Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    1) // SPDX-License-Identifier: GPL-2.0-only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    3)  * Functions to manage eBPF programs attached to cgroups
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    4)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    5)  * Copyright (c) 2016 Daniel Mack
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    6)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    7) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    8) #include <linux/kernel.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    9) #include <linux/atomic.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   10) #include <linux/cgroup.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   11) #include <linux/filter.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   12) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   13) #include <linux/sysctl.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   14) #include <linux/string.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   15) #include <linux/bpf.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   16) #include <linux/bpf-cgroup.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   17) #include <net/sock.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   18) #include <net/bpf_sk_storage.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   19) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   20) #include "../cgroup/cgroup-internal.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   21) 
/*
 * Static key, initially false, exported so that code outside this file can
 * reference it.  cgroup_bpf_release() below decrements it once for every
 * bpf_prog_list entry it frees.
 * NOTE(review): the matching increment is presumably in the attach path,
 * which is not fully visible here -- confirm.
 */
DEFINE_STATIC_KEY_FALSE(cgroup_bpf_enabled_key);
EXPORT_SYMBOL(cgroup_bpf_enabled_key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   24) 
/**
 * cgroup_bpf_offline() - start tearing down the bpf state of a cgroup
 * @cgrp: the cgroup whose bpf refcount is killed
 *
 * Takes a cgroup reference and kills the bpf percpu refcount.
 * cgroup_bpf_inherit() registers cgroup_bpf_release_fn() as that refcount's
 * release callback; it queues cgroup_bpf_release(), whose final
 * cgroup_put() drops the reference taken here.
 */
void cgroup_bpf_offline(struct cgroup *cgrp)
{
	/* keep the cgroup alive until the deferred release work has run */
	cgroup_get(cgrp);
	percpu_ref_kill(&cgrp->bpf.refcnt);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   30) 
/*
 * Free the slot of every cgroup storage type in @storages.
 *
 * bpf_cgroup_storages_alloc() calls this on its error path with an array
 * that can still hold unset slots, so bpf_cgroup_storage_free() is
 * presumably expected to tolerate NULL -- confirm in its definition.
 */
static void bpf_cgroup_storages_free(struct bpf_cgroup_storage *storages[])
{
	enum bpf_cgroup_storage_type kind;

	for_each_cgroup_storage_type(kind) {
		struct bpf_cgroup_storage *slot = storages[kind];

		bpf_cgroup_storage_free(slot);
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   38) 
/*
 * Fill @storages with one storage per cgroup storage type used by @prog,
 * reusing an existing storage for (@cgrp, @type) when the lookup finds one
 * and allocating otherwise.  Only freshly allocated storages are recorded
 * in @new_storages, so the caller can tell what it owns.
 *
 * Returns 0 on success.  On allocation failure every entry of
 * @new_storages is freed and -ENOMEM is returned, whatever error the
 * allocator reported.  In that case the failing slot of @storages still
 * holds the ERR_PTR value and earlier slots still point at storages that
 * were just freed, so the caller must not touch @storages after an error.
 */
static int bpf_cgroup_storages_alloc(struct bpf_cgroup_storage *storages[],
				     struct bpf_cgroup_storage *new_storages[],
				     enum bpf_attach_type type,
				     struct bpf_prog *prog,
				     struct cgroup *cgrp)
{
	struct bpf_cgroup_storage_key lookup_key;
	enum bpf_cgroup_storage_type kind;

	lookup_key.cgroup_inode_id = cgroup_id(cgrp);
	lookup_key.attach_type = type;

	for_each_cgroup_storage_type(kind) {
		struct bpf_map *storage_map = prog->aux->cgroup_storage[kind];

		/* the program does not use this storage type */
		if (!storage_map)
			continue;

		storages[kind] = cgroup_storage_lookup((void *)storage_map,
						       &lookup_key, false);
		if (!storages[kind]) {
			/* nothing to reuse: allocate and remember it as new */
			storages[kind] = bpf_cgroup_storage_alloc(prog, kind);
			if (IS_ERR(storages[kind])) {
				bpf_cgroup_storages_free(new_storages);
				return -ENOMEM;
			}

			new_storages[kind] = storages[kind];
		}
	}

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   72) 
/*
 * Copy the storage pointer of every cgroup storage type from @src to @dst.
 * Only the pointers are copied; no reference is taken on the storages here.
 */
static void bpf_cgroup_storages_assign(struct bpf_cgroup_storage *dst[],
				       struct bpf_cgroup_storage *src[])
{
	enum bpf_cgroup_storage_type kind;

	for_each_cgroup_storage_type(kind) {
		struct bpf_cgroup_storage *slot = src[kind];

		dst[kind] = slot;
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   81) 
/*
 * Call bpf_cgroup_storage_link() on the slot of every cgroup storage type
 * in @storages, for @cgrp and @attach_type.  Slots are passed as they are,
 * including unset ones.
 */
static void bpf_cgroup_storages_link(struct bpf_cgroup_storage *storages[],
				     struct cgroup *cgrp,
				     enum bpf_attach_type attach_type)
{
	enum bpf_cgroup_storage_type kind;

	for_each_cgroup_storage_type(kind) {
		struct bpf_cgroup_storage *slot = storages[kind];

		bpf_cgroup_storage_link(slot, cgrp, attach_type);
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   91) 
/* Called when bpf_cgroup_link is auto-detached from dying cgroup.
 * It drops the link's cgroup reference and clears link->cgroup. It
 * doesn't free link memory, which will eventually be done by bpf_link's
 * release() callback, when its last FD is closed.
 *
 * NOTE(review): no bpf_prog reference is dropped here. The cleared
 * link->cgroup is presumably what marks the link as defunct for later
 * operations on it -- confirm against the link's detach/release paths.
 */
static void bpf_cgroup_link_auto_detach(struct bpf_cgroup_link *link)
{
	cgroup_put(link->cgroup);
	/* clear the pointer so the reference just dropped cannot be reused */
	link->cgroup = NULL;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  102) 
/**
 * cgroup_bpf_release() - put references of all bpf programs and
 *                        release all cgroup bpf data
 * @work: work structure embedded into the cgroup to modify
 *
 * Queued by cgroup_bpf_release_fn().  The per-type program lists, the
 * effective arrays and the storage list are torn down under cgroup_mutex;
 * the references on the ancestors and on the cgroup itself are dropped
 * after the mutex has been released.
 */
static void cgroup_bpf_release(struct work_struct *work)
{
	struct cgroup *p, *cgrp = container_of(work, struct cgroup,
					       bpf.release_work);
	struct bpf_prog_array *old_array;
	struct list_head *storages = &cgrp->bpf.storages;
	struct bpf_cgroup_storage *storage, *stmp;

	unsigned int type;

	mutex_lock(&cgroup_mutex);

	for (type = 0; type < ARRAY_SIZE(cgrp->bpf.progs); type++) {
		struct list_head *progs = &cgrp->bpf.progs[type];
		struct bpf_prog_list *pl, *pltmp;

		/* _safe iteration: each entry is unlinked and freed in the loop */
		list_for_each_entry_safe(pl, pltmp, progs, node) {
			list_del(&pl->node);
			/* directly attached program: drop the list's reference */
			if (pl->prog)
				bpf_prog_put(pl->prog);
			/* link-based entry: only the link's cgroup ref is dropped */
			if (pl->link)
				bpf_cgroup_link_auto_detach(pl->link);
			kfree(pl);
			/* one decrement of the static key per entry freed */
			static_branch_dec(&cgroup_bpf_enabled_key);
		}
		old_array = rcu_dereference_protected(
				cgrp->bpf.effective[type],
				lockdep_is_held(&cgroup_mutex));
		/* NOTE(review): effective[type] is left pointing at the array
		 * being freed; presumably safe because nothing runs programs
		 * for this cgroup once its bpf refcount has dropped to zero
		 * -- confirm.
		 */
		bpf_prog_array_free(old_array);
	}

	/* storages are unlinked before being freed */
	list_for_each_entry_safe(storage, stmp, storages, list_cg) {
		bpf_cgroup_storage_unlink(storage);
		bpf_cgroup_storage_free(storage);
	}

	mutex_unlock(&cgroup_mutex);

	/* pairs with the cgroup_bpf_get() loop in cgroup_bpf_inherit() */
	for (p = cgroup_parent(cgrp); p; p = cgroup_parent(p))
		cgroup_bpf_put(p);

	percpu_ref_exit(&cgrp->bpf.refcnt);
	/* pairs with cgroup_get() in cgroup_bpf_offline() */
	cgroup_put(cgrp);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  152) 
/**
 * cgroup_bpf_release_fn() - callback used to schedule releasing
 *                           of bpf cgroup data
 * @ref: percpu ref counter structure
 *
 * Registered as the release callback of cgrp->bpf.refcnt by
 * cgroup_bpf_inherit().  It does no teardown itself; it only queues
 * cgroup_bpf_release() as a work item.
 */
static void cgroup_bpf_release_fn(struct percpu_ref *ref)
{
	struct cgroup *cgrp = container_of(ref, struct cgroup, bpf.refcnt);

	INIT_WORK(&cgrp->bpf.release_work, cgroup_bpf_release);
	/* NOTE(review): the work runs on the shared system_wq and
	 * cgroup_bpf_release() blocks on cgroup_mutex, so many cgroups
	 * dying at once can tie up shared workers while they wait for that
	 * mutex.  Consider whether a dedicated workqueue is warranted.
	 */
	queue_work(system_wq, &cgrp->bpf.release_work);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  165) 
/* Return the bpf_prog behind a bpf_prog_list entry: the directly attached
 * program if there is one, otherwise the program of the entry's link, or
 * NULL when the entry has neither.
 */
static struct bpf_prog *prog_list_prog(struct bpf_prog_list *pl)
{
	struct bpf_cgroup_link *cg_link = pl->link;

	if (pl->prog)
		return pl->prog;

	return cg_link ? cg_link->link.prog : NULL;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  177) 
/* Count the entries of the list that actually carry a program (directly or
 * through a link); entries with neither are not counted.
 * This is a linear walk, but the list cannot be long.
 */
static u32 prog_list_length(struct list_head *head)
{
	struct bpf_prog_list *entry;
	u32 nr = 0;

	list_for_each_entry(entry, head, node)
		nr += prog_list_prog(entry) ? 1 : 0;

	return nr;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  193) 
/* Decide whether the ancestors of @cgrp permit attaching a program of
 * @type to it.  The walk goes from the parent towards the root and stops
 * at the first ancestor that settles the question:
 *  - an ancestor in multi-prog mode allows the attach;
 *  - an ancestor with one program attached allows it only if that program
 *    is overridable.
 * A root cgroup, or a hierarchy in which no ancestor has a program
 * attached, allows the attach.
 */
static bool hierarchy_allows_attach(struct cgroup *cgrp,
				    enum bpf_attach_type type)
{
	struct cgroup *ancestor;

	for (ancestor = cgroup_parent(cgrp); ancestor;
	     ancestor = cgroup_parent(ancestor)) {
		u32 flags = ancestor->bpf.flags[type];
		u32 nr;

		if (flags & BPF_F_ALLOW_MULTI)
			return true;

		nr = prog_list_length(&ancestor->bpf.progs[type]);
		/* without ALLOW_MULTI at most one program is expected */
		WARN_ON_ONCE(nr > 1);
		if (nr == 1)
			return (flags & BPF_F_ALLOW_OVERRIDE) != 0;
	}

	return true;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  220) 
/* compute a chain of effective programs for a given cgroup:
 * start from the list of programs in this cgroup and add
 * all parent programs.
 * Note that parent's F_ALLOW_OVERRIDE-type program is yielding
 * to programs in this cgroup
 *
 * On success the newly allocated array is stored in *@array and 0 is
 * returned; -ENOMEM is returned if the array cannot be allocated, and
 * *@array is then left untouched.
 *
 * The array is sized by the first walk and filled by the second, so both
 * walks must see the same lists and flags.
 * NOTE(review): presumably guaranteed by the caller holding cgroup_mutex
 * -- confirm at the call sites.
 */
static int compute_effective_progs(struct cgroup *cgrp,
				   enum bpf_attach_type type,
				   struct bpf_prog_array **array)
{
	struct bpf_prog_array_item *item;
	struct bpf_prog_array *progs;
	struct bpf_prog_list *pl;
	struct cgroup *p = cgrp;
	int cnt = 0;

	/* count number of effective programs by walking parents */
	do {
		/* once something has been counted, further levels contribute
		 * only if they are in multi-prog mode
		 */
		if (cnt == 0 || (p->bpf.flags[type] & BPF_F_ALLOW_MULTI))
			cnt += prog_list_length(&p->bpf.progs[type]);
		p = cgroup_parent(p);
	} while (p);

	progs = bpf_prog_array_alloc(cnt, GFP_KERNEL);
	if (!progs)
		return -ENOMEM;

	/* populate the array with effective progs */
	cnt = 0;
	p = cgrp;
	do {
		/* same predicate as the counting pass, negated; 'continue'
		 * in a do-while jumps to the loop condition, which is what
		 * moves p to its parent
		 */
		if (cnt > 0 && !(p->bpf.flags[type] & BPF_F_ALLOW_MULTI))
			continue;

		list_for_each_entry(pl, &p->bpf.progs[type], node) {
			/* skip entries without a program, as the count did */
			if (!prog_list_prog(pl))
				continue;

			item = &progs->items[cnt];
			item->prog = prog_list_prog(pl);
			bpf_cgroup_storages_assign(item->cgroup_storage,
						   pl->storage);
			cnt++;
		}
	} while ((p = cgroup_parent(p)));

	*array = progs;
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  270) 
/* Publish a new effective program array for @cgrp and @type and free the
 * array it replaces.
 *
 * Despite its name, @old_array holds the NEW array on entry; the variable
 * is then reused for the previous pointer returned by
 * rcu_replace_pointer().  cgroup_mutex must be held, as the lockdep
 * condition below states.
 */
static void activate_effective_progs(struct cgroup *cgrp,
				     enum bpf_attach_type type,
				     struct bpf_prog_array *old_array)
{
	old_array = rcu_replace_pointer(cgrp->bpf.effective[type], old_array,
					lockdep_is_held(&cgroup_mutex));
	/* free prog array after grace period, since __cgroup_bpf_run_*()
	 * might be still walking the array
	 */
	bpf_prog_array_free(old_array);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  282) 
/**
 * cgroup_bpf_inherit() - inherit effective programs from parent
 * @cgrp: the cgroup to modify
 *
 * Initialises the bpf refcount, the per-type program lists and the storage
 * list of @cgrp, takes a bpf reference on every ancestor, and installs one
 * effective array per attach type.  The arrays are all computed before any
 * of them is activated, so a failure leaves none installed.
 *
 * Return: 0 on success, the error from percpu_ref_init(), or -ENOMEM if an
 * effective array cannot be computed.
 */
int cgroup_bpf_inherit(struct cgroup *cgrp)
{
/* has to use macro instead of const int, since compiler thinks
 * that array below is variable length
 */
#define	NR ARRAY_SIZE(cgrp->bpf.effective)
	struct bpf_prog_array *arrays[NR] = {};
	struct cgroup *p;
	int ret, i;

	/* cgroup_bpf_release_fn() runs once the refcount drops to zero */
	ret = percpu_ref_init(&cgrp->bpf.refcnt, cgroup_bpf_release_fn, 0,
			      GFP_KERNEL);
	if (ret)
		return ret;

	/* dropped again in cgroup_bpf_release(), or in cleanup below */
	for (p = cgroup_parent(cgrp); p; p = cgroup_parent(p))
		cgroup_bpf_get(p);

	for (i = 0; i < NR; i++)
		INIT_LIST_HEAD(&cgrp->bpf.progs[i]);

	INIT_LIST_HEAD(&cgrp->bpf.storages);

	for (i = 0; i < NR; i++)
		if (compute_effective_progs(cgrp, i, &arrays[i]))
			goto cleanup;

	for (i = 0; i < NR; i++)
		activate_effective_progs(cgrp, i, arrays[i]);

	return 0;
cleanup:
	/* arrays[] was zero-initialised, so slots never computed are NULL.
	 * NOTE(review): relies on bpf_prog_array_free() accepting NULL
	 * -- confirm in its definition.
	 */
	for (i = 0; i < NR; i++)
		bpf_prog_array_free(arrays[i]);

	for (p = cgroup_parent(cgrp); p; p = cgroup_parent(p))
		cgroup_bpf_put(p);

	percpu_ref_exit(&cgrp->bpf.refcnt);

	return -ENOMEM;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  329) 
/* Recompute and install the effective program array of @type for @cgrp and
 * all of its descendants.
 *
 * The update is done in two passes: the first only stores new arrays in
 * desc->bpf.inactive, the second activates them.  An allocation failure in
 * the first pass therefore leaves every effective array as it was.
 *
 * Returns 0 on success or the error from compute_effective_progs().
 */
static int update_effective_progs(struct cgroup *cgrp,
				  enum bpf_attach_type type)
{
	struct cgroup_subsys_state *css;
	int err;

	/* allocate and recompute effective prog arrays */
	css_for_each_descendant_pre(css, &cgrp->self) {
		struct cgroup *desc = container_of(css, struct cgroup, self);

		/* bpf refcount already at zero: this descendant is skipped */
		if (percpu_ref_is_zero(&desc->bpf.refcnt))
			continue;

		err = compute_effective_progs(desc, type, &desc->bpf.inactive);
		if (err)
			goto cleanup;
	}

	/* all allocations were successful. Activate all prog arrays */
	css_for_each_descendant_pre(css, &cgrp->self) {
		struct cgroup *desc = container_of(css, struct cgroup, self);

		if (percpu_ref_is_zero(&desc->bpf.refcnt)) {
			/* the refcount reached zero after the first pass had
			 * computed an array for this descendant: drop the
			 * array instead of activating it
			 */
			if (unlikely(desc->bpf.inactive)) {
				bpf_prog_array_free(desc->bpf.inactive);
				desc->bpf.inactive = NULL;
			}
			continue;
		}

		activate_effective_progs(desc, type, desc->bpf.inactive);
		/* the array is now owned by desc->bpf.effective[type] */
		desc->bpf.inactive = NULL;
	}

	return 0;

cleanup:
	/* oom while computing effective. Free all computed effective arrays
	 * since they were not activated
	 */
	css_for_each_descendant_pre(css, &cgrp->self) {
		struct cgroup *desc = container_of(css, struct cgroup, self);

		/* also reached for descendants that got no array in the first
		 * pass.  NOTE(review): relies on bpf_prog_array_free()
		 * accepting NULL -- confirm in its definition.
		 */
		bpf_prog_array_free(desc->bpf.inactive);
		desc->bpf.inactive = NULL;
	}

	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  379) 
/* NOTE(review): not referenced in the part of the file shown here;
 * presumably the upper bound on the number of programs attached per cgroup
 * and attach type -- confirm at the use site.
 */
#define BPF_CGROUP_MAX_PROGS 64
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  381) 
/* Find the bpf_prog_list entry that an attach operation should reuse.
 *
 * Single-attach mode (@allow_multi false): the first entry of @progs, or
 * NULL if the list is empty.
 *
 * Multi-attach mode:
 *  - ERR_PTR(-EINVAL) if @prog is already on the list and is not the
 *    program being replaced, or if @link is already on the list;
 *  - with @replace_prog set, the entry holding it, or ERR_PTR(-ENOENT) if
 *    no entry does;
 *  - NULL otherwise, i.e. no existing entry is to be reused.
 */
static struct bpf_prog_list *find_attach_entry(struct list_head *progs,
					       struct bpf_prog *prog,
					       struct bpf_cgroup_link *link,
					       struct bpf_prog *replace_prog,
					       bool allow_multi)
{
	struct bpf_prog_list *entry;
	bool check_prog = prog && prog != replace_prog;

	/* single-attach case */
	if (!allow_multi)
		return list_empty(progs) ?
			NULL : list_first_entry(progs, typeof(*entry), node);

	list_for_each_entry(entry, progs, node) {
		/* disallow attaching the same prog twice */
		if (check_prog && entry->prog == prog)
			return ERR_PTR(-EINVAL);
		/* disallow attaching the same link twice */
		if (link && entry->link == link)
			return ERR_PTR(-EINVAL);
	}

	if (!replace_prog)
		return NULL;

	/* direct prog multi-attach w/ replacement case */
	list_for_each_entry(entry, progs, node) {
		if (entry->prog == replace_prog)
			return entry;
	}

	/* prog to replace not found for cgroup */
	return ERR_PTR(-ENOENT);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  419) 
/**
 * __cgroup_bpf_attach() - Attach the program or the link to a cgroup, and
 *                         propagate the change to descendants
 * @cgrp: The cgroup which descendants to traverse
 * @prog: A program to attach
 * @link: A link to attach
 * @replace_prog: Previously attached program to replace if BPF_F_REPLACE is set
 * @type: Type of attach operation
 * @flags: Option flags
 *
 * Exactly one of @prog or @link can be non-null.
 * Must be called with cgroup_mutex held.
 *
 * Return: 0 on success; -EINVAL for an inconsistent combination of @flags,
 * @prog, @link and @replace_prog; -EPERM when the hierarchy or the flags
 * already recorded for this cgroup forbid the attach; -E2BIG when the list
 * already holds BPF_CGROUP_MAX_PROGS entries; -ENOMEM on allocation failure;
 * otherwise the error reported by find_attach_entry() or
 * update_effective_progs().
 */
int __cgroup_bpf_attach(struct cgroup *cgrp,
			struct bpf_prog *prog, struct bpf_prog *replace_prog,
			struct bpf_cgroup_link *link,
			enum bpf_attach_type type, u32 flags)
{
	/* only the OVERRIDE/MULTI bits are remembered per cgroup and type */
	u32 saved_flags = (flags & (BPF_F_ALLOW_OVERRIDE | BPF_F_ALLOW_MULTI));
	/* NOTE(review): @type indexes bpf.progs[] and bpf.flags[] with no range
	 * check in this function; presumably validated by callers - confirm.
	 */
	struct list_head *progs = &cgrp->bpf.progs[type];
	struct bpf_prog *old_prog = NULL;
	struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {};
	struct bpf_cgroup_storage *new_storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {};
	struct bpf_prog_list *pl;
	int err;

	/* OVERRIDE and MULTI are mutually exclusive, and REPLACE is only
	 * accepted together with MULTI
	 */
	if (((flags & BPF_F_ALLOW_OVERRIDE) && (flags & BPF_F_ALLOW_MULTI)) ||
	    ((flags & BPF_F_REPLACE) && !(flags & BPF_F_ALLOW_MULTI)))
		/* invalid combination */
		return -EINVAL;
	if (link && (prog || replace_prog))
		/* only either link or prog/replace_prog can be specified */
		return -EINVAL;
	if (!!replace_prog != !!(flags & BPF_F_REPLACE))
		/* replace_prog implies BPF_F_REPLACE, and vice versa */
		return -EINVAL;

	/* policy gate: the cgroup hierarchy must permit attaching here */
	if (!hierarchy_allows_attach(cgrp, type))
		return -EPERM;

	if (!list_empty(progs) && cgrp->bpf.flags[type] != saved_flags)
		/* Disallow attaching non-overridable on top
		 * of existing overridable in this cgroup.
		 * Disallow attaching multi-prog if overridable or none
		 */
		return -EPERM;

	/* the cap is tested before the entry lookup, so it is applied to a
	 * replacement request as well as to a new entry
	 */
	if (prog_list_length(progs) >= BPF_CGROUP_MAX_PROGS)
		return -E2BIG;

	/* NULL means "add a new entry", a valid pointer means "reuse this
	 * entry", an ERR_PTR is passed straight back to the caller
	 */
	pl = find_attach_entry(progs, prog, link, replace_prog,
			       flags & BPF_F_ALLOW_MULTI);
	if (IS_ERR(pl))
		return PTR_ERR(pl);

	/* NOTE(review): when @prog is NULL this dereferences @link; nothing
	 * above rejects the case where both are NULL, so the "exactly one"
	 * rule in the header is a precondition the caller must meet.
	 */
	if (bpf_cgroup_storages_alloc(storage, new_storage, type,
				      prog ? : link->link.prog, cgrp))
		return -ENOMEM;

	if (pl) {
		/* reusing an entry: remember its program for rollback/put */
		old_prog = pl->prog;
	} else {
		pl = kmalloc(sizeof(*pl), GFP_KERNEL);
		if (!pl) {
			bpf_cgroup_storages_free(new_storage);
			return -ENOMEM;
		}
		list_add_tail(&pl->node, progs);
	}

	/* publish the new state in the list before recomputing effective progs */
	pl->prog = prog;
	pl->link = link;
	bpf_cgroup_storages_assign(pl->storage, storage);
	cgrp->bpf.flags[type] = saved_flags;

	err = update_effective_progs(cgrp, type);
	if (err)
		goto cleanup;

	/* a replaced program loses the reference held by the entry; otherwise
	 * the static key is bumped
	 */
	if (old_prog)
		bpf_prog_put(old_prog);
	else
		static_branch_inc(&cgroup_bpf_enabled_key);
	bpf_cgroup_storages_link(new_storage, cgrp, type);
	return 0;

cleanup:
	/* roll back: a reused entry gets its old program back, a freshly added
	 * entry is unlinked and freed.
	 * NOTE(review): pl->storage and cgrp->bpf.flags[type] were overwritten
	 * above and are not restored on this path - confirm that is harmless.
	 */
	if (old_prog) {
		pl->prog = old_prog;
		pl->link = NULL;
	}
	bpf_cgroup_storages_free(new_storage);
	if (!old_prog) {
		list_del(&pl->node);
		kfree(pl);
	}
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  518) 
/* Swap updated BPF program for given link in effective program arrays across
 * all descendant cgroups. This function is guaranteed to succeed.
 *
 * For every descendant of @cgrp (walked in pre-order) the slot of @link in
 * that descendant's effective array for @type is located by counting list
 * entries, then overwritten with link->link.prog. The effective array is read
 * with rcu_dereference_protected() against cgroup_mutex, so the caller is
 * expected to hold that mutex.
 */
static void replace_effective_prog(struct cgroup *cgrp,
				   enum bpf_attach_type type,
				   struct bpf_cgroup_link *link)
{
	struct bpf_prog_array_item *item;
	struct cgroup_subsys_state *css;
	struct bpf_prog_array *progs;
	struct bpf_prog_list *pl;
	struct list_head *head;
	struct cgroup *cg;
	int pos;

	css_for_each_descendant_pre(css, &cgrp->self) {
		struct cgroup *desc = container_of(css, struct cgroup, self);

		/* skip descendants whose bpf refcount has already hit zero */
		if (percpu_ref_is_zero(&desc->bpf.refcnt))
			continue;

		/* find position of link in effective progs array */
		/* walk from the descendant up through its parents; once at
		 * least one slot has been counted, ancestors without
		 * BPF_F_ALLOW_MULTI contribute nothing
		 */
		for (pos = 0, cg = desc; cg; cg = cgroup_parent(cg)) {
			if (pos && !(cg->bpf.flags[type] & BPF_F_ALLOW_MULTI))
				continue;

			head = &cg->bpf.progs[type];
			list_for_each_entry(pl, head, node) {
				/* entries without a program occupy no slot */
				if (!prog_list_prog(pl))
					continue;
				if (pl->link == link)
					goto found;
				pos++;
			}
		}
found:
		/* cg is NULL only if the walk passed the root without a match */
		BUG_ON(!cg);
		progs = rcu_dereference_protected(
				desc->bpf.effective[type],
				lockdep_is_held(&cgroup_mutex));
		/* NOTE(review): pos is not compared with the array length here;
		 * this presumably relies on the effective array having been
		 * built with the same walk order - confirm against the code
		 * that populates it.
		 */
		item = &progs->items[pos];
		/* single store, so a concurrent reader sees old or new prog */
		WRITE_ONCE(item->prog, link->link.prog);
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  563) 
/**
 * __cgroup_bpf_replace() - Replace link's program and propagate the change
 *                          to descendants
 * @cgrp: The cgroup which descendants to traverse
 * @link: A link for which to replace BPF program
 * @new_prog: The program to install in place of the link's current one
 *
 * Must be called with cgroup_mutex held.
 *
 * Return: 0 on success, -EINVAL when @new_prog has a different program type
 * than the link's current program, -ENOENT when @link is not on @cgrp's list
 * for the link's attach type.
 */
static int __cgroup_bpf_replace(struct cgroup *cgrp,
				struct bpf_cgroup_link *link,
				struct bpf_prog *new_prog)
{
	struct list_head *head = &cgrp->bpf.progs[link->type];
	struct bpf_prog_list *entry, *match = NULL;
	struct bpf_prog *prev;

	/* the replacement must be of the same program type */
	if (link->link.prog->type != new_prog->type)
		return -EINVAL;

	/* the link has to be attached to this cgroup for its attach type */
	list_for_each_entry(entry, head, node) {
		if (entry->link != link)
			continue;
		match = entry;
		break;
	}
	if (!match)
		return -ENOENT;

	/* swap the program in the link, refresh the effective arrays, and only
	 * then drop the reference on the program that was swapped out
	 */
	prev = xchg(&link->link.prog, new_prog);
	replace_effective_prog(cgrp, link->type, link);
	bpf_prog_put(prev);
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  599) 
/* Replace the program behind a cgroup link, taking cgroup_mutex around the
 * update.
 *
 * Returns -ENOLINK when the link no longer has a cgroup, -EPERM when
 * @old_prog is given and is not the program the link currently holds, and
 * otherwise the result of __cgroup_bpf_replace().
 */
static int cgroup_bpf_replace(struct bpf_link *link, struct bpf_prog *new_prog,
			      struct bpf_prog *old_prog)
{
	struct bpf_cgroup_link *cg_link =
		container_of(link, struct bpf_cgroup_link, link);
	int ret;

	mutex_lock(&cgroup_mutex);
	if (!cg_link->cgroup)
		/* link might have been auto-released by dying cgroup, so fail */
		ret = -ENOLINK;
	else if (old_prog && link->prog != old_prog)
		/* caller named an expected program and it does not match */
		ret = -EPERM;
	else
		ret = __cgroup_bpf_replace(cg_link->cgroup, cg_link, new_prog);
	mutex_unlock(&cgroup_mutex);

	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  623) 
/* Pick the list entry a detach request refers to.
 *
 * With @allow_multi set, the entry whose prog and link both equal the
 * arguments is returned; -EINVAL if neither was supplied, -ENOENT if nothing
 * matches. Without it, the first entry on @progs is returned regardless of
 * @prog and @link, or -ENOENT if the list is empty. Errors are encoded with
 * ERR_PTR().
 */
static struct bpf_prog_list *find_detach_entry(struct list_head *progs,
					       struct bpf_prog *prog,
					       struct bpf_cgroup_link *link,
					       bool allow_multi)
{
	struct bpf_prog_list *entry;

	if (allow_multi) {
		/* to detach MULTI prog the user has to specify valid FD
		 * of the program or link to be detached
		 */
		if (!prog && !link)
			return ERR_PTR(-EINVAL);

		/* find the prog or link and detach it */
		list_for_each_entry(entry, progs, node) {
			if (entry->prog == prog && entry->link == link)
				return entry;
		}
		return ERR_PTR(-ENOENT);
	}

	/* report error when trying to detach and nothing is attached */
	if (list_empty(progs))
		return ERR_PTR(-ENOENT);

	/* to maintain backward compatibility NONE and OVERRIDE cgroups
	 * allow detaching with invalid FD (prog==NULL) in legacy mode
	 */
	return list_first_entry(progs, typeof(*entry), node);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  655) 
/**
 * __cgroup_bpf_detach() - Detach the program or link from a cgroup, and
 *                         propagate the change to descendants
 * @cgrp: The cgroup which descendants to traverse
 * @prog: A program to detach or NULL
 * @link: A link to detach or NULL
 * @type: Type of detach operation
 *
 * At most one of @prog or @link can be non-NULL.
 * Must be called with cgroup_mutex held.
 *
 * Return: 0 on success, -EINVAL when both @prog and @link are given, otherwise
 * the error from find_detach_entry() or update_effective_progs().
 */
int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
			struct bpf_cgroup_link *link, enum bpf_attach_type type)
{
	struct list_head *head = &cgrp->bpf.progs[type];
	u32 attach_flags = cgrp->bpf.flags[type];
	struct bpf_prog_list *entry;
	struct bpf_prog *detached;
	int err;

	/* only one of prog or link can be specified */
	if (prog && link)
		return -EINVAL;

	entry = find_detach_entry(head, prog, link,
				  attach_flags & BPF_F_ALLOW_MULTI);
	if (IS_ERR(entry))
		return PTR_ERR(entry);

	/* mark it deleted, so it's ignored while recomputing effective */
	detached = entry->prog;
	entry->prog = NULL;
	entry->link = NULL;

	err = update_effective_progs(cgrp, type);
	if (err) {
		/* restore back prog or link.
		 * NOTE(review): the link restored is the @link argument, not a
		 * saved copy of the entry's previous link; the two are equal
		 * when the entry was matched on @link - confirm for the path
		 * where find_detach_entry() returns the first entry unmatched.
		 */
		entry->prog = detached;
		entry->link = link;
		return err;
	}

	/* now can actually delete it from this cgroup list */
	list_del(&entry->node);
	kfree(entry);

	/* last program was detached, reset flags to zero */
	if (list_empty(head))
		cgrp->bpf.flags[type] = 0;

	/* drop the reference the entry held, if it held a program directly */
	if (detached)
		bpf_prog_put(detached);
	static_branch_dec(&cgroup_bpf_enabled_key);
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  710) 
/* Report the attach flags, the program count and, when the caller supplied a
 * buffer, the program ids for one attach type of @cgrp.
 *
 * With BPF_F_QUERY_EFFECTIVE the effective array is reported, otherwise the
 * cgroup's own list. At most attr->query.prog_cnt ids are written to the user
 * buffer; if more programs exist, -ENOSPC is returned after the partial copy.
 * Returns -EFAULT when a copy to user memory fails.
 *
 * Must be called with cgroup_mutex held to avoid races.
 */
int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
		       union bpf_attr __user *uattr)
{
	const bool want_effective =
		attr->query.query_flags & BPF_F_QUERY_EFFECTIVE;
	/* NOTE(review): attach_type comes from the request and indexes the
	 * per-type arrays below with no range check in this function;
	 * presumably validated by the caller - confirm.
	 */
	enum bpf_attach_type type = attr->query.attach_type;
	__u32 __user *prog_ids = u64_to_user_ptr(attr->query.prog_ids);
	struct list_head *head = &cgrp->bpf.progs[type];
	u32 attach_flags = cgrp->bpf.flags[type];
	struct bpf_prog_array *effective;
	struct bpf_prog_list *entry;
	int total, ret = 0, copied = 0;
	u32 id;

	effective = rcu_dereference_protected(cgrp->bpf.effective[type],
					      lockdep_is_held(&cgroup_mutex));

	if (want_effective)
		total = bpf_prog_array_length(effective);
	else
		total = prog_list_length(head);

	/* flags and the full count are always reported back */
	if (copy_to_user(&uattr->query.attach_flags, &attach_flags,
			 sizeof(attach_flags)))
		return -EFAULT;
	if (copy_to_user(&uattr->query.prog_cnt, &total, sizeof(total)))
		return -EFAULT;

	/* return early if user requested only program count + flags */
	if (attr->query.prog_cnt == 0 || !prog_ids || !total)
		return 0;

	/* never write more ids than the caller said the buffer holds */
	if (attr->query.prog_cnt < total) {
		total = attr->query.prog_cnt;
		ret = -ENOSPC;
	}

	if (want_effective)
		return bpf_prog_array_copy_to_user(effective, prog_ids, total);

	list_for_each_entry(entry, head, node) {
		id = prog_list_prog(entry)->aux->id;
		if (copy_to_user(&prog_ids[copied], &id, sizeof(id)))
			return -EFAULT;
		if (++copied == total)
			break;
	}
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  761) 
/* Attach @prog to the cgroup named by attr->target_fd.
 *
 * When both BPF_F_ALLOW_MULTI and BPF_F_REPLACE are set, the program to be
 * replaced is looked up from attr->replace_bpf_fd and must be of type @ptype.
 * The references taken here on the cgroup and on the replaced program are
 * dropped before returning, whatever cgroup_bpf_attach() reports.
 */
int cgroup_bpf_prog_attach(const union bpf_attr *attr,
			   enum bpf_prog_type ptype, struct bpf_prog *prog)
{
	const u32 flags = attr->attach_flags;
	struct bpf_prog *to_replace = NULL;
	struct cgroup *target;
	int ret;

	target = cgroup_get_from_fd(attr->target_fd);
	if (IS_ERR(target))
		return PTR_ERR(target);

	if ((flags & BPF_F_ALLOW_MULTI) && (flags & BPF_F_REPLACE)) {
		to_replace = bpf_prog_get_type(attr->replace_bpf_fd, ptype);
		if (IS_ERR(to_replace)) {
			/* do not leak the cgroup reference on this exit */
			cgroup_put(target);
			return PTR_ERR(to_replace);
		}
	}

	ret = cgroup_bpf_attach(target, prog, to_replace, NULL,
				attr->attach_type, flags);

	if (to_replace)
		bpf_prog_put(to_replace);
	cgroup_put(target);
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  790) 
/* Detach a program from the cgroup named by attr->target_fd.
 *
 * A failure to resolve attr->attach_bpf_fd to a program of type @ptype is not
 * an error here: the detach is then requested with a NULL program, and
 * cgroup_bpf_detach() decides whether that is acceptable.
 */
int cgroup_bpf_prog_detach(const union bpf_attr *attr, enum bpf_prog_type ptype)
{
	struct cgroup *target;
	struct bpf_prog *match;
	int ret;

	target = cgroup_get_from_fd(attr->target_fd);
	if (IS_ERR(target))
		return PTR_ERR(target);

	match = bpf_prog_get_type(attr->attach_bpf_fd, ptype);
	if (IS_ERR(match))
		match = NULL;

	ret = cgroup_bpf_detach(target, match, attr->attach_type);

	/* release the references taken above */
	if (match)
		bpf_prog_put(match);
	cgroup_put(target);
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  812) 
/* Detach a cgroup link from its cgroup and drop the link's cgroup reference.
 *
 * cg_link->cgroup is tested once without the lock as a fast exit and again
 * after cgroup_mutex is taken, because it may have been cleared in between.
 * The pointer is cleared while the mutex is held; cgroup_put() runs after the
 * mutex has been released.
 */
static void bpf_cgroup_link_release(struct bpf_link *link)
{
	struct bpf_cgroup_link *cg_link =
		container_of(link, struct bpf_cgroup_link, link);
	struct cgroup *cg;

	/* link might have been auto-detached by dying cgroup already,
	 * in that case our work is done here
	 */
	if (!cg_link->cgroup)
		return;

	mutex_lock(&cgroup_mutex);

	/* re-check cgroup under lock again */
	if (!cg_link->cgroup) {
		mutex_unlock(&cgroup_mutex);
		return;
	}

	/* a detach failure is reported with a warning; release continues */
	WARN_ON(__cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link,
				    cg_link->type));

	/* keep the pointer for the put below, then mark the link as detached */
	cg = cg_link->cgroup;
	cg_link->cgroup = NULL;

	mutex_unlock(&cgroup_mutex);

	cgroup_put(cg);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  843) 
/* Free the bpf_cgroup_link that embeds @link. */
static void bpf_cgroup_link_dealloc(struct bpf_link *link)
{
	kfree(container_of(link, struct bpf_cgroup_link, link));
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  851) 
/* Detach callback: runs the same steps as bpf_cgroup_link_release() and
 * always reports success.
 */
static int bpf_cgroup_link_detach(struct bpf_link *link)
{
	bpf_cgroup_link_release(link);
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  858) 
/* Print the link's cgroup id and attach type to @seq.
 *
 * The cgroup id is read under cgroup_mutex and is reported as 0 when the link
 * has no cgroup.
 */
static void bpf_cgroup_link_show_fdinfo(const struct bpf_link *link,
					struct seq_file *seq)
{
	struct bpf_cgroup_link *cg_link;
	u64 id = 0;

	cg_link = container_of(link, struct bpf_cgroup_link, link);

	/* cg_link->cgroup may be cleared by a concurrent release */
	mutex_lock(&cgroup_mutex);
	if (cg_link->cgroup)
		id = cgroup_id(cg_link->cgroup);
	mutex_unlock(&cgroup_mutex);

	seq_printf(seq,
		   "cgroup_id:\t%llu\n"
		   "attach_type:\t%d\n",
		   id, cg_link->type);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  877) 
/* Fill the cgroup part of @info with the link's cgroup id and attach type.
 *
 * The cgroup id is read under cgroup_mutex and is reported as 0 when the link
 * has no cgroup. Always returns 0.
 */
static int bpf_cgroup_link_fill_link_info(const struct bpf_link *link,
					  struct bpf_link_info *info)
{
	struct bpf_cgroup_link *cg_link;
	u64 id = 0;

	cg_link = container_of(link, struct bpf_cgroup_link, link);

	/* cg_link->cgroup may be cleared by a concurrent release */
	mutex_lock(&cgroup_mutex);
	if (cg_link->cgroup)
		id = cgroup_id(cg_link->cgroup);
	mutex_unlock(&cgroup_mutex);

	info->cgroup.attach_type = cg_link->type;
	info->cgroup.cgroup_id = id;
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  894) 
/* Callback table installed on every cgroup link by bpf_link_init(). */
static const struct bpf_link_ops bpf_cgroup_link_lops = {
	/* introspection */
	.show_fdinfo = bpf_cgroup_link_show_fdinfo,
	.fill_link_info = bpf_cgroup_link_fill_link_info,
	/* program replacement */
	.update_prog = cgroup_bpf_replace,
	/* teardown */
	.detach = bpf_cgroup_link_detach,
	.release = bpf_cgroup_link_release,
	.dealloc = bpf_cgroup_link_dealloc,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  903) 
/*
 * Create a cgroup link for @prog and attach it to the cgroup named by
 * attr->link_create.target_fd.
 *
 * Returns the value of bpf_link_settle() on success, or a negative errno:
 * -EINVAL if any link_create flag is set, the error from
 * cgroup_get_from_fd(), -ENOMEM, or the error from bpf_link_prime() /
 * cgroup_bpf_attach().
 *
 * The cgroup reference taken by cgroup_get_from_fd() is dropped on every
 * error path; on success it is not dropped here and stays stored in
 * link->cgroup.
 *
 * NOTE(review): attach_type is copied from @attr without any check in this
 * function - presumably the caller has already validated it against the
 * program type; confirm at the call site.
 */
int cgroup_bpf_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
{
	struct bpf_link_primer primer;
	struct bpf_cgroup_link *cg_link;
	struct cgroup *cgrp;
	int err;

	/* No flags are accepted; reject set bits rather than ignore them. */
	if (attr->link_create.flags != 0)
		return -EINVAL;

	cgrp = cgroup_get_from_fd(attr->link_create.target_fd);
	if (IS_ERR(cgrp))
		return PTR_ERR(cgrp);

	cg_link = kzalloc(sizeof(*cg_link), GFP_USER);
	if (!cg_link) {
		err = -ENOMEM;
		goto out_put_cgroup;
	}

	bpf_link_init(&cg_link->link, BPF_LINK_TYPE_CGROUP,
		      &bpf_cgroup_link_lops, prog);
	cg_link->cgroup = cgrp;
	cg_link->type = attr->link_create.attach_type;

	err = bpf_link_prime(&cg_link->link, &primer);
	if (err) {
		/* Priming failed, so the link is still ours to free directly. */
		kfree(cg_link);
		goto out_put_cgroup;
	}

	err = cgroup_bpf_attach(cgrp, NULL, NULL, cg_link, cg_link->type,
				BPF_F_ALLOW_MULTI);
	if (err) {
		/*
		 * Once primed, the link is undone through the primer and not
		 * kfree()d here (presumably bpf_link_cleanup() ends up freeing
		 * it - confirm).
		 */
		bpf_link_cleanup(&primer);
		goto out_put_cgroup;
	}

	return bpf_link_settle(&primer);

out_put_cgroup:
	cgroup_put(cgrp);
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  947) 
/*
 * Resolve attr->query.target_fd to a cgroup, run cgroup_bpf_query() on it
 * and drop the cgroup reference again.
 *
 * Returns the error from cgroup_get_from_fd() if the fd does not resolve,
 * otherwise whatever cgroup_bpf_query() returned.
 */
int cgroup_bpf_prog_query(const union bpf_attr *attr,
			  union bpf_attr __user *uattr)
{
	struct cgroup *target;
	int err;

	target = cgroup_get_from_fd(attr->query.target_fd);
	if (IS_ERR(target))
		return PTR_ERR(target);

	err = cgroup_bpf_query(target, attr, uattr);
	cgroup_put(target);

	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  963) 
/**
 * __cgroup_bpf_run_filter_skb() - Run a program for packet filtering
 * @sk: The socket sending or receiving traffic
 * @skb: The skb that is being sent or received
 * @type: The type of program to be executed
 *
 * If no socket is passed, the socket is not a full socket (sk_fullsock()
 * is false), or the socket is not of type INET or INET6, this function
 * runs no program and returns 0, i.e. the packet is let through.
 *
 * The program type passed in via @type must be suitable for network
 * filtering. No further check is performed to assert that.
 *
 * For egress packets, this function can return:
 *   NET_XMIT_SUCCESS    (0)	- continue with packet output
 *   NET_XMIT_DROP       (1)	- drop packet and notify TCP to call cwr
 *   NET_XMIT_CN         (2)	- continue with packet output and notify TCP
 *				  to call cwr
 *   -EPERM			- drop packet
 *
 * For ingress packets, this function will return -EPERM if any
 * attached program was found and if it returned != 1 during execution.
 * Otherwise 0 is returned.
 */
int __cgroup_bpf_run_filter_skb(struct sock *sk,
				struct sk_buff *skb,
				enum bpf_attach_type type)
{
	unsigned int hdr_off = skb->data - skb_network_header(skb);
	struct sock *orig_sk;
	void *orig_data_end;
	struct cgroup *cgrp;
	int verdict;

	if (!sk || !sk_fullsock(sk))
		return 0;

	switch (sk->sk_family) {
	case AF_INET:
	case AF_INET6:
		break;
	default:
		return 0;
	}

	cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);

	/*
	 * For the duration of the run, make @sk the skb's socket and move
	 * skb->data back to the network header. Both are undone below, in
	 * reverse order.
	 */
	orig_sk = skb->sk;
	skb->sk = sk;
	__skb_push(skb, hdr_off);

	/* compute pointers for the bpf prog */
	bpf_compute_and_save_data_end(skb, &orig_data_end);

	if (type == BPF_CGROUP_INET_EGRESS) {
		verdict = BPF_PROG_CGROUP_INET_EGRESS_RUN_ARRAY(
			cgrp->bpf.effective[type], skb, __bpf_prog_run_save_cb);
	} else {
		verdict = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], skb,
					     __bpf_prog_run_save_cb);
		/* Only a result of exactly 1 lets the packet through. */
		if (verdict == 1)
			verdict = 0;
		else
			verdict = -EPERM;
	}

	bpf_restore_data_end(skb, orig_data_end);
	__skb_pull(skb, hdr_off);
	skb->sk = orig_sk;

	return verdict;
}
EXPORT_SYMBOL(__cgroup_bpf_run_filter_skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1026) 
/**
 * __cgroup_bpf_run_filter_sk() - Run a program on a sock
 * @sk: sock structure to manipulate
 * @type: The type of program to be executed
 *
 * The socket passed is expected to be of type INET or INET6; this function
 * does not check the family itself and dereferences @sk unconditionally.
 *
 * The program type passed in via @type must be suitable for sock
 * filtering. No further check is performed to assert that.
 *
 * This function will return %-EPERM if an attached program was found
 * and if it returned != 1 during execution. In all other cases, 0 is returned.
 */
int __cgroup_bpf_run_filter_sk(struct sock *sk,
			       enum bpf_attach_type type)
{
	struct cgroup *cgrp;
	int ret;

	cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
	ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], sk, BPF_PROG_RUN);

	/* Anything other than exactly 1 is treated as a denial. */
	if (ret != 1)
		return -EPERM;

	return 0;
}
EXPORT_SYMBOL(__cgroup_bpf_run_filter_sk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1050) 
/**
 * __cgroup_bpf_run_filter_sock_addr() - Run a program on a sock and
 *                                       provided by user sockaddr
 * @sk: sock struct that will use sockaddr
 * @uaddr: sockaddr struct provided by user, may be NULL
 * @type: The type of program to be executed
 * @t_ctx: Pointer to attach type specific context
 *
 * The socket is expected to be of type INET or INET6; for any other family
 * no program is run and 0 is returned.
 *
 * When @uaddr is NULL the programs are handed a zeroed sockaddr_storage
 * that lives on this function's stack instead of a NULL pointer.
 *
 * This function will return %-EPERM if an attached program is found and
 * returned value != 1 during execution. In all other cases, 0 is returned.
 */
int __cgroup_bpf_run_filter_sock_addr(struct sock *sk,
				      struct sockaddr *uaddr,
				      enum bpf_attach_type type,
				      void *t_ctx)
{
	struct bpf_sock_addr_kern ctx = {
		.sk = sk,
		.uaddr = uaddr,
		.t_ctx = t_ctx,
	};
	struct sockaddr_storage zero_addr;
	struct cgroup *cgrp;
	int ret;

	/* Check socket family since not all sockets represent network
	 * endpoint (e.g. AF_UNIX).
	 */
	if (!(sk->sk_family == AF_INET || sk->sk_family == AF_INET6))
		return 0;

	if (!uaddr) {
		memset(&zero_addr, 0, sizeof(zero_addr));
		ctx.uaddr = (struct sockaddr *)&zero_addr;
	}

	cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
	ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx, BPF_PROG_RUN);

	/* Anything other than exactly 1 is treated as a denial. */
	if (ret != 1)
		return -EPERM;

	return 0;
}
EXPORT_SYMBOL(__cgroup_bpf_run_filter_sock_addr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1095) 
/**
 * __cgroup_bpf_run_filter_sock_ops() - Run a program on a sock
 * @sk: socket to get cgroup from
 * @sock_ops: bpf_sock_ops_kern struct to pass to program. Contains
 * sk with connection information (IP addresses, etc.) May not contain
 * cgroup info if it is a req sock.
 * @type: The type of program to be executed
 *
 * The socket passed is expected to be of type INET or INET6; this function
 * does not check the family itself.
 *
 * The program type passed in via @type must be suitable for sock_ops
 * filtering. No further check is performed to assert that.
 *
 * This function will return %-EPERM if an attached program was found
 * and if it returned != 1 during execution. In all other cases, 0 is returned.
 */
int __cgroup_bpf_run_filter_sock_ops(struct sock *sk,
				     struct bpf_sock_ops_kern *sock_ops,
				     enum bpf_attach_type type)
{
	struct cgroup *cgrp;
	int ret;

	/* The cgroup comes from @sk, not from the sock inside @sock_ops. */
	cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
	ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], sock_ops,
				 BPF_PROG_RUN);

	/* Anything other than exactly 1 is treated as a denial. */
	if (ret != 1)
		return -EPERM;

	return 0;
}
EXPORT_SYMBOL(__cgroup_bpf_run_filter_sock_ops);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1124) 
/*
 * Run the programs of attach type @type for the cgroup returned by
 * task_dfl_cgroup(current) against a device access request.
 *
 * The context handed to the programs carries @major and @minor as given and
 * an access_type word with @access in the upper 16 bits and @dev_type in the
 * lower bits.
 *
 * Returns 0 when the program array result is non-zero (access allowed) and
 * 1 when it is zero (access denied). Note that a denial is reported as 1,
 * not as a negative errno.
 */
int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor,
				      short access, enum bpf_attach_type type)
{
	struct bpf_cgroup_dev_ctx ctx = {
		.access_type = (access << 16) | dev_type,
		.major = major,
		.minor = minor,
	};
	struct cgroup *cgrp;
	int allowed;

	/* The cgroup lookup and the program run share one RCU read section. */
	rcu_read_lock();
	cgrp = task_dfl_cgroup(current);
	allowed = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx,
				     BPF_PROG_RUN);
	rcu_read_unlock();

	return allowed ? 0 : 1;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1144) 
/*
 * Map a helper id to its prototype for cgroup programs.
 *
 * Four helpers are resolved here; every other id is passed on to
 * bpf_base_func_proto(), whose result is returned unchanged. @prog is not
 * used. This switch is therefore the place to look when reviewing which
 * extra helpers these programs are offered.
 */
static const struct bpf_func_proto *
cgroup_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
	const struct bpf_func_proto *proto;

	switch (func_id) {
	case BPF_FUNC_get_current_uid_gid:
		proto = &bpf_get_current_uid_gid_proto;
		break;
	case BPF_FUNC_get_local_storage:
		proto = &bpf_get_local_storage_proto;
		break;
	case BPF_FUNC_get_current_cgroup_id:
		proto = &bpf_get_current_cgroup_id_proto;
		break;
	case BPF_FUNC_perf_event_output:
		proto = &bpf_event_output_data_proto;
		break;
	default:
		proto = bpf_base_func_proto(func_id);
		break;
	}

	return proto;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1161) 
/*
 * get_func_proto hook for cgroup device programs: they get exactly the
 * helper set of cgroup_base_func_proto(), with nothing added.
 */
static const struct bpf_func_proto *
cgroup_dev_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
	const struct bpf_func_proto *proto = cgroup_base_func_proto(func_id, prog);

	return proto;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1167) 
/*
 * is_valid_access hook for struct bpf_cgroup_dev_ctx.
 *
 * Accepts a context access only if all of the following hold:
 *  - it is not a write (the context is read-only for the program);
 *  - [off, off + size) lies inside struct bpf_cgroup_dev_ctx;
 *  - off is a multiple of size;
 *  - for the access_type field, the access passes
 *    bpf_ctx_narrow_access_ok() against a __u32 field; for any other
 *    offset, the access is exactly sizeof(__u32) wide.
 *
 * @prog is not used. Returns true if the access is accepted.
 */
static bool cgroup_dev_is_valid_access(int off, int size,
				       enum bpf_access_type type,
				       const struct bpf_prog *prog,
				       struct bpf_insn_access_aux *info)
{
	const int field_size = sizeof(__u32);

	if (type == BPF_WRITE)
		return false;

	if (off < 0 || off + size > sizeof(struct bpf_cgroup_dev_ctx))
		return false;

	/* The verifier guarantees that size > 0. */
	if (off % size != 0)
		return false;

	switch (off) {
	case bpf_ctx_range(struct bpf_cgroup_dev_ctx, access_type):
		bpf_ctx_record_field_size(info, field_size);
		return bpf_ctx_narrow_access_ok(off, size, field_size);
	default:
		return size == field_size;
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1197) 
/* No program-level callbacks are set for cgroup device programs. */
const struct bpf_prog_ops cg_dev_prog_ops = {
};

/*
 * Verifier hooks for cgroup device programs: the context-access check and
 * the helper lookup.
 */
const struct bpf_verifier_ops cg_dev_verifier_ops = {
	.is_valid_access	= cgroup_dev_is_valid_access,
	.get_func_proto		= cgroup_dev_func_proto,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1205) 
/**
 * __cgroup_bpf_run_filter_sysctl - Run a program on sysctl
 *
 * @head: sysctl table header
 * @table: sysctl table
 * @write: sysctl is being read (= 0) or written (= 1)
 * @buf: pointer to buffer (in and out)
 * @pcount: value-result argument: value is size of buffer pointed to by @buf,
 *	result is size of the replacement buffer if program set new value,
 *	initial value otherwise
 * @ppos: value-result argument: value is position at which read from or write
 *	to sysctl is happening, result is new position if program overrode it,
 *	initial value otherwise
 * @type: type of program to be executed
 *
 * Program is run when sysctl is being accessed, either read or written, and
 * can allow or deny such access.
 *
 * Buffer ownership: when the access is allowed and the program replaced the
 * value, the old *@buf is freed and *@buf is pointed at a buffer allocated
 * here, which the caller then owns. In every other case *@buf and *@pcount
 * are left untouched and the buffers allocated here are freed before
 * returning.
 *
 * This function will return %-EPERM if an attached program is found and
 * returned value != 1 during execution. In all other cases 0 is returned.
 */
int __cgroup_bpf_run_filter_sysctl(struct ctl_table_header *head,
				   struct ctl_table *table, int write,
				   char **buf, size_t *pcount, loff_t *ppos,
				   enum bpf_attach_type type)
{
	struct bpf_sysctl_kern ctx = {
		.head = head,
		.table = table,
		.write = write,
		.ppos = ppos,
		.cur_val = NULL,
		.cur_len = PAGE_SIZE,
		.new_val = NULL,
		.new_len = 0,
		.new_updated = 0,
	};
	struct cgroup *cgrp;
	loff_t read_pos = 0;
	int ret;

	/*
	 * Read the current value into a PAGE_SIZE scratch buffer through the
	 * table's own handler. If the allocation or the read fails, the
	 * program still runs, with cur_len == 0.
	 */
	ctx.cur_val = kmalloc_track_caller(ctx.cur_len, GFP_KERNEL);
	if (!ctx.cur_val) {
		/* Let BPF program decide how to proceed. */
		ctx.cur_len = 0;
	} else if (table->proc_handler(table, 0, ctx.cur_val, &ctx.cur_len,
				       &read_pos)) {
		/* Let BPF program decide how to proceed. */
		ctx.cur_len = 0;
	}

	if (write && *buf && *pcount) {
		/* BPF program should be able to override new value with a
		 * buffer bigger than provided by user.
		 */
		ctx.new_val = kmalloc_track_caller(PAGE_SIZE, GFP_KERNEL);
		if (ctx.new_val) {
			/* Never copy more than the PAGE_SIZE just allocated. */
			ctx.new_len = min_t(size_t, PAGE_SIZE, *pcount);
			memcpy(ctx.new_val, *buf, ctx.new_len);
		} else {
			/* Let BPF program decide how to proceed. */
			ctx.new_len = 0;
		}
	}

	rcu_read_lock();
	cgrp = task_dfl_cgroup(current);
	ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx, BPF_PROG_RUN);
	rcu_read_unlock();

	kfree(ctx.cur_val);

	if (ret != 1) {
		/* Denied: drop any replacement value along with the request. */
		kfree(ctx.new_val);
		return -EPERM;
	}

	if (ctx.new_updated) {
		/* Hand the replacement buffer to the caller in place of *buf. */
		kfree(*buf);
		*buf = ctx.new_val;
		*pcount = ctx.new_len;
	} else {
		kfree(ctx.new_val);
	}

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1285) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1286) #ifdef CONFIG_NET
/*
 * Report whether @cgrp's effective program array for @attach_type is empty,
 * as judged by bpf_prog_array_is_empty().
 *
 * The array pointer is only dereferenced inside the RCU read section taken
 * here, so the answer is a snapshot that can be stale by the time the
 * caller acts on it.
 */
static bool __cgroup_bpf_prog_array_is_empty(struct cgroup *cgrp,
					     enum bpf_attach_type attach_type)
{
	bool is_empty;

	rcu_read_lock();
	is_empty = bpf_prog_array_is_empty(
			rcu_dereference(cgrp->bpf.effective[attach_type]));
	rcu_read_unlock();

	return is_empty;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1300) 
/*
 * Allocate the zero-filled optval buffer of @ctx and set ctx->optval_end to
 * the end of that allocation.
 *
 * @max_optlen is the requested size. A negative value is rejected with
 * -EINVAL, and a value above PAGE_SIZE is clamped to PAGE_SIZE, so at most
 * one page is allocated on behalf of a request.
 *
 * Returns the number of bytes allocated (possibly smaller than requested),
 * -EINVAL or -ENOMEM. The buffer is released with sockopt_free_buf().
 */
static int sockopt_alloc_buf(struct bpf_sockopt_kern *ctx, int max_optlen)
{
	int len = max_optlen;

	if (unlikely(len < 0))
		return -EINVAL;

	/* We don't expose optvals that are greater than PAGE_SIZE
	 * to the BPF program.
	 */
	if (unlikely(len > PAGE_SIZE))
		len = PAGE_SIZE;

	ctx->optval = kzalloc(len, GFP_USER);
	if (!ctx->optval)
		return -ENOMEM;

	ctx->optval_end = ctx->optval + len;

	return len;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1321) 
/* Release the buffer set up by sockopt_alloc_buf().
 *
 * ctx->optval is not reset afterwards, so @ctx must not be used to reach
 * the buffer once this has run.
 */
static void sockopt_free_buf(struct bpf_sockopt_kern *ctx)
{
	void *buf = ctx->optval;

	kfree(buf);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1326) 
/* Run the cgroup's BPF_CGROUP_SETSOCKOPT programs for a setsockopt() call.
 *
 * @sk:            socket the option is being set on
 * @level:         in/out option level; may be rewritten by the program
 * @optname:       in/out option name; may be rewritten by the program
 * @optval:        user-space pointer to the option value
 * @optlen:        in/out option length
 * @kernel_optval: out; set to a kernel buffer holding the program's
 *                 replacement value when the program supplied one
 *
 * Returns 0 when the kernel's own setsockopt handler should run, 1 when
 * the program asked to bypass it (optlen set to -1), or a negative errno:
 * -EPERM when the program array's result is 0, -EFAULT when the user copy
 * fails or the program left optlen outside [-1, buffer size].
 *
 * When 0 is returned with *kernel_optval set, the buffer is deliberately
 * not freed here, so releasing it is left to the caller (outside this
 * view).
 *
 * NOTE(review): a negative *optlen is not rejected in this function, and
 * it would make the min() passed to copy_from_user() negative. Presumably
 * the syscall entry path filters it out before this hook; confirm against
 * the caller.
 */
int __cgroup_bpf_run_filter_setsockopt(struct sock *sk, int *level,
				       int *optname, char __user *optval,
				       int *optlen, char **kernel_optval)
{
	struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
	struct bpf_sockopt_kern ctx = {
		.sk = sk,
		.level = *level,
		.optname = *optname,
	};
	int buf_len;
	int err;

	/* Opportunistic check to see whether we have any BPF program
	 * attached to the hook so we don't waste time allocating
	 * memory and locking the socket.
	 */
	if (!cgroup_bpf_enabled)
		return 0;
	if (__cgroup_bpf_prog_array_is_empty(cgrp, BPF_CGROUP_SETSOCKOPT))
		return 0;

	/* Allocate a bit more than the initial user buffer for
	 * BPF program. The canonical use case is overriding
	 * TCP_CONGESTION(nv) to TCP_CONGESTION(cubic).
	 * The value returned is the size really allocated, which
	 * sockopt_alloc_buf() caps at PAGE_SIZE.
	 */
	buf_len = sockopt_alloc_buf(&ctx, max_t(int, 16, *optlen));
	if (buf_len < 0)
		return buf_len;

	/* The program sees the caller's length even when it is larger
	 * than the buffer; only buf_len bytes of data are copied in.
	 */
	ctx.optlen = *optlen;

	if (copy_from_user(ctx.optval, optval, min(*optlen, buf_len))) {
		err = -EFAULT;
		goto out;
	}

	lock_sock(sk);
	err = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[BPF_CGROUP_SETSOCKOPT],
				 &ctx, BPF_PROG_RUN);
	release_sock(sk);

	if (!err) {
		err = -EPERM;
		goto out;
	}

	/* ctx.optlen may have been rewritten by the program, so it is
	 * validated again before anything derived from it is exported.
	 */
	if (ctx.optlen == -1) {
		/* optlen set to -1, bypass kernel */
		err = 1;
		goto out;
	}

	if (ctx.optlen > buf_len || ctx.optlen < -1) {
		/* optlen is out of bounds */
		err = -EFAULT;
		goto out;
	}

	/* optlen within bounds, run kernel handler;
	 * export any potential modifications
	 */
	*level = ctx.level;
	*optname = ctx.optname;
	err = 0;

	/* optlen == 0 from BPF indicates that we should
	 * use original userspace data.
	 */
	if (ctx.optlen == 0)
		goto out;

	*optlen = ctx.optlen;
	*kernel_optval = ctx.optval;
	/* export and don't free sockopt buf */
	return 0;

out:
	sockopt_free_buf(&ctx);
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1403) 
/* Run the cgroup's BPF_CGROUP_GETSOCKOPT programs after the kernel's
 * getsockopt handler has produced @retval.
 *
 * @sk:         socket being queried
 * @level:      option level
 * @optname:    option name
 * @optval:     user-space buffer holding (and receiving) the option value
 * @optlen:     user-space pointer to the option length
 * @max_optlen: length used to size the temporary kernel buffer; replaced
 *              below by the size really allocated (capped at PAGE_SIZE)
 * @retval:     result of the kernel handler
 *
 * Returns @retval unchanged when no program is attached; otherwise the
 * retval left in the context by the programs, or a negative errno
 * (-EPERM when the program array's result is 0, -EFAULT for a failed user
 * copy or for an optlen/retval the programs are not allowed to set).
 *
 * Both lengths that reach a user copy are untrusted: the one read back
 * from @optlen comes from user memory, and ctx.optlen after the run may
 * have been rewritten by a program. Each is checked against the allocated
 * size before the corresponding copy.
 */
int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
				       int optname, char __user *optval,
				       int __user *optlen, int max_optlen,
				       int retval)
{
	struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
	struct bpf_sockopt_kern ctx = {
		.sk = sk,
		.level = level,
		.optname = optname,
		.retval = retval,
	};
	int err;

	/* Opportunistic check to see whether we have any BPF program
	 * attached to the hook so we don't waste time allocating
	 * memory and locking the socket.
	 */
	if (!cgroup_bpf_enabled)
		return retval;
	if (__cgroup_bpf_prog_array_is_empty(cgrp, BPF_CGROUP_GETSOCKOPT))
		return retval;

	ctx.optlen = max_optlen;

	max_optlen = sockopt_alloc_buf(&ctx, max_optlen);
	if (max_optlen < 0)
		return max_optlen;

	if (!retval) {
		/* If kernel getsockopt finished successfully,
		 * copy whatever was returned to the user back
		 * into our temporary buffer. Set optlen to the
		 * one that kernel returned as well to let
		 * BPF programs inspect the value.
		 */
		if (get_user(ctx.optlen, optlen))
			goto fault;

		/* The length now comes from user memory; a negative
		 * value must not reach the size argument below.
		 */
		if (ctx.optlen < 0)
			goto fault;

		if (copy_from_user(ctx.optval, optval,
				   min(ctx.optlen, max_optlen)))
			goto fault;
	}

	lock_sock(sk);
	err = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[BPF_CGROUP_GETSOCKOPT],
				 &ctx, BPF_PROG_RUN);
	release_sock(sk);

	if (!err) {
		err = -EPERM;
		goto out;
	}

	/* Bound the length before it is used for copy_to_user(), so no
	 * more than the allocated buffer can be copied out.
	 */
	if (ctx.optlen > max_optlen || ctx.optlen < 0)
		goto fault;

	/* BPF programs only allowed to set retval to 0, not some
	 * arbitrary value.
	 */
	if (ctx.retval != 0 && ctx.retval != retval)
		goto fault;

	if (ctx.optlen != 0 &&
	    (copy_to_user(optval, ctx.optval, ctx.optlen) ||
	     put_user(ctx.optlen, optlen)))
		goto fault;

	err = ctx.retval;
	goto out;

fault:
	err = -EFAULT;
out:
	sockopt_free_buf(&ctx);
	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1494) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1495) 
/* Write the path of sysctl directory @dir into a caller-supplied buffer.
 *
 * @dir:  directory whose path is written; its parents are written first
 *        by recursion
 * @bufp: in/out write cursor, advanced past what was written
 * @lenp: in/out space remaining, reduced by what was written
 *
 * Each component is followed by "/", except that no separator is emitted
 * while nothing has been written yet, which avoids a leading slash. Every
 * write goes through strscpy() with the remaining length, so the output
 * stays inside the buffer and a negative return from strscpy() is passed
 * straight back to the caller.
 *
 * Returns the number of characters written so far (terminating NUL not
 * counted), or a negative error.
 */
static ssize_t sysctl_cpy_dir(const struct ctl_dir *dir, char **bufp,
			      size_t *lenp)
{
	ssize_t parent_len = 0;
	ssize_t name_len;
	ssize_t sep_len;
	ssize_t total;

	if (dir->header.parent) {
		parent_len = sysctl_cpy_dir(dir->header.parent, bufp, lenp);
		if (parent_len < 0)
			return parent_len;
	}

	name_len = strscpy(*bufp, dir->header.ctl_table[0].procname, *lenp);
	if (name_len < 0)
		return name_len;
	*bufp += name_len;
	*lenp -= name_len;

	total = parent_len + name_len;

	/* Avoid leading slash. */
	if (total == 0)
		return 0;

	sep_len = strscpy(*bufp, "/", *lenp);
	if (sep_len < 0)
		return sep_len;
	*bufp += sep_len;
	*lenp -= sep_len;

	return total + sep_len;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1526) 
/* BPF helper: copy the name of the sysctl being accessed into @buf.
 *
 * With BPF_F_SYSCTL_BASE_NAME set in @flags only the entry's own name is
 * written; otherwise the directory path from sysctl_cpy_dir() is written
 * first. All writes are bounded by @buf_len through strscpy().
 *
 * Returns the number of characters written, -EINVAL when @buf is NULL or
 * the full path is requested but ctx->head is missing, or the negative
 * error from the copy helpers.
 */
BPF_CALL_4(bpf_sysctl_get_name, struct bpf_sysctl_kern *, ctx, char *, buf,
	   size_t, buf_len, u64, flags)
{
	ssize_t dir_len = 0;
	ssize_t name_len;

	if (!buf)
		return -EINVAL;

	if (!(flags & BPF_F_SYSCTL_BASE_NAME)) {
		if (!ctx->head)
			return -EINVAL;
		/* buf and buf_len are advanced/reduced by the helper. */
		dir_len = sysctl_cpy_dir(ctx->head->parent, &buf, &buf_len);
		if (dir_len < 0)
			return dir_len;
	}

	name_len = strscpy(buf, ctx->table->procname, buf_len);
	if (name_len < 0)
		return name_len;

	return dir_len + name_len;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1547) 
/* Prototype the BPF verifier uses to type-check calls to
 * bpf_sysctl_get_name(): context pointer, memory buffer, its constant
 * size, and a flags word that is not constrained by type.
 */
static const struct bpf_func_proto bpf_sysctl_get_name_proto = {
	.func		= bpf_sysctl_get_name,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_CTX,
	/* arg2/arg3 form a (buffer, size) pair checked together. */
	.arg2_type	= ARG_PTR_TO_MEM,
	.arg3_type	= ARG_CONST_SIZE,
	/* flags: any value is accepted; the helper tests the bits itself. */
	.arg4_type	= ARG_ANYTHING,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1557) 
/* Copy a sysctl value into a BPF program's buffer, always leaving the
 * whole destination initialised.
 *
 * @dst:     destination buffer
 * @dst_len: size of @dst in bytes
 * @src:     value to copy; need not be NUL-terminated
 * @src_len: length of @src in bytes
 *
 * Returns @src_len when the value fits with room for a terminator (the
 * rest of @dst is zero-filled), -E2BIG when @dst_len is 0 or the value had
 * to be truncated (the last byte of @dst is then forced to NUL), and
 * -EINVAL when @dst is NULL or there is no source value (@dst is zeroed).
 *
 * Every path that has a usable @dst writes all @dst_len bytes, so no
 * destination byte is left with whatever it held before the call.
 */
static int copy_sysctl_value(char *dst, size_t dst_len, char *src,
			     size_t src_len)
{
	if (!dst)
		return -EINVAL;

	if (!dst_len)
		return -E2BIG;

	if (!src || !src_len) {
		memset(dst, 0, dst_len);
		return -EINVAL;
	}

	if (dst_len > src_len) {
		/* Value fits: copy it and zero the tail, terminator included. */
		memcpy(dst, src, src_len);
		memset(dst + src_len, '\0', dst_len - src_len);
		return src_len;
	}

	/* Value does not fit: fill the buffer and terminate it. */
	memcpy(dst, src, dst_len);
	dst[dst_len - 1] = '\0';

	return -E2BIG;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1583) 
/* BPF helper: copy the sysctl's current value (ctx->cur_val, ctx->cur_len)
 * into @buf. Bounds handling and zero-filling are done by
 * copy_sysctl_value(), whose result is returned as is.
 */
BPF_CALL_3(bpf_sysctl_get_current_value, struct bpf_sysctl_kern *, ctx,
	   char *, buf, size_t, buf_len)
{
	int copied;

	copied = copy_sysctl_value(buf, buf_len, ctx->cur_val, ctx->cur_len);

	return copied;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1589) 
/* Prototype the BPF verifier uses to type-check calls to
 * bpf_sysctl_get_current_value().
 */
static const struct bpf_func_proto bpf_sysctl_get_current_value_proto = {
	.func		= bpf_sysctl_get_current_value,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_CTX,
	/* The buffer may be uninitialised on entry, so the helper has to
	 * write all of it; copy_sysctl_value() zero-fills on every path
	 * that has a usable destination.
	 */
	.arg2_type	= ARG_PTR_TO_UNINIT_MEM,
	.arg3_type	= ARG_CONST_SIZE,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1598) 
/* BPF helper: copy the value being written to the sysctl (ctx->new_val,
 * ctx->new_len) into @buf.
 *
 * Only meaningful for a write access. On a read the buffer is zeroed,
 * when there is one, and -EINVAL is returned, so the program's buffer is
 * still fully initialised on the failure path.
 */
BPF_CALL_3(bpf_sysctl_get_new_value, struct bpf_sysctl_kern *, ctx, char *, buf,
	   size_t, buf_len)
{
	if (ctx->write)
		return copy_sysctl_value(buf, buf_len, ctx->new_val,
					 ctx->new_len);

	if (buf && buf_len)
		memset(buf, '\0', buf_len);

	return -EINVAL;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1609) 
/* Prototype the BPF verifier uses to type-check calls to
 * bpf_sysctl_get_new_value().
 */
static const struct bpf_func_proto bpf_sysctl_get_new_value_proto = {
	.func		= bpf_sysctl_get_new_value,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_CTX,
	/* The buffer may be uninitialised on entry; the helper zeroes it
	 * itself on the non-write path and otherwise relies on
	 * copy_sysctl_value() to fill it.
	 */
	.arg2_type	= ARG_PTR_TO_UNINIT_MEM,
	.arg3_type	= ARG_CONST_SIZE,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1618) 
/* BPF helper: replace the value being written to the sysctl with @buf.
 *
 * Allowed only for a write access that already carries a value, and only
 * with a non-empty @buf. Lengths of PAGE_SIZE or more are refused with
 * -E2BIG. On success ctx->new_len is updated and ctx->new_updated is set
 * to record the override.
 *
 * NOTE(review): the memcpy() is bounded by PAGE_SIZE - 1, not by the size
 * of ctx->new_val, which is allocated outside this view. This presumably
 * relies on that buffer being at least a page; confirm at the allocation
 * site.
 */
BPF_CALL_3(bpf_sysctl_set_new_value, struct bpf_sysctl_kern *, ctx,
	   const char *, buf, size_t, buf_len)
{
	if (!ctx->write || !ctx->new_val || !ctx->new_len)
		return -EINVAL;

	if (!buf || !buf_len)
		return -EINVAL;

	if (buf_len >= PAGE_SIZE)
		return -E2BIG;

	memcpy(ctx->new_val, buf, buf_len);
	ctx->new_len = buf_len;
	ctx->new_updated = 1;

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1634) 
/* Prototype the BPF verifier uses to type-check calls to
 * bpf_sysctl_set_new_value().
 */
static const struct bpf_func_proto bpf_sysctl_set_new_value_proto = {
	.func		= bpf_sysctl_set_new_value,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_CTX,
	/* Source buffer and its size; the helper only reads from it. */
	.arg2_type	= ARG_PTR_TO_MEM,
	.arg3_type	= ARG_CONST_SIZE,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1643) 
/* Map a helper id to its prototype for cgroup sysctl programs.
 *
 * This is the allow-list of helpers specific to this program type: the
 * two string-to-number helpers and the four sysctl accessors. Any other
 * id is resolved by cgroup_base_func_proto().
 */
static const struct bpf_func_proto *
sysctl_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
	const struct bpf_func_proto *proto;

	switch (func_id) {
	case BPF_FUNC_strtol:
		proto = &bpf_strtol_proto;
		break;
	case BPF_FUNC_strtoul:
		proto = &bpf_strtoul_proto;
		break;
	case BPF_FUNC_sysctl_get_name:
		proto = &bpf_sysctl_get_name_proto;
		break;
	case BPF_FUNC_sysctl_get_current_value:
		proto = &bpf_sysctl_get_current_value_proto;
		break;
	case BPF_FUNC_sysctl_get_new_value:
		proto = &bpf_sysctl_get_new_value_proto;
		break;
	case BPF_FUNC_sysctl_set_new_value:
		proto = &bpf_sysctl_set_new_value_proto;
		break;
	default:
		proto = cgroup_base_func_proto(func_id, prog);
		break;
	}

	return proto;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1664) 
/* Decide whether a sysctl program may access struct bpf_sysctl at
 * [@off, @off + @size).
 *
 * Rejected outright: negative offsets, accesses that run past the end of
 * the structure, and offsets that are not a multiple of @size.
 *
 *  - write:    loads only; loads narrower than 4 bytes are allowed.
 *  - file_pos: loads may be narrow; stores must be exactly 4 bytes.
 *  - anything else is refused.
 *
 * NOTE(review): "off % size" assumes @size is non-zero; presumably the
 * verifier only passes real access widths. Confirm against the caller.
 */
static bool sysctl_is_valid_access(int off, int size, enum bpf_access_type type,
				   const struct bpf_prog *prog,
				   struct bpf_insn_access_aux *info)
{
	const int field_size = sizeof(__u32);

	if (off < 0 || off + size > sizeof(struct bpf_sysctl) || off % size)
		return false;

	switch (off) {
	case bpf_ctx_range(struct bpf_sysctl, write):
		if (type != BPF_READ)
			return false;
		break;
	case bpf_ctx_range(struct bpf_sysctl, file_pos):
		if (type != BPF_READ)
			return size == field_size;
		break;
	default:
		return false;
	}

	/* Load of a known field: record its full width and check that a
	 * narrower access is acceptable.
	 */
	bpf_ctx_record_field_size(info, field_size);
	return bpf_ctx_narrow_access_ok(off, size, field_size);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1691) 
/* Rewrite a program's access to struct bpf_sysctl into instructions that
 * operate on the kernel-side struct bpf_sysctl_kern.
 *
 * @type:        BPF_READ or BPF_WRITE
 * @si:          the original instruction
 * @insn_buf:    output buffer for the replacement instructions
 * @prog:        program being rewritten (unused here)
 * @target_size: out; size of the kernel field actually accessed
 *
 * Returns the number of instructions written to @insn_buf; offsets other
 * than write and file_pos emit nothing and return 0.
 */
static u32 sysctl_convert_ctx_access(enum bpf_access_type type,
				     const struct bpf_insn *si,
				     struct bpf_insn *insn_buf,
				     struct bpf_prog *prog, u32 *target_size)
{
	struct bpf_insn *out = insn_buf;

	switch (si->off) {
	case offsetof(struct bpf_sysctl, write):
		/* Plain field: a single load from the kernel structure. */
		*out++ = BPF_LDX_MEM(
			BPF_SIZE(si->code), si->dst_reg, si->src_reg,
			bpf_target_off(struct bpf_sysctl_kern, write,
				       sizeof_field(struct bpf_sysctl_kern,
						    write),
				       target_size));
		break;
	case offsetof(struct bpf_sysctl, file_pos):
		/* ppos is a pointer so it should be accessed via indirect
		 * loads and stores. Also for stores additional temporary
		 * register is used since neither src_reg nor dst_reg can be
		 * overridden.
		 */
		if (type == BPF_WRITE) {
			int scratch = BPF_REG_9;

			/* src_reg and dst_reg can occupy at most two of
			 * R9, R8 and R7, so stepping down twice always
			 * lands on a register the instruction does not use.
			 */
			if (si->src_reg == scratch || si->dst_reg == scratch)
				--scratch;
			if (si->src_reg == scratch || si->dst_reg == scratch)
				--scratch;

			/* Save the scratch register in ctx->tmp_reg. */
			*out++ = BPF_STX_MEM(
				BPF_DW, si->dst_reg, scratch,
				offsetof(struct bpf_sysctl_kern, tmp_reg));
			/* scratch = ctx->ppos */
			*out++ = BPF_LDX_MEM(
				BPF_FIELD_SIZEOF(struct bpf_sysctl_kern, ppos),
				scratch, si->dst_reg,
				offsetof(struct bpf_sysctl_kern, ppos));
			/* Store the 32-bit value through the pointer. */
			*out++ = BPF_STX_MEM(
				BPF_SIZEOF(u32), scratch, si->src_reg,
				bpf_ctx_narrow_access_offset(
					0, sizeof(u32), sizeof(loff_t)));
			/* Restore the scratch register from ctx->tmp_reg. */
			*out++ = BPF_LDX_MEM(
				BPF_DW, scratch, si->dst_reg,
				offsetof(struct bpf_sysctl_kern, tmp_reg));
		} else {
			u32 width;

			/* dst_reg = ctx->ppos, then load through it. */
			*out++ = BPF_LDX_MEM(
				BPF_FIELD_SIZEOF(struct bpf_sysctl_kern, ppos),
				si->dst_reg, si->src_reg,
				offsetof(struct bpf_sysctl_kern, ppos));
			width = bpf_size_to_bytes(BPF_SIZE(si->code));
			*out++ = BPF_LDX_MEM(
				BPF_SIZE(si->code), si->dst_reg, si->dst_reg,
				bpf_ctx_narrow_access_offset(
					0, width, sizeof(loff_t)));
		}
		*target_size = sizeof(u32);
		break;
	}

	return out - insn_buf;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1753) 
/* Verifier callbacks for cgroup sysctl programs: which helpers may be
 * called, which context accesses are allowed, and how allowed accesses
 * are rewritten onto the kernel-side context.
 */
const struct bpf_verifier_ops cg_sysctl_verifier_ops = {
	.get_func_proto		= sysctl_func_proto,
	.is_valid_access	= sysctl_is_valid_access,
	.convert_ctx_access	= sysctl_convert_ctx_access,
};

/* No program operations are set for this program type. */
const struct bpf_prog_ops cg_sysctl_prog_ops = {
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1762) 
/* Map a helper id to its prototype for cgroup sockopt programs.
 *
 * The socket-storage helpers are offered only when CONFIG_NET is set and
 * the tcp_sock helper only when CONFIG_INET is set. Any other id is
 * resolved by cgroup_base_func_proto().
 */
static const struct bpf_func_proto *
cg_sockopt_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
	const struct bpf_func_proto *proto;

	switch (func_id) {
#ifdef CONFIG_NET
	case BPF_FUNC_sk_storage_get:
		proto = &bpf_sk_storage_get_proto;
		break;
	case BPF_FUNC_sk_storage_delete:
		proto = &bpf_sk_storage_delete_proto;
		break;
#endif
#ifdef CONFIG_INET
	case BPF_FUNC_tcp_sock:
		proto = &bpf_tcp_sock_proto;
		break;
#endif
	default:
		proto = cgroup_base_func_proto(func_id, prog);
		break;
	}

	return proto;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1781) 
/*
 * Verifier hook: decide whether a sockopt program may access @size bytes at
 * offset @off of its struct bpf_sockopt context.
 *
 * Write policy (all writes must be 32 bits wide):
 *   - retval:          only for BPF_CGROUP_GETSOCKOPT programs
 *   - level, optname:  only for BPF_CGROUP_SETSOCKOPT programs
 *   - optlen:          either attach type
 *   - everything else (sk, optval, optval_end, ...): never writable
 *
 * Read policy:
 *   - sk, optval, optval_end: 64-bit loads only; the loaded register is
 *     typed PTR_TO_SOCKET, PTR_TO_PACKET and PTR_TO_PACKET_END respectively
 *   - retval: 32-bit, only for BPF_CGROUP_GETSOCKOPT programs
 *   - any other in-bounds offset: 32-bit
 *
 * @off:  byte offset into struct bpf_sockopt
 * @size: access width in bytes
 * @type: BPF_WRITE for stores, anything else is treated as a read
 * @prog: program being verified; only expected_attach_type is consulted
 * @info: receives the register type for the pointer-valued fields
 *
 * Returns true if the access is permitted, false otherwise.
 */
static bool cg_sockopt_is_valid_access(int off, int size,
				       enum bpf_access_type type,
				       const struct bpf_prog *prog,
				       struct bpf_insn_access_aux *info)
{
	const int scalar_width = sizeof(__u32);
	const int pointer_width = sizeof(__u64);

	/* Nothing outside the user-visible context layout is reachable. */
	if (off < 0 || off >= sizeof(struct bpf_sockopt))
		return false;

	/*
	 * Require natural alignment. size is the divisor, so this relies on
	 * the caller never passing a zero access width.
	 * NOTE(review): presumably guaranteed by the verifier - confirm.
	 */
	if (off % size != 0)
		return false;

	if (type == BPF_WRITE) {
		/* No field accepts a store of any other width. */
		if (size != scalar_width)
			return false;

		switch (off) {
		case offsetof(struct bpf_sockopt, retval):
			return prog->expected_attach_type ==
				BPF_CGROUP_GETSOCKOPT;
		case offsetof(struct bpf_sockopt, level):
		case offsetof(struct bpf_sockopt, optname):
			return prog->expected_attach_type ==
				BPF_CGROUP_SETSOCKOPT;
		case offsetof(struct bpf_sockopt, optlen):
			return true;
		default:
			/* Pointer fields and padding are read-only. */
			return false;
		}
	}

	switch (off) {
	case offsetof(struct bpf_sockopt, sk):
		if (size != pointer_width)
			return false;
		info->reg_type = PTR_TO_SOCKET;
		return true;
	case offsetof(struct bpf_sockopt, optval):
		if (size != pointer_width)
			return false;
		info->reg_type = PTR_TO_PACKET;
		return true;
	case offsetof(struct bpf_sockopt, optval_end):
		if (size != pointer_width)
			return false;
		info->reg_type = PTR_TO_PACKET_END;
		return true;
	case offsetof(struct bpf_sockopt, retval):
		return size == scalar_width &&
		       prog->expected_attach_type == BPF_CGROUP_GETSOCKOPT;
	default:
		return size == scalar_width;
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1843) 
/*
 * Build one BPF memory instruction with constructor T (used below with
 * BPF_LDX_MEM and BPF_STX_MEM) that accesses field F of
 * struct bpf_sockopt_kern, sized to that field.
 *
 * The expansion refers to a variable named `si`, which must be in scope at
 * the point of use; its dst_reg and src_reg are passed through unchanged.
 */
#define CG_SOCKOPT_ACCESS_FIELD(T, F)					\
	T(BPF_FIELD_SIZEOF(struct bpf_sockopt_kern, F),			\
	  si->dst_reg,							\
	  si->src_reg,							\
	  offsetof(struct bpf_sockopt_kern, F))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1848) 
/*
 * Rewrite one access to the user-visible struct bpf_sockopt into the
 * equivalent access on struct bpf_sockopt_kern.
 *
 * sk, optval and optval_end are always emitted as loads, whatever @type
 * says; level, optname, optlen and retval become a store when @type is
 * BPF_WRITE and a load otherwise. Which of those accesses a given program is
 * actually allowed to make is not decided here.
 *
 * @type:        BPF_WRITE selects the store form where one exists
 * @si:          original instruction; supplies the offset and registers
 * @insn_buf:    output buffer for the rewritten instruction
 * @prog:        unused
 * @target_size: unused
 *
 * Returns the number of instructions written: 1 for a recognised offset,
 * 0 when @si->off matches none of the fields handled below.
 */
static u32 cg_sockopt_convert_ctx_access(enum bpf_access_type type,
					 const struct bpf_insn *si,
					 struct bpf_insn *insn_buf,
					 struct bpf_prog *prog,
					 u32 *target_size)
{
	const bool is_store = type == BPF_WRITE;
	u32 emitted = 0;

	switch (si->off) {
	case offsetof(struct bpf_sockopt, sk):
		insn_buf[emitted++] = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, sk);
		break;
	case offsetof(struct bpf_sockopt, level):
		insn_buf[emitted++] = is_store ?
			CG_SOCKOPT_ACCESS_FIELD(BPF_STX_MEM, level) :
			CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, level);
		break;
	case offsetof(struct bpf_sockopt, optname):
		insn_buf[emitted++] = is_store ?
			CG_SOCKOPT_ACCESS_FIELD(BPF_STX_MEM, optname) :
			CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, optname);
		break;
	case offsetof(struct bpf_sockopt, optlen):
		insn_buf[emitted++] = is_store ?
			CG_SOCKOPT_ACCESS_FIELD(BPF_STX_MEM, optlen) :
			CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, optlen);
		break;
	case offsetof(struct bpf_sockopt, retval):
		insn_buf[emitted++] = is_store ?
			CG_SOCKOPT_ACCESS_FIELD(BPF_STX_MEM, retval) :
			CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, retval);
		break;
	case offsetof(struct bpf_sockopt, optval):
		insn_buf[emitted++] = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, optval);
		break;
	case offsetof(struct bpf_sockopt, optval_end):
		insn_buf[emitted++] = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, optval_end);
		break;
	}

	return emitted;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1895) 
/*
 * Prologue generator for sockopt programs. It writes nothing to @insn_buf,
 * ignores @direct_write and @prog, and always returns 0.
 */
static int cg_sockopt_get_prologue(struct bpf_insn *insn_buf,
				   bool direct_write,
				   const struct bpf_prog *prog)
{
	/* The sockopt data is kzalloc()ed, so there is nothing to set up. */
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1904) 
/*
 * Verifier callbacks for cgroup sockopt programs: the helper allow-list, the
 * context access policy, the context access rewriter and the (empty)
 * prologue generator defined above.
 */
const struct bpf_verifier_ops cg_sockopt_verifier_ops = {
	.get_func_proto = cg_sockopt_func_proto,
	.is_valid_access = cg_sockopt_is_valid_access,
	.convert_ctx_access = cg_sockopt_convert_ctx_access,
	.gen_prologue = cg_sockopt_get_prologue,
};

/* No program-level callbacks are populated for cgroup sockopt programs. */
const struct bpf_prog_ops cg_sockopt_prog_ops = {
};