Patch Detail
GET /api/patches/805995/?format=api
{ "id": 805995, "url": "http://patchwork.ozlabs.org/api/patches/805995/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/patch/1503687941-626-2-git-send-email-dsahern@gmail.com/", "project": { "id": 7, "url": "http://patchwork.ozlabs.org/api/projects/7/?format=api", "name": "Linux network development", "link_name": "netdev", "list_id": "netdev.vger.kernel.org", "list_email": "netdev@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<1503687941-626-2-git-send-email-dsahern@gmail.com>", "list_archive_url": null, "date": "2017-08-25T19:05:34", "name": "[v2,net-next,1/8] bpf: Add support for recursively running cgroup sock filters", "commit_ref": null, "pull_url": null, "state": "deferred", "archived": true, "hash": "cc694d271fc2fa8bac8d21eaeb690f21b90db766", "submitter": { "id": 6918, "url": "http://patchwork.ozlabs.org/api/people/6918/?format=api", "name": "David Ahern", "email": "dsahern@gmail.com" }, "delegate": { "id": 34, "url": "http://patchwork.ozlabs.org/api/users/34/?format=api", "username": "davem", "first_name": "David", "last_name": "Miller", "email": "davem@davemloft.net" }, "mbox": "http://patchwork.ozlabs.org/project/netdev/patch/1503687941-626-2-git-send-email-dsahern@gmail.com/mbox/", "series": [], "comments": "http://patchwork.ozlabs.org/api/patches/805995/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/805995/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<netdev-owner@vger.kernel.org>", "X-Original-To": "patchwork-incoming@ozlabs.org", "Delivered-To": "patchwork-incoming@ozlabs.org", "Authentication-Results": [ "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)", "ozlabs.org; dkim=pass (2048-bit key;\n\tunprotected) 
header.d=gmail.com header.i=@gmail.com\n\theader.b=\"Td1TRn7a\"; dkim-atps=neutral" ], "Received": [ "from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xf9c5655pz9t1m\n\tfor <patchwork-incoming@ozlabs.org>;\n\tSat, 26 Aug 2017 05:05:57 +1000 (AEST)", "(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1758130AbdHYTFy (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tFri, 25 Aug 2017 15:05:54 -0400", "from mail-pg0-f67.google.com ([74.125.83.67]:35620 \"EHLO\n\tmail-pg0-f67.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1756602AbdHYTFu (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Fri, 25 Aug 2017 15:05:50 -0400", "by mail-pg0-f67.google.com with SMTP id r133so904422pgr.2\n\tfor <netdev@vger.kernel.org>; Fri, 25 Aug 2017 12:05:50 -0700 (PDT)", "from kenny.it.cumulusnetworks.com. (fw.cumulusnetworks.com.\n\t[216.129.126.126]) by smtp.googlemail.com with ESMTPSA id\n\t16sm16642137pfn.188.2017.08.25.12.05.48\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);\n\tFri, 25 Aug 2017 12:05:49 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=gmail.com; s=20161025;\n\th=from:to:cc:subject:date:message-id:in-reply-to:references;\n\tbh=Fmn9KrAOFZ4Pqy5vm9EaHhCxAzWKQCHAIW4I2lT8fIw=;\n\tb=Td1TRn7awb00Dv0YxH+qJF5sUEGuJvlg4nECh0R4ymoxK7NB0byjr23gkmOyRubjhd\n\tLB7VEM1ckC7OU3dyzhDhFHsLNOZfhl0eVxJh5HZC9rIjzT2CGlHFE/IjokgeWHBsdo8r\n\tSZT7j0o7i6CqrCiqgQq6wceme6rqTzQammNbq2M7sA4tcTHBMAv7VohDOBlUa4XBxShf\n\tIORuITuUvs8tpcgkitdA3954q2Sk67tgevVu/+vEqXPyyX8SD0aKhgEwvu1AChXMQsiK\n\tWC1dTiB5K4qbxxXvPNeuCNXOnq6zXJta2ACcPe3cmiV2fBXyc8qj5wgnGSPetJeb5Haa\n\tuj8g==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; 
s=20161025;\n\th=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to\n\t:references;\n\tbh=Fmn9KrAOFZ4Pqy5vm9EaHhCxAzWKQCHAIW4I2lT8fIw=;\n\tb=P6nzT39yrntdMK86qkVabeIFyTwp4AhKm34k7dBRtv7Nvw6NFUEPt3tolqoV1W/n3u\n\tgyOg0H4BiBoh9FJlFVmVTUDjDMRimFyNllcc1cDcAdGv3144TVjG7QgeiwJ3ZwBrJ8XK\n\tEgpel15t4gF8APiH44c3r4ULvGmiYdlC1YhvhE5uZk63kswY8SNsMV0tGw/N7uUmBj1x\n\t5uYBGSaxuIS3oK5OVTyhFK2v4Tznt8GWF98tkk250yX0ElAvbHXb/1nUqsCvMoW6e+Oq\n\tAuaypdplbtfst7JcYKbfcfF7K6v2C5mjymAioWEERq78jZTGVpVyVYJOuboXrfLZolio\n\trhnQ==", "X-Gm-Message-State": "AHYfb5imslMbnl90Bv0rhUZSvatXjTHpuyqaJiHXpBRmeNtpNO+zA56O\n\tgxJ001N2ugkZb4fJ", "X-Received": "by 10.84.195.36 with SMTP id i33mr11790368pld.314.1503687949998; \n\tFri, 25 Aug 2017 12:05:49 -0700 (PDT)", "From": "David Ahern <dsahern@gmail.com>", "To": "netdev@vger.kernel.org, daniel@iogearbox.net, ast@kernel.org,\n\ttj@kernel.org, davem@davemloft.net", "Cc": "David Ahern <dsahern@gmail.com>", "Subject": "[PATCH v2 net-next 1/8] bpf: Add support for recursively running\n\tcgroup sock filters", "Date": "Fri, 25 Aug 2017 12:05:34 -0700", "Message-Id": "<1503687941-626-2-git-send-email-dsahern@gmail.com>", "X-Mailer": "git-send-email 2.1.4", "In-Reply-To": "<1503687941-626-1-git-send-email-dsahern@gmail.com>", "References": "<1503687941-626-1-git-send-email-dsahern@gmail.com>", "Sender": "netdev-owner@vger.kernel.org", "Precedence": "bulk", "List-ID": "<netdev.vger.kernel.org>", "X-Mailing-List": "netdev@vger.kernel.org" }, "content": "Add support for recursively applying sock filters attached to a cgroup.\nFor now, start with the inner cgroup attached to the socket and work back\nto the root or first cgroup without the recursive flag set. 
Once the\nrecursive flag is set for a cgroup all descendant group's must have the\nflag as well.\n\nSigned-off-by: David Ahern <dsahern@gmail.com>\n---\n include/linux/bpf-cgroup.h | 10 ++++++----\n include/uapi/linux/bpf.h | 9 +++++++++\n kernel/bpf/cgroup.c | 29 ++++++++++++++++++++++-------\n kernel/bpf/syscall.c | 6 +++---\n kernel/cgroup/cgroup.c | 25 +++++++++++++++++++++++--\n 5 files changed, 63 insertions(+), 16 deletions(-)", "diff": "diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h\nindex d41d40ac3efd..2d02187f242f 100644\n--- a/include/linux/bpf-cgroup.h\n+++ b/include/linux/bpf-cgroup.h\n@@ -23,6 +23,7 @@ struct cgroup_bpf {\n \tstruct bpf_prog *prog[MAX_BPF_ATTACH_TYPE];\n \tstruct bpf_prog __rcu *effective[MAX_BPF_ATTACH_TYPE];\n \tbool disallow_override[MAX_BPF_ATTACH_TYPE];\n+\tbool is_recursive[MAX_BPF_ATTACH_TYPE];\n };\n \n void cgroup_bpf_put(struct cgroup *cgrp);\n@@ -30,18 +31,19 @@ void cgroup_bpf_inherit(struct cgroup *cgrp, struct cgroup *parent);\n \n int __cgroup_bpf_update(struct cgroup *cgrp, struct cgroup *parent,\n \t\t\tstruct bpf_prog *prog, enum bpf_attach_type type,\n-\t\t\tbool overridable);\n+\t\t\tu32 flags);\n \n /* Wrapper for __cgroup_bpf_update() protected by cgroup_mutex */\n int cgroup_bpf_update(struct cgroup *cgrp, struct bpf_prog *prog,\n-\t\t enum bpf_attach_type type, bool overridable);\n+\t\t enum bpf_attach_type type, u32 flags);\n \n int __cgroup_bpf_run_filter_skb(struct sock *sk,\n \t\t\t\tstruct sk_buff *skb,\n \t\t\t\tenum bpf_attach_type type);\n \n-int __cgroup_bpf_run_filter_sk(struct sock *sk,\n+int __cgroup_bpf_run_filter_sk(struct cgroup *cgrp, struct sock *sk,\n \t\t\t enum bpf_attach_type type);\n+int cgroup_bpf_run_filter_sk(struct sock *sk, enum bpf_attach_type type);\n \n int __cgroup_bpf_run_filter_sock_ops(struct sock *sk,\n \t\t\t\t struct bpf_sock_ops_kern *sock_ops,\n@@ -74,7 +76,7 @@ int __cgroup_bpf_run_filter_sock_ops(struct sock *sk,\n ({\t\t\t\t\t\t\t\t\t \\\n \tint 
__ret = 0;\t\t\t\t\t\t\t \\\n \tif (cgroup_bpf_enabled && sk) {\t\t\t\t\t \\\n-\t\t__ret = __cgroup_bpf_run_filter_sk(sk,\t\t\t \\\n+\t\t__ret = cgroup_bpf_run_filter_sk(sk,\t\t\t \\\n \t\t\t\t\t\t BPF_CGROUP_INET_SOCK_CREATE); \\\n \t}\t\t\t\t\t\t\t\t \\\n \t__ret;\t\t\t\t\t\t\t\t \\\ndiff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h\nindex f71f5e07d82d..595e31b30f23 100644\n--- a/include/uapi/linux/bpf.h\n+++ b/include/uapi/linux/bpf.h\n@@ -151,6 +151,15 @@ enum bpf_attach_type {\n */\n #define BPF_F_ALLOW_OVERRIDE\t(1U << 0)\n \n+/* If BPF_F_RECURSIVE flag is used in BPF_PROG_ATTACH command\n+ * cgroups are walked recursively back to the root cgroup or the\n+ * first cgroup without the flag set running any program attached.\n+ * Once the flag is set, it MUST be set for all descendant cgroups.\n+ */\n+#define BPF_F_RECURSIVE\t\t(1U << 1)\n+\n+#define BPF_F_ALL_ATTACH_FLAGS (BPF_F_ALLOW_OVERRIDE | BPF_F_RECURSIVE)\n+\n /* If BPF_F_STRICT_ALIGNMENT is used in BPF_PROG_LOAD command, the\n * verifier will perform strict alignment checking as if the kernel\n * has been built with CONFIG_EFFICIENT_UNALIGNED_ACCESS not set,\ndiff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c\nindex 546113430049..eb1f436c18fb 100644\n--- a/kernel/bpf/cgroup.c\n+++ b/kernel/bpf/cgroup.c\n@@ -47,10 +47,16 @@ void cgroup_bpf_inherit(struct cgroup *cgrp, struct cgroup *parent)\n \tunsigned int type;\n \n \tfor (type = 0; type < ARRAY_SIZE(cgrp->bpf.effective); type++) {\n-\t\tstruct bpf_prog *e;\n+\t\tstruct bpf_prog *e = NULL;\n+\n+\t\t/* do not need to set effective program if cgroups are\n+\t\t * walked recursively\n+\t\t */\n+\t\tcgrp->bpf.is_recursive[type] = parent->bpf.is_recursive[type];\n+\t\tif (!cgrp->bpf.is_recursive[type])\n+\t\t\te = rcu_dereference_protected(parent->bpf.effective[type],\n+\t\t\t\t\t\t lockdep_is_held(&cgroup_mutex));\n \n-\t\te = rcu_dereference_protected(parent->bpf.effective[type],\n-\t\t\t\t\t lockdep_is_held(&cgroup_mutex));\n 
\t\trcu_assign_pointer(cgrp->bpf.effective[type], e);\n \t\tcgrp->bpf.disallow_override[type] = parent->bpf.disallow_override[type];\n \t}\n@@ -85,8 +91,12 @@ void cgroup_bpf_inherit(struct cgroup *cgrp, struct cgroup *parent)\n */\n int __cgroup_bpf_update(struct cgroup *cgrp, struct cgroup *parent,\n \t\t\tstruct bpf_prog *prog, enum bpf_attach_type type,\n-\t\t\tbool new_overridable)\n+\t\t\tu32 flags)\n {\n+\tbool new_overridable = flags & BPF_F_ALLOW_OVERRIDE;\n+\t/* initial state inherited from parent */\n+\tbool curr_recursive = cgrp->bpf.is_recursive[type];\n+\tbool new_recursive = flags & BPF_F_RECURSIVE;\n \tstruct bpf_prog *old_prog, *effective = NULL;\n \tstruct cgroup_subsys_state *pos;\n \tbool overridable = true;\n@@ -109,6 +119,12 @@ int __cgroup_bpf_update(struct cgroup *cgrp, struct cgroup *parent,\n \t\t */\n \t\treturn -EPERM;\n \n+\tif (prog && curr_recursive && !new_recursive)\n+\t\t/* if a parent has recursive prog attached, only\n+\t\t * allow recursive programs in descendent cgroup\n+\t\t */\n+\t\treturn -EINVAL;\n+\n \told_prog = cgrp->bpf.prog[type];\n \n \tif (prog) {\n@@ -139,6 +155,7 @@ int __cgroup_bpf_update(struct cgroup *cgrp, struct cgroup *parent,\n \t\t\trcu_assign_pointer(desc->bpf.effective[type],\n \t\t\t\t\t effective);\n \t\t\tdesc->bpf.disallow_override[type] = !overridable;\n+\t\t\tdesc->bpf.is_recursive[type] = new_recursive;\n \t\t}\n \t}\n \n@@ -217,14 +234,12 @@ EXPORT_SYMBOL(__cgroup_bpf_run_filter_skb);\n * This function will return %-EPERM if any if an attached program was found\n * and if it returned != 1 during execution. 
In all other cases, 0 is returned.\n */\n-int __cgroup_bpf_run_filter_sk(struct sock *sk,\n+int __cgroup_bpf_run_filter_sk(struct cgroup *cgrp, struct sock *sk,\n \t\t\t enum bpf_attach_type type)\n {\n-\tstruct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);\n \tstruct bpf_prog *prog;\n \tint ret = 0;\n \n-\n \trcu_read_lock();\n \n \tprog = rcu_dereference(cgrp->bpf.effective[type]);\ndiff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c\nindex d5774a6851f1..a1ab5dbaae89 100644\n--- a/kernel/bpf/syscall.c\n+++ b/kernel/bpf/syscall.c\n@@ -1187,7 +1187,7 @@ static int bpf_prog_attach(const union bpf_attr *attr)\n \tif (CHECK_ATTR(BPF_PROG_ATTACH))\n \t\treturn -EINVAL;\n \n-\tif (attr->attach_flags & ~BPF_F_ALLOW_OVERRIDE)\n+\tif (attr->attach_flags & ~BPF_F_ALL_ATTACH_FLAGS)\n \t\treturn -EINVAL;\n \n \tswitch (attr->attach_type) {\n@@ -1222,7 +1222,7 @@ static int bpf_prog_attach(const union bpf_attr *attr)\n \t}\n \n \tret = cgroup_bpf_update(cgrp, prog, attr->attach_type,\n-\t\t\t\tattr->attach_flags & BPF_F_ALLOW_OVERRIDE);\n+\t\t\t\tattr->attach_flags);\n \tif (ret)\n \t\tbpf_prog_put(prog);\n \tcgroup_put(cgrp);\n@@ -1252,7 +1252,7 @@ static int bpf_prog_detach(const union bpf_attr *attr)\n \t\tif (IS_ERR(cgrp))\n \t\t\treturn PTR_ERR(cgrp);\n \n-\t\tret = cgroup_bpf_update(cgrp, NULL, attr->attach_type, false);\n+\t\tret = cgroup_bpf_update(cgrp, NULL, attr->attach_type, 0);\n \t\tcgroup_put(cgrp);\n \t\tbreak;\n \ndiff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c\nindex df2e0f14a95d..27a4f14435a3 100644\n--- a/kernel/cgroup/cgroup.c\n+++ b/kernel/cgroup/cgroup.c\n@@ -5176,14 +5176,35 @@ void cgroup_sk_free(struct sock_cgroup_data *skcd)\n \n #ifdef CONFIG_CGROUP_BPF\n int cgroup_bpf_update(struct cgroup *cgrp, struct bpf_prog *prog,\n-\t\t enum bpf_attach_type type, bool overridable)\n+\t\t enum bpf_attach_type type, u32 flags)\n {\n \tstruct cgroup *parent = cgroup_parent(cgrp);\n \tint ret;\n \n \tmutex_lock(&cgroup_mutex);\n-\tret = 
__cgroup_bpf_update(cgrp, parent, prog, type, overridable);\n+\tret = __cgroup_bpf_update(cgrp, parent, prog, type, flags);\n \tmutex_unlock(&cgroup_mutex);\n \treturn ret;\n }\n+\n+int cgroup_bpf_run_filter_sk(struct sock *sk,\n+\t\t\t enum bpf_attach_type type)\n+{\n+\tstruct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);\n+\tint ret = 0;\n+\n+\twhile (cgrp) {\n+\t\tret = __cgroup_bpf_run_filter_sk(cgrp, sk, type);\n+\t\tif (ret)\n+\t\t\tbreak;\n+\n+\t\tif (!cgrp->bpf.is_recursive[type])\n+\t\t\tbreak;\n+\n+\t\tcgrp = cgroup_parent(cgrp);\n+\t}\n+\n+\treturn ret;\n+}\n+EXPORT_SYMBOL(cgroup_bpf_run_filter_sk);\n #endif /* CONFIG_CGROUP_BPF */\n", "prefixes": [ "v2", "net-next", "1/8" ] }
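Review bot: BPF_F_ALL_ATTACH_FLAGS in the include/uapi/linux/bpf.h hunk (@@ -151,6 +151,15) puts a validation mask into the user-visible header, where its value has to change every time an attach flag is added, so userspace built against an older header would carry a stale mask. The only user in this patch is the attach_flags check in kernel/bpf/syscall.c; defining the mask there or in a kernel-internal header keeps it out of the ABI. The new BPF_F_RECURSIVE comment should also state how the flag combines with BPF_F_ALLOW_OVERRIDE, since both bits can now be passed together.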
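Review bot: the new -EINVAL check in __cgroup_bpf_update() (kernel/bpf/cgroup.c, @@ -109,6 +119,12) tests the cgroup's own is_recursive[type] through curr_recursive, while its comment describes the parent's state ("if a parent has recursive prog attached"). The same field is written per desc in the @@ -139,6 +155,7 hunk, so it only holds the inherited value until the first update touches it. parent is already an argument, so testing parent && parent->bpf.is_recursive[type] would make the code match the comment and the rule stated in the commit message. The comment also spells "descendent" where the rest of the patch uses "descendant".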
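Review bot: the attach_flags check in bpf_prog_attach() (kernel/bpf/syscall.c, @@ -1187,7 +1187,7) accepts BPF_F_RECURSIVE before the switch on attr->attach_type, so the flag is allowed for every attach type, but only the BPF_CGROUP_INET_SOCK_CREATE macro is converted to the walking cgroup_bpf_run_filter_sk(). __cgroup_bpf_run_filter_skb() and __cgroup_bpf_run_filter_sock_ops() are unchanged here, and cgroup_bpf_inherit() now leaves effective[type] NULL for a child whose parent is recursive, so a recursive attach of an skb or sock_ops program would leave new child cgroups with no effective program and no walk to find the ancestor's. Reject BPF_F_RECURSIVE for attach types whose run path does not walk the hierarchy, at least until a later patch in the series converts them.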
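Review bot: bpf_prog_detach() (kernel/bpf/syscall.c, @@ -1252,7 +1252,7) passes flags 0, which makes new_recursive false in __cgroup_bpf_update(), and the @@ -139,6 +155,7 hunk stores new_recursive into desc->bpf.is_recursive[type] without looking at prog. If the detach path reaches that assignment, detaching a program in the middle of a recursive chain clears the flag for that cgroup and the descendants the loop visits, and cgroup_bpf_run_filter_sk() stops at the first cgroup whose flag is clear, so ancestor programs would no longer run for sockets in that subtree. On detach the flag should fall back to the parent's is_recursive[type] rather than to false.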
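Review bot: the loop in cgroup_bpf_run_filter_sk() (kernel/cgroup/cgroup.c, @@ -5176,14 +5176,35) reads cgrp->bpf.is_recursive[type] as a plain load outside any lock or RCU section, while __cgroup_bpf_update() writes it under cgroup_mutex and __cgroup_bpf_run_filter_sk() only holds rcu_read_lock() for one level at a time. A walk racing with an attach can therefore see a mix of old and new flags along the path and stop early or continue past the intended boundary. Either hold rcu_read_lock() across the whole walk and pair the accesses with READ_ONCE()/WRITE_ONCE(), or add a comment explaining why the unsynchronized read is safe. The new exported function also has no comment describing its return values, unlike the helper it wraps.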