1 // SPDX-License-Identifier: GPL-2.0-only
3 * Functions to manage eBPF programs attached to cgroups
5 * Copyright (c) 2016 Daniel Mack
8 #include <linux/kernel.h>
9 #include <linux/atomic.h>
10 #include <linux/cgroup.h>
11 #include <linux/filter.h>
12 #include <linux/slab.h>
13 #include <linux/sysctl.h>
14 #include <linux/string.h>
15 #include <linux/bpf.h>
16 #include <linux/bpf-cgroup.h>
17 #include <linux/bpf_lsm.h>
18 #include <linux/bpf_verifier.h>
20 #include <net/bpf_sk_storage.h>
22 #include "../cgroup/cgroup-internal.h"
24 DEFINE_STATIC_KEY_ARRAY_FALSE(cgroup_bpf_enabled_key, MAX_CGROUP_BPF_ATTACH_TYPE);
25 EXPORT_SYMBOL(cgroup_bpf_enabled_key);
28 * cgroup bpf destruction makes heavy use of work items and there can be a lot
29 * of concurrent destructions. Use a separate workqueue so that cgroup bpf
30 * destruction work items don't end up filling up max_active of system_wq
31 * which may lead to deadlock.
33 static struct workqueue_struct *cgroup_bpf_destroy_wq;
35 static int __init cgroup_bpf_wq_init(void)
37 cgroup_bpf_destroy_wq = alloc_workqueue("cgroup_bpf_destroy", 0, 1);
38 if (!cgroup_bpf_destroy_wq)
39 panic("Failed to alloc workqueue for cgroup bpf destroy.\n");
42 core_initcall(cgroup_bpf_wq_init);
44 /* __always_inline is necessary to prevent indirect call through run_prog
47 static __always_inline int
48 bpf_prog_run_array_cg(const struct cgroup_bpf *cgrp,
49 enum cgroup_bpf_attach_type atype,
50 const void *ctx, bpf_prog_run_fn run_prog,
51 int retval, u32 *ret_flags)
53 const struct bpf_prog_array_item *item;
54 const struct bpf_prog *prog;
55 const struct bpf_prog_array *array;
56 struct bpf_run_ctx *old_run_ctx;
57 struct bpf_cg_run_ctx run_ctx;
60 run_ctx.retval = retval;
63 array = rcu_dereference(cgrp->effective[atype]);
64 item = &array->items[0];
65 old_run_ctx = bpf_set_run_ctx(&run_ctx.run_ctx);
66 while ((prog = READ_ONCE(item->prog))) {
67 run_ctx.prog_item = item;
68 func_ret = run_prog(prog, ctx);
70 *(ret_flags) |= (func_ret >> 1);
73 if (!func_ret && !IS_ERR_VALUE((long)run_ctx.retval))
74 run_ctx.retval = -EPERM;
77 bpf_reset_run_ctx(old_run_ctx);
80 return run_ctx.retval;
83 unsigned int __cgroup_bpf_run_lsm_sock(const void *ctx,
84 const struct bpf_insn *insn)
86 const struct bpf_prog *shim_prog;
93 sk = (void *)(unsigned long)args[0];
94 /*shim_prog = container_of(insn, struct bpf_prog, insnsi);*/
95 shim_prog = (const struct bpf_prog *)((void *)insn - offsetof(struct bpf_prog, insnsi));
97 cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
99 ret = bpf_prog_run_array_cg(&cgrp->bpf,
100 shim_prog->aux->cgroup_atype,
101 ctx, bpf_prog_run, 0, NULL);
105 unsigned int __cgroup_bpf_run_lsm_socket(const void *ctx,
106 const struct bpf_insn *insn)
108 const struct bpf_prog *shim_prog;
115 sock = (void *)(unsigned long)args[0];
116 /*shim_prog = container_of(insn, struct bpf_prog, insnsi);*/
117 shim_prog = (const struct bpf_prog *)((void *)insn - offsetof(struct bpf_prog, insnsi));
119 cgrp = sock_cgroup_ptr(&sock->sk->sk_cgrp_data);
121 ret = bpf_prog_run_array_cg(&cgrp->bpf,
122 shim_prog->aux->cgroup_atype,
123 ctx, bpf_prog_run, 0, NULL);
127 unsigned int __cgroup_bpf_run_lsm_current(const void *ctx,
128 const struct bpf_insn *insn)
130 const struct bpf_prog *shim_prog;
134 /*shim_prog = container_of(insn, struct bpf_prog, insnsi);*/
135 shim_prog = (const struct bpf_prog *)((void *)insn - offsetof(struct bpf_prog, insnsi));
137 /* We rely on trampoline's __bpf_prog_enter_lsm_cgroup to grab RCU read lock. */
138 cgrp = task_dfl_cgroup(current);
140 ret = bpf_prog_run_array_cg(&cgrp->bpf,
141 shim_prog->aux->cgroup_atype,
142 ctx, bpf_prog_run, 0, NULL);
146 #ifdef CONFIG_BPF_LSM
147 struct cgroup_lsm_atype {
152 static struct cgroup_lsm_atype cgroup_lsm_atype[CGROUP_LSM_NUM];
154 static enum cgroup_bpf_attach_type
155 bpf_cgroup_atype_find(enum bpf_attach_type attach_type, u32 attach_btf_id)
159 lockdep_assert_held(&cgroup_mutex);
161 if (attach_type != BPF_LSM_CGROUP)
162 return to_cgroup_bpf_attach_type(attach_type);
164 for (i = 0; i < ARRAY_SIZE(cgroup_lsm_atype); i++)
165 if (cgroup_lsm_atype[i].attach_btf_id == attach_btf_id)
166 return CGROUP_LSM_START + i;
168 for (i = 0; i < ARRAY_SIZE(cgroup_lsm_atype); i++)
169 if (cgroup_lsm_atype[i].attach_btf_id == 0)
170 return CGROUP_LSM_START + i;
176 void bpf_cgroup_atype_get(u32 attach_btf_id, int cgroup_atype)
178 int i = cgroup_atype - CGROUP_LSM_START;
180 lockdep_assert_held(&cgroup_mutex);
182 WARN_ON_ONCE(cgroup_lsm_atype[i].attach_btf_id &&
183 cgroup_lsm_atype[i].attach_btf_id != attach_btf_id);
185 cgroup_lsm_atype[i].attach_btf_id = attach_btf_id;
186 cgroup_lsm_atype[i].refcnt++;
189 void bpf_cgroup_atype_put(int cgroup_atype)
191 int i = cgroup_atype - CGROUP_LSM_START;
194 if (--cgroup_lsm_atype[i].refcnt <= 0)
195 cgroup_lsm_atype[i].attach_btf_id = 0;
196 WARN_ON_ONCE(cgroup_lsm_atype[i].refcnt < 0);
200 static enum cgroup_bpf_attach_type
201 bpf_cgroup_atype_find(enum bpf_attach_type attach_type, u32 attach_btf_id)
203 if (attach_type != BPF_LSM_CGROUP)
204 return to_cgroup_bpf_attach_type(attach_type);
207 #endif /* CONFIG_BPF_LSM */
209 void cgroup_bpf_offline(struct cgroup *cgrp)
212 percpu_ref_kill(&cgrp->bpf.refcnt);
215 static void bpf_cgroup_storages_free(struct bpf_cgroup_storage *storages[])
217 enum bpf_cgroup_storage_type stype;
219 for_each_cgroup_storage_type(stype)
220 bpf_cgroup_storage_free(storages[stype]);
223 static int bpf_cgroup_storages_alloc(struct bpf_cgroup_storage *storages[],
224 struct bpf_cgroup_storage *new_storages[],
225 enum bpf_attach_type type,
226 struct bpf_prog *prog,
229 enum bpf_cgroup_storage_type stype;
230 struct bpf_cgroup_storage_key key;
233 key.cgroup_inode_id = cgroup_id(cgrp);
234 key.attach_type = type;
236 for_each_cgroup_storage_type(stype) {
237 map = prog->aux->cgroup_storage[stype];
241 storages[stype] = cgroup_storage_lookup((void *)map, &key, false);
245 storages[stype] = bpf_cgroup_storage_alloc(prog, stype);
246 if (IS_ERR(storages[stype])) {
247 bpf_cgroup_storages_free(new_storages);
251 new_storages[stype] = storages[stype];
257 static void bpf_cgroup_storages_assign(struct bpf_cgroup_storage *dst[],
258 struct bpf_cgroup_storage *src[])
260 enum bpf_cgroup_storage_type stype;
262 for_each_cgroup_storage_type(stype)
263 dst[stype] = src[stype];
266 static void bpf_cgroup_storages_link(struct bpf_cgroup_storage *storages[],
268 enum bpf_attach_type attach_type)
270 enum bpf_cgroup_storage_type stype;
272 for_each_cgroup_storage_type(stype)
273 bpf_cgroup_storage_link(storages[stype], cgrp, attach_type);
276 /* Called when bpf_cgroup_link is auto-detached from dying cgroup.
277 * It drops cgroup and bpf_prog refcounts, and marks bpf_link as defunct. It
278 * doesn't free link memory, which will eventually be done by bpf_link's
279 * release() callback, when its last FD is closed.
281 static void bpf_cgroup_link_auto_detach(struct bpf_cgroup_link *link)
283 cgroup_put(link->cgroup);
288 * cgroup_bpf_release() - put references of all bpf programs and
289 * release all cgroup bpf data
290 * @work: work structure embedded into the cgroup to modify
292 static void cgroup_bpf_release(struct work_struct *work)
294 struct cgroup *p, *cgrp = container_of(work, struct cgroup,
296 struct bpf_prog_array *old_array;
297 struct list_head *storages = &cgrp->bpf.storages;
298 struct bpf_cgroup_storage *storage, *stmp;
304 for (atype = 0; atype < ARRAY_SIZE(cgrp->bpf.progs); atype++) {
305 struct hlist_head *progs = &cgrp->bpf.progs[atype];
306 struct bpf_prog_list *pl;
307 struct hlist_node *pltmp;
309 hlist_for_each_entry_safe(pl, pltmp, progs, node) {
310 hlist_del(&pl->node);
312 if (pl->prog->expected_attach_type == BPF_LSM_CGROUP)
313 bpf_trampoline_unlink_cgroup_shim(pl->prog);
314 bpf_prog_put(pl->prog);
317 if (pl->link->link.prog->expected_attach_type == BPF_LSM_CGROUP)
318 bpf_trampoline_unlink_cgroup_shim(pl->link->link.prog);
319 bpf_cgroup_link_auto_detach(pl->link);
322 static_branch_dec(&cgroup_bpf_enabled_key[atype]);
324 old_array = rcu_dereference_protected(
325 cgrp->bpf.effective[atype],
326 lockdep_is_held(&cgroup_mutex));
327 bpf_prog_array_free(old_array);
330 list_for_each_entry_safe(storage, stmp, storages, list_cg) {
331 bpf_cgroup_storage_unlink(storage);
332 bpf_cgroup_storage_free(storage);
337 for (p = cgroup_parent(cgrp); p; p = cgroup_parent(p))
340 percpu_ref_exit(&cgrp->bpf.refcnt);
345 * cgroup_bpf_release_fn() - callback used to schedule releasing
347 * @ref: percpu ref counter structure
349 static void cgroup_bpf_release_fn(struct percpu_ref *ref)
351 struct cgroup *cgrp = container_of(ref, struct cgroup, bpf.refcnt);
353 INIT_WORK(&cgrp->bpf.release_work, cgroup_bpf_release);
354 queue_work(cgroup_bpf_destroy_wq, &cgrp->bpf.release_work);
357 /* Get underlying bpf_prog of bpf_prog_list entry, regardless if it's through
358 * link or direct prog.
360 static struct bpf_prog *prog_list_prog(struct bpf_prog_list *pl)
365 return pl->link->link.prog;
369 /* count number of elements in the list.
370 * it's slow but the list cannot be long
372 static u32 prog_list_length(struct hlist_head *head)
374 struct bpf_prog_list *pl;
377 hlist_for_each_entry(pl, head, node) {
378 if (!prog_list_prog(pl))
385 /* if parent has non-overridable prog attached,
386 * disallow attaching new programs to the descendent cgroup.
387 * if parent has overridable or multi-prog, allow attaching
389 static bool hierarchy_allows_attach(struct cgroup *cgrp,
390 enum cgroup_bpf_attach_type atype)
394 p = cgroup_parent(cgrp);
398 u32 flags = p->bpf.flags[atype];
401 if (flags & BPF_F_ALLOW_MULTI)
403 cnt = prog_list_length(&p->bpf.progs[atype]);
404 WARN_ON_ONCE(cnt > 1);
406 return !!(flags & BPF_F_ALLOW_OVERRIDE);
407 p = cgroup_parent(p);
412 /* compute a chain of effective programs for a given cgroup:
413 * start from the list of programs in this cgroup and add
414 * all parent programs.
415 * Note that parent's F_ALLOW_OVERRIDE-type program is yielding
416 * to programs in this cgroup
418 static int compute_effective_progs(struct cgroup *cgrp,
419 enum cgroup_bpf_attach_type atype,
420 struct bpf_prog_array **array)
422 struct bpf_prog_array_item *item;
423 struct bpf_prog_array *progs;
424 struct bpf_prog_list *pl;
425 struct cgroup *p = cgrp;
428 /* count number of effective programs by walking parents */
430 if (cnt == 0 || (p->bpf.flags[atype] & BPF_F_ALLOW_MULTI))
431 cnt += prog_list_length(&p->bpf.progs[atype]);
432 p = cgroup_parent(p);
435 progs = bpf_prog_array_alloc(cnt, GFP_KERNEL);
439 /* populate the array with effective progs */
443 if (cnt > 0 && !(p->bpf.flags[atype] & BPF_F_ALLOW_MULTI))
446 hlist_for_each_entry(pl, &p->bpf.progs[atype], node) {
447 if (!prog_list_prog(pl))
450 item = &progs->items[cnt];
451 item->prog = prog_list_prog(pl);
452 bpf_cgroup_storages_assign(item->cgroup_storage,
456 } while ((p = cgroup_parent(p)));
462 static void activate_effective_progs(struct cgroup *cgrp,
463 enum cgroup_bpf_attach_type atype,
464 struct bpf_prog_array *old_array)
466 old_array = rcu_replace_pointer(cgrp->bpf.effective[atype], old_array,
467 lockdep_is_held(&cgroup_mutex));
468 /* free prog array after grace period, since __cgroup_bpf_run_*()
469 * might be still walking the array
471 bpf_prog_array_free(old_array);
475 * cgroup_bpf_inherit() - inherit effective programs from parent
476 * @cgrp: the cgroup to modify
478 int cgroup_bpf_inherit(struct cgroup *cgrp)
480 /* has to use marco instead of const int, since compiler thinks
481 * that array below is variable length
483 #define NR ARRAY_SIZE(cgrp->bpf.effective)
484 struct bpf_prog_array *arrays[NR] = {};
488 ret = percpu_ref_init(&cgrp->bpf.refcnt, cgroup_bpf_release_fn, 0,
493 for (p = cgroup_parent(cgrp); p; p = cgroup_parent(p))
496 for (i = 0; i < NR; i++)
497 INIT_HLIST_HEAD(&cgrp->bpf.progs[i]);
499 INIT_LIST_HEAD(&cgrp->bpf.storages);
501 for (i = 0; i < NR; i++)
502 if (compute_effective_progs(cgrp, i, &arrays[i]))
505 for (i = 0; i < NR; i++)
506 activate_effective_progs(cgrp, i, arrays[i]);
510 for (i = 0; i < NR; i++)
511 bpf_prog_array_free(arrays[i]);
513 for (p = cgroup_parent(cgrp); p; p = cgroup_parent(p))
516 percpu_ref_exit(&cgrp->bpf.refcnt);
521 static int update_effective_progs(struct cgroup *cgrp,
522 enum cgroup_bpf_attach_type atype)
524 struct cgroup_subsys_state *css;
527 /* allocate and recompute effective prog arrays */
528 css_for_each_descendant_pre(css, &cgrp->self) {
529 struct cgroup *desc = container_of(css, struct cgroup, self);
531 if (percpu_ref_is_zero(&desc->bpf.refcnt))
534 err = compute_effective_progs(desc, atype, &desc->bpf.inactive);
539 /* all allocations were successful. Activate all prog arrays */
540 css_for_each_descendant_pre(css, &cgrp->self) {
541 struct cgroup *desc = container_of(css, struct cgroup, self);
543 if (percpu_ref_is_zero(&desc->bpf.refcnt)) {
544 if (unlikely(desc->bpf.inactive)) {
545 bpf_prog_array_free(desc->bpf.inactive);
546 desc->bpf.inactive = NULL;
551 activate_effective_progs(desc, atype, desc->bpf.inactive);
552 desc->bpf.inactive = NULL;
558 /* oom while computing effective. Free all computed effective arrays
559 * since they were not activated
561 css_for_each_descendant_pre(css, &cgrp->self) {
562 struct cgroup *desc = container_of(css, struct cgroup, self);
564 bpf_prog_array_free(desc->bpf.inactive);
565 desc->bpf.inactive = NULL;
571 #define BPF_CGROUP_MAX_PROGS 64
573 static struct bpf_prog_list *find_attach_entry(struct hlist_head *progs,
574 struct bpf_prog *prog,
575 struct bpf_cgroup_link *link,
576 struct bpf_prog *replace_prog,
579 struct bpf_prog_list *pl;
581 /* single-attach case */
583 if (hlist_empty(progs))
585 return hlist_entry(progs->first, typeof(*pl), node);
588 hlist_for_each_entry(pl, progs, node) {
589 if (prog && pl->prog == prog && prog != replace_prog)
590 /* disallow attaching the same prog twice */
591 return ERR_PTR(-EINVAL);
592 if (link && pl->link == link)
593 /* disallow attaching the same link twice */
594 return ERR_PTR(-EINVAL);
597 /* direct prog multi-attach w/ replacement case */
599 hlist_for_each_entry(pl, progs, node) {
600 if (pl->prog == replace_prog)
604 /* prog to replace not found for cgroup */
605 return ERR_PTR(-ENOENT);
612 * __cgroup_bpf_attach() - Attach the program or the link to a cgroup, and
613 * propagate the change to descendants
614 * @cgrp: The cgroup which descendants to traverse
615 * @prog: A program to attach
616 * @link: A link to attach
617 * @replace_prog: Previously attached program to replace if BPF_F_REPLACE is set
618 * @type: Type of attach operation
619 * @flags: Option flags
621 * Exactly one of @prog or @link can be non-null.
622 * Must be called with cgroup_mutex held.
624 static int __cgroup_bpf_attach(struct cgroup *cgrp,
625 struct bpf_prog *prog, struct bpf_prog *replace_prog,
626 struct bpf_cgroup_link *link,
627 enum bpf_attach_type type, u32 flags)
629 u32 saved_flags = (flags & (BPF_F_ALLOW_OVERRIDE | BPF_F_ALLOW_MULTI));
630 struct bpf_prog *old_prog = NULL;
631 struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {};
632 struct bpf_cgroup_storage *new_storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {};
633 struct bpf_prog *new_prog = prog ? : link->link.prog;
634 enum cgroup_bpf_attach_type atype;
635 struct bpf_prog_list *pl;
636 struct hlist_head *progs;
639 if (((flags & BPF_F_ALLOW_OVERRIDE) && (flags & BPF_F_ALLOW_MULTI)) ||
640 ((flags & BPF_F_REPLACE) && !(flags & BPF_F_ALLOW_MULTI)))
641 /* invalid combination */
643 if (link && (prog || replace_prog))
644 /* only either link or prog/replace_prog can be specified */
646 if (!!replace_prog != !!(flags & BPF_F_REPLACE))
647 /* replace_prog implies BPF_F_REPLACE, and vice versa */
650 atype = bpf_cgroup_atype_find(type, new_prog->aux->attach_btf_id);
654 progs = &cgrp->bpf.progs[atype];
656 if (!hierarchy_allows_attach(cgrp, atype))
659 if (!hlist_empty(progs) && cgrp->bpf.flags[atype] != saved_flags)
660 /* Disallow attaching non-overridable on top
661 * of existing overridable in this cgroup.
662 * Disallow attaching multi-prog if overridable or none
666 if (prog_list_length(progs) >= BPF_CGROUP_MAX_PROGS)
669 pl = find_attach_entry(progs, prog, link, replace_prog,
670 flags & BPF_F_ALLOW_MULTI);
674 if (bpf_cgroup_storages_alloc(storage, new_storage, type,
675 prog ? : link->link.prog, cgrp))
681 struct hlist_node *last = NULL;
683 pl = kmalloc(sizeof(*pl), GFP_KERNEL);
685 bpf_cgroup_storages_free(new_storage);
688 if (hlist_empty(progs))
689 hlist_add_head(&pl->node, progs);
691 hlist_for_each(last, progs) {
694 hlist_add_behind(&pl->node, last);
701 bpf_cgroup_storages_assign(pl->storage, storage);
702 cgrp->bpf.flags[atype] = saved_flags;
704 if (type == BPF_LSM_CGROUP) {
705 err = bpf_trampoline_link_cgroup_shim(new_prog, atype);
710 err = update_effective_progs(cgrp, atype);
712 goto cleanup_trampoline;
715 if (type == BPF_LSM_CGROUP)
716 bpf_trampoline_unlink_cgroup_shim(old_prog);
717 bpf_prog_put(old_prog);
719 static_branch_inc(&cgroup_bpf_enabled_key[atype]);
721 bpf_cgroup_storages_link(new_storage, cgrp, type);
725 if (type == BPF_LSM_CGROUP)
726 bpf_trampoline_unlink_cgroup_shim(new_prog);
733 bpf_cgroup_storages_free(new_storage);
735 hlist_del(&pl->node);
741 static int cgroup_bpf_attach(struct cgroup *cgrp,
742 struct bpf_prog *prog, struct bpf_prog *replace_prog,
743 struct bpf_cgroup_link *link,
744 enum bpf_attach_type type,
750 ret = __cgroup_bpf_attach(cgrp, prog, replace_prog, link, type, flags);
755 /* Swap updated BPF program for given link in effective program arrays across
756 * all descendant cgroups. This function is guaranteed to succeed.
758 static void replace_effective_prog(struct cgroup *cgrp,
759 enum cgroup_bpf_attach_type atype,
760 struct bpf_cgroup_link *link)
762 struct bpf_prog_array_item *item;
763 struct cgroup_subsys_state *css;
764 struct bpf_prog_array *progs;
765 struct bpf_prog_list *pl;
766 struct hlist_head *head;
770 css_for_each_descendant_pre(css, &cgrp->self) {
771 struct cgroup *desc = container_of(css, struct cgroup, self);
773 if (percpu_ref_is_zero(&desc->bpf.refcnt))
776 /* find position of link in effective progs array */
777 for (pos = 0, cg = desc; cg; cg = cgroup_parent(cg)) {
778 if (pos && !(cg->bpf.flags[atype] & BPF_F_ALLOW_MULTI))
781 head = &cg->bpf.progs[atype];
782 hlist_for_each_entry(pl, head, node) {
783 if (!prog_list_prog(pl))
785 if (pl->link == link)
792 progs = rcu_dereference_protected(
793 desc->bpf.effective[atype],
794 lockdep_is_held(&cgroup_mutex));
795 item = &progs->items[pos];
796 WRITE_ONCE(item->prog, link->link.prog);
801 * __cgroup_bpf_replace() - Replace link's program and propagate the change
803 * @cgrp: The cgroup which descendants to traverse
804 * @link: A link for which to replace BPF program
805 * @new_prog: &struct bpf_prog for the target BPF program with its refcnt
808 * Must be called with cgroup_mutex held.
810 static int __cgroup_bpf_replace(struct cgroup *cgrp,
811 struct bpf_cgroup_link *link,
812 struct bpf_prog *new_prog)
814 enum cgroup_bpf_attach_type atype;
815 struct bpf_prog *old_prog;
816 struct bpf_prog_list *pl;
817 struct hlist_head *progs;
820 atype = bpf_cgroup_atype_find(link->type, new_prog->aux->attach_btf_id);
824 progs = &cgrp->bpf.progs[atype];
826 if (link->link.prog->type != new_prog->type)
829 hlist_for_each_entry(pl, progs, node) {
830 if (pl->link == link) {
838 old_prog = xchg(&link->link.prog, new_prog);
839 replace_effective_prog(cgrp, atype, link);
840 bpf_prog_put(old_prog);
844 static int cgroup_bpf_replace(struct bpf_link *link, struct bpf_prog *new_prog,
845 struct bpf_prog *old_prog)
847 struct bpf_cgroup_link *cg_link;
850 cg_link = container_of(link, struct bpf_cgroup_link, link);
853 /* link might have been auto-released by dying cgroup, so fail */
854 if (!cg_link->cgroup) {
858 if (old_prog && link->prog != old_prog) {
862 ret = __cgroup_bpf_replace(cg_link->cgroup, cg_link, new_prog);
868 static struct bpf_prog_list *find_detach_entry(struct hlist_head *progs,
869 struct bpf_prog *prog,
870 struct bpf_cgroup_link *link,
873 struct bpf_prog_list *pl;
876 if (hlist_empty(progs))
877 /* report error when trying to detach and nothing is attached */
878 return ERR_PTR(-ENOENT);
880 /* to maintain backward compatibility NONE and OVERRIDE cgroups
881 * allow detaching with invalid FD (prog==NULL) in legacy mode
883 return hlist_entry(progs->first, typeof(*pl), node);
887 /* to detach MULTI prog the user has to specify valid FD
888 * of the program or link to be detached
890 return ERR_PTR(-EINVAL);
892 /* find the prog or link and detach it */
893 hlist_for_each_entry(pl, progs, node) {
894 if (pl->prog == prog && pl->link == link)
897 return ERR_PTR(-ENOENT);
901 * purge_effective_progs() - After compute_effective_progs fails to alloc new
902 * cgrp->bpf.inactive table we can recover by
903 * recomputing the array in place.
905 * @cgrp: The cgroup which descendants to travers
906 * @prog: A program to detach or NULL
907 * @link: A link to detach or NULL
908 * @atype: Type of detach operation
910 static void purge_effective_progs(struct cgroup *cgrp, struct bpf_prog *prog,
911 struct bpf_cgroup_link *link,
912 enum cgroup_bpf_attach_type atype)
914 struct cgroup_subsys_state *css;
915 struct bpf_prog_array *progs;
916 struct bpf_prog_list *pl;
917 struct hlist_head *head;
921 /* recompute effective prog array in place */
922 css_for_each_descendant_pre(css, &cgrp->self) {
923 struct cgroup *desc = container_of(css, struct cgroup, self);
925 if (percpu_ref_is_zero(&desc->bpf.refcnt))
928 /* find position of link or prog in effective progs array */
929 for (pos = 0, cg = desc; cg; cg = cgroup_parent(cg)) {
930 if (pos && !(cg->bpf.flags[atype] & BPF_F_ALLOW_MULTI))
933 head = &cg->bpf.progs[atype];
934 hlist_for_each_entry(pl, head, node) {
935 if (!prog_list_prog(pl))
937 if (pl->prog == prog && pl->link == link)
943 /* no link or prog match, skip the cgroup of this layer */
946 progs = rcu_dereference_protected(
947 desc->bpf.effective[atype],
948 lockdep_is_held(&cgroup_mutex));
950 /* Remove the program from the array */
951 WARN_ONCE(bpf_prog_array_delete_safe_at(progs, pos),
952 "Failed to purge a prog from array at index %d", pos);
957 * __cgroup_bpf_detach() - Detach the program or link from a cgroup, and
958 * propagate the change to descendants
959 * @cgrp: The cgroup which descendants to traverse
960 * @prog: A program to detach or NULL
961 * @link: A link to detach or NULL
962 * @type: Type of detach operation
964 * At most one of @prog or @link can be non-NULL.
965 * Must be called with cgroup_mutex held.
967 static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
968 struct bpf_cgroup_link *link, enum bpf_attach_type type)
970 enum cgroup_bpf_attach_type atype;
971 struct bpf_prog *old_prog;
972 struct bpf_prog_list *pl;
973 struct hlist_head *progs;
974 u32 attach_btf_id = 0;
978 attach_btf_id = prog->aux->attach_btf_id;
980 attach_btf_id = link->link.prog->aux->attach_btf_id;
982 atype = bpf_cgroup_atype_find(type, attach_btf_id);
986 progs = &cgrp->bpf.progs[atype];
987 flags = cgrp->bpf.flags[atype];
990 /* only one of prog or link can be specified */
993 pl = find_detach_entry(progs, prog, link, flags & BPF_F_ALLOW_MULTI);
997 /* mark it deleted, so it's ignored while recomputing effective */
1002 if (update_effective_progs(cgrp, atype)) {
1003 /* if update effective array failed replace the prog with a dummy prog*/
1004 pl->prog = old_prog;
1006 purge_effective_progs(cgrp, old_prog, link, atype);
1009 /* now can actually delete it from this cgroup list */
1010 hlist_del(&pl->node);
1013 if (hlist_empty(progs))
1014 /* last program was detached, reset flags to zero */
1015 cgrp->bpf.flags[atype] = 0;
1017 if (type == BPF_LSM_CGROUP)
1018 bpf_trampoline_unlink_cgroup_shim(old_prog);
1019 bpf_prog_put(old_prog);
1021 static_branch_dec(&cgroup_bpf_enabled_key[atype]);
1025 static int cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
1026 enum bpf_attach_type type)
1031 ret = __cgroup_bpf_detach(cgrp, prog, NULL, type);
1036 /* Must be called with cgroup_mutex held to avoid races. */
1037 static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
1038 union bpf_attr __user *uattr)
1040 __u32 __user *prog_attach_flags = u64_to_user_ptr(attr->query.prog_attach_flags);
1041 bool effective_query = attr->query.query_flags & BPF_F_QUERY_EFFECTIVE;
1042 __u32 __user *prog_ids = u64_to_user_ptr(attr->query.prog_ids);
1043 enum bpf_attach_type type = attr->query.attach_type;
1044 enum cgroup_bpf_attach_type from_atype, to_atype;
1045 enum cgroup_bpf_attach_type atype;
1046 struct bpf_prog_array *effective;
1047 int cnt, ret = 0, i;
1051 if (effective_query && prog_attach_flags)
1054 if (type == BPF_LSM_CGROUP) {
1055 if (!effective_query && attr->query.prog_cnt &&
1056 prog_ids && !prog_attach_flags)
1059 from_atype = CGROUP_LSM_START;
1060 to_atype = CGROUP_LSM_END;
1063 from_atype = to_cgroup_bpf_attach_type(type);
1066 to_atype = from_atype;
1067 flags = cgrp->bpf.flags[from_atype];
1070 for (atype = from_atype; atype <= to_atype; atype++) {
1071 if (effective_query) {
1072 effective = rcu_dereference_protected(cgrp->bpf.effective[atype],
1073 lockdep_is_held(&cgroup_mutex));
1074 total_cnt += bpf_prog_array_length(effective);
1076 total_cnt += prog_list_length(&cgrp->bpf.progs[atype]);
1080 /* always output uattr->query.attach_flags as 0 during effective query */
1081 flags = effective_query ? 0 : flags;
1082 if (copy_to_user(&uattr->query.attach_flags, &flags, sizeof(flags)))
1084 if (copy_to_user(&uattr->query.prog_cnt, &total_cnt, sizeof(total_cnt)))
1086 if (attr->query.prog_cnt == 0 || !prog_ids || !total_cnt)
1087 /* return early if user requested only program count + flags */
1090 if (attr->query.prog_cnt < total_cnt) {
1091 total_cnt = attr->query.prog_cnt;
1095 for (atype = from_atype; atype <= to_atype && total_cnt; atype++) {
1096 if (effective_query) {
1097 effective = rcu_dereference_protected(cgrp->bpf.effective[atype],
1098 lockdep_is_held(&cgroup_mutex));
1099 cnt = min_t(int, bpf_prog_array_length(effective), total_cnt);
1100 ret = bpf_prog_array_copy_to_user(effective, prog_ids, cnt);
1102 struct hlist_head *progs;
1103 struct bpf_prog_list *pl;
1104 struct bpf_prog *prog;
1107 progs = &cgrp->bpf.progs[atype];
1108 cnt = min_t(int, prog_list_length(progs), total_cnt);
1110 hlist_for_each_entry(pl, progs, node) {
1111 prog = prog_list_prog(pl);
1113 if (copy_to_user(prog_ids + i, &id, sizeof(id)))
1119 if (prog_attach_flags) {
1120 flags = cgrp->bpf.flags[atype];
1122 for (i = 0; i < cnt; i++)
1123 if (copy_to_user(prog_attach_flags + i,
1124 &flags, sizeof(flags)))
1126 prog_attach_flags += cnt;
1136 static int cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
1137 union bpf_attr __user *uattr)
1142 ret = __cgroup_bpf_query(cgrp, attr, uattr);
1147 int cgroup_bpf_prog_attach(const union bpf_attr *attr,
1148 enum bpf_prog_type ptype, struct bpf_prog *prog)
1150 struct bpf_prog *replace_prog = NULL;
1151 struct cgroup *cgrp;
1154 cgrp = cgroup_get_from_fd(attr->target_fd);
1156 return PTR_ERR(cgrp);
1158 if ((attr->attach_flags & BPF_F_ALLOW_MULTI) &&
1159 (attr->attach_flags & BPF_F_REPLACE)) {
1160 replace_prog = bpf_prog_get_type(attr->replace_bpf_fd, ptype);
1161 if (IS_ERR(replace_prog)) {
1163 return PTR_ERR(replace_prog);
1167 ret = cgroup_bpf_attach(cgrp, prog, replace_prog, NULL,
1168 attr->attach_type, attr->attach_flags);
1171 bpf_prog_put(replace_prog);
1176 int cgroup_bpf_prog_detach(const union bpf_attr *attr, enum bpf_prog_type ptype)
1178 struct bpf_prog *prog;
1179 struct cgroup *cgrp;
1182 cgrp = cgroup_get_from_fd(attr->target_fd);
1184 return PTR_ERR(cgrp);
1186 prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype);
1190 ret = cgroup_bpf_detach(cgrp, prog, attr->attach_type);
1198 static void bpf_cgroup_link_release(struct bpf_link *link)
1200 struct bpf_cgroup_link *cg_link =
1201 container_of(link, struct bpf_cgroup_link, link);
1204 /* link might have been auto-detached by dying cgroup already,
1205 * in that case our work is done here
1207 if (!cg_link->cgroup)
1212 /* re-check cgroup under lock again */
1213 if (!cg_link->cgroup) {
1218 WARN_ON(__cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link,
1220 if (cg_link->type == BPF_LSM_CGROUP)
1221 bpf_trampoline_unlink_cgroup_shim(cg_link->link.prog);
1223 cg = cg_link->cgroup;
1224 cg_link->cgroup = NULL;
1231 static void bpf_cgroup_link_dealloc(struct bpf_link *link)
1233 struct bpf_cgroup_link *cg_link =
1234 container_of(link, struct bpf_cgroup_link, link);
1239 static int bpf_cgroup_link_detach(struct bpf_link *link)
1241 bpf_cgroup_link_release(link);
1246 static void bpf_cgroup_link_show_fdinfo(const struct bpf_link *link,
1247 struct seq_file *seq)
1249 struct bpf_cgroup_link *cg_link =
1250 container_of(link, struct bpf_cgroup_link, link);
1254 if (cg_link->cgroup)
1255 cg_id = cgroup_id(cg_link->cgroup);
1259 "cgroup_id:\t%llu\n"
1260 "attach_type:\t%d\n",
1265 static int bpf_cgroup_link_fill_link_info(const struct bpf_link *link,
1266 struct bpf_link_info *info)
1268 struct bpf_cgroup_link *cg_link =
1269 container_of(link, struct bpf_cgroup_link, link);
1273 if (cg_link->cgroup)
1274 cg_id = cgroup_id(cg_link->cgroup);
1277 info->cgroup.cgroup_id = cg_id;
1278 info->cgroup.attach_type = cg_link->type;
1282 static const struct bpf_link_ops bpf_cgroup_link_lops = {
1283 .release = bpf_cgroup_link_release,
1284 .dealloc = bpf_cgroup_link_dealloc,
1285 .detach = bpf_cgroup_link_detach,
1286 .update_prog = cgroup_bpf_replace,
1287 .show_fdinfo = bpf_cgroup_link_show_fdinfo,
1288 .fill_link_info = bpf_cgroup_link_fill_link_info,
1291 int cgroup_bpf_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
1293 struct bpf_link_primer link_primer;
1294 struct bpf_cgroup_link *link;
1295 struct cgroup *cgrp;
1298 if (attr->link_create.flags)
1301 cgrp = cgroup_get_from_fd(attr->link_create.target_fd);
1303 return PTR_ERR(cgrp);
1305 link = kzalloc(sizeof(*link), GFP_USER);
1308 goto out_put_cgroup;
1310 bpf_link_init(&link->link, BPF_LINK_TYPE_CGROUP, &bpf_cgroup_link_lops,
1312 link->cgroup = cgrp;
1313 link->type = attr->link_create.attach_type;
1315 err = bpf_link_prime(&link->link, &link_primer);
1318 goto out_put_cgroup;
1321 err = cgroup_bpf_attach(cgrp, NULL, NULL, link,
1322 link->type, BPF_F_ALLOW_MULTI);
1324 bpf_link_cleanup(&link_primer);
1325 goto out_put_cgroup;
1328 return bpf_link_settle(&link_primer);
1335 int cgroup_bpf_prog_query(const union bpf_attr *attr,
1336 union bpf_attr __user *uattr)
1338 struct cgroup *cgrp;
1341 cgrp = cgroup_get_from_fd(attr->query.target_fd);
1343 return PTR_ERR(cgrp);
1345 ret = cgroup_bpf_query(cgrp, attr, uattr);
1352 * __cgroup_bpf_run_filter_skb() - Run a program for packet filtering
1353 * @sk: The socket sending or receiving traffic
1354 * @skb: The skb that is being sent or received
1355 * @atype: The type of program to be executed
1357 * If no socket is passed, or the socket is not of type INET or INET6,
1358 * this function does nothing and returns 0.
1360 * The program type passed in via @type must be suitable for network
1361 * filtering. No further check is performed to assert that.
1363 * For egress packets, this function can return:
1364 * NET_XMIT_SUCCESS (0) - continue with packet output
1365 * NET_XMIT_DROP (1) - drop packet and notify TCP to call cwr
1366 * NET_XMIT_CN (2) - continue with packet output and notify TCP
1368 * -err - drop packet
1370 * For ingress packets, this function will return -EPERM if any
1371 * attached program was found and if it returned != 1 during execution.
1372 * Otherwise 0 is returned.
1374 int __cgroup_bpf_run_filter_skb(struct sock *sk,
1375 struct sk_buff *skb,
1376 enum cgroup_bpf_attach_type atype)
1378 unsigned int offset = -skb_network_offset(skb);
1379 struct sock *save_sk;
1380 void *saved_data_end;
1381 struct cgroup *cgrp;
1384 if (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)
1387 cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
1390 __skb_push(skb, offset);
1392 /* compute pointers for the bpf prog */
1393 bpf_compute_and_save_data_end(skb, &saved_data_end);
1395 if (atype == CGROUP_INET_EGRESS) {
1399 ret = bpf_prog_run_array_cg(&cgrp->bpf, atype, skb,
1400 __bpf_prog_run_save_cb, 0, &flags);
1402 /* Return values of CGROUP EGRESS BPF programs are:
1405 * 2: drop packet and cn
1406 * 3: keep packet and cn
1408 * The returned value is then converted to one of the NET_XMIT
1409 * or an error code that is then interpreted as drop packet
1411 * 0: NET_XMIT_SUCCESS skb should be transmitted
1412 * 1: NET_XMIT_DROP skb should be dropped and cn
1413 * 2: NET_XMIT_CN skb should be transmitted and cn
1414 * 3: -err skb should be dropped
1417 cn = flags & BPF_RET_SET_CN;
1418 if (ret && !IS_ERR_VALUE((long)ret))
1421 ret = (cn ? NET_XMIT_CN : NET_XMIT_SUCCESS);
1423 ret = (cn ? NET_XMIT_DROP : ret);
1425 ret = bpf_prog_run_array_cg(&cgrp->bpf, atype,
1426 skb, __bpf_prog_run_save_cb, 0,
1428 if (ret && !IS_ERR_VALUE((long)ret))
1431 bpf_restore_data_end(skb, saved_data_end);
1432 __skb_pull(skb, offset);
1437 EXPORT_SYMBOL(__cgroup_bpf_run_filter_skb);
1440 * __cgroup_bpf_run_filter_sk() - Run a program on a sock
1441 * @sk: sock structure to manipulate
1442 * @atype: The type of program to be executed
1444 * socket is passed is expected to be of type INET or INET6.
1446 * The program type passed in via @type must be suitable for sock
1447 * filtering. No further check is performed to assert that.
1449 * This function will return %-EPERM if any if an attached program was found
1450 * and if it returned != 1 during execution. In all other cases, 0 is returned.
1452 int __cgroup_bpf_run_filter_sk(struct sock *sk,
1453 enum cgroup_bpf_attach_type atype)
1455 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
1457 return bpf_prog_run_array_cg(&cgrp->bpf, atype, sk, bpf_prog_run, 0,
1460 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sk);
1463 * __cgroup_bpf_run_filter_sock_addr() - Run a program on a sock and
1464 * provided by user sockaddr
1465 * @sk: sock struct that will use sockaddr
1466 * @uaddr: sockaddr struct provided by user
1467 * @uaddrlen: Pointer to the size of the sockaddr struct provided by user. It is
1468 * read-only for AF_INET[6] uaddr but can be modified for AF_UNIX
1470 * @atype: The type of program to be executed
1471 * @t_ctx: Pointer to attach type specific context
1472 * @flags: Pointer to u32 which contains higher bits of BPF program
1473 * return value (OR'ed together).
1475 * socket is expected to be of type INET, INET6 or UNIX.
1477 * This function will return %-EPERM if an attached program is found and
1478 * returned value != 1 during execution. In all other cases, 0 is returned.
1480 int __cgroup_bpf_run_filter_sock_addr(struct sock *sk,
1481 struct sockaddr *uaddr,
1483 enum cgroup_bpf_attach_type atype,
1487 struct bpf_sock_addr_kern ctx = {
1492 struct sockaddr_storage unspec;
1493 struct cgroup *cgrp;
1496 /* Check socket family since not all sockets represent network
1497 * endpoint (e.g. AF_UNIX).
1499 if (sk->sk_family != AF_INET && sk->sk_family != AF_INET6 &&
1500 sk->sk_family != AF_UNIX)
1504 memset(&unspec, 0, sizeof(unspec));
1505 ctx.uaddr = (struct sockaddr *)&unspec;
1508 ctx.uaddrlen = *uaddrlen;
1511 cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
1512 ret = bpf_prog_run_array_cg(&cgrp->bpf, atype, &ctx, bpf_prog_run,
1516 *uaddrlen = ctx.uaddrlen;
1520 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sock_addr);
1523 * __cgroup_bpf_run_filter_sock_ops() - Run a program on a sock
1524 * @sk: socket to get cgroup from
1525 * @sock_ops: bpf_sock_ops_kern struct to pass to program. Contains
1526 * sk with connection information (IP addresses, etc.) May not contain
1527 * cgroup info if it is a req sock.
1528 * @atype: The type of program to be executed
1530 * socket passed is expected to be of type INET or INET6.
1532 * The program type passed in via @type must be suitable for sock_ops
1533 * filtering. No further check is performed to assert that.
1535 * This function will return %-EPERM if any if an attached program was found
1536 * and if it returned != 1 during execution. In all other cases, 0 is returned.
1538 int __cgroup_bpf_run_filter_sock_ops(struct sock *sk,
1539 struct bpf_sock_ops_kern *sock_ops,
1540 enum cgroup_bpf_attach_type atype)
1542 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
1544 return bpf_prog_run_array_cg(&cgrp->bpf, atype, sock_ops, bpf_prog_run,
1547 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sock_ops);
1549 int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor,
1550 short access, enum cgroup_bpf_attach_type atype)
1552 struct cgroup *cgrp;
1553 struct bpf_cgroup_dev_ctx ctx = {
1554 .access_type = (access << 16) | dev_type,
1561 cgrp = task_dfl_cgroup(current);
1562 ret = bpf_prog_run_array_cg(&cgrp->bpf, atype, &ctx, bpf_prog_run, 0,
1569 BPF_CALL_2(bpf_get_local_storage, struct bpf_map *, map, u64, flags)
1571 /* flags argument is not used now,
1572 * but provides an ability to extend the API.
1573 * verifier checks that its value is correct.
1575 enum bpf_cgroup_storage_type stype = cgroup_storage_type(map);
1576 struct bpf_cgroup_storage *storage;
1577 struct bpf_cg_run_ctx *ctx;
1580 /* get current cgroup storage from BPF run context */
1581 ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
1582 storage = ctx->prog_item->cgroup_storage[stype];
1584 if (stype == BPF_CGROUP_STORAGE_SHARED)
1585 ptr = &READ_ONCE(storage->buf)->data[0];
1587 ptr = this_cpu_ptr(storage->percpu_buf);
1589 return (unsigned long)ptr;
1592 const struct bpf_func_proto bpf_get_local_storage_proto = {
1593 .func = bpf_get_local_storage,
1595 .ret_type = RET_PTR_TO_MAP_VALUE,
1596 .arg1_type = ARG_CONST_MAP_PTR,
1597 .arg2_type = ARG_ANYTHING,
1600 BPF_CALL_0(bpf_get_retval)
1602 struct bpf_cg_run_ctx *ctx =
1603 container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
1608 const struct bpf_func_proto bpf_get_retval_proto = {
1609 .func = bpf_get_retval,
1611 .ret_type = RET_INTEGER,
1614 BPF_CALL_1(bpf_set_retval, int, retval)
1616 struct bpf_cg_run_ctx *ctx =
1617 container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
1619 ctx->retval = retval;
1623 const struct bpf_func_proto bpf_set_retval_proto = {
1624 .func = bpf_set_retval,
1626 .ret_type = RET_INTEGER,
1627 .arg1_type = ARG_ANYTHING,
1630 static const struct bpf_func_proto *
1631 cgroup_dev_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
1633 const struct bpf_func_proto *func_proto;
1635 func_proto = cgroup_common_func_proto(func_id, prog);
1639 func_proto = cgroup_current_func_proto(func_id, prog);
1644 case BPF_FUNC_perf_event_output:
1645 return &bpf_event_output_data_proto;
1647 return bpf_base_func_proto(func_id, prog);
1651 static bool cgroup_dev_is_valid_access(int off, int size,
1652 enum bpf_access_type type,
1653 const struct bpf_prog *prog,
1654 struct bpf_insn_access_aux *info)
1656 const int size_default = sizeof(__u32);
1658 if (type == BPF_WRITE)
1661 if (off < 0 || off + size > sizeof(struct bpf_cgroup_dev_ctx))
1663 /* The verifier guarantees that size > 0. */
1664 if (off % size != 0)
1668 case bpf_ctx_range(struct bpf_cgroup_dev_ctx, access_type):
1669 bpf_ctx_record_field_size(info, size_default);
1670 if (!bpf_ctx_narrow_access_ok(off, size, size_default))
1674 if (size != size_default)
1681 const struct bpf_prog_ops cg_dev_prog_ops = {
1684 const struct bpf_verifier_ops cg_dev_verifier_ops = {
1685 .get_func_proto = cgroup_dev_func_proto,
1686 .is_valid_access = cgroup_dev_is_valid_access,
1690 * __cgroup_bpf_run_filter_sysctl - Run a program on sysctl
1692 * @head: sysctl table header
1693 * @table: sysctl table
1694 * @write: sysctl is being read (= 0) or written (= 1)
1695 * @buf: pointer to buffer (in and out)
1696 * @pcount: value-result argument: value is size of buffer pointed to by @buf,
1697 * result is size of @new_buf if program set new value, initial value
1699 * @ppos: value-result argument: value is position at which read from or write
1700 * to sysctl is happening, result is new position if program overrode it,
1701 * initial value otherwise
1702 * @atype: type of program to be executed
1704 * Program is run when sysctl is being accessed, either read or written, and
1705 * can allow or deny such access.
1707 * This function will return %-EPERM if an attached program is found and
1708 * returned value != 1 during execution. In all other cases 0 is returned.
1710 int __cgroup_bpf_run_filter_sysctl(struct ctl_table_header *head,
1711 const struct ctl_table *table, int write,
1712 char **buf, size_t *pcount, loff_t *ppos,
1713 enum cgroup_bpf_attach_type atype)
1715 struct bpf_sysctl_kern ctx = {
1721 .cur_len = PAGE_SIZE,
1726 struct cgroup *cgrp;
1730 ctx.cur_val = kmalloc_track_caller(ctx.cur_len, GFP_KERNEL);
1732 table->proc_handler(table, 0, ctx.cur_val, &ctx.cur_len, &pos)) {
1733 /* Let BPF program decide how to proceed. */
1737 if (write && *buf && *pcount) {
1738 /* BPF program should be able to override new value with a
1739 * buffer bigger than provided by user.
1741 ctx.new_val = kmalloc_track_caller(PAGE_SIZE, GFP_KERNEL);
1742 ctx.new_len = min_t(size_t, PAGE_SIZE, *pcount);
1744 memcpy(ctx.new_val, *buf, ctx.new_len);
1746 /* Let BPF program decide how to proceed. */
1752 cgrp = task_dfl_cgroup(current);
1753 ret = bpf_prog_run_array_cg(&cgrp->bpf, atype, &ctx, bpf_prog_run, 0,
1759 if (ret == 1 && ctx.new_updated) {
1762 *pcount = ctx.new_len;
1771 static int sockopt_alloc_buf(struct bpf_sockopt_kern *ctx, int max_optlen,
1772 struct bpf_sockopt_buf *buf)
1774 if (unlikely(max_optlen < 0))
1777 if (unlikely(max_optlen > PAGE_SIZE)) {
1778 /* We don't expose optvals that are greater than PAGE_SIZE
1779 * to the BPF program.
1781 max_optlen = PAGE_SIZE;
1784 if (max_optlen <= sizeof(buf->data)) {
1785 /* When the optval fits into BPF_SOCKOPT_KERN_BUF_SIZE
1786 * bytes avoid the cost of kzalloc.
1788 ctx->optval = buf->data;
1789 ctx->optval_end = ctx->optval + max_optlen;
1793 ctx->optval = kzalloc(max_optlen, GFP_USER);
1797 ctx->optval_end = ctx->optval + max_optlen;
1802 static void sockopt_free_buf(struct bpf_sockopt_kern *ctx,
1803 struct bpf_sockopt_buf *buf)
1805 if (ctx->optval == buf->data)
1810 static bool sockopt_buf_allocated(struct bpf_sockopt_kern *ctx,
1811 struct bpf_sockopt_buf *buf)
1813 return ctx->optval != buf->data;
1816 int __cgroup_bpf_run_filter_setsockopt(struct sock *sk, int *level,
1817 int *optname, sockptr_t optval,
1818 int *optlen, char **kernel_optval)
1820 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
1821 struct bpf_sockopt_buf buf = {};
1822 struct bpf_sockopt_kern ctx = {
1825 .optname = *optname,
1827 int ret, max_optlen;
1829 /* Allocate a bit more than the initial user buffer for
1830 * BPF program. The canonical use case is overriding
1831 * TCP_CONGESTION(nv) to TCP_CONGESTION(cubic).
1833 max_optlen = max_t(int, 16, *optlen);
1834 max_optlen = sockopt_alloc_buf(&ctx, max_optlen, &buf);
1838 ctx.optlen = *optlen;
1840 if (copy_from_sockptr(ctx.optval, optval,
1841 min(*optlen, max_optlen))) {
1847 ret = bpf_prog_run_array_cg(&cgrp->bpf, CGROUP_SETSOCKOPT,
1848 &ctx, bpf_prog_run, 0, NULL);
1854 if (ctx.optlen == -1) {
1855 /* optlen set to -1, bypass kernel */
1857 } else if (ctx.optlen > max_optlen || ctx.optlen < -1) {
1858 /* optlen is out of bounds */
1859 if (*optlen > PAGE_SIZE && ctx.optlen >= 0) {
1860 pr_info_once("bpf setsockopt: ignoring program buffer with optlen=%d (max_optlen=%d)\n",
1861 ctx.optlen, max_optlen);
1867 /* optlen within bounds, run kernel handler */
1870 /* export any potential modifications */
1872 *optname = ctx.optname;
1874 /* optlen == 0 from BPF indicates that we should
1875 * use original userspace data.
1877 if (ctx.optlen != 0) {
1878 *optlen = ctx.optlen;
1879 /* We've used bpf_sockopt_kern->buf as an intermediary
1880 * storage, but the BPF program indicates that we need
1881 * to pass this data to the kernel setsockopt handler.
1882 * No way to export on-stack buf, have to allocate a
1885 if (!sockopt_buf_allocated(&ctx, &buf)) {
1886 void *p = kmalloc(ctx.optlen, GFP_USER);
1892 memcpy(p, ctx.optval, ctx.optlen);
1895 *kernel_optval = ctx.optval;
1897 /* export and don't free sockopt buf */
1903 sockopt_free_buf(&ctx, &buf);
1907 int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
1908 int optname, sockptr_t optval,
1909 sockptr_t optlen, int max_optlen,
1912 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
1913 struct bpf_sockopt_buf buf = {};
1914 struct bpf_sockopt_kern ctx = {
1918 .current_task = current,
1923 orig_optlen = max_optlen;
1924 ctx.optlen = max_optlen;
1925 max_optlen = sockopt_alloc_buf(&ctx, max_optlen, &buf);
1930 /* If kernel getsockopt finished successfully,
1931 * copy whatever was returned to the user back
1932 * into our temporary buffer. Set optlen to the
1933 * one that kernel returned as well to let
1934 * BPF programs inspect the value.
1936 if (copy_from_sockptr(&ctx.optlen, optlen,
1937 sizeof(ctx.optlen))) {
1942 if (ctx.optlen < 0) {
1946 orig_optlen = ctx.optlen;
1948 if (copy_from_sockptr(ctx.optval, optval,
1949 min(ctx.optlen, max_optlen))) {
1956 ret = bpf_prog_run_array_cg(&cgrp->bpf, CGROUP_GETSOCKOPT,
1957 &ctx, bpf_prog_run, retval, NULL);
1963 if (!sockptr_is_null(optval) &&
1964 (ctx.optlen > max_optlen || ctx.optlen < 0)) {
1965 if (orig_optlen > PAGE_SIZE && ctx.optlen >= 0) {
1966 pr_info_once("bpf getsockopt: ignoring program buffer with optlen=%d (max_optlen=%d)\n",
1967 ctx.optlen, max_optlen);
1975 if (ctx.optlen != 0) {
1976 if (!sockptr_is_null(optval) &&
1977 copy_to_sockptr(optval, ctx.optval, ctx.optlen)) {
1981 if (copy_to_sockptr(optlen, &ctx.optlen, sizeof(ctx.optlen))) {
1988 sockopt_free_buf(&ctx, &buf);
1992 int __cgroup_bpf_run_filter_getsockopt_kern(struct sock *sk, int level,
1993 int optname, void *optval,
1994 int *optlen, int retval)
1996 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
1997 struct bpf_sockopt_kern ctx = {
2003 .optval_end = optval + *optlen,
2004 .current_task = current,
2008 /* Note that __cgroup_bpf_run_filter_getsockopt doesn't copy
2009 * user data back into BPF buffer when reval != 0. This is
2010 * done as an optimization to avoid extra copy, assuming
2011 * kernel won't populate the data in case of an error.
2012 * Here we always pass the data and memset() should
2013 * be called if that data shouldn't be "exported".
2016 ret = bpf_prog_run_array_cg(&cgrp->bpf, CGROUP_GETSOCKOPT,
2017 &ctx, bpf_prog_run, retval, NULL);
2021 if (ctx.optlen > *optlen)
2024 /* BPF programs can shrink the buffer, export the modifications.
2026 if (ctx.optlen != 0)
2027 *optlen = ctx.optlen;
2033 static ssize_t sysctl_cpy_dir(const struct ctl_dir *dir, char **bufp,
2036 ssize_t tmp_ret = 0, ret;
2038 if (dir->header.parent) {
2039 tmp_ret = sysctl_cpy_dir(dir->header.parent, bufp, lenp);
2044 ret = strscpy(*bufp, dir->header.ctl_table[0].procname, *lenp);
2051 /* Avoid leading slash. */
2055 tmp_ret = strscpy(*bufp, "/", *lenp);
2061 return ret + tmp_ret;
2064 BPF_CALL_4(bpf_sysctl_get_name, struct bpf_sysctl_kern *, ctx, char *, buf,
2065 size_t, buf_len, u64, flags)
2067 ssize_t tmp_ret = 0, ret;
2072 if (!(flags & BPF_F_SYSCTL_BASE_NAME)) {
2075 tmp_ret = sysctl_cpy_dir(ctx->head->parent, &buf, &buf_len);
2080 ret = strscpy(buf, ctx->table->procname, buf_len);
2082 return ret < 0 ? ret : tmp_ret + ret;
2085 static const struct bpf_func_proto bpf_sysctl_get_name_proto = {
2086 .func = bpf_sysctl_get_name,
2088 .ret_type = RET_INTEGER,
2089 .arg1_type = ARG_PTR_TO_CTX,
2090 .arg2_type = ARG_PTR_TO_MEM,
2091 .arg3_type = ARG_CONST_SIZE,
2092 .arg4_type = ARG_ANYTHING,
2095 static int copy_sysctl_value(char *dst, size_t dst_len, char *src,
2104 if (!src || !src_len) {
2105 memset(dst, 0, dst_len);
2109 memcpy(dst, src, min(dst_len, src_len));
2111 if (dst_len > src_len) {
2112 memset(dst + src_len, '\0', dst_len - src_len);
2116 dst[dst_len - 1] = '\0';
2121 BPF_CALL_3(bpf_sysctl_get_current_value, struct bpf_sysctl_kern *, ctx,
2122 char *, buf, size_t, buf_len)
2124 return copy_sysctl_value(buf, buf_len, ctx->cur_val, ctx->cur_len);
2127 static const struct bpf_func_proto bpf_sysctl_get_current_value_proto = {
2128 .func = bpf_sysctl_get_current_value,
2130 .ret_type = RET_INTEGER,
2131 .arg1_type = ARG_PTR_TO_CTX,
2132 .arg2_type = ARG_PTR_TO_UNINIT_MEM,
2133 .arg3_type = ARG_CONST_SIZE,
2136 BPF_CALL_3(bpf_sysctl_get_new_value, struct bpf_sysctl_kern *, ctx, char *, buf,
2141 memset(buf, '\0', buf_len);
2144 return copy_sysctl_value(buf, buf_len, ctx->new_val, ctx->new_len);
2147 static const struct bpf_func_proto bpf_sysctl_get_new_value_proto = {
2148 .func = bpf_sysctl_get_new_value,
2150 .ret_type = RET_INTEGER,
2151 .arg1_type = ARG_PTR_TO_CTX,
2152 .arg2_type = ARG_PTR_TO_UNINIT_MEM,
2153 .arg3_type = ARG_CONST_SIZE,
2156 BPF_CALL_3(bpf_sysctl_set_new_value, struct bpf_sysctl_kern *, ctx,
2157 const char *, buf, size_t, buf_len)
2159 if (!ctx->write || !ctx->new_val || !ctx->new_len || !buf || !buf_len)
2162 if (buf_len > PAGE_SIZE - 1)
2165 memcpy(ctx->new_val, buf, buf_len);
2166 ctx->new_len = buf_len;
2167 ctx->new_updated = 1;
2172 static const struct bpf_func_proto bpf_sysctl_set_new_value_proto = {
2173 .func = bpf_sysctl_set_new_value,
2175 .ret_type = RET_INTEGER,
2176 .arg1_type = ARG_PTR_TO_CTX,
2177 .arg2_type = ARG_PTR_TO_MEM | MEM_RDONLY,
2178 .arg3_type = ARG_CONST_SIZE,
2181 static const struct bpf_func_proto *
2182 sysctl_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
2184 const struct bpf_func_proto *func_proto;
2186 func_proto = cgroup_common_func_proto(func_id, prog);
2190 func_proto = cgroup_current_func_proto(func_id, prog);
2195 case BPF_FUNC_sysctl_get_name:
2196 return &bpf_sysctl_get_name_proto;
2197 case BPF_FUNC_sysctl_get_current_value:
2198 return &bpf_sysctl_get_current_value_proto;
2199 case BPF_FUNC_sysctl_get_new_value:
2200 return &bpf_sysctl_get_new_value_proto;
2201 case BPF_FUNC_sysctl_set_new_value:
2202 return &bpf_sysctl_set_new_value_proto;
2203 case BPF_FUNC_ktime_get_coarse_ns:
2204 return &bpf_ktime_get_coarse_ns_proto;
2205 case BPF_FUNC_perf_event_output:
2206 return &bpf_event_output_data_proto;
2208 return bpf_base_func_proto(func_id, prog);
2212 static bool sysctl_is_valid_access(int off, int size, enum bpf_access_type type,
2213 const struct bpf_prog *prog,
2214 struct bpf_insn_access_aux *info)
2216 const int size_default = sizeof(__u32);
2218 if (off < 0 || off + size > sizeof(struct bpf_sysctl) || off % size)
2222 case bpf_ctx_range(struct bpf_sysctl, write):
2223 if (type != BPF_READ)
2225 bpf_ctx_record_field_size(info, size_default);
2226 return bpf_ctx_narrow_access_ok(off, size, size_default);
2227 case bpf_ctx_range(struct bpf_sysctl, file_pos):
2228 if (type == BPF_READ) {
2229 bpf_ctx_record_field_size(info, size_default);
2230 return bpf_ctx_narrow_access_ok(off, size, size_default);
2232 return size == size_default;
2239 static u32 sysctl_convert_ctx_access(enum bpf_access_type type,
2240 const struct bpf_insn *si,
2241 struct bpf_insn *insn_buf,
2242 struct bpf_prog *prog, u32 *target_size)
2244 struct bpf_insn *insn = insn_buf;
2248 case offsetof(struct bpf_sysctl, write):
2249 *insn++ = BPF_LDX_MEM(
2250 BPF_SIZE(si->code), si->dst_reg, si->src_reg,
2251 bpf_target_off(struct bpf_sysctl_kern, write,
2252 sizeof_field(struct bpf_sysctl_kern,
2256 case offsetof(struct bpf_sysctl, file_pos):
2257 /* ppos is a pointer so it should be accessed via indirect
2258 * loads and stores. Also for stores additional temporary
2259 * register is used since neither src_reg nor dst_reg can be
2262 if (type == BPF_WRITE) {
2263 int treg = BPF_REG_9;
2265 if (si->src_reg == treg || si->dst_reg == treg)
2267 if (si->src_reg == treg || si->dst_reg == treg)
2269 *insn++ = BPF_STX_MEM(
2270 BPF_DW, si->dst_reg, treg,
2271 offsetof(struct bpf_sysctl_kern, tmp_reg));
2272 *insn++ = BPF_LDX_MEM(
2273 BPF_FIELD_SIZEOF(struct bpf_sysctl_kern, ppos),
2275 offsetof(struct bpf_sysctl_kern, ppos));
2276 *insn++ = BPF_RAW_INSN(
2277 BPF_CLASS(si->code) | BPF_MEM | BPF_SIZEOF(u32),
2279 bpf_ctx_narrow_access_offset(
2280 0, sizeof(u32), sizeof(loff_t)),
2282 *insn++ = BPF_LDX_MEM(
2283 BPF_DW, treg, si->dst_reg,
2284 offsetof(struct bpf_sysctl_kern, tmp_reg));
2286 *insn++ = BPF_LDX_MEM(
2287 BPF_FIELD_SIZEOF(struct bpf_sysctl_kern, ppos),
2288 si->dst_reg, si->src_reg,
2289 offsetof(struct bpf_sysctl_kern, ppos));
2290 read_size = bpf_size_to_bytes(BPF_SIZE(si->code));
2291 *insn++ = BPF_LDX_MEM(
2292 BPF_SIZE(si->code), si->dst_reg, si->dst_reg,
2293 bpf_ctx_narrow_access_offset(
2294 0, read_size, sizeof(loff_t)));
2296 *target_size = sizeof(u32);
2300 return insn - insn_buf;
2303 const struct bpf_verifier_ops cg_sysctl_verifier_ops = {
2304 .get_func_proto = sysctl_func_proto,
2305 .is_valid_access = sysctl_is_valid_access,
2306 .convert_ctx_access = sysctl_convert_ctx_access,
2309 const struct bpf_prog_ops cg_sysctl_prog_ops = {
2313 BPF_CALL_1(bpf_get_netns_cookie_sockopt, struct bpf_sockopt_kern *, ctx)
2315 const struct net *net = ctx ? sock_net(ctx->sk) : &init_net;
2317 return net->net_cookie;
2320 static const struct bpf_func_proto bpf_get_netns_cookie_sockopt_proto = {
2321 .func = bpf_get_netns_cookie_sockopt,
2323 .ret_type = RET_INTEGER,
2324 .arg1_type = ARG_PTR_TO_CTX_OR_NULL,
2328 static const struct bpf_func_proto *
2329 cg_sockopt_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
2331 const struct bpf_func_proto *func_proto;
2333 func_proto = cgroup_common_func_proto(func_id, prog);
2337 func_proto = cgroup_current_func_proto(func_id, prog);
2343 case BPF_FUNC_get_netns_cookie:
2344 return &bpf_get_netns_cookie_sockopt_proto;
2345 case BPF_FUNC_sk_storage_get:
2346 return &bpf_sk_storage_get_proto;
2347 case BPF_FUNC_sk_storage_delete:
2348 return &bpf_sk_storage_delete_proto;
2349 case BPF_FUNC_setsockopt:
2350 if (prog->expected_attach_type == BPF_CGROUP_SETSOCKOPT)
2351 return &bpf_sk_setsockopt_proto;
2353 case BPF_FUNC_getsockopt:
2354 if (prog->expected_attach_type == BPF_CGROUP_SETSOCKOPT)
2355 return &bpf_sk_getsockopt_proto;
2359 case BPF_FUNC_tcp_sock:
2360 return &bpf_tcp_sock_proto;
2362 case BPF_FUNC_perf_event_output:
2363 return &bpf_event_output_data_proto;
2365 return bpf_base_func_proto(func_id, prog);
2369 static bool cg_sockopt_is_valid_access(int off, int size,
2370 enum bpf_access_type type,
2371 const struct bpf_prog *prog,
2372 struct bpf_insn_access_aux *info)
2374 const int size_default = sizeof(__u32);
2376 if (off < 0 || off >= sizeof(struct bpf_sockopt))
2379 if (off % size != 0)
2382 if (type == BPF_WRITE) {
2384 case offsetof(struct bpf_sockopt, retval):
2385 if (size != size_default)
2387 return prog->expected_attach_type ==
2388 BPF_CGROUP_GETSOCKOPT;
2389 case offsetof(struct bpf_sockopt, optname):
2391 case offsetof(struct bpf_sockopt, level):
2392 if (size != size_default)
2394 return prog->expected_attach_type ==
2395 BPF_CGROUP_SETSOCKOPT;
2396 case offsetof(struct bpf_sockopt, optlen):
2397 return size == size_default;
2404 case offsetof(struct bpf_sockopt, sk):
2405 if (size != sizeof(__u64))
2407 info->reg_type = PTR_TO_SOCKET;
2409 case offsetof(struct bpf_sockopt, optval):
2410 if (size != sizeof(__u64))
2412 info->reg_type = PTR_TO_PACKET;
2414 case offsetof(struct bpf_sockopt, optval_end):
2415 if (size != sizeof(__u64))
2417 info->reg_type = PTR_TO_PACKET_END;
2419 case offsetof(struct bpf_sockopt, retval):
2420 if (size != size_default)
2422 return prog->expected_attach_type == BPF_CGROUP_GETSOCKOPT;
2424 if (size != size_default)
2431 #define CG_SOCKOPT_READ_FIELD(F) \
2432 BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct bpf_sockopt_kern, F), \
2433 si->dst_reg, si->src_reg, \
2434 offsetof(struct bpf_sockopt_kern, F))
2436 #define CG_SOCKOPT_WRITE_FIELD(F) \
2437 BPF_RAW_INSN((BPF_FIELD_SIZEOF(struct bpf_sockopt_kern, F) | \
2438 BPF_MEM | BPF_CLASS(si->code)), \
2439 si->dst_reg, si->src_reg, \
2440 offsetof(struct bpf_sockopt_kern, F), \
2443 static u32 cg_sockopt_convert_ctx_access(enum bpf_access_type type,
2444 const struct bpf_insn *si,
2445 struct bpf_insn *insn_buf,
2446 struct bpf_prog *prog,
2449 struct bpf_insn *insn = insn_buf;
2452 case offsetof(struct bpf_sockopt, sk):
2453 *insn++ = CG_SOCKOPT_READ_FIELD(sk);
2455 case offsetof(struct bpf_sockopt, level):
2456 if (type == BPF_WRITE)
2457 *insn++ = CG_SOCKOPT_WRITE_FIELD(level);
2459 *insn++ = CG_SOCKOPT_READ_FIELD(level);
2461 case offsetof(struct bpf_sockopt, optname):
2462 if (type == BPF_WRITE)
2463 *insn++ = CG_SOCKOPT_WRITE_FIELD(optname);
2465 *insn++ = CG_SOCKOPT_READ_FIELD(optname);
2467 case offsetof(struct bpf_sockopt, optlen):
2468 if (type == BPF_WRITE)
2469 *insn++ = CG_SOCKOPT_WRITE_FIELD(optlen);
2471 *insn++ = CG_SOCKOPT_READ_FIELD(optlen);
2473 case offsetof(struct bpf_sockopt, retval):
2474 BUILD_BUG_ON(offsetof(struct bpf_cg_run_ctx, run_ctx) != 0);
2476 if (type == BPF_WRITE) {
2477 int treg = BPF_REG_9;
2479 if (si->src_reg == treg || si->dst_reg == treg)
2481 if (si->src_reg == treg || si->dst_reg == treg)
2483 *insn++ = BPF_STX_MEM(BPF_DW, si->dst_reg, treg,
2484 offsetof(struct bpf_sockopt_kern, tmp_reg));
2485 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct bpf_sockopt_kern, current_task),
2487 offsetof(struct bpf_sockopt_kern, current_task));
2488 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct task_struct, bpf_ctx),
2490 offsetof(struct task_struct, bpf_ctx));
2491 *insn++ = BPF_RAW_INSN(BPF_CLASS(si->code) | BPF_MEM |
2492 BPF_FIELD_SIZEOF(struct bpf_cg_run_ctx, retval),
2494 offsetof(struct bpf_cg_run_ctx, retval),
2496 *insn++ = BPF_LDX_MEM(BPF_DW, treg, si->dst_reg,
2497 offsetof(struct bpf_sockopt_kern, tmp_reg));
2499 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct bpf_sockopt_kern, current_task),
2500 si->dst_reg, si->src_reg,
2501 offsetof(struct bpf_sockopt_kern, current_task));
2502 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct task_struct, bpf_ctx),
2503 si->dst_reg, si->dst_reg,
2504 offsetof(struct task_struct, bpf_ctx));
2505 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct bpf_cg_run_ctx, retval),
2506 si->dst_reg, si->dst_reg,
2507 offsetof(struct bpf_cg_run_ctx, retval));
2510 case offsetof(struct bpf_sockopt, optval):
2511 *insn++ = CG_SOCKOPT_READ_FIELD(optval);
2513 case offsetof(struct bpf_sockopt, optval_end):
2514 *insn++ = CG_SOCKOPT_READ_FIELD(optval_end);
2518 return insn - insn_buf;
2521 static int cg_sockopt_get_prologue(struct bpf_insn *insn_buf,
2523 const struct bpf_prog *prog)
2525 /* Nothing to do for sockopt argument. The data is kzalloc'ated.
2530 const struct bpf_verifier_ops cg_sockopt_verifier_ops = {
2531 .get_func_proto = cg_sockopt_func_proto,
2532 .is_valid_access = cg_sockopt_is_valid_access,
2533 .convert_ctx_access = cg_sockopt_convert_ctx_access,
2534 .gen_prologue = cg_sockopt_get_prologue,
2537 const struct bpf_prog_ops cg_sockopt_prog_ops = {
2540 /* Common helpers for cgroup hooks. */
2541 const struct bpf_func_proto *
2542 cgroup_common_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
2545 case BPF_FUNC_get_local_storage:
2546 return &bpf_get_local_storage_proto;
2547 case BPF_FUNC_get_retval:
2548 switch (prog->expected_attach_type) {
2549 case BPF_CGROUP_INET_INGRESS:
2550 case BPF_CGROUP_INET_EGRESS:
2551 case BPF_CGROUP_SOCK_OPS:
2552 case BPF_CGROUP_UDP4_RECVMSG:
2553 case BPF_CGROUP_UDP6_RECVMSG:
2554 case BPF_CGROUP_UNIX_RECVMSG:
2555 case BPF_CGROUP_INET4_GETPEERNAME:
2556 case BPF_CGROUP_INET6_GETPEERNAME:
2557 case BPF_CGROUP_UNIX_GETPEERNAME:
2558 case BPF_CGROUP_INET4_GETSOCKNAME:
2559 case BPF_CGROUP_INET6_GETSOCKNAME:
2560 case BPF_CGROUP_UNIX_GETSOCKNAME:
2563 return &bpf_get_retval_proto;
2565 case BPF_FUNC_set_retval:
2566 switch (prog->expected_attach_type) {
2567 case BPF_CGROUP_INET_INGRESS:
2568 case BPF_CGROUP_INET_EGRESS:
2569 case BPF_CGROUP_SOCK_OPS:
2570 case BPF_CGROUP_UDP4_RECVMSG:
2571 case BPF_CGROUP_UDP6_RECVMSG:
2572 case BPF_CGROUP_UNIX_RECVMSG:
2573 case BPF_CGROUP_INET4_GETPEERNAME:
2574 case BPF_CGROUP_INET6_GETPEERNAME:
2575 case BPF_CGROUP_UNIX_GETPEERNAME:
2576 case BPF_CGROUP_INET4_GETSOCKNAME:
2577 case BPF_CGROUP_INET6_GETSOCKNAME:
2578 case BPF_CGROUP_UNIX_GETSOCKNAME:
2581 return &bpf_set_retval_proto;
2588 /* Common helpers for cgroup hooks with valid process context. */
2589 const struct bpf_func_proto *
2590 cgroup_current_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
2593 case BPF_FUNC_get_current_uid_gid:
2594 return &bpf_get_current_uid_gid_proto;
2595 case BPF_FUNC_get_current_comm:
2596 return &bpf_get_current_comm_proto;
2597 #ifdef CONFIG_CGROUP_NET_CLASSID
2598 case BPF_FUNC_get_cgroup_classid:
2599 return &bpf_get_cgroup_classid_curr_proto;
2601 case BPF_FUNC_current_task_under_cgroup:
2602 return &bpf_current_task_under_cgroup_proto;
projects / J-linux.git / blob