
Commit de9cbbaa authored by Roman Gushchin's avatar Roman Gushchin Committed by Daniel Borkmann

bpf: introduce cgroup storage maps



This commit introduces BPF_MAP_TYPE_CGROUP_STORAGE maps:
a special type of maps which are implementing the cgroup storage.

From the userspace point of view it's almost a generic
hash map with the (cgroup inode id, attachment type) pair
used as a key.

The only difference is that some operations are restricted:
  1) a user can't create new entries,
  2) a user can't remove existing entries.

The lookup from userspace is o(log(n)).

Signed-off-by: default avatarRoman Gushchin <guro@fb.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
parent 0a4c58f5
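--- a/FILE_1_PATH_NOT_SHOWN
+++ b/FILE_1_PATH_NOT_SHOWN
@@ -4,19 +4,39 @@
 
 #include <linux/errno.h>
 #include <linux/jump_label.h>
+#include <linux/rbtree.h>
 #include <uapi/linux/bpf.h>
 
 struct sock;
 struct sockaddr;
 struct cgroup;
 struct sk_buff;
+struct bpf_map;
+struct bpf_prog;
 struct bpf_sock_ops_kern;
+struct bpf_cgroup_storage;
 
 #ifdef CONFIG_CGROUP_BPF
 
 extern struct static_key_false cgroup_bpf_enabled_key;
 #define cgroup_bpf_enabled static_branch_unlikely(&cgroup_bpf_enabled_key)
 
+struct bpf_cgroup_storage_map;
+
+struct bpf_storage_buffer {
+	struct rcu_head rcu;
+	char data[0];
+};
+
+struct bpf_cgroup_storage {
+	struct bpf_storage_buffer *buf;
+	struct bpf_cgroup_storage_map *map;
+	struct bpf_cgroup_storage_key key;
+	struct list_head list;
+	struct rb_node node;
+	struct rcu_head rcu;
+};
+
 struct bpf_prog_list {
 	struct list_head node;
 	struct bpf_prog *prog;
@@ -77,6 +97,15 @@ int __cgroup_bpf_run_filter_sock_ops(struct sock *sk,
 int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor,
 				      short access, enum bpf_attach_type type);
 
+struct bpf_cgroup_storage *bpf_cgroup_storage_alloc(struct bpf_prog *prog);
+void bpf_cgroup_storage_free(struct bpf_cgroup_storage *storage);
+void bpf_cgroup_storage_link(struct bpf_cgroup_storage *storage,
+			     struct cgroup *cgroup,
+			     enum bpf_attach_type type);
+void bpf_cgroup_storage_unlink(struct bpf_cgroup_storage *storage);
+int bpf_cgroup_storage_assign(struct bpf_prog *prog, struct bpf_map *map);
+void bpf_cgroup_storage_release(struct bpf_prog *prog, struct bpf_map *map);
+
 /* Wrappers for __cgroup_bpf_run_filter_skb() guarded by cgroup_bpf_enabled. */
 #define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb)			      \
 ({									      \
@@ -221,6 +250,15 @@ static inline int cgroup_bpf_prog_query(const union bpf_attr *attr,
 	return -EINVAL;
 }
 
+static inline int bpf_cgroup_storage_assign(struct bpf_prog *prog,
+					    struct bpf_map *map) { return 0; }
+static inline void bpf_cgroup_storage_release(struct bpf_prog *prog,
+					      struct bpf_map *map) {}
+static inline struct bpf_cgroup_storage *bpf_cgroup_storage_alloc(
+	struct bpf_prog *prog) { return 0; }
+static inline void bpf_cgroup_storage_free(
+	struct bpf_cgroup_storage *storage) {}
+
 #define cgroup_bpf_enabled (0)
 #define BPF_CGROUP_PRE_CONNECT_ENABLED(sk) (0)
 #define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk,skb) ({ 0; })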
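Review bot: Nothing in this header says what bpf_cgroup_storage_alloc() returns on failure, and the !CONFIG_CGROUP_BPF stub in the last hunk returns a bare `0` from a pointer-returning function. A caller that tests for NULL when the real implementation hands back an ERR_PTR value (or the reverse) would go on to dereference an error value, so a comment above the prototype should state the convention, and the stub should read `struct bpf_prog *prog) { return NULL; }`. The stub block also has no counterparts for bpf_cgroup_storage_link() and bpf_cgroup_storage_unlink(); that is fine only if every caller is built under CONFIG_CGROUP_BPF, which cannot be confirmed from these hunks. In the first hunk, `char data[0];` could be the C99 flexible array member `char data[];`, which lets bounds-checking tooling reason about the buffer.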
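--- a/FILE_2_PATH_NOT_SHOWN
+++ b/FILE_2_PATH_NOT_SHOWN
@@ -282,6 +282,7 @@ struct bpf_prog_aux {
 	struct bpf_prog *prog;
 	struct user_struct *user;
 	u64 load_time; /* ns since boottime */
+	struct bpf_map *cgroup_storage;
 	char name[BPF_OBJ_NAME_LEN];
 #ifdef CONFIG_SECURITY
 	void *security;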
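Review bot: The new `cgroup_storage` member of struct bpf_prog_aux has no comment saying whether the program holds a reference on the map it points to. If the pointer is only borrowed, a map freed before the program would leave it dangling, so the lifetime rule belongs next to the field, for example `struct bpf_map *cgroup_storage; /* cgroup storage map, NULL if unused; ref owned by <owner> */` with the actual owner filled in. The struct body starts and ends outside this hunk, so any documentation elsewhere in it is not visible here.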
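--- a/FILE_3_PATH_NOT_SHOWN
+++ b/FILE_3_PATH_NOT_SHOWN
@@ -37,6 +37,9 @@ BPF_MAP_TYPE(BPF_MAP_TYPE_PERF_EVENT_ARRAY, perf_event_array_map_ops)
 #ifdef CONFIG_CGROUPS
 BPF_MAP_TYPE(BPF_MAP_TYPE_CGROUP_ARRAY, cgroup_array_map_ops)
 #endif
+#ifdef CONFIG_CGROUP_BPF
+BPF_MAP_TYPE(BPF_MAP_TYPE_CGROUP_STORAGE, cgroup_storage_map_ops)
+#endif
 BPF_MAP_TYPE(BPF_MAP_TYPE_HASH, htab_map_ops)
 BPF_MAP_TYPE(BPF_MAP_TYPE_PERCPU_HASH, htab_percpu_map_ops)
 BPF_MAP_TYPE(BPF_MAP_TYPE_LRU_HASH, htab_lru_map_ops)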
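Review bot: The map type is registered only under `#ifdef CONFIG_CGROUP_BPF`, while the Makefile section of this commit builds `local_storage.o` under `CONFIG_BPF_SYSCALL`. With CONFIG_BPF_SYSCALL=y and CONFIG_CGROUP_BPF=n the object is still compiled, so the source file presumably has to guard its own contents with the same symbol; that file is not visible on this page. If it does, a short comment in the Makefile saying so would save the next reader from the mismatch; if it does not, `obj-$(CONFIG_CGROUP_BPF) += local_storage.o` would keep the two conditions aligned.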
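--- a/FILE_4_PATH_NOT_SHOWN
+++ b/FILE_4_PATH_NOT_SHOWN
@@ -75,6 +75,11 @@ struct bpf_lpm_trie_key {
 	__u8	data[0];	/* Arbitrary size */
 };
 
+struct bpf_cgroup_storage_key {
+	__u64	cgroup_inode_id;	/* cgroup inode id */
+	__u32	attach_type;		/* program attach type */
+};
+
 /* BPF syscall commands, see bpf(2) man-page for details. */
 enum bpf_cmd {
 	BPF_MAP_CREATE,
@@ -120,6 +125,7 @@ enum bpf_map_type {
 	BPF_MAP_TYPE_CPUMAP,
 	BPF_MAP_TYPE_XSKMAP,
 	BPF_MAP_TYPE_SOCKHASH,
+	BPF_MAP_TYPE_CGROUP_STORAGE,
 };
 
 enum bpf_prog_type {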
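Review bot: struct bpf_cgroup_storage_key in the first hunk is a userspace-visible key with a `__u64` followed by a `__u32`, which leaves four bytes of implicit tail padding on ABIs that align `__u64` to eight bytes. Any kernel path that fills the key field by field and then copies the whole structure to user space would expose whatever was in those bytes, and a byte-wise key comparison would depend on them; the code doing either is not in this section, so this is a question for the implementation. Making the padding explicit, e.g. `__u32 pad; /* must be zero */`, or documenting that key buffers are always zeroed before use, would remove the ambiguity.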
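--- a/FILE_5_PATH_NOT_SHOWN
+++ b/FILE_5_PATH_NOT_SHOWN
@@ -3,6 +3,7 @@ obj-y := core.o
 
 obj-$(CONFIG_BPF_SYSCALL) += syscall.o verifier.o inode.o helpers.o tnum.o
 obj-$(CONFIG_BPF_SYSCALL) += hashtab.o arraymap.o percpu_freelist.o bpf_lru_list.o lpm_trie.o map_in_map.o
+obj-$(CONFIG_BPF_SYSCALL) += local_storage.o
 obj-$(CONFIG_BPF_SYSCALL) += disasm.o
 obj-$(CONFIG_BPF_SYSCALL) += btf.o
 ifeq ($(CONFIG_NET),y)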