From patchwork Fri Aug 12 03:14:56 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sargun Dhillon <sargun@sargun.me>
X-Patchwork-Id: 658500
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3s9VPM5NpJz9s9W
	for <patchwork-incoming@ozlabs.org>;
	Fri, 12 Aug 2016 13:15:03 +1000 (AEST)
Authentication-Results: ozlabs.org; dkim=pass (1024-bit key;
	unprotected) header.d=sargun.me header.i=@sargun.me header.b=UUEPH01g;
	dkim-atps=neutral
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752554AbcHLDPA (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Thu, 11 Aug 2016 23:15:00 -0400
Received: from mail-io0-f172.google.com ([209.85.223.172]:33207 "EHLO
	mail-io0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752445AbcHLDO7 (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 11 Aug 2016 23:14:59 -0400
Received: by mail-io0-f172.google.com with SMTP id 38so14217868iol.0
	for <netdev@vger.kernel.org>; Thu, 11 Aug 2016 20:14:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google;
	h=date:from:to:cc:subject:message-id:mime-version:content-disposition
	:user-agent; bh=/GTfIblzBpGJOunKixtC+BLrVWZc4Wgt3Nsd1okNmwA=;
	b=UUEPH01gaQsgK3wv9tVBnUIDMFMvg47isp0EEs/ZKquEfredQWrePj8TYAnIaGEgT4
	4xc0XYCZsUYmF0XtEPyrZeqrYmUEoD9HKMiQkF6J0WdKbgnLOzDZWij3X2NiV9RbUvEJ
	Xwy2d7nCX5UyUSiujONGY6vJlQjFtfdci8tBE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version
	:content-disposition:user-agent;
	bh=/GTfIblzBpGJOunKixtC+BLrVWZc4Wgt3Nsd1okNmwA=;
	b=QP/Odrn6l+EbXZg2MMTG/vuVLuMTkaY9P6w5+qnAJ5cldH9ZTPgCtpGael4rTfSxlm
	q8nPRCfuOnWaRJOJYO0WdKlZlWKpFWxx+jRyF6jZ7C2ZVnSKiHnpG7cixw910adCxqNE
	nKEzPBmEjEZZtKBi+lxoigJ0gUdsOCbliRwinhVZQJV0iz1w0GuWxk21d2UNOsrXXRVE
	RHXscohraVRee2xIwxU/wTnm5BEGGf/Qhdef31XkO1+EdIj7A1ECYhL8AFS3r8ST8Xg/
	cMr2FLfbzOYILStCZai/y6aHEoYnVStmgnN9TXSL43oywLQgHTEJ5mOqYv+9vCUtyfME
	RNqg==
X-Gm-Message-State: 
 AEkoous+Kkmt120EEL6RKMCqla0/K1GzxmQf1/PHmhnhFoTh0O5oakPDYssB4aoVppsB7w==
X-Received: by 10.107.173.234 with SMTP id
	m103mr16455552ioo.127.1470971698260;
	Thu, 11 Aug 2016 20:14:58 -0700 (PDT)
Received: from ircssh.c.rugged-nimbus-611.internal
	(55.145.251.23.bc.googleusercontent.com. [23.251.145.55])
	by smtp.gmail.com with ESMTPSA id
	j129sm2688587iof.35.2016.08.11.20.14.57
	(version=TLS1_2 cipher=AES128-SHA bits=128/128);
	Thu, 11 Aug 2016 20:14:57 -0700 (PDT)
Date: Thu, 11 Aug 2016 20:14:56 -0700
From: Sargun Dhillon <sargun@sargun.me>
To: netdev@vger.kernel.org
Cc: alexei.starovoitov@gmail.com, daniel@iogearbox.net, tj@kernel.org
Subject: [PATCH net-next v4 2/3] bpf: Add bpf_current_task_under_cgroup
	helper
Message-ID: <20160812031454.GA2075@ircssh.c.rugged-nimbus-611.internal>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

This adds a bpf helper that's similar to the skb_in_cgroup helper to check
whether the probe is currently executing in the context of a specific
subset of the cgroupsv2 hierarchy. It does this based on membership test
for a cgroup arraymap. It is invalid to call this in an interrupt, and
it'll return an error. The helper is primarily to be used in debugging
activities for containers, where you may have multiple programs running in
a given top-level "container".

Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Tejun Heo <tj@kernel.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Tejun Heo <tj@kernel.org>
---
 include/uapi/linux/bpf.h | 11 +++++++++++
 kernel/bpf/arraymap.c    |  2 +-
 kernel/bpf/verifier.c    |  4 +++-
 kernel/trace/bpf_trace.c | 30 ++++++++++++++++++++++++++++++
 4 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index da218fe..bea0c4e 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -375,6 +375,17 @@ enum bpf_func_id {
 	 */
 	BPF_FUNC_probe_write_user,
 
+	/**
+	 * bpf_current_task_under_cgroup(map, index) - Check cgroup2 membership of current task
+	 * @map: pointer to bpf_map in BPF_MAP_TYPE_CGROUP_ARRAY type
+	 * @index: index of the cgroup in the bpf_map
+	 * Return:
+	 *   == 0 current failed the cgroup2 descendant test
+	 *   == 1 current succeeded the cgroup2 descendant test
+	 *    < 0 error
+	 */
+	BPF_FUNC_current_task_under_cgroup,
+
 	__BPF_FUNC_MAX_ID,
 };
 
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index 633a650..a2ac051 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -538,7 +538,7 @@ static int __init register_perf_event_array_map(void)
 }
 late_initcall(register_perf_event_array_map);
 
-#ifdef CONFIG_SOCK_CGROUP_DATA
+#ifdef CONFIG_CGROUPS
 static void *cgroup_fd_array_get_ptr(struct bpf_map *map,
 				     struct file *map_file /* not used */,
 				     int fd)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 7094c69..d504722 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1053,7 +1053,8 @@ static int check_map_func_compatibility(struct bpf_map *map, int func_id)
 			goto error;
 		break;
 	case BPF_MAP_TYPE_CGROUP_ARRAY:
-		if (func_id != BPF_FUNC_skb_in_cgroup)
+		if (func_id != BPF_FUNC_skb_in_cgroup &&
+		    func_id != BPF_FUNC_current_task_under_cgroup)
 			goto error;
 		break;
 	default:
@@ -1075,6 +1076,7 @@ static int check_map_func_compatibility(struct bpf_map *map, int func_id)
 		if (map->map_type != BPF_MAP_TYPE_STACK_TRACE)
 			goto error;
 		break;
+	case BPF_FUNC_current_task_under_cgroup:
 	case BPF_FUNC_skb_in_cgroup:
 		if (map->map_type != BPF_MAP_TYPE_CGROUP_ARRAY)
 			goto error;
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index b20438f..e85f183 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -376,6 +376,34 @@ static const struct bpf_func_proto bpf_get_current_task_proto = {
 	.ret_type	= RET_INTEGER,
 };
 
+static u64 bpf_current_task_under_cgroup(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
+{
+	u32 idx = (u32)r2;
+	struct cgroup *cgrp;
+	struct bpf_map *map = (struct bpf_map *)(long)r1;
+	struct bpf_array *array = container_of(map, struct bpf_array, map);
+
+	if (unlikely(in_interrupt()))
+		return -EINVAL;
+
+	if (unlikely(idx >= array->map.max_entries))
+		return -E2BIG;
+
+	cgrp = READ_ONCE(array->ptrs[idx]);
+	if (unlikely(!cgrp))
+		return -EAGAIN;
+
+	return task_under_cgroup_hierarchy(current, cgrp);
+}
+
+static const struct bpf_func_proto bpf_current_task_under_cgroup_proto = {
+	.func           = bpf_current_task_under_cgroup,
+	.gpl_only       = false,
+	.ret_type       = RET_INTEGER,
+	.arg1_type      = ARG_CONST_MAP_PTR,
+	.arg2_type      = ARG_ANYTHING,
+};
+
 static const struct bpf_func_proto *tracing_func_proto(enum bpf_func_id func_id)
 {
 	switch (func_id) {
@@ -407,6 +435,8 @@ static const struct bpf_func_proto *tracing_func_proto(enum bpf_func_id func_id)
 		return &bpf_perf_event_read_proto;
 	case BPF_FUNC_probe_write_user:
 		return bpf_get_probe_write_proto();
+	case BPF_FUNC_current_task_under_cgroup:
+		return &bpf_current_task_under_cgroup_proto;
 	default:
 		return NULL;
 	}