bpf: multi program support for cgroup+bpf

introduce BPF_F_ALLOW_MULTI flag that can be used to attach multiple
bpf programs to a cgroup.

The difference between three possible flags for BPF_PROG_ATTACH command:
- NONE(default): No further bpf programs allowed in the subtree.
- BPF_F_ALLOW_OVERRIDE: If a sub-cgroup installs some bpf program,
  the program in this cgroup yields to sub-cgroup program.
- BPF_F_ALLOW_MULTI: If a sub-cgroup installs some bpf program,
  that cgroup program gets run in addition to the program in this cgroup.

NONE and BPF_F_ALLOW_OVERRIDE existed before. This patch doesn't
change their behavior. It only clarifies the semantics in relation
to new flag.

Only one program is allowed to be attached to a cgroup with
NONE or BPF_F_ALLOW_OVERRIDE flag.
Multiple programs are allowed to be attached to a cgroup with
BPF_F_ALLOW_MULTI flag. They are executed in FIFO order
(those that were attached first, run first)
The programs of sub-cgroup are executed first, then programs of
this cgroup and then programs of parent cgroup.
All eligible programs are executed regardless of return code from
earlier programs.

To allow efficient execution of multiple programs attached to a cgroup
and to avoid penalizing cgroups without any programs attached
introduce 'struct bpf_prog_array' which is RCU protected array
of pointers to bpf programs.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Martin KaFai Lau <kafai@fb.com>
for cgroup bits
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 21 insertions, 7 deletions

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index d6551cd45238..57eb866ae78d 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -1896,6 +1896,9 @@ int cgroup_setup_root(struct cgroup_root *root, u16 ss_mask, int ref_flags)
         if (ret)
                 goto destroy_root;
 
+        ret = cgroup_bpf_inherit(root_cgrp);
+        WARN_ON_ONCE(ret);
+
         trace_cgroup_setup_root(root);
 
         /*
@@ -4713,6 +4716,9 @@ static struct cgroup *cgroup_create(struct cgroup *parent)
         cgrp->self.parent = &parent->self;
         cgrp->root = root;
         cgrp->level = level;
+        ret = cgroup_bpf_inherit(cgrp);
+        if (ret)
+                goto out_idr_free;
 
         for (tcgrp = cgrp; tcgrp; tcgrp = cgroup_parent(tcgrp)) {
                 cgrp->ancestor_ids[tcgrp->level] = tcgrp->id;
@@ -4747,13 +4753,12 @@ static struct cgroup *cgroup_create(struct cgroup *parent)
         if (!cgroup_on_dfl(cgrp))
                 cgrp->subtree_control = cgroup_control(cgrp);
 
-        if (parent)
-                cgroup_bpf_inherit(cgrp, parent);
-
         cgroup_propagate_control(cgrp);
 
         return cgrp;
 
+out_idr_free:
+        cgroup_idr_remove(&root->cgroup_idr, cgrp->id);
 out_cancel_ref:
         percpu_ref_exit(&cgrp->self.refcnt);
 out_free_cgrp:
@@ -5736,14 +5741,23 @@ void cgroup_sk_free(struct sock_cgroup_data *skcd)
 #endif  /* CONFIG_SOCK_CGROUP_DATA */
 
 #ifdef CONFIG_CGROUP_BPF
-int cgroup_bpf_update(struct cgroup *cgrp, struct bpf_prog *prog,
-                      enum bpf_attach_type type, bool overridable)
+int cgroup_bpf_attach(struct cgroup *cgrp, struct bpf_prog *prog,
+                      enum bpf_attach_type type, u32 flags)
+{
+        int ret;
+
+        mutex_lock(&cgroup_mutex);
+        ret = __cgroup_bpf_attach(cgrp, prog, type, flags);
+        mutex_unlock(&cgroup_mutex);
+        return ret;
+}
+int cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
+                      enum bpf_attach_type type, u32 flags)
 {
-        struct cgroup *parent = cgroup_parent(cgrp);
         int ret;
 
         mutex_lock(&cgroup_mutex);
-        ret = __cgroup_bpf_update(cgrp, parent, prog, type, overridable);
+        ret = __cgroup_bpf_detach(cgrp, prog, type, flags);
         mutex_unlock(&cgroup_mutex);
         return ret;
 }