, optname, optval, optlen);

	return setsockopt(fd, level, optname, optval, optlen);
}

/* Execute the getsocktopt operation */
static int call_getsockopt(bool use_io_uring, int fd, int level, int optname,
			   void *optval, socklen_t *optlen)
{
	if (use_io_uring)
		return uring_getsockopt(fd, level, optname, optval, optlen);

	return getsockopt(fd, level, optname, optval, optlen);
}

static int run_test(int cgroup_fd, struct sockopt_test *test, bool use_io_uring)
{
	int sock_fd, err, prog_fd;
	void *optval = NULL;
	int ret = 0;

	prog_fd = load_prog(test->insns, test->expected_attach_type);
	if (prog_fd < 0) {
		if (test->error == DENY_LOAD)
			return 0;

		log_err("Failed to load BPF program");
		return -1;
	}

	err = bpf_prog_attach(prog_fd, cgroup_fd, test->attach_type, 0);
	if (err < 0) {
		if (test->error == DENY_ATTACH)
			goto close_prog_fd;

		log_err("Failed to attach BPF program");
		ret = -1;
		goto close_prog_fd;
	}

	sock_fd = socket(AF_INET, SOCK_STREAM, 0);
	if (sock_fd < 0) {
		log_err("Failed to create AF_INET socket");
		ret = -1;
		goto detach_prog;
	}

	if (test->set_optlen) {
		if (test->set_optlen >= PAGE_SIZE) {
			int num_pages = test->set_optlen / PAGE_SIZE;
			int remainder = test->set_optlen % PAGE_SIZE;

			test->set_optlen = num_pages * sysconf(_SC_PAGESIZE) + remainder;
		}

		err = call_setsockopt(use_io_uring, sock_fd, test->set_level,
				      test->set_optname, test->set_optval,
				      test->set_optlen);
		if (err) {
			if (errno == EPERM && test->error == EPERM_SETSOCKOPT)
				goto close_sock_fd;
			if (errno == EFAULT && test->error == EFAULT_SETSOCKOPT)
				goto free_optval;

			log_err("Failed to call setsockopt");
			ret = -1;
			goto close_sock_fd;
		}
	}

	if (test->get_optlen) {
		if (test->get_optlen >= PAGE_SIZE) {
			int num_pages = test->get_optlen / PAGE_SIZE;
			int remainder = test->get_optlen % PAGE_SIZE;

			test->get_optlen = num_pages * sysconf(_SC_PAGESIZE) + remainder;
		}

		optval = malloc(test->get_optlen);
		memset(optval, 0, test->get_optlen);
		socklen_t optlen = test->get_optlen;
		socklen_t expected_get_optlen = test->get_optlen_ret ?:
			test->get_optlen;

		err = call_getsockopt(use_io_uring, sock_fd, test->get_level,
				      test->get_optname, optval, &optlen);
		if (err) {
			if (errno == EOPNOTSUPP && test->error == EOPNOTSUPP_GETSOCKOPT)
				goto free_optval;
			if (errno == EPERM && test->error == EPERM_GETSOCKOPT)
				goto free_optval;
			if (errno == EFAULT && test->error == EFAULT_GETSOCKOPT)
				goto free_optval;

			log_err("Failed to call getsockopt");
			ret = -1;
			goto free_optval;
		}

		if (optlen != expected_get_optlen) {
			errno = 0;
			log_err("getsockopt returned unexpected optlen");
			ret = -1;
			goto free_optval;
		}

		if (memcmp(optval, test->get_optval, optlen) != 0) {
			errno = 0;
			log_err("getsockopt returned unexpected optval");
			ret = -1;
			goto free_optval;
		}
	}

	ret = test->error != OK;

free_optval:
	free(optval);
close_sock_fd:
	close(sock_fd);
detach_prog:
	bpf_prog_detach2(prog_fd, cgroup_fd, test->attach_type);
close_prog_fd:
	close(prog_fd);
	return ret;
}

void test_sockopt(void)
{
	int cgroup_fd, i;

	cgroup_fd = test__join_cgroup("/sockopt");
	if (!ASSERT_GE(cgroup_fd, 0, "join_cgroup"))
		return;

	for (i = 0; i < ARRAY_SIZE(tests); i++) {
		if (!test__start_subtest(tests[i].descr))
			continue;

		ASSERT_OK(run_test(cgroup_fd, &tests[i], false),
			  tests[i].descr);
		if (tests[i].io_uring_support)
			ASSERT_OK(run_test(cgroup_fd, &tests[i], true),
				  tests[i].descr);
	}

	close(cgroup_fd);
}