mirror of
https://github.com/lkl/linux.git
synced 2025-12-19 16:13:19 +09:00
69fd337a97
Allow attaching to lsm hooks in the cgroup context. Attaching to per-cgroup LSM works exactly like attaching to other per-cgroup hooks. New BPF_LSM_CGROUP is added to trigger new mode; the actual lsm hook we attach to is signaled via existing attach_btf_id. For the hooks that have 'struct socket' or 'struct sock' as its first argument, we use the cgroup associated with that socket. For the rest, we use 'current' cgroup (this is all on default hierarchy == v2 only). Note that for some hooks that work on 'struct sock' we still take the cgroup from 'current' because some of them work on the socket that hasn't been properly initialized yet. Behind the scenes, we allocate a shim program that is attached to the trampoline and runs cgroup effective BPF programs array. This shim has some rudimentary ref counting and can be shared between several programs attaching to the same lsm hook from different cgroups. Note that this patch bloats cgroup size because we add 211 cgroup_bpf_attach_type(s) for simplicity sake. This will be addressed in the subsequent patch. Also note that we only add non-sleepable flavor for now. To enable sleepable use-cases, bpf_prog_run_array_cg has to grab trace rcu, shim programs have to be freed via trace rcu, cgroup_bpf.effective should be also trace-rcu-managed + maybe some other changes that I'm not aware of. Reviewed-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: Stanislav Fomichev <sdf@google.com> Link: https://lore.kernel.org/r/20220628174314.1216643-4-sdf@google.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
79 lines
1.9 KiB
C
79 lines
1.9 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _BPF_CGROUP_DEFS_H
|
|
#define _BPF_CGROUP_DEFS_H
|
|
|
|
#ifdef CONFIG_CGROUP_BPF
|
|
|
|
#include <linux/list.h>
|
|
#include <linux/percpu-refcount.h>
|
|
#include <linux/workqueue.h>
|
|
|
|
struct bpf_prog_array;
|
|
|
|
#ifdef CONFIG_BPF_LSM
|
|
#define CGROUP_LSM_NUM 211 /* will be addressed in the next patch */
|
|
#else
|
|
#define CGROUP_LSM_NUM 0
|
|
#endif
|
|
|
|
enum cgroup_bpf_attach_type {
|
|
CGROUP_BPF_ATTACH_TYPE_INVALID = -1,
|
|
CGROUP_INET_INGRESS = 0,
|
|
CGROUP_INET_EGRESS,
|
|
CGROUP_INET_SOCK_CREATE,
|
|
CGROUP_SOCK_OPS,
|
|
CGROUP_DEVICE,
|
|
CGROUP_INET4_BIND,
|
|
CGROUP_INET6_BIND,
|
|
CGROUP_INET4_CONNECT,
|
|
CGROUP_INET6_CONNECT,
|
|
CGROUP_INET4_POST_BIND,
|
|
CGROUP_INET6_POST_BIND,
|
|
CGROUP_UDP4_SENDMSG,
|
|
CGROUP_UDP6_SENDMSG,
|
|
CGROUP_SYSCTL,
|
|
CGROUP_UDP4_RECVMSG,
|
|
CGROUP_UDP6_RECVMSG,
|
|
CGROUP_GETSOCKOPT,
|
|
CGROUP_SETSOCKOPT,
|
|
CGROUP_INET4_GETPEERNAME,
|
|
CGROUP_INET6_GETPEERNAME,
|
|
CGROUP_INET4_GETSOCKNAME,
|
|
CGROUP_INET6_GETSOCKNAME,
|
|
CGROUP_INET_SOCK_RELEASE,
|
|
CGROUP_LSM_START,
|
|
CGROUP_LSM_END = CGROUP_LSM_START + CGROUP_LSM_NUM - 1,
|
|
MAX_CGROUP_BPF_ATTACH_TYPE
|
|
};
|
|
|
|
struct cgroup_bpf {
|
|
/* array of effective progs in this cgroup */
|
|
struct bpf_prog_array __rcu *effective[MAX_CGROUP_BPF_ATTACH_TYPE];
|
|
|
|
/* attached progs to this cgroup and attach flags
|
|
* when flags == 0 or BPF_F_ALLOW_OVERRIDE the progs list will
|
|
* have either zero or one element
|
|
* when BPF_F_ALLOW_MULTI the list can have up to BPF_CGROUP_MAX_PROGS
|
|
*/
|
|
struct hlist_head progs[MAX_CGROUP_BPF_ATTACH_TYPE];
|
|
u8 flags[MAX_CGROUP_BPF_ATTACH_TYPE];
|
|
|
|
/* list of cgroup shared storages */
|
|
struct list_head storages;
|
|
|
|
/* temp storage for effective prog array used by prog_attach/detach */
|
|
struct bpf_prog_array *inactive;
|
|
|
|
/* reference counter used to detach bpf programs after cgroup removal */
|
|
struct percpu_ref refcnt;
|
|
|
|
/* cgroup_bpf is released using a work queue */
|
|
struct work_struct release_work;
|
|
};
|
|
|
|
#else /* CONFIG_CGROUP_BPF */
|
|
struct cgroup_bpf {};
|
|
#endif /* CONFIG_CGROUP_BPF */
|
|
|
|
#endif
|