Git Repo - linux.git/commit - kernel/bpf/verifier.c

author	Roman Gushchin <[email protected]>
	Sun, 5 Nov 2017 13:15:32 +0000 (08:15 -0500)
committer	David S. Miller <[email protected]>
	Sun, 5 Nov 2017 14:26:51 +0000 (23:26 +0900)
commit	ebc614f687369f9df99828572b1d85a7c2de3d92
tree	bfcaecb3636c2ef3fd31da33138fe72db50663f2	tree \| snapshot
parent	ecf8fecb7828648cba0e42de7464a7e600c93459	commit \| diff

bpf, cgroup: implement eBPF-based device controller for cgroup v2

Cgroup v2 lacks the device controller, provided by cgroup v1.
This patch adds a new eBPF program type, which in combination
of previously added ability to attach multiple eBPF programs
to a cgroup, will provide a similar functionality, but with some
additional flexibility.

This patch introduces a BPF_PROG_TYPE_CGROUP_DEVICE program type.
A program takes major and minor device numbers, device type
(block/character) and access type (mknod/read/write) as parameters
and returns an integer which defines if the operation should be
allowed or terminated with -EPERM.

Signed-off-by: Roman Gushchin <[email protected]>
Acked-by: Alexei Starovoitov <[email protected]>
Acked-by: Tejun Heo <[email protected]>
Cc: Daniel Borkmann <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

include/linux/bpf-cgroup.h		diff \| blob \| blame \| history
include/linux/bpf_types.h		diff \| blob \| blame \| history
include/linux/device_cgroup.h		diff \| blob \| blame \| history
include/uapi/linux/bpf.h		diff \| blob \| blame \| history
kernel/bpf/cgroup.c		diff \| blob \| blame \| history
kernel/bpf/syscall.c		diff \| blob \| blame \| history
kernel/bpf/verifier.c		diff \| blob \| blame \| history
tools/include/uapi/linux/bpf.h		diff \| blob \| blame \| history