kernel/bpf/cgroup.c

   1 /*
   2  * Functions to manage eBPF programs attached to cgroups
   3  *
   4  * Copyright (c) 2016 Daniel Mack
   5  *
   6  * This file is subject to the terms and conditions of version 2 of the GNU
   7  * General Public License.  See the file COPYING in the main directory of the
   8  * Linux distribution for more details.
   9  */
  10
  11 #include <linux/kernel.h>
  12 #include <linux/atomic.h>
  13 #include <linux/cgroup.h>
  14 #include <linux/slab.h>
  15 #include <linux/bpf.h>
  16 #include <linux/bpf-cgroup.h>
  17 #include <net/sock.h>
  18
  19 DEFINE_STATIC_KEY_FALSE(cgroup_bpf_enabled_key);
  20 EXPORT_SYMBOL(cgroup_bpf_enabled_key);
  21
  22 /**
  23  * cgroup_bpf_put() - put references of all bpf programs
  24  * @cgrp: the cgroup to modify
  25  */
  26 void cgroup_bpf_put(struct cgroup *cgrp)
  27 {
  28         unsigned int type;
  29
  30         for (type = 0; type < ARRAY_SIZE(cgrp->bpf.prog); type++) {
  31                 struct bpf_prog *prog = cgrp->bpf.prog[type];
  32
  33                 if (prog) {
  34                         bpf_prog_put(prog);
  35                         static_branch_dec(&cgroup_bpf_enabled_key);
  36                 }
  37         }
  38 }
  39
  40 /**
  41  * cgroup_bpf_inherit() - inherit effective programs from parent
  42  * @cgrp: the cgroup to modify
  43  * @parent: the parent to inherit from
  44  */
  45 void cgroup_bpf_inherit(struct cgroup *cgrp, struct cgroup *parent)
  46 {
  47         unsigned int type;
  48
  49         for (type = 0; type < ARRAY_SIZE(cgrp->bpf.effective); type++) {
  50                 struct bpf_prog *e;
  51
  52                 e = rcu_dereference_protected(parent->bpf.effective[type],
  53                                               lockdep_is_held(&cgroup_mutex));
  54                 rcu_assign_pointer(cgrp->bpf.effective[type], e);
  55         }
  56 }
  57
  58 /**
  59  * __cgroup_bpf_update() - Update the pinned program of a cgroup, and
  60  *                         propagate the change to descendants
  61  * @cgrp: The cgroup which descendants to traverse
  62  * @parent: The parent of @cgrp, or %NULL if @cgrp is the root
  63  * @prog: A new program to pin
  64  * @type: Type of pinning operation (ingress/egress)
  65  *
  66  * Each cgroup has a set of two pointers for bpf programs; one for eBPF
  67  * programs it owns, and which is effective for execution.
  68  *
  69  * If @prog is not %NULL, this function attaches a new program to the cgroup
  70  * and releases the one that is currently attached, if any. @prog is then made
  71  * the effective program of type @type in that cgroup.
  72  *
  73  * If @prog is %NULL, the currently attached program of type @type is released,
  74  * and the effective program of the parent cgroup (if any) is inherited to
  75  * @cgrp.
  76  *
  77  * Then, the descendants of @cgrp are walked and the effective program for
  78  * each of them is set to the effective program of @cgrp unless the
  79  * descendant has its own program attached, in which case the subbranch is
  80  * skipped. This ensures that delegated subcgroups with own programs are left
  81  * untouched.
  82  *
  83  * Must be called with cgroup_mutex held.
  84  */
  85 void __cgroup_bpf_update(struct cgroup *cgrp,
  86                          struct cgroup *parent,
  87                          struct bpf_prog *prog,
  88                          enum bpf_attach_type type)
  89 {
  90         struct bpf_prog *old_prog, *effective;
  91         struct cgroup_subsys_state *pos;
  92
  93         old_prog = xchg(cgrp->bpf.prog + type, prog);
  94
  95         effective = (!prog && parent) ?
  96                 rcu_dereference_protected(parent->bpf.effective[type],
  97                                           lockdep_is_held(&cgroup_mutex)) :
  98                 prog;
  99
 100         css_for_each_descendant_pre(pos, &cgrp->self) {
 101                 struct cgroup *desc = container_of(pos, struct cgroup, self);
 102
 103                 /* skip the subtree if the descendant has its own program */
 104                 if (desc->bpf.prog[type] && desc != cgrp)
 105                         pos = css_rightmost_descendant(pos);
 106                 else
 107                         rcu_assign_pointer(desc->bpf.effective[type],
 108                                            effective);
 109         }
 110
 111         if (prog)
 112                 static_branch_inc(&cgroup_bpf_enabled_key);
 113
 114         if (old_prog) {
 115                 bpf_prog_put(old_prog);
 116                 static_branch_dec(&cgroup_bpf_enabled_key);
 117         }
 118 }
 119
 120 /**
 121  * __cgroup_bpf_run_filter_skb() - Run a program for packet filtering
 122  * @sk: The socken sending or receiving traffic
 123  * @skb: The skb that is being sent or received
 124  * @type: The type of program to be exectuted
 125  *
 126  * If no socket is passed, or the socket is not of type INET or INET6,
 127  * this function does nothing and returns 0.
 128  *
 129  * The program type passed in via @type must be suitable for network
 130  * filtering. No further check is performed to assert that.
 131  *
 132  * This function will return %-EPERM if any if an attached program was found
 133  * and if it returned != 1 during execution. In all other cases, 0 is returned.
 134  */
 135 int __cgroup_bpf_run_filter_skb(struct sock *sk,
 136                                 struct sk_buff *skb,
 137                                 enum bpf_attach_type type)
 138 {
 139         struct bpf_prog *prog;
 140         struct cgroup *cgrp;
 141         int ret = 0;
 142
 143         if (!sk || !sk_fullsock(sk))
 144                 return 0;
 145
 146         if (sk->sk_family != AF_INET &&
 147             sk->sk_family != AF_INET6)
 148                 return 0;
 149
 150         cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
 151
 152         rcu_read_lock();
 153
 154         prog = rcu_dereference(cgrp->bpf.effective[type]);
 155         if (prog) {
 156                 unsigned int offset = skb->data - skb_network_header(skb);
 157
 158                 __skb_push(skb, offset);
 159                 ret = bpf_prog_run_save_cb(prog, skb) == 1 ? 0 : -EPERM;
 160                 __skb_pull(skb, offset);
 161         }
 162
 163         rcu_read_unlock();
 164
 165         return ret;
 166 }
 167 EXPORT_SYMBOL(__cgroup_bpf_run_filter_skb);
 168
 169 /**
 170  * __cgroup_bpf_run_filter_sk() - Run a program on a sock
 171  * @sk: sock structure to manipulate
 172  * @type: The type of program to be exectuted
 173  *
 174  * socket is passed is expected to be of type INET or INET6.
 175  *
 176  * The program type passed in via @type must be suitable for sock
 177  * filtering. No further check is performed to assert that.
 178  *
 179  * This function will return %-EPERM if any if an attached program was found
 180  * and if it returned != 1 during execution. In all other cases, 0 is returned.
 181  */
 182 int __cgroup_bpf_run_filter_sk(struct sock *sk,
 183                                enum bpf_attach_type type)
 184 {
 185         struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
 186         struct bpf_prog *prog;
 187         int ret = 0;
 188
 189
 190         rcu_read_lock();
 191
 192         prog = rcu_dereference(cgrp->bpf.effective[type]);
 193         if (prog)
 194                 ret = BPF_PROG_RUN(prog, sk) == 1 ? 0 : -EPERM;
 195
 196         rcu_read_unlock();
 197
 198         return ret;
 199 }
 200 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sk);