Merge branch 'eBPF-based-device-cgroup-controller'

				     struct bpf_sock_ops_kern *sock_ops,

				     enum bpf_attach_type type);

int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor,

				      short access, enum bpf_attach_type type);

/* Wrappers for __cgroup_bpf_run_filter_skb() guarded by cgroup_bpf_enabled. */

#define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb)			      \

({									      \

	}								       \

	__ret;								       \

})

#define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access)	      \

({									      \

	int __ret = 0;							      \

	if (cgroup_bpf_enabled)						      \

		__ret = __cgroup_bpf_check_dev_permission(type, major, minor, \

							  access,	      \

							  BPF_CGROUP_DEVICE); \

									      \

	__ret;								      \

})

#else

struct cgroup_bpf {};

#define BPF_CGROUP_RUN_PROG_INET_EGRESS(sk,skb) ({ 0; })

#define BPF_CGROUP_RUN_PROG_INET_SOCK(sk) ({ 0; })

#define BPF_CGROUP_RUN_PROG_SOCK_OPS(sock_ops) ({ 0; })

#define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type,major,minor,access) ({ 0; })

#endif /* CONFIG_CGROUP_BPF */

BPF_PROG_TYPE(BPF_PROG_TYPE_TRACEPOINT, tracepoint)

BPF_PROG_TYPE(BPF_PROG_TYPE_PERF_EVENT, perf_event)

#endif

#ifdef CONFIG_CGROUP_BPF

BPF_PROG_TYPE(BPF_PROG_TYPE_CGROUP_DEVICE, cg_dev)

#endif

BPF_MAP_TYPE(BPF_MAP_TYPE_ARRAY, array_map_ops)

BPF_MAP_TYPE(BPF_MAP_TYPE_PERCPU_ARRAY, percpu_array_map_ops)

/* SPDX-License-Identifier: GPL-2.0 */

#include <linux/fs.h>

#include <linux/bpf-cgroup.h>

#define DEVCG_ACC_MKNOD 1

#define DEVCG_ACC_READ  2

#define DEVCG_ACC_WRITE 4

#define DEVCG_ACC_MASK (DEVCG_ACC_MKNOD | DEVCG_ACC_READ | DEVCG_ACC_WRITE)

#define DEVCG_DEV_BLOCK 1

#define DEVCG_DEV_CHAR  2

#define DEVCG_DEV_ALL   4  /* this represents all devices */

#ifdef CONFIG_CGROUP_DEVICE

extern int __devcgroup_inode_permission(struct inode *inode, int mask);

extern int devcgroup_inode_mknod(int mode, dev_t dev);

extern int __devcgroup_check_permission(short type, u32 major, u32 minor,

					short access);

#else

static inline int __devcgroup_check_permission(short type, u32 major, u32 minor,

					       short access)

{ return 0; }

#endif

#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)

static inline int devcgroup_check_permission(short type, u32 major, u32 minor,

					     short access)

{

	int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);

	if (rc)

		return -EPERM;

	return __devcgroup_check_permission(type, major, minor, access);

}

static inline int devcgroup_inode_permission(struct inode *inode, int mask)

{

	short type, access = 0;

	if (likely(!inode->i_rdev))

		return 0;

	if (!S_ISBLK(inode->i_mode) && !S_ISCHR(inode->i_mode))

	if (S_ISBLK(inode->i_mode))

		type = DEVCG_DEV_BLOCK;

	else if (S_ISCHR(inode->i_mode))

		type = DEVCG_DEV_CHAR;

	else

		return 0;

	if (mask & MAY_WRITE)

		access |= DEVCG_ACC_WRITE;

	if (mask & MAY_READ)

		access |= DEVCG_ACC_READ;

	return devcgroup_check_permission(type, imajor(inode), iminor(inode),

					  access);

}

static inline int devcgroup_inode_mknod(int mode, dev_t dev)

{

	short type;

	if (!S_ISBLK(mode) && !S_ISCHR(mode))

		return 0;

	return __devcgroup_inode_permission(inode, mask);

	if (S_ISBLK(mode))

		type = DEVCG_DEV_BLOCK;

	else

		type = DEVCG_DEV_CHAR;

	return devcgroup_check_permission(type, MAJOR(dev), MINOR(dev),

					  DEVCG_ACC_MKNOD);

}

#else

static inline int devcgroup_inode_permission(struct inode *inode, int mask)

{ return 0; }

	BPF_PROG_TYPE_LWT_XMIT,

	BPF_PROG_TYPE_SOCK_OPS,

	BPF_PROG_TYPE_SK_SKB,

	BPF_PROG_TYPE_CGROUP_DEVICE,

};

enum bpf_attach_type {

	BPF_CGROUP_SOCK_OPS,

	BPF_SK_SKB_STREAM_PARSER,

	BPF_SK_SKB_STREAM_VERDICT,

	BPF_CGROUP_DEVICE,

	__MAX_BPF_ATTACH_TYPE

};

	__u64 running;

};

#define BPF_DEVCG_ACC_MKNOD	(1ULL << 0)

#define BPF_DEVCG_ACC_READ	(1ULL << 1)

#define BPF_DEVCG_ACC_WRITE	(1ULL << 2)

#define BPF_DEVCG_DEV_BLOCK	(1ULL << 0)

#define BPF_DEVCG_DEV_CHAR	(1ULL << 1)

struct bpf_cgroup_dev_ctx {

	__u32 access_type; /* (access << 16) | type */

	__u32 major;

	__u32 minor;

};

#endif /* _UAPI__LINUX_BPF_H__ */

	return ret == 1 ? 0 : -EPERM;

}

EXPORT_SYMBOL(__cgroup_bpf_run_filter_sock_ops);

int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor,

				      short access, enum bpf_attach_type type)

{

	struct cgroup *cgrp;

	struct bpf_cgroup_dev_ctx ctx = {

		.access_type = (access << 16) | dev_type,

		.major = major,

		.minor = minor,

	};

	int allow = 1;

	rcu_read_lock();

	cgrp = task_dfl_cgroup(current);

	allow = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx,

				   BPF_PROG_RUN);

	rcu_read_unlock();

	return !allow;

}

EXPORT_SYMBOL(__cgroup_bpf_check_dev_permission);

static const struct bpf_func_proto *

cgroup_dev_func_proto(enum bpf_func_id func_id)

{

	switch (func_id) {

	case BPF_FUNC_map_lookup_elem:

		return &bpf_map_lookup_elem_proto;

	case BPF_FUNC_map_update_elem:

		return &bpf_map_update_elem_proto;

	case BPF_FUNC_map_delete_elem:

		return &bpf_map_delete_elem_proto;

	case BPF_FUNC_get_current_uid_gid:

		return &bpf_get_current_uid_gid_proto;

	case BPF_FUNC_trace_printk:

		if (capable(CAP_SYS_ADMIN))

			return bpf_get_trace_printk_proto();

	default:

		return NULL;

	}

}

static bool cgroup_dev_is_valid_access(int off, int size,

				       enum bpf_access_type type,

				       struct bpf_insn_access_aux *info)

{

	if (type == BPF_WRITE)

		return false;

	if (off < 0 || off + size > sizeof(struct bpf_cgroup_dev_ctx))

		return false;

	/* The verifier guarantees that size > 0. */

	if (off % size != 0)

		return false;

	if (size != sizeof(__u32))

		return false;

	return true;

}

const struct bpf_prog_ops cg_dev_prog_ops = {

};

const struct bpf_verifier_ops cg_dev_verifier_ops = {

	.get_func_proto		= cgroup_dev_func_proto,

	.is_valid_access	= cgroup_dev_is_valid_access,

};