diff options
| author | Roman Gushchin <guro@fb.com> | 2017-11-05 08:15:32 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-11-05 09:26:51 -0500 |
| commit | ebc614f687369f9df99828572b1d85a7c2de3d92 (patch) | |
| tree | bfcaecb3636c2ef3fd31da33138fe72db50663f2 /include/linux/bpf-cgroup.h | |
| parent | ecf8fecb7828648cba0e42de7464a7e600c93459 (diff) | |
bpf, cgroup: implement eBPF-based device controller for cgroup v2
Cgroup v2 lacks the device controller, provided by cgroup v1.
This patch adds a new eBPF program type, which in combination
of previously added ability to attach multiple eBPF programs
to a cgroup, will provide a similar functionality, but with some
additional flexibility.
This patch introduces a BPF_PROG_TYPE_CGROUP_DEVICE program type.
A program takes major and minor device numbers, device type
(block/character) and access type (mknod/read/write) as parameters
and returns an integer which defines if the operation should be
allowed or terminated with -EPERM.
Signed-off-by: Roman Gushchin <guro@fb.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux/bpf-cgroup.h')
| -rw-r--r-- | include/linux/bpf-cgroup.h | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h index 87a7db9feb38..a7f16e0f8d68 100644 --- a/include/linux/bpf-cgroup.h +++ b/include/linux/bpf-cgroup.h | |||
| @@ -67,6 +67,9 @@ int __cgroup_bpf_run_filter_sock_ops(struct sock *sk, | |||
| 67 | struct bpf_sock_ops_kern *sock_ops, | 67 | struct bpf_sock_ops_kern *sock_ops, |
| 68 | enum bpf_attach_type type); | 68 | enum bpf_attach_type type); |
| 69 | 69 | ||
| 70 | int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor, | ||
| 71 | short access, enum bpf_attach_type type); | ||
| 72 | |||
| 70 | /* Wrappers for __cgroup_bpf_run_filter_skb() guarded by cgroup_bpf_enabled. */ | 73 | /* Wrappers for __cgroup_bpf_run_filter_skb() guarded by cgroup_bpf_enabled. */ |
| 71 | #define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb) \ | 74 | #define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb) \ |
| 72 | ({ \ | 75 | ({ \ |
| @@ -112,6 +115,17 @@ int __cgroup_bpf_run_filter_sock_ops(struct sock *sk, | |||
| 112 | } \ | 115 | } \ |
| 113 | __ret; \ | 116 | __ret; \ |
| 114 | }) | 117 | }) |
| 118 | |||
| 119 | #define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access) \ | ||
| 120 | ({ \ | ||
| 121 | int __ret = 0; \ | ||
| 122 | if (cgroup_bpf_enabled) \ | ||
| 123 | __ret = __cgroup_bpf_check_dev_permission(type, major, minor, \ | ||
| 124 | access, \ | ||
| 125 | BPF_CGROUP_DEVICE); \ | ||
| 126 | \ | ||
| 127 | __ret; \ | ||
| 128 | }) | ||
| 115 | #else | 129 | #else |
| 116 | 130 | ||
| 117 | struct cgroup_bpf {}; | 131 | struct cgroup_bpf {}; |
| @@ -122,6 +136,7 @@ static inline int cgroup_bpf_inherit(struct cgroup *cgrp) { return 0; } | |||
| 122 | #define BPF_CGROUP_RUN_PROG_INET_EGRESS(sk,skb) ({ 0; }) | 136 | #define BPF_CGROUP_RUN_PROG_INET_EGRESS(sk,skb) ({ 0; }) |
| 123 | #define BPF_CGROUP_RUN_PROG_INET_SOCK(sk) ({ 0; }) | 137 | #define BPF_CGROUP_RUN_PROG_INET_SOCK(sk) ({ 0; }) |
| 124 | #define BPF_CGROUP_RUN_PROG_SOCK_OPS(sock_ops) ({ 0; }) | 138 | #define BPF_CGROUP_RUN_PROG_SOCK_OPS(sock_ops) ({ 0; }) |
| 139 | #define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type,major,minor,access) ({ 0; }) | ||
| 125 | 140 | ||
| 126 | #endif /* CONFIG_CGROUP_BPF */ | 141 | #endif /* CONFIG_CGROUP_BPF */ |
| 127 | 142 | ||