From: YiFei Zhu <zhuyifei1999@gmail.com>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Stanislav Fomichev <sdf@google.com>,
YiFei Zhu <zhuyifei@google.com>
Subject: [PATCH bpf-next 0/3] bpf: allow cgroup progs to export custom errnos to userspace
Date: Wed, 6 Oct 2021 09:02:39 -0700
Message-ID: <cover.1633535940.git.zhuyifei@google.com>

From: YiFei Zhu <zhuyifei@google.com>

Right now, most cgroup hooks are best used for permission checks. They
can only reject a syscall with -EPERM, so a cause of a rejection, if
rejected by eBPF cgroup hooks, is ambiguous to userspace.
Additionally, if the syscalls are implemented in eBPF, all permission
checks and the implementation have to happen within the same filter,
as programs executed later in the series of progs are unaware of the
return values returned by the previous progs.

This patch series adds a helper, bpf_export_errno, that allows hooks
to get/set the errno exported by eBPF to userspace. Invoking the helper
with a positive errno will set the exported errno, and invoking the
helper with zero will return the previously set errno. This means
that an errno, once set, can be overridden but cannot be unset. This
also allows later progs to retrieve errnos set by previous progs.

For legacy programs that reject a syscall without setting the exported
errno, for backwards compatibility, if a prog rejects without itself
or a prior prog setting errno, the errno is set by the kernel to -EPERM.

Tests have been added in this series to test the behavior of the helper
with cgroup setsockopt and getsockopt hooks.

Patch 1 changes the API of macros to prepare for the next patch and
should be a no-op.
Patch 2 implements the helper and the tracking of errno.
Patch 3 tests the behaviors of the helper.

YiFei Zhu (3):
  bpf: Make BPF_PROG_RUN_ARRAY return -errno instead of allow boolean
  bpf: Add cgroup helper bpf_export_errno to get/set exported errno
    value
  selftests/bpf: Test bpf_export_errno behavior with cgroup/sockopt

 include/linux/bpf.h                           |  27 +-
 include/uapi/linux/bpf.h                      |  14 +
 kernel/bpf/cgroup.c                           |  65 ++-
 security/device_cgroup.c                      |   2 +-
 tools/include/uapi/linux/bpf.h                |  14 +
 .../bpf/prog_tests/cgroup_export_errno.c      | 472 ++++++++++++++++++
 .../progs/cgroup_export_errno_getsockopt.c    |  45 ++
 .../progs/cgroup_export_errno_setsockopt.c    |  52 ++
 8 files changed, 651 insertions(+), 40 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/cgroup_export_errno.c
 create mode 100644 tools/testing/selftests/bpf/progs/cgroup_export_errno_getsockopt.c
 create mode 100644 tools/testing/selftests/bpf/progs/cgroup_export_errno_setsockopt.c
--
2.33.0
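
The errno-tracking semantics described in the cover letter above, as a userspace C model added here for illustration; it is not code from the patch series. The names run_ctx, run_array, export_errno and the sample progs are hypothetical, and two points are assumptions of the model: what the helper returns after a set, and a result of 0 when no prog rejects.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: the state one hook invocation shares across its progs. */
struct run_ctx { int exported_errno; };            /* 0 = nothing set yet */
typedef int (*prog_fn)(struct run_ctx *);          /* returns 1 = allow, 0 = reject */

/* Models the described helper: a positive err sets, zero reads back.
 * Returning the current value after a set is an assumption of this model. */
static int export_errno(struct run_ctx *ctx, int err)
{
    if (err > 0)
        ctx->exported_errno = err;                 /* can override, never unset */
    return ctx->exported_errno;
}

static int allow_all(struct run_ctx *ctx)      { (void)ctx; return 1; }
static int legacy_reject(struct run_ctx *ctx)  { (void)ctx; return 0; }
static int reject_notsupp(struct run_ctx *ctx) { export_errno(ctx, EOPNOTSUPP); return 0; }
/* A later prog reads what an earlier prog set and replaces it. */
static int remap_to_busy(struct run_ctx *ctx)
{
    if (export_errno(ctx, 0) == EOPNOTSUPP)
        export_errno(ctx, EBUSY);
    return 1;
}

/* Runs every prog; a rejection with no errno set so far falls back to EPERM. */
static int run_array(prog_fn *progs, size_t n)
{
    struct run_ctx ctx = { 0 };
    int allow = 1;
    for (size_t i = 0; i < n; i++) {
        int ret = progs[i](&ctx);
        if (!ret && !ctx.exported_errno)
            ctx.exported_errno = EPERM;            /* legacy prog: backwards compatible */
        allow &= ret;
    }
    /* Assumption: with no rejection the model returns 0; the letter covers rejects only. */
    return allow ? 0 : -ctx.exported_errno;
}

/* Constructed prog chains covering the three cases in the cover letter. */
int demo_legacy(void)   { prog_fn p[] = { allow_all, legacy_reject };      return run_array(p, 2); }
int demo_custom(void)   { prog_fn p[] = { reject_notsupp, legacy_reject }; return run_array(p, 2); }
int demo_override(void) { prog_fn p[] = { reject_notsupp, remap_to_busy }; return run_array(p, 2); }

int main(void) { printf("%d %d %d\n", demo_legacy(), demo_custom(), demo_override()); return 0; }
```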