1 // SPDX-License-Identifier: GPL-2.0-only
3 * Functions to manage eBPF programs attached to cgroups
5 * Copyright (c) 2016 Daniel Mack
8 #include <linux/kernel.h>
9 #include <linux/atomic.h>
10 #include <linux/cgroup.h>
11 #include <linux/filter.h>
12 #include <linux/slab.h>
13 #include <linux/sysctl.h>
14 #include <linux/string.h>
15 #include <linux/bpf.h>
16 #include <linux/bpf-cgroup.h>
18 #include <net/bpf_sk_storage.h>
20 #include "../cgroup/cgroup-internal.h"
22 DEFINE_STATIC_KEY_FALSE(cgroup_bpf_enabled_key);
23 EXPORT_SYMBOL(cgroup_bpf_enabled_key);
25 void cgroup_bpf_offline(struct cgroup *cgrp)
28 percpu_ref_kill(&cgrp->bpf.refcnt);
32 * cgroup_bpf_release() - put references of all bpf programs and
33 * release all cgroup bpf data
34 * @work: work structure embedded into the cgroup to modify
36 static void cgroup_bpf_release(struct work_struct *work)
38 struct cgroup *cgrp = container_of(work, struct cgroup,
40 enum bpf_cgroup_storage_type stype;
41 struct bpf_prog_array *old_array;
44 mutex_lock(&cgroup_mutex);
46 for (type = 0; type < ARRAY_SIZE(cgrp->bpf.progs); type++) {
47 struct list_head *progs = &cgrp->bpf.progs[type];
48 struct bpf_prog_list *pl, *tmp;
50 list_for_each_entry_safe(pl, tmp, progs, node) {
52 bpf_prog_put(pl->prog);
53 for_each_cgroup_storage_type(stype) {
54 bpf_cgroup_storage_unlink(pl->storage[stype]);
55 bpf_cgroup_storage_free(pl->storage[stype]);
58 static_branch_dec(&cgroup_bpf_enabled_key);
60 old_array = rcu_dereference_protected(
61 cgrp->bpf.effective[type],
62 lockdep_is_held(&cgroup_mutex));
63 bpf_prog_array_free(old_array);
66 mutex_unlock(&cgroup_mutex);
68 percpu_ref_exit(&cgrp->bpf.refcnt);
73 * cgroup_bpf_release_fn() - callback used to schedule releasing
75 * @ref: percpu ref counter structure
77 static void cgroup_bpf_release_fn(struct percpu_ref *ref)
79 struct cgroup *cgrp = container_of(ref, struct cgroup, bpf.refcnt);
81 INIT_WORK(&cgrp->bpf.release_work, cgroup_bpf_release);
82 queue_work(system_wq, &cgrp->bpf.release_work);
85 /* count number of elements in the list.
86 * it's slow but the list cannot be long
88 static u32 prog_list_length(struct list_head *head)
90 struct bpf_prog_list *pl;
93 list_for_each_entry(pl, head, node) {
101 /* if parent has non-overridable prog attached,
102 * disallow attaching new programs to the descendent cgroup.
103 * if parent has overridable or multi-prog, allow attaching
105 static bool hierarchy_allows_attach(struct cgroup *cgrp,
106 enum bpf_attach_type type,
111 p = cgroup_parent(cgrp);
115 u32 flags = p->bpf.flags[type];
118 if (flags & BPF_F_ALLOW_MULTI)
120 cnt = prog_list_length(&p->bpf.progs[type]);
121 WARN_ON_ONCE(cnt > 1);
123 return !!(flags & BPF_F_ALLOW_OVERRIDE);
124 p = cgroup_parent(p);
129 /* compute a chain of effective programs for a given cgroup:
130 * start from the list of programs in this cgroup and add
131 * all parent programs.
132 * Note that parent's F_ALLOW_OVERRIDE-type program is yielding
133 * to programs in this cgroup
135 static int compute_effective_progs(struct cgroup *cgrp,
136 enum bpf_attach_type type,
137 struct bpf_prog_array **array)
139 enum bpf_cgroup_storage_type stype;
140 struct bpf_prog_array *progs;
141 struct bpf_prog_list *pl;
142 struct cgroup *p = cgrp;
145 /* count number of effective programs by walking parents */
147 if (cnt == 0 || (p->bpf.flags[type] & BPF_F_ALLOW_MULTI))
148 cnt += prog_list_length(&p->bpf.progs[type]);
149 p = cgroup_parent(p);
152 progs = bpf_prog_array_alloc(cnt, GFP_KERNEL);
156 /* populate the array with effective progs */
160 if (cnt > 0 && !(p->bpf.flags[type] & BPF_F_ALLOW_MULTI))
163 list_for_each_entry(pl, &p->bpf.progs[type], node) {
167 progs->items[cnt].prog = pl->prog;
168 for_each_cgroup_storage_type(stype)
169 progs->items[cnt].cgroup_storage[stype] =
173 } while ((p = cgroup_parent(p)));
179 static void activate_effective_progs(struct cgroup *cgrp,
180 enum bpf_attach_type type,
181 struct bpf_prog_array *old_array)
183 old_array = rcu_replace_pointer(cgrp->bpf.effective[type], old_array,
184 lockdep_is_held(&cgroup_mutex));
185 /* free prog array after grace period, since __cgroup_bpf_run_*()
186 * might be still walking the array
188 bpf_prog_array_free(old_array);
192 * cgroup_bpf_inherit() - inherit effective programs from parent
193 * @cgrp: the cgroup to modify
195 int cgroup_bpf_inherit(struct cgroup *cgrp)
197 /* has to use marco instead of const int, since compiler thinks
198 * that array below is variable length
200 #define NR ARRAY_SIZE(cgrp->bpf.effective)
201 struct bpf_prog_array *arrays[NR] = {};
204 ret = percpu_ref_init(&cgrp->bpf.refcnt, cgroup_bpf_release_fn, 0,
209 for (i = 0; i < NR; i++)
210 INIT_LIST_HEAD(&cgrp->bpf.progs[i]);
212 for (i = 0; i < NR; i++)
213 if (compute_effective_progs(cgrp, i, &arrays[i]))
216 for (i = 0; i < NR; i++)
217 activate_effective_progs(cgrp, i, arrays[i]);
221 for (i = 0; i < NR; i++)
222 bpf_prog_array_free(arrays[i]);
224 percpu_ref_exit(&cgrp->bpf.refcnt);
229 static int update_effective_progs(struct cgroup *cgrp,
230 enum bpf_attach_type type)
232 struct cgroup_subsys_state *css;
235 /* allocate and recompute effective prog arrays */
236 css_for_each_descendant_pre(css, &cgrp->self) {
237 struct cgroup *desc = container_of(css, struct cgroup, self);
239 if (percpu_ref_is_zero(&desc->bpf.refcnt))
242 err = compute_effective_progs(desc, type, &desc->bpf.inactive);
247 /* all allocations were successful. Activate all prog arrays */
248 css_for_each_descendant_pre(css, &cgrp->self) {
249 struct cgroup *desc = container_of(css, struct cgroup, self);
251 if (percpu_ref_is_zero(&desc->bpf.refcnt)) {
252 if (unlikely(desc->bpf.inactive)) {
253 bpf_prog_array_free(desc->bpf.inactive);
254 desc->bpf.inactive = NULL;
259 activate_effective_progs(desc, type, desc->bpf.inactive);
260 desc->bpf.inactive = NULL;
266 /* oom while computing effective. Free all computed effective arrays
267 * since they were not activated
269 css_for_each_descendant_pre(css, &cgrp->self) {
270 struct cgroup *desc = container_of(css, struct cgroup, self);
272 bpf_prog_array_free(desc->bpf.inactive);
273 desc->bpf.inactive = NULL;
279 #define BPF_CGROUP_MAX_PROGS 64
282 * __cgroup_bpf_attach() - Attach the program to a cgroup, and
283 * propagate the change to descendants
284 * @cgrp: The cgroup which descendants to traverse
285 * @prog: A program to attach
286 * @type: Type of attach operation
287 * @flags: Option flags
289 * Must be called with cgroup_mutex held.
291 int __cgroup_bpf_attach(struct cgroup *cgrp, struct bpf_prog *prog,
292 enum bpf_attach_type type, u32 flags)
294 struct list_head *progs = &cgrp->bpf.progs[type];
295 struct bpf_prog *old_prog = NULL;
296 struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE],
297 *old_storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {NULL};
298 enum bpf_cgroup_storage_type stype;
299 struct bpf_prog_list *pl;
300 bool pl_was_allocated;
303 if ((flags & BPF_F_ALLOW_OVERRIDE) && (flags & BPF_F_ALLOW_MULTI))
304 /* invalid combination */
307 if (!hierarchy_allows_attach(cgrp, type, flags))
310 if (!list_empty(progs) && cgrp->bpf.flags[type] != flags)
311 /* Disallow attaching non-overridable on top
312 * of existing overridable in this cgroup.
313 * Disallow attaching multi-prog if overridable or none
317 if (prog_list_length(progs) >= BPF_CGROUP_MAX_PROGS)
320 for_each_cgroup_storage_type(stype) {
321 storage[stype] = bpf_cgroup_storage_alloc(prog, stype);
322 if (IS_ERR(storage[stype])) {
323 storage[stype] = NULL;
324 for_each_cgroup_storage_type(stype)
325 bpf_cgroup_storage_free(storage[stype]);
330 if (flags & BPF_F_ALLOW_MULTI) {
331 list_for_each_entry(pl, progs, node) {
332 if (pl->prog == prog) {
333 /* disallow attaching the same prog twice */
334 for_each_cgroup_storage_type(stype)
335 bpf_cgroup_storage_free(storage[stype]);
340 pl = kmalloc(sizeof(*pl), GFP_KERNEL);
342 for_each_cgroup_storage_type(stype)
343 bpf_cgroup_storage_free(storage[stype]);
347 pl_was_allocated = true;
349 for_each_cgroup_storage_type(stype)
350 pl->storage[stype] = storage[stype];
351 list_add_tail(&pl->node, progs);
353 if (list_empty(progs)) {
354 pl = kmalloc(sizeof(*pl), GFP_KERNEL);
356 for_each_cgroup_storage_type(stype)
357 bpf_cgroup_storage_free(storage[stype]);
360 pl_was_allocated = true;
361 list_add_tail(&pl->node, progs);
363 pl = list_first_entry(progs, typeof(*pl), node);
365 for_each_cgroup_storage_type(stype) {
366 old_storage[stype] = pl->storage[stype];
367 bpf_cgroup_storage_unlink(old_storage[stype]);
369 pl_was_allocated = false;
372 for_each_cgroup_storage_type(stype)
373 pl->storage[stype] = storage[stype];
376 cgrp->bpf.flags[type] = flags;
378 err = update_effective_progs(cgrp, type);
382 static_branch_inc(&cgroup_bpf_enabled_key);
383 for_each_cgroup_storage_type(stype) {
384 if (!old_storage[stype])
386 bpf_cgroup_storage_free(old_storage[stype]);
389 bpf_prog_put(old_prog);
390 static_branch_dec(&cgroup_bpf_enabled_key);
392 for_each_cgroup_storage_type(stype)
393 bpf_cgroup_storage_link(storage[stype], cgrp, type);
397 /* and cleanup the prog list */
399 for_each_cgroup_storage_type(stype) {
400 bpf_cgroup_storage_free(pl->storage[stype]);
401 pl->storage[stype] = old_storage[stype];
402 bpf_cgroup_storage_link(old_storage[stype], cgrp, type);
404 if (pl_was_allocated) {
412 * __cgroup_bpf_detach() - Detach the program from a cgroup, and
413 * propagate the change to descendants
414 * @cgrp: The cgroup which descendants to traverse
415 * @prog: A program to detach or NULL
416 * @type: Type of detach operation
418 * Must be called with cgroup_mutex held.
420 int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
421 enum bpf_attach_type type)
423 struct list_head *progs = &cgrp->bpf.progs[type];
424 enum bpf_cgroup_storage_type stype;
425 u32 flags = cgrp->bpf.flags[type];
426 struct bpf_prog *old_prog = NULL;
427 struct bpf_prog_list *pl;
430 if (flags & BPF_F_ALLOW_MULTI) {
432 /* to detach MULTI prog the user has to specify valid FD
433 * of the program to be detached
437 if (list_empty(progs))
438 /* report error when trying to detach and nothing is attached */
442 if (flags & BPF_F_ALLOW_MULTI) {
443 /* find the prog and detach it */
444 list_for_each_entry(pl, progs, node) {
445 if (pl->prog != prog)
448 /* mark it deleted, so it's ignored while
449 * recomputing effective
457 /* to maintain backward compatibility NONE and OVERRIDE cgroups
458 * allow detaching with invalid FD (prog==NULL)
460 pl = list_first_entry(progs, typeof(*pl), node);
465 err = update_effective_progs(cgrp, type);
469 /* now can actually delete it from this cgroup list */
471 for_each_cgroup_storage_type(stype) {
472 bpf_cgroup_storage_unlink(pl->storage[stype]);
473 bpf_cgroup_storage_free(pl->storage[stype]);
476 if (list_empty(progs))
477 /* last program was detached, reset flags to zero */
478 cgrp->bpf.flags[type] = 0;
480 bpf_prog_put(old_prog);
481 static_branch_dec(&cgroup_bpf_enabled_key);
485 /* and restore back old_prog */
490 /* Must be called with cgroup_mutex held to avoid races. */
491 int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
492 union bpf_attr __user *uattr)
494 __u32 __user *prog_ids = u64_to_user_ptr(attr->query.prog_ids);
495 enum bpf_attach_type type = attr->query.attach_type;
496 struct list_head *progs = &cgrp->bpf.progs[type];
497 u32 flags = cgrp->bpf.flags[type];
498 struct bpf_prog_array *effective;
501 effective = rcu_dereference_protected(cgrp->bpf.effective[type],
502 lockdep_is_held(&cgroup_mutex));
504 if (attr->query.query_flags & BPF_F_QUERY_EFFECTIVE)
505 cnt = bpf_prog_array_length(effective);
507 cnt = prog_list_length(progs);
509 if (copy_to_user(&uattr->query.attach_flags, &flags, sizeof(flags)))
511 if (copy_to_user(&uattr->query.prog_cnt, &cnt, sizeof(cnt)))
513 if (attr->query.prog_cnt == 0 || !prog_ids || !cnt)
514 /* return early if user requested only program count + flags */
516 if (attr->query.prog_cnt < cnt) {
517 cnt = attr->query.prog_cnt;
521 if (attr->query.query_flags & BPF_F_QUERY_EFFECTIVE) {
522 return bpf_prog_array_copy_to_user(effective, prog_ids, cnt);
524 struct bpf_prog_list *pl;
528 list_for_each_entry(pl, progs, node) {
529 id = pl->prog->aux->id;
530 if (copy_to_user(prog_ids + i, &id, sizeof(id)))
539 int cgroup_bpf_prog_attach(const union bpf_attr *attr,
540 enum bpf_prog_type ptype, struct bpf_prog *prog)
545 cgrp = cgroup_get_from_fd(attr->target_fd);
547 return PTR_ERR(cgrp);
549 ret = cgroup_bpf_attach(cgrp, prog, attr->attach_type,
555 int cgroup_bpf_prog_detach(const union bpf_attr *attr, enum bpf_prog_type ptype)
557 struct bpf_prog *prog;
561 cgrp = cgroup_get_from_fd(attr->target_fd);
563 return PTR_ERR(cgrp);
565 prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype);
569 ret = cgroup_bpf_detach(cgrp, prog, attr->attach_type, 0);
577 int cgroup_bpf_prog_query(const union bpf_attr *attr,
578 union bpf_attr __user *uattr)
583 cgrp = cgroup_get_from_fd(attr->query.target_fd);
585 return PTR_ERR(cgrp);
587 ret = cgroup_bpf_query(cgrp, attr, uattr);
594 * __cgroup_bpf_run_filter_skb() - Run a program for packet filtering
595 * @sk: The socket sending or receiving traffic
596 * @skb: The skb that is being sent or received
597 * @type: The type of program to be exectuted
599 * If no socket is passed, or the socket is not of type INET or INET6,
600 * this function does nothing and returns 0.
602 * The program type passed in via @type must be suitable for network
603 * filtering. No further check is performed to assert that.
605 * For egress packets, this function can return:
606 * NET_XMIT_SUCCESS (0) - continue with packet output
607 * NET_XMIT_DROP (1) - drop packet and notify TCP to call cwr
608 * NET_XMIT_CN (2) - continue with packet output and notify TCP
610 * -EPERM - drop packet
612 * For ingress packets, this function will return -EPERM if any
613 * attached program was found and if it returned != 1 during execution.
614 * Otherwise 0 is returned.
616 int __cgroup_bpf_run_filter_skb(struct sock *sk,
618 enum bpf_attach_type type)
620 unsigned int offset = skb->data - skb_network_header(skb);
621 struct sock *save_sk;
622 void *saved_data_end;
626 if (!sk || !sk_fullsock(sk))
629 if (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)
632 cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
635 __skb_push(skb, offset);
637 /* compute pointers for the bpf prog */
638 bpf_compute_and_save_data_end(skb, &saved_data_end);
640 if (type == BPF_CGROUP_INET_EGRESS) {
641 ret = BPF_PROG_CGROUP_INET_EGRESS_RUN_ARRAY(
642 cgrp->bpf.effective[type], skb, __bpf_prog_run_save_cb);
644 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], skb,
645 __bpf_prog_run_save_cb);
646 ret = (ret == 1 ? 0 : -EPERM);
648 bpf_restore_data_end(skb, saved_data_end);
649 __skb_pull(skb, offset);
654 EXPORT_SYMBOL(__cgroup_bpf_run_filter_skb);
657 * __cgroup_bpf_run_filter_sk() - Run a program on a sock
658 * @sk: sock structure to manipulate
659 * @type: The type of program to be exectuted
661 * socket is passed is expected to be of type INET or INET6.
663 * The program type passed in via @type must be suitable for sock
664 * filtering. No further check is performed to assert that.
666 * This function will return %-EPERM if any if an attached program was found
667 * and if it returned != 1 during execution. In all other cases, 0 is returned.
669 int __cgroup_bpf_run_filter_sk(struct sock *sk,
670 enum bpf_attach_type type)
672 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
675 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], sk, BPF_PROG_RUN);
676 return ret == 1 ? 0 : -EPERM;
678 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sk);
681 * __cgroup_bpf_run_filter_sock_addr() - Run a program on a sock and
682 * provided by user sockaddr
683 * @sk: sock struct that will use sockaddr
684 * @uaddr: sockaddr struct provided by user
685 * @type: The type of program to be exectuted
686 * @t_ctx: Pointer to attach type specific context
688 * socket is expected to be of type INET or INET6.
690 * This function will return %-EPERM if an attached program is found and
691 * returned value != 1 during execution. In all other cases, 0 is returned.
693 int __cgroup_bpf_run_filter_sock_addr(struct sock *sk,
694 struct sockaddr *uaddr,
695 enum bpf_attach_type type,
698 struct bpf_sock_addr_kern ctx = {
703 struct sockaddr_storage unspec;
707 /* Check socket family since not all sockets represent network
708 * endpoint (e.g. AF_UNIX).
710 if (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)
714 memset(&unspec, 0, sizeof(unspec));
715 ctx.uaddr = (struct sockaddr *)&unspec;
718 cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
719 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx, BPF_PROG_RUN);
721 return ret == 1 ? 0 : -EPERM;
723 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sock_addr);
726 * __cgroup_bpf_run_filter_sock_ops() - Run a program on a sock
727 * @sk: socket to get cgroup from
728 * @sock_ops: bpf_sock_ops_kern struct to pass to program. Contains
729 * sk with connection information (IP addresses, etc.) May not contain
730 * cgroup info if it is a req sock.
731 * @type: The type of program to be exectuted
733 * socket passed is expected to be of type INET or INET6.
735 * The program type passed in via @type must be suitable for sock_ops
736 * filtering. No further check is performed to assert that.
738 * This function will return %-EPERM if any if an attached program was found
739 * and if it returned != 1 during execution. In all other cases, 0 is returned.
741 int __cgroup_bpf_run_filter_sock_ops(struct sock *sk,
742 struct bpf_sock_ops_kern *sock_ops,
743 enum bpf_attach_type type)
745 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
748 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], sock_ops,
750 return ret == 1 ? 0 : -EPERM;
752 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sock_ops);
754 int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor,
755 short access, enum bpf_attach_type type)
758 struct bpf_cgroup_dev_ctx ctx = {
759 .access_type = (access << 16) | dev_type,
766 cgrp = task_dfl_cgroup(current);
767 allow = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx,
773 EXPORT_SYMBOL(__cgroup_bpf_check_dev_permission);
775 static const struct bpf_func_proto *
776 cgroup_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
779 case BPF_FUNC_map_lookup_elem:
780 return &bpf_map_lookup_elem_proto;
781 case BPF_FUNC_map_update_elem:
782 return &bpf_map_update_elem_proto;
783 case BPF_FUNC_map_delete_elem:
784 return &bpf_map_delete_elem_proto;
785 case BPF_FUNC_map_push_elem:
786 return &bpf_map_push_elem_proto;
787 case BPF_FUNC_map_pop_elem:
788 return &bpf_map_pop_elem_proto;
789 case BPF_FUNC_map_peek_elem:
790 return &bpf_map_peek_elem_proto;
791 case BPF_FUNC_get_current_uid_gid:
792 return &bpf_get_current_uid_gid_proto;
793 case BPF_FUNC_get_local_storage:
794 return &bpf_get_local_storage_proto;
795 case BPF_FUNC_get_current_cgroup_id:
796 return &bpf_get_current_cgroup_id_proto;
797 case BPF_FUNC_trace_printk:
798 if (capable(CAP_SYS_ADMIN))
799 return bpf_get_trace_printk_proto();
806 static const struct bpf_func_proto *
807 cgroup_dev_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
809 return cgroup_base_func_proto(func_id, prog);
812 static bool cgroup_dev_is_valid_access(int off, int size,
813 enum bpf_access_type type,
814 const struct bpf_prog *prog,
815 struct bpf_insn_access_aux *info)
817 const int size_default = sizeof(__u32);
819 if (type == BPF_WRITE)
822 if (off < 0 || off + size > sizeof(struct bpf_cgroup_dev_ctx))
824 /* The verifier guarantees that size > 0. */
829 case bpf_ctx_range(struct bpf_cgroup_dev_ctx, access_type):
830 bpf_ctx_record_field_size(info, size_default);
831 if (!bpf_ctx_narrow_access_ok(off, size, size_default))
835 if (size != size_default)
842 const struct bpf_prog_ops cg_dev_prog_ops = {
845 const struct bpf_verifier_ops cg_dev_verifier_ops = {
846 .get_func_proto = cgroup_dev_func_proto,
847 .is_valid_access = cgroup_dev_is_valid_access,
851 * __cgroup_bpf_run_filter_sysctl - Run a program on sysctl
853 * @head: sysctl table header
854 * @table: sysctl table
855 * @write: sysctl is being read (= 0) or written (= 1)
856 * @buf: pointer to buffer passed by user space
857 * @pcount: value-result argument: value is size of buffer pointed to by @buf,
858 * result is size of @new_buf if program set new value, initial value
860 * @ppos: value-result argument: value is position at which read from or write
861 * to sysctl is happening, result is new position if program overrode it,
862 * initial value otherwise
863 * @new_buf: pointer to pointer to new buffer that will be allocated if program
864 * overrides new value provided by user space on sysctl write
865 * NOTE: it's caller responsibility to free *new_buf if it was set
866 * @type: type of program to be executed
868 * Program is run when sysctl is being accessed, either read or written, and
869 * can allow or deny such access.
871 * This function will return %-EPERM if an attached program is found and
872 * returned value != 1 during execution. In all other cases 0 is returned.
874 int __cgroup_bpf_run_filter_sysctl(struct ctl_table_header *head,
875 struct ctl_table *table, int write,
876 void __user *buf, size_t *pcount,
877 loff_t *ppos, void **new_buf,
878 enum bpf_attach_type type)
880 struct bpf_sysctl_kern ctx = {
886 .cur_len = PAGE_SIZE,
894 ctx.cur_val = kmalloc_track_caller(ctx.cur_len, GFP_KERNEL);
901 if (table->proc_handler(table, 0, (void __user *)ctx.cur_val,
902 &ctx.cur_len, &pos)) {
903 /* Let BPF program decide how to proceed. */
908 /* Let BPF program decide how to proceed. */
912 if (write && buf && *pcount) {
913 /* BPF program should be able to override new value with a
914 * buffer bigger than provided by user.
916 ctx.new_val = kmalloc_track_caller(PAGE_SIZE, GFP_KERNEL);
917 ctx.new_len = min_t(size_t, PAGE_SIZE, *pcount);
919 copy_from_user(ctx.new_val, buf, ctx.new_len))
920 /* Let BPF program decide how to proceed. */
925 cgrp = task_dfl_cgroup(current);
926 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx, BPF_PROG_RUN);
931 if (ret == 1 && ctx.new_updated) {
932 *new_buf = ctx.new_val;
933 *pcount = ctx.new_len;
938 return ret == 1 ? 0 : -EPERM;
940 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sysctl);
943 static bool __cgroup_bpf_prog_array_is_empty(struct cgroup *cgrp,
944 enum bpf_attach_type attach_type)
946 struct bpf_prog_array *prog_array;
950 prog_array = rcu_dereference(cgrp->bpf.effective[attach_type]);
951 empty = bpf_prog_array_is_empty(prog_array);
957 static int sockopt_alloc_buf(struct bpf_sockopt_kern *ctx, int max_optlen)
959 if (unlikely(max_optlen > PAGE_SIZE) || max_optlen < 0)
962 ctx->optval = kzalloc(max_optlen, GFP_USER);
966 ctx->optval_end = ctx->optval + max_optlen;
971 static void sockopt_free_buf(struct bpf_sockopt_kern *ctx)
976 int __cgroup_bpf_run_filter_setsockopt(struct sock *sk, int *level,
977 int *optname, char __user *optval,
978 int *optlen, char **kernel_optval)
980 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
981 struct bpf_sockopt_kern ctx = {
988 /* Opportunistic check to see whether we have any BPF program
989 * attached to the hook so we don't waste time allocating
990 * memory and locking the socket.
992 if (!cgroup_bpf_enabled ||
993 __cgroup_bpf_prog_array_is_empty(cgrp, BPF_CGROUP_SETSOCKOPT))
996 /* Allocate a bit more than the initial user buffer for
997 * BPF program. The canonical use case is overriding
998 * TCP_CONGESTION(nv) to TCP_CONGESTION(cubic).
1000 max_optlen = max_t(int, 16, *optlen);
1002 ret = sockopt_alloc_buf(&ctx, max_optlen);
1006 ctx.optlen = *optlen;
1008 if (copy_from_user(ctx.optval, optval, *optlen) != 0) {
1014 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[BPF_CGROUP_SETSOCKOPT],
1015 &ctx, BPF_PROG_RUN);
1023 if (ctx.optlen == -1) {
1024 /* optlen set to -1, bypass kernel */
1026 } else if (ctx.optlen > max_optlen || ctx.optlen < -1) {
1027 /* optlen is out of bounds */
1030 /* optlen within bounds, run kernel handler */
1033 /* export any potential modifications */
1035 *optname = ctx.optname;
1036 *optlen = ctx.optlen;
1037 *kernel_optval = ctx.optval;
1042 sockopt_free_buf(&ctx);
1045 EXPORT_SYMBOL(__cgroup_bpf_run_filter_setsockopt);
1047 int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
1048 int optname, char __user *optval,
1049 int __user *optlen, int max_optlen,
1052 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
1053 struct bpf_sockopt_kern ctx = {
1061 /* Opportunistic check to see whether we have any BPF program
1062 * attached to the hook so we don't waste time allocating
1063 * memory and locking the socket.
1065 if (!cgroup_bpf_enabled ||
1066 __cgroup_bpf_prog_array_is_empty(cgrp, BPF_CGROUP_GETSOCKOPT))
1069 ret = sockopt_alloc_buf(&ctx, max_optlen);
1073 ctx.optlen = max_optlen;
1076 /* If kernel getsockopt finished successfully,
1077 * copy whatever was returned to the user back
1078 * into our temporary buffer. Set optlen to the
1079 * one that kernel returned as well to let
1080 * BPF programs inspect the value.
1083 if (get_user(ctx.optlen, optlen)) {
1088 if (ctx.optlen > max_optlen)
1089 ctx.optlen = max_optlen;
1091 if (copy_from_user(ctx.optval, optval, ctx.optlen) != 0) {
1098 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[BPF_CGROUP_GETSOCKOPT],
1099 &ctx, BPF_PROG_RUN);
1107 if (ctx.optlen > max_optlen) {
1112 /* BPF programs only allowed to set retval to 0, not some
1115 if (ctx.retval != 0 && ctx.retval != retval) {
1120 if (copy_to_user(optval, ctx.optval, ctx.optlen) ||
1121 put_user(ctx.optlen, optlen)) {
1129 sockopt_free_buf(&ctx);
1132 EXPORT_SYMBOL(__cgroup_bpf_run_filter_getsockopt);
1135 static ssize_t sysctl_cpy_dir(const struct ctl_dir *dir, char **bufp,
1138 ssize_t tmp_ret = 0, ret;
1140 if (dir->header.parent) {
1141 tmp_ret = sysctl_cpy_dir(dir->header.parent, bufp, lenp);
1146 ret = strscpy(*bufp, dir->header.ctl_table[0].procname, *lenp);
1153 /* Avoid leading slash. */
1157 tmp_ret = strscpy(*bufp, "/", *lenp);
1163 return ret + tmp_ret;
1166 BPF_CALL_4(bpf_sysctl_get_name, struct bpf_sysctl_kern *, ctx, char *, buf,
1167 size_t, buf_len, u64, flags)
1169 ssize_t tmp_ret = 0, ret;
1174 if (!(flags & BPF_F_SYSCTL_BASE_NAME)) {
1177 tmp_ret = sysctl_cpy_dir(ctx->head->parent, &buf, &buf_len);
1182 ret = strscpy(buf, ctx->table->procname, buf_len);
1184 return ret < 0 ? ret : tmp_ret + ret;
1187 static const struct bpf_func_proto bpf_sysctl_get_name_proto = {
1188 .func = bpf_sysctl_get_name,
1190 .ret_type = RET_INTEGER,
1191 .arg1_type = ARG_PTR_TO_CTX,
1192 .arg2_type = ARG_PTR_TO_MEM,
1193 .arg3_type = ARG_CONST_SIZE,
1194 .arg4_type = ARG_ANYTHING,
1197 static int copy_sysctl_value(char *dst, size_t dst_len, char *src,
1206 if (!src || !src_len) {
1207 memset(dst, 0, dst_len);
1211 memcpy(dst, src, min(dst_len, src_len));
1213 if (dst_len > src_len) {
1214 memset(dst + src_len, '\0', dst_len - src_len);
1218 dst[dst_len - 1] = '\0';
1223 BPF_CALL_3(bpf_sysctl_get_current_value, struct bpf_sysctl_kern *, ctx,
1224 char *, buf, size_t, buf_len)
1226 return copy_sysctl_value(buf, buf_len, ctx->cur_val, ctx->cur_len);
1229 static const struct bpf_func_proto bpf_sysctl_get_current_value_proto = {
1230 .func = bpf_sysctl_get_current_value,
1232 .ret_type = RET_INTEGER,
1233 .arg1_type = ARG_PTR_TO_CTX,
1234 .arg2_type = ARG_PTR_TO_UNINIT_MEM,
1235 .arg3_type = ARG_CONST_SIZE,
1238 BPF_CALL_3(bpf_sysctl_get_new_value, struct bpf_sysctl_kern *, ctx, char *, buf,
1243 memset(buf, '\0', buf_len);
1246 return copy_sysctl_value(buf, buf_len, ctx->new_val, ctx->new_len);
1249 static const struct bpf_func_proto bpf_sysctl_get_new_value_proto = {
1250 .func = bpf_sysctl_get_new_value,
1252 .ret_type = RET_INTEGER,
1253 .arg1_type = ARG_PTR_TO_CTX,
1254 .arg2_type = ARG_PTR_TO_UNINIT_MEM,
1255 .arg3_type = ARG_CONST_SIZE,
1258 BPF_CALL_3(bpf_sysctl_set_new_value, struct bpf_sysctl_kern *, ctx,
1259 const char *, buf, size_t, buf_len)
1261 if (!ctx->write || !ctx->new_val || !ctx->new_len || !buf || !buf_len)
1264 if (buf_len > PAGE_SIZE - 1)
1267 memcpy(ctx->new_val, buf, buf_len);
1268 ctx->new_len = buf_len;
1269 ctx->new_updated = 1;
1274 static const struct bpf_func_proto bpf_sysctl_set_new_value_proto = {
1275 .func = bpf_sysctl_set_new_value,
1277 .ret_type = RET_INTEGER,
1278 .arg1_type = ARG_PTR_TO_CTX,
1279 .arg2_type = ARG_PTR_TO_MEM,
1280 .arg3_type = ARG_CONST_SIZE,
1283 static const struct bpf_func_proto *
1284 sysctl_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
1287 case BPF_FUNC_strtol:
1288 return &bpf_strtol_proto;
1289 case BPF_FUNC_strtoul:
1290 return &bpf_strtoul_proto;
1291 case BPF_FUNC_sysctl_get_name:
1292 return &bpf_sysctl_get_name_proto;
1293 case BPF_FUNC_sysctl_get_current_value:
1294 return &bpf_sysctl_get_current_value_proto;
1295 case BPF_FUNC_sysctl_get_new_value:
1296 return &bpf_sysctl_get_new_value_proto;
1297 case BPF_FUNC_sysctl_set_new_value:
1298 return &bpf_sysctl_set_new_value_proto;
1300 return cgroup_base_func_proto(func_id, prog);
1304 static bool sysctl_is_valid_access(int off, int size, enum bpf_access_type type,
1305 const struct bpf_prog *prog,
1306 struct bpf_insn_access_aux *info)
1308 const int size_default = sizeof(__u32);
1310 if (off < 0 || off + size > sizeof(struct bpf_sysctl) || off % size)
1314 case bpf_ctx_range(struct bpf_sysctl, write):
1315 if (type != BPF_READ)
1317 bpf_ctx_record_field_size(info, size_default);
1318 return bpf_ctx_narrow_access_ok(off, size, size_default);
1319 case bpf_ctx_range(struct bpf_sysctl, file_pos):
1320 if (type == BPF_READ) {
1321 bpf_ctx_record_field_size(info, size_default);
1322 return bpf_ctx_narrow_access_ok(off, size, size_default);
1324 return size == size_default;
1331 static u32 sysctl_convert_ctx_access(enum bpf_access_type type,
1332 const struct bpf_insn *si,
1333 struct bpf_insn *insn_buf,
1334 struct bpf_prog *prog, u32 *target_size)
1336 struct bpf_insn *insn = insn_buf;
1340 case offsetof(struct bpf_sysctl, write):
1341 *insn++ = BPF_LDX_MEM(
1342 BPF_SIZE(si->code), si->dst_reg, si->src_reg,
1343 bpf_target_off(struct bpf_sysctl_kern, write,
1344 FIELD_SIZEOF(struct bpf_sysctl_kern,
1348 case offsetof(struct bpf_sysctl, file_pos):
1349 /* ppos is a pointer so it should be accessed via indirect
1350 * loads and stores. Also for stores additional temporary
1351 * register is used since neither src_reg nor dst_reg can be
1354 if (type == BPF_WRITE) {
1355 int treg = BPF_REG_9;
1357 if (si->src_reg == treg || si->dst_reg == treg)
1359 if (si->src_reg == treg || si->dst_reg == treg)
1361 *insn++ = BPF_STX_MEM(
1362 BPF_DW, si->dst_reg, treg,
1363 offsetof(struct bpf_sysctl_kern, tmp_reg));
1364 *insn++ = BPF_LDX_MEM(
1365 BPF_FIELD_SIZEOF(struct bpf_sysctl_kern, ppos),
1367 offsetof(struct bpf_sysctl_kern, ppos));
1368 *insn++ = BPF_STX_MEM(
1369 BPF_SIZEOF(u32), treg, si->src_reg,
1370 bpf_ctx_narrow_access_offset(
1371 0, sizeof(u32), sizeof(loff_t)));
1372 *insn++ = BPF_LDX_MEM(
1373 BPF_DW, treg, si->dst_reg,
1374 offsetof(struct bpf_sysctl_kern, tmp_reg));
1376 *insn++ = BPF_LDX_MEM(
1377 BPF_FIELD_SIZEOF(struct bpf_sysctl_kern, ppos),
1378 si->dst_reg, si->src_reg,
1379 offsetof(struct bpf_sysctl_kern, ppos));
1380 read_size = bpf_size_to_bytes(BPF_SIZE(si->code));
1381 *insn++ = BPF_LDX_MEM(
1382 BPF_SIZE(si->code), si->dst_reg, si->dst_reg,
1383 bpf_ctx_narrow_access_offset(
1384 0, read_size, sizeof(loff_t)));
1386 *target_size = sizeof(u32);
1390 return insn - insn_buf;
1393 const struct bpf_verifier_ops cg_sysctl_verifier_ops = {
1394 .get_func_proto = sysctl_func_proto,
1395 .is_valid_access = sysctl_is_valid_access,
1396 .convert_ctx_access = sysctl_convert_ctx_access,
1399 const struct bpf_prog_ops cg_sysctl_prog_ops = {
1402 static const struct bpf_func_proto *
1403 cg_sockopt_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
1407 case BPF_FUNC_sk_storage_get:
1408 return &bpf_sk_storage_get_proto;
1409 case BPF_FUNC_sk_storage_delete:
1410 return &bpf_sk_storage_delete_proto;
1413 case BPF_FUNC_tcp_sock:
1414 return &bpf_tcp_sock_proto;
1417 return cgroup_base_func_proto(func_id, prog);
1421 static bool cg_sockopt_is_valid_access(int off, int size,
1422 enum bpf_access_type type,
1423 const struct bpf_prog *prog,
1424 struct bpf_insn_access_aux *info)
1426 const int size_default = sizeof(__u32);
1428 if (off < 0 || off >= sizeof(struct bpf_sockopt))
1431 if (off % size != 0)
1434 if (type == BPF_WRITE) {
1436 case offsetof(struct bpf_sockopt, retval):
1437 if (size != size_default)
1439 return prog->expected_attach_type ==
1440 BPF_CGROUP_GETSOCKOPT;
1441 case offsetof(struct bpf_sockopt, optname):
1443 case offsetof(struct bpf_sockopt, level):
1444 if (size != size_default)
1446 return prog->expected_attach_type ==
1447 BPF_CGROUP_SETSOCKOPT;
1448 case offsetof(struct bpf_sockopt, optlen):
1449 return size == size_default;
1456 case offsetof(struct bpf_sockopt, sk):
1457 if (size != sizeof(__u64))
1459 info->reg_type = PTR_TO_SOCKET;
1461 case offsetof(struct bpf_sockopt, optval):
1462 if (size != sizeof(__u64))
1464 info->reg_type = PTR_TO_PACKET;
1466 case offsetof(struct bpf_sockopt, optval_end):
1467 if (size != sizeof(__u64))
1469 info->reg_type = PTR_TO_PACKET_END;
1471 case offsetof(struct bpf_sockopt, retval):
1472 if (size != size_default)
1474 return prog->expected_attach_type == BPF_CGROUP_GETSOCKOPT;
1476 if (size != size_default)
1483 #define CG_SOCKOPT_ACCESS_FIELD(T, F) \
1484 T(BPF_FIELD_SIZEOF(struct bpf_sockopt_kern, F), \
1485 si->dst_reg, si->src_reg, \
1486 offsetof(struct bpf_sockopt_kern, F))
1488 static u32 cg_sockopt_convert_ctx_access(enum bpf_access_type type,
1489 const struct bpf_insn *si,
1490 struct bpf_insn *insn_buf,
1491 struct bpf_prog *prog,
1494 struct bpf_insn *insn = insn_buf;
1497 case offsetof(struct bpf_sockopt, sk):
1498 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, sk);
1500 case offsetof(struct bpf_sockopt, level):
1501 if (type == BPF_WRITE)
1502 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_STX_MEM, level);
1504 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, level);
1506 case offsetof(struct bpf_sockopt, optname):
1507 if (type == BPF_WRITE)
1508 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_STX_MEM, optname);
1510 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, optname);
1512 case offsetof(struct bpf_sockopt, optlen):
1513 if (type == BPF_WRITE)
1514 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_STX_MEM, optlen);
1516 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, optlen);
1518 case offsetof(struct bpf_sockopt, retval):
1519 if (type == BPF_WRITE)
1520 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_STX_MEM, retval);
1522 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, retval);
1524 case offsetof(struct bpf_sockopt, optval):
1525 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, optval);
1527 case offsetof(struct bpf_sockopt, optval_end):
1528 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, optval_end);
1532 return insn - insn_buf;
1535 static int cg_sockopt_get_prologue(struct bpf_insn *insn_buf,
1537 const struct bpf_prog *prog)
1539 /* Nothing to do for sockopt argument. The data is kzalloc'ated.
1544 const struct bpf_verifier_ops cg_sockopt_verifier_ops = {
1545 .get_func_proto = cg_sockopt_func_proto,
1546 .is_valid_access = cg_sockopt_is_valid_access,
1547 .convert_ctx_access = cg_sockopt_convert_ctx_access,
1548 .gen_prologue = cg_sockopt_get_prologue,
1551 const struct bpf_prog_ops cg_sockopt_prog_ops = {
projects / linux-2.6-block.git / blob