1 // SPDX-License-Identifier: GPL-2.0-only
3 * Functions to manage eBPF programs attached to cgroups
5 * Copyright (c) 2016 Daniel Mack
8 #include <linux/kernel.h>
9 #include <linux/atomic.h>
10 #include <linux/cgroup.h>
11 #include <linux/filter.h>
12 #include <linux/slab.h>
13 #include <linux/sysctl.h>
14 #include <linux/string.h>
15 #include <linux/bpf.h>
16 #include <linux/bpf-cgroup.h>
18 #include <net/bpf_sk_storage.h>
20 #include "../cgroup/cgroup-internal.h"
22 DEFINE_STATIC_KEY_FALSE(cgroup_bpf_enabled_key);
23 EXPORT_SYMBOL(cgroup_bpf_enabled_key);
25 void cgroup_bpf_offline(struct cgroup *cgrp)
28 percpu_ref_kill(&cgrp->bpf.refcnt);
32 * cgroup_bpf_release() - put references of all bpf programs and
33 * release all cgroup bpf data
34 * @work: work structure embedded into the cgroup to modify
36 static void cgroup_bpf_release(struct work_struct *work)
38 struct cgroup *cgrp = container_of(work, struct cgroup,
40 enum bpf_cgroup_storage_type stype;
41 struct bpf_prog_array *old_array;
44 mutex_lock(&cgroup_mutex);
46 for (type = 0; type < ARRAY_SIZE(cgrp->bpf.progs); type++) {
47 struct list_head *progs = &cgrp->bpf.progs[type];
48 struct bpf_prog_list *pl, *tmp;
50 list_for_each_entry_safe(pl, tmp, progs, node) {
52 bpf_prog_put(pl->prog);
53 for_each_cgroup_storage_type(stype) {
54 bpf_cgroup_storage_unlink(pl->storage[stype]);
55 bpf_cgroup_storage_free(pl->storage[stype]);
58 static_branch_dec(&cgroup_bpf_enabled_key);
60 old_array = rcu_dereference_protected(
61 cgrp->bpf.effective[type],
62 lockdep_is_held(&cgroup_mutex));
63 bpf_prog_array_free(old_array);
66 mutex_unlock(&cgroup_mutex);
68 percpu_ref_exit(&cgrp->bpf.refcnt);
73 * cgroup_bpf_release_fn() - callback used to schedule releasing
75 * @ref: percpu ref counter structure
77 static void cgroup_bpf_release_fn(struct percpu_ref *ref)
79 struct cgroup *cgrp = container_of(ref, struct cgroup, bpf.refcnt);
81 INIT_WORK(&cgrp->bpf.release_work, cgroup_bpf_release);
82 queue_work(system_wq, &cgrp->bpf.release_work);
85 /* count number of elements in the list.
86 * it's slow but the list cannot be long
88 static u32 prog_list_length(struct list_head *head)
90 struct bpf_prog_list *pl;
93 list_for_each_entry(pl, head, node) {
101 /* if parent has non-overridable prog attached,
102 * disallow attaching new programs to the descendent cgroup.
103 * if parent has overridable or multi-prog, allow attaching
105 static bool hierarchy_allows_attach(struct cgroup *cgrp,
106 enum bpf_attach_type type,
111 p = cgroup_parent(cgrp);
115 u32 flags = p->bpf.flags[type];
118 if (flags & BPF_F_ALLOW_MULTI)
120 cnt = prog_list_length(&p->bpf.progs[type]);
121 WARN_ON_ONCE(cnt > 1);
123 return !!(flags & BPF_F_ALLOW_OVERRIDE);
124 p = cgroup_parent(p);
129 /* compute a chain of effective programs for a given cgroup:
130 * start from the list of programs in this cgroup and add
131 * all parent programs.
132 * Note that parent's F_ALLOW_OVERRIDE-type program is yielding
133 * to programs in this cgroup
135 static int compute_effective_progs(struct cgroup *cgrp,
136 enum bpf_attach_type type,
137 struct bpf_prog_array **array)
139 enum bpf_cgroup_storage_type stype;
140 struct bpf_prog_array *progs;
141 struct bpf_prog_list *pl;
142 struct cgroup *p = cgrp;
145 /* count number of effective programs by walking parents */
147 if (cnt == 0 || (p->bpf.flags[type] & BPF_F_ALLOW_MULTI))
148 cnt += prog_list_length(&p->bpf.progs[type]);
149 p = cgroup_parent(p);
152 progs = bpf_prog_array_alloc(cnt, GFP_KERNEL);
156 /* populate the array with effective progs */
160 if (cnt > 0 && !(p->bpf.flags[type] & BPF_F_ALLOW_MULTI))
163 list_for_each_entry(pl, &p->bpf.progs[type], node) {
167 progs->items[cnt].prog = pl->prog;
168 for_each_cgroup_storage_type(stype)
169 progs->items[cnt].cgroup_storage[stype] =
173 } while ((p = cgroup_parent(p)));
179 static void activate_effective_progs(struct cgroup *cgrp,
180 enum bpf_attach_type type,
181 struct bpf_prog_array *old_array)
183 rcu_swap_protected(cgrp->bpf.effective[type], old_array,
184 lockdep_is_held(&cgroup_mutex));
185 /* free prog array after grace period, since __cgroup_bpf_run_*()
186 * might be still walking the array
188 bpf_prog_array_free(old_array);
192 * cgroup_bpf_inherit() - inherit effective programs from parent
193 * @cgrp: the cgroup to modify
195 int cgroup_bpf_inherit(struct cgroup *cgrp)
197 /* has to use marco instead of const int, since compiler thinks
198 * that array below is variable length
200 #define NR ARRAY_SIZE(cgrp->bpf.effective)
201 struct bpf_prog_array *arrays[NR] = {};
204 ret = percpu_ref_init(&cgrp->bpf.refcnt, cgroup_bpf_release_fn, 0,
209 for (i = 0; i < NR; i++)
210 INIT_LIST_HEAD(&cgrp->bpf.progs[i]);
212 for (i = 0; i < NR; i++)
213 if (compute_effective_progs(cgrp, i, &arrays[i]))
216 for (i = 0; i < NR; i++)
217 activate_effective_progs(cgrp, i, arrays[i]);
221 for (i = 0; i < NR; i++)
222 bpf_prog_array_free(arrays[i]);
224 percpu_ref_exit(&cgrp->bpf.refcnt);
229 static int update_effective_progs(struct cgroup *cgrp,
230 enum bpf_attach_type type)
232 struct cgroup_subsys_state *css;
235 /* allocate and recompute effective prog arrays */
236 css_for_each_descendant_pre(css, &cgrp->self) {
237 struct cgroup *desc = container_of(css, struct cgroup, self);
239 if (percpu_ref_is_zero(&desc->bpf.refcnt))
242 err = compute_effective_progs(desc, type, &desc->bpf.inactive);
247 /* all allocations were successful. Activate all prog arrays */
248 css_for_each_descendant_pre(css, &cgrp->self) {
249 struct cgroup *desc = container_of(css, struct cgroup, self);
251 if (percpu_ref_is_zero(&desc->bpf.refcnt)) {
252 if (unlikely(desc->bpf.inactive)) {
253 bpf_prog_array_free(desc->bpf.inactive);
254 desc->bpf.inactive = NULL;
259 activate_effective_progs(desc, type, desc->bpf.inactive);
260 desc->bpf.inactive = NULL;
266 /* oom while computing effective. Free all computed effective arrays
267 * since they were not activated
269 css_for_each_descendant_pre(css, &cgrp->self) {
270 struct cgroup *desc = container_of(css, struct cgroup, self);
272 bpf_prog_array_free(desc->bpf.inactive);
273 desc->bpf.inactive = NULL;
279 #define BPF_CGROUP_MAX_PROGS 64
282 * __cgroup_bpf_attach() - Attach the program to a cgroup, and
283 * propagate the change to descendants
284 * @cgrp: The cgroup which descendants to traverse
285 * @prog: A program to attach
286 * @type: Type of attach operation
287 * @flags: Option flags
289 * Must be called with cgroup_mutex held.
291 int __cgroup_bpf_attach(struct cgroup *cgrp, struct bpf_prog *prog,
292 enum bpf_attach_type type, u32 flags)
294 struct list_head *progs = &cgrp->bpf.progs[type];
295 struct bpf_prog *old_prog = NULL;
296 struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE],
297 *old_storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {NULL};
298 enum bpf_cgroup_storage_type stype;
299 struct bpf_prog_list *pl;
300 bool pl_was_allocated;
303 if ((flags & BPF_F_ALLOW_OVERRIDE) && (flags & BPF_F_ALLOW_MULTI))
304 /* invalid combination */
307 if (!hierarchy_allows_attach(cgrp, type, flags))
310 if (!list_empty(progs) && cgrp->bpf.flags[type] != flags)
311 /* Disallow attaching non-overridable on top
312 * of existing overridable in this cgroup.
313 * Disallow attaching multi-prog if overridable or none
317 if (prog_list_length(progs) >= BPF_CGROUP_MAX_PROGS)
320 for_each_cgroup_storage_type(stype) {
321 storage[stype] = bpf_cgroup_storage_alloc(prog, stype);
322 if (IS_ERR(storage[stype])) {
323 storage[stype] = NULL;
324 for_each_cgroup_storage_type(stype)
325 bpf_cgroup_storage_free(storage[stype]);
330 if (flags & BPF_F_ALLOW_MULTI) {
331 list_for_each_entry(pl, progs, node) {
332 if (pl->prog == prog) {
333 /* disallow attaching the same prog twice */
334 for_each_cgroup_storage_type(stype)
335 bpf_cgroup_storage_free(storage[stype]);
340 pl = kmalloc(sizeof(*pl), GFP_KERNEL);
342 for_each_cgroup_storage_type(stype)
343 bpf_cgroup_storage_free(storage[stype]);
347 pl_was_allocated = true;
349 for_each_cgroup_storage_type(stype)
350 pl->storage[stype] = storage[stype];
351 list_add_tail(&pl->node, progs);
353 if (list_empty(progs)) {
354 pl = kmalloc(sizeof(*pl), GFP_KERNEL);
356 for_each_cgroup_storage_type(stype)
357 bpf_cgroup_storage_free(storage[stype]);
360 pl_was_allocated = true;
361 list_add_tail(&pl->node, progs);
363 pl = list_first_entry(progs, typeof(*pl), node);
365 for_each_cgroup_storage_type(stype) {
366 old_storage[stype] = pl->storage[stype];
367 bpf_cgroup_storage_unlink(old_storage[stype]);
369 pl_was_allocated = false;
372 for_each_cgroup_storage_type(stype)
373 pl->storage[stype] = storage[stype];
376 cgrp->bpf.flags[type] = flags;
378 err = update_effective_progs(cgrp, type);
382 static_branch_inc(&cgroup_bpf_enabled_key);
383 for_each_cgroup_storage_type(stype) {
384 if (!old_storage[stype])
386 bpf_cgroup_storage_free(old_storage[stype]);
389 bpf_prog_put(old_prog);
390 static_branch_dec(&cgroup_bpf_enabled_key);
392 for_each_cgroup_storage_type(stype)
393 bpf_cgroup_storage_link(storage[stype], cgrp, type);
397 /* and cleanup the prog list */
399 for_each_cgroup_storage_type(stype) {
400 bpf_cgroup_storage_free(pl->storage[stype]);
401 pl->storage[stype] = old_storage[stype];
402 bpf_cgroup_storage_link(old_storage[stype], cgrp, type);
404 if (pl_was_allocated) {
412 * __cgroup_bpf_detach() - Detach the program from a cgroup, and
413 * propagate the change to descendants
414 * @cgrp: The cgroup which descendants to traverse
415 * @prog: A program to detach or NULL
416 * @type: Type of detach operation
418 * Must be called with cgroup_mutex held.
420 int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
421 enum bpf_attach_type type)
423 struct list_head *progs = &cgrp->bpf.progs[type];
424 enum bpf_cgroup_storage_type stype;
425 u32 flags = cgrp->bpf.flags[type];
426 struct bpf_prog *old_prog = NULL;
427 struct bpf_prog_list *pl;
430 if (flags & BPF_F_ALLOW_MULTI) {
432 /* to detach MULTI prog the user has to specify valid FD
433 * of the program to be detached
437 if (list_empty(progs))
438 /* report error when trying to detach and nothing is attached */
442 if (flags & BPF_F_ALLOW_MULTI) {
443 /* find the prog and detach it */
444 list_for_each_entry(pl, progs, node) {
445 if (pl->prog != prog)
448 /* mark it deleted, so it's ignored while
449 * recomputing effective
457 /* to maintain backward compatibility NONE and OVERRIDE cgroups
458 * allow detaching with invalid FD (prog==NULL)
460 pl = list_first_entry(progs, typeof(*pl), node);
465 err = update_effective_progs(cgrp, type);
469 /* now can actually delete it from this cgroup list */
471 for_each_cgroup_storage_type(stype) {
472 bpf_cgroup_storage_unlink(pl->storage[stype]);
473 bpf_cgroup_storage_free(pl->storage[stype]);
476 if (list_empty(progs))
477 /* last program was detached, reset flags to zero */
478 cgrp->bpf.flags[type] = 0;
480 bpf_prog_put(old_prog);
481 static_branch_dec(&cgroup_bpf_enabled_key);
485 /* and restore back old_prog */
490 /* Must be called with cgroup_mutex held to avoid races. */
491 int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
492 union bpf_attr __user *uattr)
494 __u32 __user *prog_ids = u64_to_user_ptr(attr->query.prog_ids);
495 enum bpf_attach_type type = attr->query.attach_type;
496 struct list_head *progs = &cgrp->bpf.progs[type];
497 u32 flags = cgrp->bpf.flags[type];
498 struct bpf_prog_array *effective;
501 effective = rcu_dereference_protected(cgrp->bpf.effective[type],
502 lockdep_is_held(&cgroup_mutex));
504 if (attr->query.query_flags & BPF_F_QUERY_EFFECTIVE)
505 cnt = bpf_prog_array_length(effective);
507 cnt = prog_list_length(progs);
509 if (copy_to_user(&uattr->query.attach_flags, &flags, sizeof(flags)))
511 if (copy_to_user(&uattr->query.prog_cnt, &cnt, sizeof(cnt)))
513 if (attr->query.prog_cnt == 0 || !prog_ids || !cnt)
514 /* return early if user requested only program count + flags */
516 if (attr->query.prog_cnt < cnt) {
517 cnt = attr->query.prog_cnt;
521 if (attr->query.query_flags & BPF_F_QUERY_EFFECTIVE) {
522 return bpf_prog_array_copy_to_user(effective, prog_ids, cnt);
524 struct bpf_prog_list *pl;
528 list_for_each_entry(pl, progs, node) {
529 id = pl->prog->aux->id;
530 if (copy_to_user(prog_ids + i, &id, sizeof(id)))
539 int cgroup_bpf_prog_attach(const union bpf_attr *attr,
540 enum bpf_prog_type ptype, struct bpf_prog *prog)
545 cgrp = cgroup_get_from_fd(attr->target_fd);
547 return PTR_ERR(cgrp);
549 ret = cgroup_bpf_attach(cgrp, prog, attr->attach_type,
555 int cgroup_bpf_prog_detach(const union bpf_attr *attr, enum bpf_prog_type ptype)
557 struct bpf_prog *prog;
561 cgrp = cgroup_get_from_fd(attr->target_fd);
563 return PTR_ERR(cgrp);
565 prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype);
569 ret = cgroup_bpf_detach(cgrp, prog, attr->attach_type, 0);
577 int cgroup_bpf_prog_query(const union bpf_attr *attr,
578 union bpf_attr __user *uattr)
583 cgrp = cgroup_get_from_fd(attr->query.target_fd);
585 return PTR_ERR(cgrp);
587 ret = cgroup_bpf_query(cgrp, attr, uattr);
594 * __cgroup_bpf_run_filter_skb() - Run a program for packet filtering
595 * @sk: The socket sending or receiving traffic
596 * @skb: The skb that is being sent or received
597 * @type: The type of program to be exectuted
599 * If no socket is passed, or the socket is not of type INET or INET6,
600 * this function does nothing and returns 0.
602 * The program type passed in via @type must be suitable for network
603 * filtering. No further check is performed to assert that.
605 * For egress packets, this function can return:
606 * NET_XMIT_SUCCESS (0) - continue with packet output
607 * NET_XMIT_DROP (1) - drop packet and notify TCP to call cwr
608 * NET_XMIT_CN (2) - continue with packet output and notify TCP
610 * -EPERM - drop packet
612 * For ingress packets, this function will return -EPERM if any
613 * attached program was found and if it returned != 1 during execution.
614 * Otherwise 0 is returned.
616 int __cgroup_bpf_run_filter_skb(struct sock *sk,
618 enum bpf_attach_type type)
620 unsigned int offset = skb->data - skb_network_header(skb);
621 struct sock *save_sk;
622 void *saved_data_end;
626 if (!sk || !sk_fullsock(sk))
629 if (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)
632 cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
635 __skb_push(skb, offset);
637 /* compute pointers for the bpf prog */
638 bpf_compute_and_save_data_end(skb, &saved_data_end);
640 if (type == BPF_CGROUP_INET_EGRESS) {
641 ret = BPF_PROG_CGROUP_INET_EGRESS_RUN_ARRAY(
642 cgrp->bpf.effective[type], skb, __bpf_prog_run_save_cb);
644 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], skb,
645 __bpf_prog_run_save_cb);
646 ret = (ret == 1 ? 0 : -EPERM);
648 bpf_restore_data_end(skb, saved_data_end);
649 __skb_pull(skb, offset);
654 EXPORT_SYMBOL(__cgroup_bpf_run_filter_skb);
657 * __cgroup_bpf_run_filter_sk() - Run a program on a sock
658 * @sk: sock structure to manipulate
659 * @type: The type of program to be exectuted
661 * socket is passed is expected to be of type INET or INET6.
663 * The program type passed in via @type must be suitable for sock
664 * filtering. No further check is performed to assert that.
666 * This function will return %-EPERM if any if an attached program was found
667 * and if it returned != 1 during execution. In all other cases, 0 is returned.
669 int __cgroup_bpf_run_filter_sk(struct sock *sk,
670 enum bpf_attach_type type)
672 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
675 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], sk, BPF_PROG_RUN);
676 return ret == 1 ? 0 : -EPERM;
678 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sk);
681 * __cgroup_bpf_run_filter_sock_addr() - Run a program on a sock and
682 * provided by user sockaddr
683 * @sk: sock struct that will use sockaddr
684 * @uaddr: sockaddr struct provided by user
685 * @type: The type of program to be exectuted
686 * @t_ctx: Pointer to attach type specific context
688 * socket is expected to be of type INET or INET6.
690 * This function will return %-EPERM if an attached program is found and
691 * returned value != 1 during execution. In all other cases, 0 is returned.
693 int __cgroup_bpf_run_filter_sock_addr(struct sock *sk,
694 struct sockaddr *uaddr,
695 enum bpf_attach_type type,
698 struct bpf_sock_addr_kern ctx = {
703 struct sockaddr_storage unspec;
707 /* Check socket family since not all sockets represent network
708 * endpoint (e.g. AF_UNIX).
710 if (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)
714 memset(&unspec, 0, sizeof(unspec));
715 ctx.uaddr = (struct sockaddr *)&unspec;
718 cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
719 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx, BPF_PROG_RUN);
721 return ret == 1 ? 0 : -EPERM;
723 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sock_addr);
726 * __cgroup_bpf_run_filter_sock_ops() - Run a program on a sock
727 * @sk: socket to get cgroup from
728 * @sock_ops: bpf_sock_ops_kern struct to pass to program. Contains
729 * sk with connection information (IP addresses, etc.) May not contain
730 * cgroup info if it is a req sock.
731 * @type: The type of program to be exectuted
733 * socket passed is expected to be of type INET or INET6.
735 * The program type passed in via @type must be suitable for sock_ops
736 * filtering. No further check is performed to assert that.
738 * This function will return %-EPERM if any if an attached program was found
739 * and if it returned != 1 during execution. In all other cases, 0 is returned.
741 int __cgroup_bpf_run_filter_sock_ops(struct sock *sk,
742 struct bpf_sock_ops_kern *sock_ops,
743 enum bpf_attach_type type)
745 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
748 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], sock_ops,
750 return ret == 1 ? 0 : -EPERM;
752 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sock_ops);
754 int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor,
755 short access, enum bpf_attach_type type)
758 struct bpf_cgroup_dev_ctx ctx = {
759 .access_type = (access << 16) | dev_type,
766 cgrp = task_dfl_cgroup(current);
767 allow = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx,
773 EXPORT_SYMBOL(__cgroup_bpf_check_dev_permission);
775 static const struct bpf_func_proto *
776 cgroup_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
779 case BPF_FUNC_map_lookup_elem:
780 return &bpf_map_lookup_elem_proto;
781 case BPF_FUNC_map_update_elem:
782 return &bpf_map_update_elem_proto;
783 case BPF_FUNC_map_delete_elem:
784 return &bpf_map_delete_elem_proto;
785 case BPF_FUNC_map_push_elem:
786 return &bpf_map_push_elem_proto;
787 case BPF_FUNC_map_pop_elem:
788 return &bpf_map_pop_elem_proto;
789 case BPF_FUNC_map_peek_elem:
790 return &bpf_map_peek_elem_proto;
791 case BPF_FUNC_get_current_uid_gid:
792 return &bpf_get_current_uid_gid_proto;
793 case BPF_FUNC_get_local_storage:
794 return &bpf_get_local_storage_proto;
795 case BPF_FUNC_get_current_cgroup_id:
796 return &bpf_get_current_cgroup_id_proto;
797 case BPF_FUNC_trace_printk:
798 if (capable(CAP_SYS_ADMIN))
799 return bpf_get_trace_printk_proto();
806 static const struct bpf_func_proto *
807 cgroup_dev_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
809 return cgroup_base_func_proto(func_id, prog);
812 static bool cgroup_dev_is_valid_access(int off, int size,
813 enum bpf_access_type type,
814 const struct bpf_prog *prog,
815 struct bpf_insn_access_aux *info)
817 const int size_default = sizeof(__u32);
819 if (type == BPF_WRITE)
822 if (off < 0 || off + size > sizeof(struct bpf_cgroup_dev_ctx))
824 /* The verifier guarantees that size > 0. */
829 case bpf_ctx_range(struct bpf_cgroup_dev_ctx, access_type):
830 bpf_ctx_record_field_size(info, size_default);
831 if (!bpf_ctx_narrow_access_ok(off, size, size_default))
835 if (size != size_default)
842 const struct bpf_prog_ops cg_dev_prog_ops = {
845 const struct bpf_verifier_ops cg_dev_verifier_ops = {
846 .get_func_proto = cgroup_dev_func_proto,
847 .is_valid_access = cgroup_dev_is_valid_access,
851 * __cgroup_bpf_run_filter_sysctl - Run a program on sysctl
853 * @head: sysctl table header
854 * @table: sysctl table
855 * @write: sysctl is being read (= 0) or written (= 1)
856 * @buf: pointer to buffer passed by user space
857 * @pcount: value-result argument: value is size of buffer pointed to by @buf,
858 * result is size of @new_buf if program set new value, initial value
860 * @ppos: value-result argument: value is position at which read from or write
861 * to sysctl is happening, result is new position if program overrode it,
862 * initial value otherwise
863 * @new_buf: pointer to pointer to new buffer that will be allocated if program
864 * overrides new value provided by user space on sysctl write
865 * NOTE: it's caller responsibility to free *new_buf if it was set
866 * @type: type of program to be executed
868 * Program is run when sysctl is being accessed, either read or written, and
869 * can allow or deny such access.
871 * This function will return %-EPERM if an attached program is found and
872 * returned value != 1 during execution. In all other cases 0 is returned.
874 int __cgroup_bpf_run_filter_sysctl(struct ctl_table_header *head,
875 struct ctl_table *table, int write,
876 void __user *buf, size_t *pcount,
877 loff_t *ppos, void **new_buf,
878 enum bpf_attach_type type)
880 struct bpf_sysctl_kern ctx = {
886 .cur_len = PAGE_SIZE,
894 ctx.cur_val = kmalloc_track_caller(ctx.cur_len, GFP_KERNEL);
901 if (table->proc_handler(table, 0, (void __user *)ctx.cur_val,
902 &ctx.cur_len, &pos)) {
903 /* Let BPF program decide how to proceed. */
908 /* Let BPF program decide how to proceed. */
912 if (write && buf && *pcount) {
913 /* BPF program should be able to override new value with a
914 * buffer bigger than provided by user.
916 ctx.new_val = kmalloc_track_caller(PAGE_SIZE, GFP_KERNEL);
917 ctx.new_len = min_t(size_t, PAGE_SIZE, *pcount);
919 copy_from_user(ctx.new_val, buf, ctx.new_len))
920 /* Let BPF program decide how to proceed. */
925 cgrp = task_dfl_cgroup(current);
926 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx, BPF_PROG_RUN);
931 if (ret == 1 && ctx.new_updated) {
932 *new_buf = ctx.new_val;
933 *pcount = ctx.new_len;
938 return ret == 1 ? 0 : -EPERM;
940 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sysctl);
942 static bool __cgroup_bpf_prog_array_is_empty(struct cgroup *cgrp,
943 enum bpf_attach_type attach_type)
945 struct bpf_prog_array *prog_array;
949 prog_array = rcu_dereference(cgrp->bpf.effective[attach_type]);
950 empty = bpf_prog_array_is_empty(prog_array);
956 static int sockopt_alloc_buf(struct bpf_sockopt_kern *ctx, int max_optlen)
958 if (unlikely(max_optlen > PAGE_SIZE) || max_optlen < 0)
961 ctx->optval = kzalloc(max_optlen, GFP_USER);
965 ctx->optval_end = ctx->optval + max_optlen;
966 ctx->optlen = max_optlen;
971 static void sockopt_free_buf(struct bpf_sockopt_kern *ctx)
976 int __cgroup_bpf_run_filter_setsockopt(struct sock *sk, int *level,
977 int *optname, char __user *optval,
978 int *optlen, char **kernel_optval)
980 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
981 struct bpf_sockopt_kern ctx = {
988 /* Opportunistic check to see whether we have any BPF program
989 * attached to the hook so we don't waste time allocating
990 * memory and locking the socket.
992 if (!cgroup_bpf_enabled ||
993 __cgroup_bpf_prog_array_is_empty(cgrp, BPF_CGROUP_SETSOCKOPT))
996 ret = sockopt_alloc_buf(&ctx, *optlen);
1000 if (copy_from_user(ctx.optval, optval, *optlen) != 0) {
1006 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[BPF_CGROUP_SETSOCKOPT],
1007 &ctx, BPF_PROG_RUN);
1015 if (ctx.optlen == -1) {
1016 /* optlen set to -1, bypass kernel */
1018 } else if (ctx.optlen > *optlen || ctx.optlen < -1) {
1019 /* optlen is out of bounds */
1022 /* optlen within bounds, run kernel handler */
1025 /* export any potential modifications */
1027 *optname = ctx.optname;
1028 *optlen = ctx.optlen;
1029 *kernel_optval = ctx.optval;
1034 sockopt_free_buf(&ctx);
1037 EXPORT_SYMBOL(__cgroup_bpf_run_filter_setsockopt);
1039 int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
1040 int optname, char __user *optval,
1041 int __user *optlen, int max_optlen,
1044 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
1045 struct bpf_sockopt_kern ctx = {
1053 /* Opportunistic check to see whether we have any BPF program
1054 * attached to the hook so we don't waste time allocating
1055 * memory and locking the socket.
1057 if (!cgroup_bpf_enabled ||
1058 __cgroup_bpf_prog_array_is_empty(cgrp, BPF_CGROUP_GETSOCKOPT))
1061 ret = sockopt_alloc_buf(&ctx, max_optlen);
1066 /* If kernel getsockopt finished successfully,
1067 * copy whatever was returned to the user back
1068 * into our temporary buffer. Set optlen to the
1069 * one that kernel returned as well to let
1070 * BPF programs inspect the value.
1073 if (get_user(ctx.optlen, optlen)) {
1078 if (ctx.optlen > max_optlen)
1079 ctx.optlen = max_optlen;
1081 if (copy_from_user(ctx.optval, optval, ctx.optlen) != 0) {
1088 ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[BPF_CGROUP_GETSOCKOPT],
1089 &ctx, BPF_PROG_RUN);
1097 if (ctx.optlen > max_optlen) {
1102 /* BPF programs only allowed to set retval to 0, not some
1105 if (ctx.retval != 0 && ctx.retval != retval) {
1110 if (copy_to_user(optval, ctx.optval, ctx.optlen) ||
1111 put_user(ctx.optlen, optlen)) {
1119 sockopt_free_buf(&ctx);
1122 EXPORT_SYMBOL(__cgroup_bpf_run_filter_getsockopt);
1124 static ssize_t sysctl_cpy_dir(const struct ctl_dir *dir, char **bufp,
1127 ssize_t tmp_ret = 0, ret;
1129 if (dir->header.parent) {
1130 tmp_ret = sysctl_cpy_dir(dir->header.parent, bufp, lenp);
1135 ret = strscpy(*bufp, dir->header.ctl_table[0].procname, *lenp);
1142 /* Avoid leading slash. */
1146 tmp_ret = strscpy(*bufp, "/", *lenp);
1152 return ret + tmp_ret;
1155 BPF_CALL_4(bpf_sysctl_get_name, struct bpf_sysctl_kern *, ctx, char *, buf,
1156 size_t, buf_len, u64, flags)
1158 ssize_t tmp_ret = 0, ret;
1163 if (!(flags & BPF_F_SYSCTL_BASE_NAME)) {
1166 tmp_ret = sysctl_cpy_dir(ctx->head->parent, &buf, &buf_len);
1171 ret = strscpy(buf, ctx->table->procname, buf_len);
1173 return ret < 0 ? ret : tmp_ret + ret;
1176 static const struct bpf_func_proto bpf_sysctl_get_name_proto = {
1177 .func = bpf_sysctl_get_name,
1179 .ret_type = RET_INTEGER,
1180 .arg1_type = ARG_PTR_TO_CTX,
1181 .arg2_type = ARG_PTR_TO_MEM,
1182 .arg3_type = ARG_CONST_SIZE,
1183 .arg4_type = ARG_ANYTHING,
1186 static int copy_sysctl_value(char *dst, size_t dst_len, char *src,
1195 if (!src || !src_len) {
1196 memset(dst, 0, dst_len);
1200 memcpy(dst, src, min(dst_len, src_len));
1202 if (dst_len > src_len) {
1203 memset(dst + src_len, '\0', dst_len - src_len);
1207 dst[dst_len - 1] = '\0';
1212 BPF_CALL_3(bpf_sysctl_get_current_value, struct bpf_sysctl_kern *, ctx,
1213 char *, buf, size_t, buf_len)
1215 return copy_sysctl_value(buf, buf_len, ctx->cur_val, ctx->cur_len);
1218 static const struct bpf_func_proto bpf_sysctl_get_current_value_proto = {
1219 .func = bpf_sysctl_get_current_value,
1221 .ret_type = RET_INTEGER,
1222 .arg1_type = ARG_PTR_TO_CTX,
1223 .arg2_type = ARG_PTR_TO_UNINIT_MEM,
1224 .arg3_type = ARG_CONST_SIZE,
1227 BPF_CALL_3(bpf_sysctl_get_new_value, struct bpf_sysctl_kern *, ctx, char *, buf,
1232 memset(buf, '\0', buf_len);
1235 return copy_sysctl_value(buf, buf_len, ctx->new_val, ctx->new_len);
1238 static const struct bpf_func_proto bpf_sysctl_get_new_value_proto = {
1239 .func = bpf_sysctl_get_new_value,
1241 .ret_type = RET_INTEGER,
1242 .arg1_type = ARG_PTR_TO_CTX,
1243 .arg2_type = ARG_PTR_TO_UNINIT_MEM,
1244 .arg3_type = ARG_CONST_SIZE,
1247 BPF_CALL_3(bpf_sysctl_set_new_value, struct bpf_sysctl_kern *, ctx,
1248 const char *, buf, size_t, buf_len)
1250 if (!ctx->write || !ctx->new_val || !ctx->new_len || !buf || !buf_len)
1253 if (buf_len > PAGE_SIZE - 1)
1256 memcpy(ctx->new_val, buf, buf_len);
1257 ctx->new_len = buf_len;
1258 ctx->new_updated = 1;
1263 static const struct bpf_func_proto bpf_sysctl_set_new_value_proto = {
1264 .func = bpf_sysctl_set_new_value,
1266 .ret_type = RET_INTEGER,
1267 .arg1_type = ARG_PTR_TO_CTX,
1268 .arg2_type = ARG_PTR_TO_MEM,
1269 .arg3_type = ARG_CONST_SIZE,
1272 static const struct bpf_func_proto *
1273 sysctl_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
1276 case BPF_FUNC_strtol:
1277 return &bpf_strtol_proto;
1278 case BPF_FUNC_strtoul:
1279 return &bpf_strtoul_proto;
1280 case BPF_FUNC_sysctl_get_name:
1281 return &bpf_sysctl_get_name_proto;
1282 case BPF_FUNC_sysctl_get_current_value:
1283 return &bpf_sysctl_get_current_value_proto;
1284 case BPF_FUNC_sysctl_get_new_value:
1285 return &bpf_sysctl_get_new_value_proto;
1286 case BPF_FUNC_sysctl_set_new_value:
1287 return &bpf_sysctl_set_new_value_proto;
1289 return cgroup_base_func_proto(func_id, prog);
1293 static bool sysctl_is_valid_access(int off, int size, enum bpf_access_type type,
1294 const struct bpf_prog *prog,
1295 struct bpf_insn_access_aux *info)
1297 const int size_default = sizeof(__u32);
1299 if (off < 0 || off + size > sizeof(struct bpf_sysctl) || off % size)
1303 case offsetof(struct bpf_sysctl, write):
1304 if (type != BPF_READ)
1306 bpf_ctx_record_field_size(info, size_default);
1307 return bpf_ctx_narrow_access_ok(off, size, size_default);
1308 case offsetof(struct bpf_sysctl, file_pos):
1309 if (type == BPF_READ) {
1310 bpf_ctx_record_field_size(info, size_default);
1311 return bpf_ctx_narrow_access_ok(off, size, size_default);
1313 return size == size_default;
1320 static u32 sysctl_convert_ctx_access(enum bpf_access_type type,
1321 const struct bpf_insn *si,
1322 struct bpf_insn *insn_buf,
1323 struct bpf_prog *prog, u32 *target_size)
1325 struct bpf_insn *insn = insn_buf;
1328 case offsetof(struct bpf_sysctl, write):
1329 *insn++ = BPF_LDX_MEM(
1330 BPF_SIZE(si->code), si->dst_reg, si->src_reg,
1331 bpf_target_off(struct bpf_sysctl_kern, write,
1332 FIELD_SIZEOF(struct bpf_sysctl_kern,
1336 case offsetof(struct bpf_sysctl, file_pos):
1337 /* ppos is a pointer so it should be accessed via indirect
1338 * loads and stores. Also for stores additional temporary
1339 * register is used since neither src_reg nor dst_reg can be
1342 if (type == BPF_WRITE) {
1343 int treg = BPF_REG_9;
1345 if (si->src_reg == treg || si->dst_reg == treg)
1347 if (si->src_reg == treg || si->dst_reg == treg)
1349 *insn++ = BPF_STX_MEM(
1350 BPF_DW, si->dst_reg, treg,
1351 offsetof(struct bpf_sysctl_kern, tmp_reg));
1352 *insn++ = BPF_LDX_MEM(
1353 BPF_FIELD_SIZEOF(struct bpf_sysctl_kern, ppos),
1355 offsetof(struct bpf_sysctl_kern, ppos));
1356 *insn++ = BPF_STX_MEM(
1357 BPF_SIZEOF(u32), treg, si->src_reg, 0);
1358 *insn++ = BPF_LDX_MEM(
1359 BPF_DW, treg, si->dst_reg,
1360 offsetof(struct bpf_sysctl_kern, tmp_reg));
1362 *insn++ = BPF_LDX_MEM(
1363 BPF_FIELD_SIZEOF(struct bpf_sysctl_kern, ppos),
1364 si->dst_reg, si->src_reg,
1365 offsetof(struct bpf_sysctl_kern, ppos));
1366 *insn++ = BPF_LDX_MEM(
1367 BPF_SIZE(si->code), si->dst_reg, si->dst_reg, 0);
1369 *target_size = sizeof(u32);
1373 return insn - insn_buf;
1376 const struct bpf_verifier_ops cg_sysctl_verifier_ops = {
1377 .get_func_proto = sysctl_func_proto,
1378 .is_valid_access = sysctl_is_valid_access,
1379 .convert_ctx_access = sysctl_convert_ctx_access,
1382 const struct bpf_prog_ops cg_sysctl_prog_ops = {
1385 static const struct bpf_func_proto *
1386 cg_sockopt_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
1389 case BPF_FUNC_sk_storage_get:
1390 return &bpf_sk_storage_get_proto;
1391 case BPF_FUNC_sk_storage_delete:
1392 return &bpf_sk_storage_delete_proto;
1394 case BPF_FUNC_tcp_sock:
1395 return &bpf_tcp_sock_proto;
1398 return cgroup_base_func_proto(func_id, prog);
1402 static bool cg_sockopt_is_valid_access(int off, int size,
1403 enum bpf_access_type type,
1404 const struct bpf_prog *prog,
1405 struct bpf_insn_access_aux *info)
1407 const int size_default = sizeof(__u32);
1409 if (off < 0 || off >= sizeof(struct bpf_sockopt))
1412 if (off % size != 0)
1415 if (type == BPF_WRITE) {
1417 case offsetof(struct bpf_sockopt, retval):
1418 if (size != size_default)
1420 return prog->expected_attach_type ==
1421 BPF_CGROUP_GETSOCKOPT;
1422 case offsetof(struct bpf_sockopt, optname):
1424 case offsetof(struct bpf_sockopt, level):
1425 if (size != size_default)
1427 return prog->expected_attach_type ==
1428 BPF_CGROUP_SETSOCKOPT;
1429 case offsetof(struct bpf_sockopt, optlen):
1430 return size == size_default;
1437 case offsetof(struct bpf_sockopt, sk):
1438 if (size != sizeof(__u64))
1440 info->reg_type = PTR_TO_SOCKET;
1442 case offsetof(struct bpf_sockopt, optval):
1443 if (size != sizeof(__u64))
1445 info->reg_type = PTR_TO_PACKET;
1447 case offsetof(struct bpf_sockopt, optval_end):
1448 if (size != sizeof(__u64))
1450 info->reg_type = PTR_TO_PACKET_END;
1452 case offsetof(struct bpf_sockopt, retval):
1453 if (size != size_default)
1455 return prog->expected_attach_type == BPF_CGROUP_GETSOCKOPT;
1457 if (size != size_default)
1464 #define CG_SOCKOPT_ACCESS_FIELD(T, F) \
1465 T(BPF_FIELD_SIZEOF(struct bpf_sockopt_kern, F), \
1466 si->dst_reg, si->src_reg, \
1467 offsetof(struct bpf_sockopt_kern, F))
1469 static u32 cg_sockopt_convert_ctx_access(enum bpf_access_type type,
1470 const struct bpf_insn *si,
1471 struct bpf_insn *insn_buf,
1472 struct bpf_prog *prog,
1475 struct bpf_insn *insn = insn_buf;
1478 case offsetof(struct bpf_sockopt, sk):
1479 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, sk);
1481 case offsetof(struct bpf_sockopt, level):
1482 if (type == BPF_WRITE)
1483 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_STX_MEM, level);
1485 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, level);
1487 case offsetof(struct bpf_sockopt, optname):
1488 if (type == BPF_WRITE)
1489 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_STX_MEM, optname);
1491 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, optname);
1493 case offsetof(struct bpf_sockopt, optlen):
1494 if (type == BPF_WRITE)
1495 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_STX_MEM, optlen);
1497 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, optlen);
1499 case offsetof(struct bpf_sockopt, retval):
1500 if (type == BPF_WRITE)
1501 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_STX_MEM, retval);
1503 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, retval);
1505 case offsetof(struct bpf_sockopt, optval):
1506 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, optval);
1508 case offsetof(struct bpf_sockopt, optval_end):
1509 *insn++ = CG_SOCKOPT_ACCESS_FIELD(BPF_LDX_MEM, optval_end);
1513 return insn - insn_buf;
1516 static int cg_sockopt_get_prologue(struct bpf_insn *insn_buf,
1518 const struct bpf_prog *prog)
1520 /* Nothing to do for sockopt argument. The data is kzalloc'ated.
1525 const struct bpf_verifier_ops cg_sockopt_verifier_ops = {
1526 .get_func_proto = cg_sockopt_func_proto,
1527 .is_valid_access = cg_sockopt_is_valid_access,
1528 .convert_ctx_access = cg_sockopt_convert_ctx_access,
1529 .gen_prologue = cg_sockopt_get_prologue,
1532 const struct bpf_prog_ops cg_sockopt_prog_ops = {