1 /* 2 * Functions to manage eBPF programs attached to cgroups 3 * 4 * Copyright (c) 2016 Daniel Mack 5 * 6 * This file is subject to the terms and conditions of version 2 of the GNU 7 * General Public License. See the file COPYING in the main directory of the 8 * Linux distribution for more details. 9 */ 10 11 #include <linux/kernel.h> 12 #include <linux/atomic.h> 13 #include <linux/cgroup.h> 14 #include <linux/slab.h> 15 #include <linux/bpf.h> 16 #include <linux/bpf-cgroup.h> 17 #include <net/sock.h> 18 19 DEFINE_STATIC_KEY_FALSE(cgroup_bpf_enabled_key); 20 EXPORT_SYMBOL(cgroup_bpf_enabled_key); 21 22 /** 23 * cgroup_bpf_put() - put references of all bpf programs 24 * @cgrp: the cgroup to modify 25 */ 26 void cgroup_bpf_put(struct cgroup *cgrp) 27 { 28 unsigned int type; 29 30 for (type = 0; type < ARRAY_SIZE(cgrp->bpf.prog); type++) { 31 struct bpf_prog *prog = cgrp->bpf.prog[type]; 32 33 if (prog) { 34 bpf_prog_put(prog); 35 static_branch_dec(&cgroup_bpf_enabled_key); 36 } 37 } 38 } 39 40 /** 41 * cgroup_bpf_inherit() - inherit effective programs from parent 42 * @cgrp: the cgroup to modify 43 * @parent: the parent to inherit from 44 */ 45 void cgroup_bpf_inherit(struct cgroup *cgrp, struct cgroup *parent) 46 { 47 unsigned int type; 48 49 for (type = 0; type < ARRAY_SIZE(cgrp->bpf.effective); type++) { 50 struct bpf_prog *e; 51 52 e = rcu_dereference_protected(parent->bpf.effective[type], 53 lockdep_is_held(&cgroup_mutex)); 54 rcu_assign_pointer(cgrp->bpf.effective[type], e); 55 } 56 } 57 58 /** 59 * __cgroup_bpf_update() - Update the pinned program of a cgroup, and 60 * propagate the change to descendants 61 * @cgrp: The cgroup which descendants to traverse 62 * @parent: The parent of @cgrp, or %NULL if @cgrp is the root 63 * @prog: A new program to pin 64 * @type: Type of pinning operation (ingress/egress) 65 * 66 * Each cgroup has a set of two pointers for bpf programs; one for eBPF 67 * programs it owns, and which is effective for execution. 68 * 69 * If @prog is %NULL, this function attaches a new program to the cgroup and 70 * releases the one that is currently attached, if any. @prog is then made 71 * the effective program of type @type in that cgroup. 72 * 73 * If @prog is %NULL, the currently attached program of type @type is released, 74 * and the effective program of the parent cgroup (if any) is inherited to 75 * @cgrp. 76 * 77 * Then, the descendants of @cgrp are walked and the effective program for 78 * each of them is set to the effective program of @cgrp unless the 79 * descendant has its own program attached, in which case the subbranch is 80 * skipped. This ensures that delegated subcgroups with own programs are left 81 * untouched. 82 * 83 * Must be called with cgroup_mutex held. 84 */ 85 void __cgroup_bpf_update(struct cgroup *cgrp, 86 struct cgroup *parent, 87 struct bpf_prog *prog, 88 enum bpf_attach_type type) 89 { 90 struct bpf_prog *old_prog, *effective; 91 struct cgroup_subsys_state *pos; 92 93 old_prog = xchg(cgrp->bpf.prog + type, prog); 94 95 effective = (!prog && parent) ? 96 rcu_dereference_protected(parent->bpf.effective[type], 97 lockdep_is_held(&cgroup_mutex)) : 98 prog; 99 100 css_for_each_descendant_pre(pos, &cgrp->self) { 101 struct cgroup *desc = container_of(pos, struct cgroup, self); 102 103 /* skip the subtree if the descendant has its own program */ 104 if (desc->bpf.prog[type] && desc != cgrp) 105 pos = css_rightmost_descendant(pos); 106 else 107 rcu_assign_pointer(desc->bpf.effective[type], 108 effective); 109 } 110 111 if (prog) 112 static_branch_inc(&cgroup_bpf_enabled_key); 113 114 if (old_prog) { 115 bpf_prog_put(old_prog); 116 static_branch_dec(&cgroup_bpf_enabled_key); 117 } 118 } 119 120 /** 121 * __cgroup_bpf_run_filter() - Run a program for packet filtering 122 * @sk: The socken sending or receiving traffic 123 * @skb: The skb that is being sent or received 124 * @type: The type of program to be exectuted 125 * 126 * If no socket is passed, or the socket is not of type INET or INET6, 127 * this function does nothing and returns 0. 128 * 129 * The program type passed in via @type must be suitable for network 130 * filtering. No further check is performed to assert that. 131 * 132 * This function will return %-EPERM if any if an attached program was found 133 * and if it returned != 1 during execution. In all other cases, 0 is returned. 134 */ 135 int __cgroup_bpf_run_filter(struct sock *sk, 136 struct sk_buff *skb, 137 enum bpf_attach_type type) 138 { 139 struct bpf_prog *prog; 140 struct cgroup *cgrp; 141 int ret = 0; 142 143 if (!sk || !sk_fullsock(sk)) 144 return 0; 145 146 if (sk->sk_family != AF_INET && 147 sk->sk_family != AF_INET6) 148 return 0; 149 150 cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data); 151 152 rcu_read_lock(); 153 154 prog = rcu_dereference(cgrp->bpf.effective[type]); 155 if (prog) { 156 unsigned int offset = skb->data - skb_network_header(skb); 157 158 __skb_push(skb, offset); 159 ret = bpf_prog_run_save_cb(prog, skb) == 1 ? 0 : -EPERM; 160 __skb_pull(skb, offset); 161 } 162 163 rcu_read_unlock(); 164 165 return ret; 166 } 167 EXPORT_SYMBOL(__cgroup_bpf_run_filter); 168