From: Daniel Mack <daniel@zonque.org>
To: htejun@fb.com, daniel@iogearbox.net, ast@fb.com
Cc: davem@davemloft.net, kafai@fb.com, fw@strlen.de,
pablo@netfilter.org, harald@redhat.com, netdev@vger.kernel.org,
sargun@sargun.me, Daniel Mack <daniel@zonque.org>
Subject: [PATCH v3 3/6] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands
Date: Fri, 26 Aug 2016 21:58:49 +0200 [thread overview]
Message-ID: <1472241532-11682-4-git-send-email-daniel@zonque.org> (raw)
In-Reply-To: <1472241532-11682-1-git-send-email-daniel@zonque.org>
Extend the bpf(2) syscall by two new commands, BPF_PROG_ATTACH and
BPF_PROG_DETACH which allow attaching and detaching eBPF programs
to a target.
On the API level, the target could be anything that has an fd in
userspace, hence the name of the field in union bpf_attr is called
'target_fd'.
When called with BPF_ATTACH_TYPE_CGROUP_INET_{E,IN}GRESS, the target is
expected to be a valid file descriptor of a cgroup v2 directory which
has the bpf controller enabled. These are the only use-cases
implemented by this patch at this point, but more can be added.
If a program of the given type already exists in the given cgroup,
the program is swapped automically, so userspace does not have to drop
an existing program first before installing a new one, which would
otherwise leave a gap in which no program is attached.
For more information on the propagation logic to subcgroups, please
refer to the bpf cgroup controller implementation.
The API is guarded by CAP_NET_ADMIN.
Signed-off-by: Daniel Mack <daniel@zonque.org>
syscall
---
include/uapi/linux/bpf.h | 9 ++++++
kernel/bpf/syscall.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 92 insertions(+)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 1d5db42..4cc2dcf 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -73,6 +73,8 @@ enum bpf_cmd {
BPF_PROG_LOAD,
BPF_OBJ_PIN,
BPF_OBJ_GET,
+ BPF_PROG_ATTACH,
+ BPF_PROG_DETACH,
};
enum bpf_map_type {
@@ -147,6 +149,13 @@ union bpf_attr {
__aligned_u64 pathname;
__u32 bpf_fd;
};
+
+ struct { /* anonymous struct used by BPF_PROG_ATTACH/DETACH commands */
+ __u32 target_fd; /* container object to attach to */
+ __u32 attach_bpf_fd; /* eBPF program to attach */
+ __u32 attach_type; /* BPF_ATTACH_TYPE_* */
+ __u64 attach_flags;
+ };
} __attribute__((aligned(8)));
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 228f962..cc4d603 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -822,6 +822,79 @@ static int bpf_obj_get(const union bpf_attr *attr)
return bpf_obj_get_user(u64_to_ptr(attr->pathname));
}
+#ifdef CONFIG_CGROUP_BPF
+static int bpf_prog_attach(const union bpf_attr *attr)
+{
+ struct bpf_prog *prog;
+
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
+ /* Flags are unused for now */
+ if (attr->attach_flags != 0)
+ return -EINVAL;
+
+ switch (attr->attach_type) {
+ case BPF_ATTACH_TYPE_CGROUP_INET_INGRESS:
+ case BPF_ATTACH_TYPE_CGROUP_INET_EGRESS: {
+ struct cgroup *cgrp;
+
+ prog = bpf_prog_get_type(attr->attach_bpf_fd,
+ BPF_PROG_TYPE_CGROUP_SOCKET_FILTER);
+ if (IS_ERR(prog))
+ return PTR_ERR(prog);
+
+ cgrp = cgroup_get_from_fd(attr->target_fd);
+ if (IS_ERR(cgrp)) {
+ bpf_prog_put(prog);
+ return PTR_ERR(cgrp);
+ }
+
+ cgroup_bpf_update(cgrp, prog, attr->attach_type);
+ cgroup_put(cgrp);
+
+ break;
+ }
+
+ default:
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static int bpf_prog_detach(const union bpf_attr *attr)
+{
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
+ /* Flags are unused for now */
+ if (attr->attach_flags != 0)
+ return -EINVAL;
+
+ switch (attr->attach_type) {
+ case BPF_ATTACH_TYPE_CGROUP_INET_INGRESS:
+ case BPF_ATTACH_TYPE_CGROUP_INET_EGRESS: {
+ struct cgroup *cgrp;
+
+ cgrp = cgroup_get_from_fd(attr->target_fd);
+ if (IS_ERR(cgrp))
+ return PTR_ERR(cgrp);
+
+ cgroup_bpf_update(cgrp, NULL, attr->attach_type);
+ cgroup_put(cgrp);
+
+ break;
+ }
+
+ default:
+ return -EINVAL;
+ }
+
+ return 0;
+}
+#endif /* CONFIG_CGROUP_BPF */
+
SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size)
{
union bpf_attr attr = {};
@@ -888,6 +961,16 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
case BPF_OBJ_GET:
err = bpf_obj_get(&attr);
break;
+
+#ifdef CONFIG_CGROUP_BPF
+ case BPF_PROG_ATTACH:
+ err = bpf_prog_attach(&attr);
+ break;
+ case BPF_PROG_DETACH:
+ err = bpf_prog_detach(&attr);
+ break;
+#endif
+
default:
err = -EINVAL;
break;
--
2.5.5
next prev parent reply other threads:[~2016-08-26 19:59 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-26 19:58 [PATCH v3 0/6] Add eBPF hooks for cgroups Daniel Mack
2016-08-26 19:58 ` [PATCH v3 1/6] bpf: add new prog type for cgroup socket filtering Daniel Mack
2016-08-29 22:14 ` Daniel Borkmann
2016-09-05 12:48 ` Daniel Mack
2016-08-26 19:58 ` [PATCH v3 2/6] cgroup: add support for eBPF programs Daniel Mack
2016-08-27 0:03 ` Alexei Starovoitov
2016-09-05 12:47 ` Daniel Mack
2016-08-29 22:42 ` Daniel Borkmann
2016-09-05 12:50 ` Daniel Mack
2016-08-29 23:04 ` Sargun Dhillon
2016-09-05 14:49 ` Daniel Mack
2016-09-05 21:40 ` Sargun Dhillon
2016-09-05 22:39 ` Alexei Starovoitov
2016-08-26 19:58 ` Daniel Mack [this message]
2016-08-27 0:08 ` [PATCH v3 3/6] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands Alexei Starovoitov
2016-09-05 12:56 ` Daniel Mack
2016-09-05 15:30 ` David Laight
2016-09-05 15:40 ` Daniel Mack
2016-09-05 17:29 ` Joe Perches
2016-08-29 23:00 ` Daniel Borkmann
2016-09-05 12:54 ` Daniel Mack
2016-09-05 13:56 ` Daniel Borkmann
2016-09-05 14:09 ` Daniel Mack
2016-09-05 17:09 ` Daniel Borkmann
2016-09-05 18:32 ` Alexei Starovoitov
2016-09-05 18:43 ` Daniel Mack
2016-08-26 19:58 ` [PATCH v3 4/6] net: filter: run cgroup eBPF ingress programs Daniel Mack
2016-08-29 23:15 ` Daniel Borkmann
2016-08-26 19:58 ` [PATCH v3 5/6] net: core: run cgroup eBPF egress programs Daniel Mack
2016-08-29 22:03 ` Daniel Borkmann
2016-08-29 22:23 ` Sargun Dhillon
2016-09-05 14:22 ` Daniel Mack
2016-09-06 17:14 ` Daniel Borkmann
2016-08-26 19:58 ` [PATCH v3 6/6] samples: bpf: add userspace example for attaching eBPF programs to cgroups Daniel Mack
2016-08-27 13:00 ` [PATCH v3 0/6] Add eBPF hooks for cgroups Rami Rosen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1472241532-11682-4-git-send-email-daniel@zonque.org \
--to=daniel@zonque.org \
--cc=ast@fb.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=harald@redhat.com \
--cc=htejun@fb.com \
--cc=kafai@fb.com \
--cc=netdev@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=sargun@sargun.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.