* [PATCH bpf-next] bpf: permit CGROUP_DEVICE programs accessing helper bpf_get_current_cgroup_id()
@ 2018-09-27 21:37 Yonghong Song
2018-09-28 9:11 ` Alexei Starovoitov
2018-09-28 9:53 ` Roman Gushchin
0 siblings, 2 replies; 4+ messages in thread
From: Yonghong Song @ 2018-09-27 21:37 UTC (permalink / raw)
To: ast, daniel, netdev, guro; +Cc: kernel-team
Currently, helper bpf_get_current_cgroup_id() is not permitted
for CGROUP_DEVICE type of programs. If the helper is used
in such cases, the verifier will log the following error:
0: (bf) r6 = r1
1: (69) r7 = *(u16 *)(r6 +0)
2: (85) call bpf_get_current_cgroup_id#80
unknown func bpf_get_current_cgroup_id#80
The bpf_get_current_cgroup_id() is useful for CGROUP_DEVICE
type of programs in order to customize action based on cgroup id.
This patch added such support.
Cc: Roman Gushchin <guro@fb.com>
Signed-off-by: Yonghong Song <yhs@fb.com>
---
kernel/bpf/cgroup.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 065c3d9ff8eb..00f6ed2e4f9a 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -707,6 +707,8 @@ cgroup_dev_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
return &bpf_get_current_uid_gid_proto;
case BPF_FUNC_get_local_storage:
return &bpf_get_local_storage_proto;
+ case BPF_FUNC_get_current_cgroup_id:
+ return &bpf_get_current_cgroup_id_proto;
case BPF_FUNC_trace_printk:
if (capable(CAP_SYS_ADMIN))
return bpf_get_trace_printk_proto();
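Review bot: the new BPF_FUNC_get_current_cgroup_id case in cgroup_dev_func_proto() comes with no test coverage; the diffstat shows only kernel/bpf/cgroup.c changed, so nothing checks that a CGROUP_DEVICE program calling the helper now passes the verifier instead of failing with the "unknown func" error quoted in the commit message. Please add a selftest that loads such a program and calls the helper. The case is returned unconditionally, like the get_current_uid_gid and get_local_storage cases above it and unlike the capable(CAP_SYS_ADMIN) check on trace_printk below it; a sentence in the commit message saying that no capability check is needed would make that choice explicit. It would also help to document that the id returned is that of the cgroup of the task attempting the device access, which can be a descendant of the cgroup the program is attached to, so policies that compare ids need to account for the hierarchy.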
--
2.17.1
* Re: [PATCH bpf-next] bpf: permit CGROUP_DEVICE programs accessing helper bpf_get_current_cgroup_id()
From: Alexei Starovoitov @ 2018-09-28 9:11 UTC (permalink / raw)
To: Yonghong Song; +Cc: ast, daniel, netdev, guro, kernel-team
On Thu, Sep 27, 2018 at 02:37:30PM -0700, Yonghong Song wrote:
> Currently, helper bpf_get_current_cgroup_id() is not permitted
> for CGROUP_DEVICE type of programs. If the helper is used
> in such cases, the verifier will log the following error:
>
> 0: (bf) r6 = r1
> 1: (69) r7 = *(u16 *)(r6 +0)
> 2: (85) call bpf_get_current_cgroup_id#80
> unknown func bpf_get_current_cgroup_id#80
>
> The bpf_get_current_cgroup_id() is useful for CGROUP_DEVICE
> type of programs in order to customize action based on cgroup id.
> This patch added such support.
>
> Cc: Roman Gushchin <guro@fb.com>
> Signed-off-by: Yonghong Song <yhs@fb.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
* Re: [PATCH bpf-next] bpf: permit CGROUP_DEVICE programs accessing helper bpf_get_current_cgroup_id()
From: Roman Gushchin @ 2018-09-28 9:53 UTC (permalink / raw)
To: Yonghong Song; +Cc: ast, daniel, netdev, kernel-team
On Thu, Sep 27, 2018 at 02:37:30PM -0700, Yonghong Song wrote:
> Currently, helper bpf_get_current_cgroup_id() is not permitted
> for CGROUP_DEVICE type of programs. If the helper is used
> in such cases, the verifier will log the following error:
>
> 0: (bf) r6 = r1
> 1: (69) r7 = *(u16 *)(r6 +0)
> 2: (85) call bpf_get_current_cgroup_id#80
> unknown func bpf_get_current_cgroup_id#80
>
> The bpf_get_current_cgroup_id() is useful for CGROUP_DEVICE
> type of programs in order to customize action based on cgroup id.
> This patch added such support.
>
> Cc: Roman Gushchin <guro@fb.com>
> Signed-off-by: Yonghong Song <yhs@fb.com>
Acked-by: Roman Gushchin <guro@fb.com>
Thanks, Yonghong!
* Re: [PATCH bpf-next] bpf: permit CGROUP_DEVICE programs accessing helper bpf_get_current_cgroup_id()
From: Daniel Borkmann @ 2018-09-28 12:16 UTC (permalink / raw)
To: Roman Gushchin, Yonghong Song; +Cc: ast, netdev, kernel-team
On 09/28/2018 11:53 AM, Roman Gushchin wrote:
> On Thu, Sep 27, 2018 at 02:37:30PM -0700, Yonghong Song wrote:
>> Currently, helper bpf_get_current_cgroup_id() is not permitted
>> for CGROUP_DEVICE type of programs. If the helper is used
>> in such cases, the verifier will log the following error:
>>
>> 0: (bf) r6 = r1
>> 1: (69) r7 = *(u16 *)(r6 +0)
>> 2: (85) call bpf_get_current_cgroup_id#80
>> unknown func bpf_get_current_cgroup_id#80
>>
>> The bpf_get_current_cgroup_id() is useful for CGROUP_DEVICE
>> type of programs in order to customize action based on cgroup id.
>> This patch added such support.
>>
>> Cc: Roman Gushchin <guro@fb.com>
>> Signed-off-by: Yonghong Song <yhs@fb.com>
>
> Acked-by: Roman Gushchin <guro@fb.com>
Applied to bpf-next, thanks!