From patchwork Mon Mar 20 18:41:05 2017
X-Patchwork-Submitter: Chenbo Feng
X-Patchwork-Id: 741134
X-Patchwork-Delegate: davem@davemloft.net
From: Chenbo Feng
To: netdev@vger.kernel.org, Alexei Starovoitov, Daniel Borkmann
Cc: Lorenzo Colitti, Willem de Bruijn, Chenbo Feng
Subject: [PATCH net-next v5 2/3] Add an eBPF helper function to retrieve socket uid
Date: Mon, 20 Mar 2017 11:41:05 -0700
Message-Id: <1490035266-9861-3-git-send-email-chenbofeng.kernel@gmail.com>
In-Reply-To: <1490035266-9861-1-git-send-email-chenbofeng.kernel@gmail.com>
References: <1490035266-9861-1-git-send-email-chenbofeng.kernel@gmail.com>
List-ID: X-Mailing-List: netdev@vger.kernel.org

From: Chenbo Feng

Returns the owner uid of the socket inside a sk_buff. This is useful to perform per-UID accounting of network traffic or per-UID packet filtering. The socket needs to be a fullsock; otherwise overflowuid is returned.

Signed-off-by: Chenbo Feng
Acked-by: Daniel Borkmann
---
 include/uapi/linux/bpf.h | 9 ++++++++-
 net/core/filter.c | 22 ++++++++++++++++++++++
 tools/include/uapi/linux/bpf.h | 3 ++-
 3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index dc81a9f..ff42111 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h 
@@ -462,6 +462,12 @@ union bpf_attr { * @skb: pointer to skb * Return: 8 Bytes non-decreasing number on success or 0 if the socket * field is missing inside sk_buff + * + * u32 bpf_get_socket_uid(skb) + * Get the owner uid of the socket stored inside sk_buff. + * @skb: pointer to skb + * Return: uid of the socket owner on success or 0 if the socket pointer + * inside sk_buff is NULL */ #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ @@ -510,7 +516,8 @@ union bpf_attr { FN(skb_change_head), \ FN(xdp_adjust_head), \ FN(probe_read_str), \ - FN(get_socket_cookie), + FN(get_socket_cookie), \ + FN(get_socket_uid), /* integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call diff --git a/net/core/filter.c b/net/core/filter.c index 5b65ae3..a7c25c1 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -2612,6 +2612,24 @@ static const struct bpf_func_proto bpf_get_socket_cookie_proto = { .arg1_type = ARG_PTR_TO_CTX, }; +BPF_CALL_1(bpf_get_socket_uid, struct sk_buff *, skb) +{ + kuid_t kuid; + struct sock *sk = sk_to_full_sk(skb->sk); + + if (!sk || !sk_fullsock(sk)) + return overflowuid; + kuid = sock_net_uid(sock_net(sk), sk); + return from_kuid_munged(current_user_ns(), kuid); +} + +static const struct bpf_func_proto bpf_get_socket_uid_proto = { + .func = bpf_get_socket_uid, + .gpl_only = false, + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_CTX, +}; + static const struct bpf_func_proto * bpf_base_func_proto(enum bpf_func_id func_id) { @@ -2648,6 +2666,8 @@ sk_filter_func_proto(enum bpf_func_id func_id) return &bpf_skb_load_bytes_proto; case BPF_FUNC_get_socket_cookie: return &bpf_get_socket_cookie_proto; + case BPF_FUNC_get_socket_uid: + return &bpf_get_socket_uid_proto; default: return bpf_base_func_proto(func_id); } 
@@ -2709,6 +2729,8 @@ tc_cls_act_func_proto(enum bpf_func_id func_id) return &bpf_skb_under_cgroup_proto; case BPF_FUNC_get_socket_cookie: return &bpf_get_socket_cookie_proto; + case BPF_FUNC_get_socket_uid: + return &bpf_get_socket_uid_proto; default: return bpf_base_func_proto(func_id); } diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index a94bdd3..4a2d56d 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h @@ -504,7 +504,8 @@ union bpf_attr { FN(skb_change_head), \ FN(xdp_adjust_head), \ FN(probe_read_str), \ - FN(get_socket_cookie), + FN(get_socket_cookie), \ + FN(get_socket_uid), /* integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call
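Review bot: the Return line of the new helper description in the include/uapi/linux/bpf.h hunk (@@ -462) does not match the implementation: it says `0 if the socket pointer inside sk_buff is NULL`, but bpf_get_socket_uid in net/core/filter.c returns `overflowuid` both when skb->sk is NULL and when the socket is not a fullsock, which is also what the commit message states. Suggest `Return: uid of the socket owner on success or overflowuid if the socket pointer inside sk_buff is NULL or the socket is not a full socket`, so a program doing per-UID filtering does not test for 0 and treat the error case as a real uid.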
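Review bot: in the net/core/filter.c hunk adding BPF_CALL_1(bpf_get_socket_uid, ...), `from_kuid_munged(current_user_ns(), kuid)` translates the uid relative to whichever task happens to be current, which in the receive path (softirq, where both sk_filter and tc ingress programs run) has no relation to the socket; the kuid itself is already looked up via `sock_net(sk)`. Consider `from_kuid_munged(sock_net(sk)->user_ns, kuid)` so the value a program sees is expressed in the user namespace that owns the socket's network namespace and is the same regardless of calling context.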
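Review bot: the tools/include/uapi/linux/bpf.h hunk (@@ -504) only mirrors the `__BPF_FUNC_MAPPER` addition; the `u32 bpf_get_socket_uid(skb)` description block added to include/uapi/linux/bpf.h is not carried over, so the two copies of the header, which are meant to stay in sync, now diverge in their helper documentation. Suggest adding the same comment block to the tools copy in the same position.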