Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / mainline / linux / 3007098494bec614fb55dee7bc0410bb7db5ad18 / . / kernel / bpf / cgroup.c
blob: a0ab43f264b0040ab28db16dec4ff6eaaae6a637 [file] [log] [blame]
Daniel Mack30070982016-11-23 16:52:26 +0100[diff] [blame^]1/*
2 * Functions to manage eBPF programs attached to cgroups
3 *
4 * Copyright (c) 2016 Daniel Mack
5 *
6 * This file is subject to the terms and conditions of version 2 of the GNU
7 * General Public License. See the file COPYING in the main directory of the
8 * Linux distribution for more details.
9 */
10
11#include <linux/kernel.h>
12#include <linux/atomic.h>
13#include <linux/cgroup.h>
14#include <linux/slab.h>
15#include <linux/bpf.h>
16#include <linux/bpf-cgroup.h>
17#include <net/sock.h>
18
19DEFINE_STATIC_KEY_FALSE(cgroup_bpf_enabled_key);
20EXPORT_SYMBOL(cgroup_bpf_enabled_key);
21
22/**
23 * cgroup_bpf_put() - put references of all bpf programs
24 * @cgrp: the cgroup to modify
25 */
26void cgroup_bpf_put(struct cgroup *cgrp)
27{
28 unsigned int type;
29
30 for (type = 0; type < ARRAY_SIZE(cgrp->bpf.prog); type++) {
31 struct bpf_prog *prog = cgrp->bpf.prog[type];
32
33 if (prog) {
34 bpf_prog_put(prog);
35 static_branch_dec(&cgroup_bpf_enabled_key);
36 }
37 }
38}
39
40/**
41 * cgroup_bpf_inherit() - inherit effective programs from parent
42 * @cgrp: the cgroup to modify
43 * @parent: the parent to inherit from
44 */
45void cgroup_bpf_inherit(struct cgroup *cgrp, struct cgroup *parent)
46{
47 unsigned int type;
48
49 for (type = 0; type < ARRAY_SIZE(cgrp->bpf.effective); type++) {
50 struct bpf_prog *e;
51
52 e = rcu_dereference_protected(parent->bpf.effective[type],
53 lockdep_is_held(&cgroup_mutex));
54 rcu_assign_pointer(cgrp->bpf.effective[type], e);
55 }
56}
57
58/**
59 * __cgroup_bpf_update() - Update the pinned program of a cgroup, and
60 * propagate the change to descendants
61 * @cgrp: The cgroup which descendants to traverse
62 * @parent: The parent of @cgrp, or %NULL if @cgrp is the root
63 * @prog: A new program to pin
64 * @type: Type of pinning operation (ingress/egress)
65 *
66 * Each cgroup has a set of two pointers for bpf programs; one for eBPF
67 * programs it owns, and which is effective for execution.
68 *
69 * If @prog is %NULL, this function attaches a new program to the cgroup and
70 * releases the one that is currently attached, if any. @prog is then made
71 * the effective program of type @type in that cgroup.
72 *
73 * If @prog is %NULL, the currently attached program of type @type is released,
74 * and the effective program of the parent cgroup (if any) is inherited to
75 * @cgrp.
76 *
77 * Then, the descendants of @cgrp are walked and the effective program for
78 * each of them is set to the effective program of @cgrp unless the
79 * descendant has its own program attached, in which case the subbranch is
80 * skipped. This ensures that delegated subcgroups with own programs are left
81 * untouched.
82 *
83 * Must be called with cgroup_mutex held.
84 */
85void __cgroup_bpf_update(struct cgroup *cgrp,
86 struct cgroup *parent,
87 struct bpf_prog *prog,
88 enum bpf_attach_type type)
89{
90 struct bpf_prog *old_prog, *effective;
91 struct cgroup_subsys_state *pos;
92
93 old_prog = xchg(cgrp->bpf.prog + type, prog);
94
95 effective = (!prog && parent) ?
96 rcu_dereference_protected(parent->bpf.effective[type],
97 lockdep_is_held(&cgroup_mutex)) :
98 prog;
99
100 css_for_each_descendant_pre(pos, &cgrp->self) {
101 struct cgroup *desc = container_of(pos, struct cgroup, self);
102
103 /* skip the subtree if the descendant has its own program */
104 if (desc->bpf.prog[type] && desc != cgrp)
105 pos = css_rightmost_descendant(pos);
106 else
107 rcu_assign_pointer(desc->bpf.effective[type],
108 effective);
109 }
110
111 if (prog)
112 static_branch_inc(&cgroup_bpf_enabled_key);
113
114 if (old_prog) {
115 bpf_prog_put(old_prog);
116 static_branch_dec(&cgroup_bpf_enabled_key);
117 }
118}
119
120/**
121 * __cgroup_bpf_run_filter() - Run a program for packet filtering
122 * @sk: The socken sending or receiving traffic
123 * @skb: The skb that is being sent or received
124 * @type: The type of program to be exectuted
125 *
126 * If no socket is passed, or the socket is not of type INET or INET6,
127 * this function does nothing and returns 0.
128 *
129 * The program type passed in via @type must be suitable for network
130 * filtering. No further check is performed to assert that.
131 *
132 * This function will return %-EPERM if any if an attached program was found
133 * and if it returned != 1 during execution. In all other cases, 0 is returned.
134 */
135int __cgroup_bpf_run_filter(struct sock *sk,
136 struct sk_buff *skb,
137 enum bpf_attach_type type)
138{
139 struct bpf_prog *prog;
140 struct cgroup *cgrp;
141 int ret = 0;
142
143 if (!sk || !sk_fullsock(sk))
144 return 0;
145
146 if (sk->sk_family != AF_INET &&
147 sk->sk_family != AF_INET6)
148 return 0;
149
150 cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
151
152 rcu_read_lock();
153
154 prog = rcu_dereference(cgrp->bpf.effective[type]);
155 if (prog) {
156 unsigned int offset = skb->data - skb_network_header(skb);
157
158 __skb_push(skb, offset);
159 ret = bpf_prog_run_save_cb(prog, skb) == 1 ? 0 : -EPERM;
160 __skb_pull(skb, offset);
161 }
162
163 rcu_read_unlock();
164
165 return ret;
166}
167EXPORT_SYMBOL(__cgroup_bpf_run_filter);