tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge branch 'Refactor cgroup_bpf internals to use more specific attach_type'

Dave Marchevsky says:

====================

The cgroup_bpf struct has a few arrays (effective, progs, and flags) of
size MAX_BPF_ATTACH_TYPE. These are meant to separate progs by their
attach type, currently represented by the bpf_attach_type enum.

There are some bpf_attach_type values which are not valid attach types
for cgroup bpf programs. Programs with these attach types will never be
handled by cgroup_bpf_{attach,detach} and thus will never be held in
cgroup_bpf structs. Even if such programs did make it into their
reserved slot in those arrays, they would never be executed.

Accordingly we can migrate to a new internal cgroup_bpf-specific enum
for these arrays, saving some bytes per cgroup and making it more
obvious which BPF programs belong there. netns_bpf_attach_type is an
existing example of this pattern, let's do similar for cgroup_bpf.

v1->v2: Address Daniel's comments
* Reverse xmas tree ordering for def changes
* Helper macro to reduce to_cgroup_bpf_attach_type boilerplate
* checkpatch.pl complains: "ERROR: Macros with complex values should
be enclosed in parentheses". Found some existing macros (do 'git grep
"define case"') which get same complaint. Think it's fine to keep
as-is since it's immediately undef'd.
* Remove CG_BPF_ prefix from cgroup_bpf_attach_type
* Although I agree that the prefix is redundant, the de-prefixed
names feel a bit too 'general' given the internal use of the enum.
e.g. when someone sees CGROUP_INET6_BIND it's not obvious that it
should only be used in certain ways internally.
* Don't feel strongly about this, just my thoughts as a noob to the
internals.
* Rebase onto latest bpf-next/master
* No significant conflicts, some small boilerplate adjustments
needed to catch up to Andrii's "bpf: Refactor BPF_PROG_RUN_ARRAY
family of macros into functions" change
====================

Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Alexei Starovoitov 4ed589a2 d359902d

+226 -132
+123 -59
include/linux/bpf-cgroup.h
··· 23 23 struct task_struct; 24 24 25 25 #ifdef CONFIG_CGROUP_BPF 26 + enum cgroup_bpf_attach_type { 27 + CGROUP_BPF_ATTACH_TYPE_INVALID = -1, 28 + CGROUP_INET_INGRESS = 0, 29 + CGROUP_INET_EGRESS, 30 + CGROUP_INET_SOCK_CREATE, 31 + CGROUP_SOCK_OPS, 32 + CGROUP_DEVICE, 33 + CGROUP_INET4_BIND, 34 + CGROUP_INET6_BIND, 35 + CGROUP_INET4_CONNECT, 36 + CGROUP_INET6_CONNECT, 37 + CGROUP_INET4_POST_BIND, 38 + CGROUP_INET6_POST_BIND, 39 + CGROUP_UDP4_SENDMSG, 40 + CGROUP_UDP6_SENDMSG, 41 + CGROUP_SYSCTL, 42 + CGROUP_UDP4_RECVMSG, 43 + CGROUP_UDP6_RECVMSG, 44 + CGROUP_GETSOCKOPT, 45 + CGROUP_SETSOCKOPT, 46 + CGROUP_INET4_GETPEERNAME, 47 + CGROUP_INET6_GETPEERNAME, 48 + CGROUP_INET4_GETSOCKNAME, 49 + CGROUP_INET6_GETSOCKNAME, 50 + CGROUP_INET_SOCK_RELEASE, 51 + MAX_CGROUP_BPF_ATTACH_TYPE 52 + }; 26 53 27 - extern struct static_key_false cgroup_bpf_enabled_key[MAX_BPF_ATTACH_TYPE]; 28 - #define cgroup_bpf_enabled(type) static_branch_unlikely(&cgroup_bpf_enabled_key[type]) 54 + #define CGROUP_ATYPE(type) \ 55 + case BPF_##type: return type 56 + 57 + static inline enum cgroup_bpf_attach_type 58 + to_cgroup_bpf_attach_type(enum bpf_attach_type attach_type) 59 + { 60 + switch (attach_type) { 61 + CGROUP_ATYPE(CGROUP_INET_INGRESS); 62 + CGROUP_ATYPE(CGROUP_INET_EGRESS); 63 + CGROUP_ATYPE(CGROUP_INET_SOCK_CREATE); 64 + CGROUP_ATYPE(CGROUP_SOCK_OPS); 65 + CGROUP_ATYPE(CGROUP_DEVICE); 66 + CGROUP_ATYPE(CGROUP_INET4_BIND); 67 + CGROUP_ATYPE(CGROUP_INET6_BIND); 68 + CGROUP_ATYPE(CGROUP_INET4_CONNECT); 69 + CGROUP_ATYPE(CGROUP_INET6_CONNECT); 70 + CGROUP_ATYPE(CGROUP_INET4_POST_BIND); 71 + CGROUP_ATYPE(CGROUP_INET6_POST_BIND); 72 + CGROUP_ATYPE(CGROUP_UDP4_SENDMSG); 73 + CGROUP_ATYPE(CGROUP_UDP6_SENDMSG); 74 + CGROUP_ATYPE(CGROUP_SYSCTL); 75 + CGROUP_ATYPE(CGROUP_UDP4_RECVMSG); 76 + CGROUP_ATYPE(CGROUP_UDP6_RECVMSG); 77 + CGROUP_ATYPE(CGROUP_GETSOCKOPT); 78 + CGROUP_ATYPE(CGROUP_SETSOCKOPT); 79 + CGROUP_ATYPE(CGROUP_INET4_GETPEERNAME); 80 + CGROUP_ATYPE(CGROUP_INET6_GETPEERNAME); 81 + CGROUP_ATYPE(CGROUP_INET4_GETSOCKNAME); 82 + CGROUP_ATYPE(CGROUP_INET6_GETSOCKNAME); 83 + CGROUP_ATYPE(CGROUP_INET_SOCK_RELEASE); 84 + default: 85 + return CGROUP_BPF_ATTACH_TYPE_INVALID; 86 + } 87 + } 88 + 89 + #undef CGROUP_ATYPE 90 + 91 + extern struct static_key_false cgroup_bpf_enabled_key[MAX_CGROUP_BPF_ATTACH_TYPE]; 92 + #define cgroup_bpf_enabled(atype) static_branch_unlikely(&cgroup_bpf_enabled_key[atype]) 29 93 30 94 #define for_each_cgroup_storage_type(stype) \ 31 95 for (stype = 0; stype < MAX_BPF_CGROUP_STORAGE_TYPE; stype++) ··· 131 67 132 68 struct cgroup_bpf { 133 69 /* array of effective progs in this cgroup */ 134 - struct bpf_prog_array __rcu *effective[MAX_BPF_ATTACH_TYPE]; 70 + struct bpf_prog_array __rcu *effective[MAX_CGROUP_BPF_ATTACH_TYPE]; 135 71 136 72 /* attached progs to this cgroup and attach flags 137 73 * when flags == 0 or BPF_F_ALLOW_OVERRIDE the progs list will 138 74 * have either zero or one element 139 75 * when BPF_F_ALLOW_MULTI the list can have up to BPF_CGROUP_MAX_PROGS 140 76 */ 141 - struct list_head progs[MAX_BPF_ATTACH_TYPE]; 142 - u32 flags[MAX_BPF_ATTACH_TYPE]; 77 + struct list_head progs[MAX_CGROUP_BPF_ATTACH_TYPE]; 78 + u32 flags[MAX_CGROUP_BPF_ATTACH_TYPE]; 143 79 144 80 /* list of cgroup shared storages */ 145 81 struct list_head storages; ··· 179 115 180 116 int __cgroup_bpf_run_filter_skb(struct sock *sk, 181 117 struct sk_buff *skb, 182 - enum bpf_attach_type type); 118 + enum cgroup_bpf_attach_type atype); 183 119 184 120 int __cgroup_bpf_run_filter_sk(struct sock *sk, 185 - enum bpf_attach_type type); 121 + enum cgroup_bpf_attach_type atype); 186 122 187 123 int __cgroup_bpf_run_filter_sock_addr(struct sock *sk, 188 124 struct sockaddr *uaddr, 189 - enum bpf_attach_type type, 125 + enum cgroup_bpf_attach_type atype, 190 126 void *t_ctx, 191 127 u32 *flags); 192 128 193 129 int __cgroup_bpf_run_filter_sock_ops(struct sock *sk, 194 130 struct bpf_sock_ops_kern *sock_ops, 195 - enum bpf_attach_type type); 131 + enum cgroup_bpf_attach_type atype); 196 132 197 133 int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor, 198 - short access, enum bpf_attach_type type); 134 + short access, enum cgroup_bpf_attach_type atype); 199 135 200 136 int __cgroup_bpf_run_filter_sysctl(struct ctl_table_header *head, 201 137 struct ctl_table *table, int write, 202 138 char **buf, size_t *pcount, loff_t *ppos, 203 - enum bpf_attach_type type); 139 + enum cgroup_bpf_attach_type atype); 204 140 205 141 int __cgroup_bpf_run_filter_setsockopt(struct sock *sock, int *level, 206 142 int *optname, char __user *optval, ··· 243 179 #define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb) \ 244 180 ({ \ 245 181 int __ret = 0; \ 246 - if (cgroup_bpf_enabled(BPF_CGROUP_INET_INGRESS)) \ 182 + if (cgroup_bpf_enabled(CGROUP_INET_INGRESS)) \ 247 183 __ret = __cgroup_bpf_run_filter_skb(sk, skb, \ 248 - BPF_CGROUP_INET_INGRESS); \ 184 + CGROUP_INET_INGRESS); \ 249 185 \ 250 186 __ret; \ 251 187 }) ··· 253 189 #define BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb) \ 254 190 ({ \ 255 191 int __ret = 0; \ 256 - if (cgroup_bpf_enabled(BPF_CGROUP_INET_EGRESS) && sk && sk == skb->sk) { \ 192 + if (cgroup_bpf_enabled(CGROUP_INET_EGRESS) && sk && sk == skb->sk) { \ 257 193 typeof(sk) __sk = sk_to_full_sk(sk); \ 258 194 if (sk_fullsock(__sk)) \ 259 195 __ret = __cgroup_bpf_run_filter_skb(__sk, skb, \ 260 - BPF_CGROUP_INET_EGRESS); \ 196 + CGROUP_INET_EGRESS); \ 261 197 } \ 262 198 __ret; \ 263 199 }) 264 200 265 - #define BPF_CGROUP_RUN_SK_PROG(sk, type) \ 201 + #define BPF_CGROUP_RUN_SK_PROG(sk, atype) \ 266 202 ({ \ 267 203 int __ret = 0; \ 268 - if (cgroup_bpf_enabled(type)) { \ 269 - __ret = __cgroup_bpf_run_filter_sk(sk, type); \ 204 + if (cgroup_bpf_enabled(atype)) { \ 205 + __ret = __cgroup_bpf_run_filter_sk(sk, atype); \ 270 206 } \ 271 207 __ret; \ 272 208 }) 273 209 274 210 #define BPF_CGROUP_RUN_PROG_INET_SOCK(sk) \ 275 - BPF_CGROUP_RUN_SK_PROG(sk, BPF_CGROUP_INET_SOCK_CREATE) 211 + BPF_CGROUP_RUN_SK_PROG(sk, CGROUP_INET_SOCK_CREATE) 276 212 277 213 #define BPF_CGROUP_RUN_PROG_INET_SOCK_RELEASE(sk) \ 278 - BPF_CGROUP_RUN_SK_PROG(sk, BPF_CGROUP_INET_SOCK_RELEASE) 214 + BPF_CGROUP_RUN_SK_PROG(sk, CGROUP_INET_SOCK_RELEASE) 279 215 280 216 #define BPF_CGROUP_RUN_PROG_INET4_POST_BIND(sk) \ 281 - BPF_CGROUP_RUN_SK_PROG(sk, BPF_CGROUP_INET4_POST_BIND) 217 + BPF_CGROUP_RUN_SK_PROG(sk, CGROUP_INET4_POST_BIND) 282 218 283 219 #define BPF_CGROUP_RUN_PROG_INET6_POST_BIND(sk) \ 284 - BPF_CGROUP_RUN_SK_PROG(sk, BPF_CGROUP_INET6_POST_BIND) 220 + BPF_CGROUP_RUN_SK_PROG(sk, CGROUP_INET6_POST_BIND) 285 221 286 - #define BPF_CGROUP_RUN_SA_PROG(sk, uaddr, type) \ 222 + #define BPF_CGROUP_RUN_SA_PROG(sk, uaddr, atype) \ 287 223 ({ \ 288 224 u32 __unused_flags; \ 289 225 int __ret = 0; \ 290 - if (cgroup_bpf_enabled(type)) \ 291 - __ret = __cgroup_bpf_run_filter_sock_addr(sk, uaddr, type, \ 226 + if (cgroup_bpf_enabled(atype)) \ 227 + __ret = __cgroup_bpf_run_filter_sock_addr(sk, uaddr, atype, \ 292 228 NULL, \ 293 229 &__unused_flags); \ 294 230 __ret; \ 295 231 }) 296 232 297 - #define BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, type, t_ctx) \ 233 + #define BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, atype, t_ctx) \ 298 234 ({ \ 299 235 u32 __unused_flags; \ 300 236 int __ret = 0; \ 301 - if (cgroup_bpf_enabled(type)) { \ 237 + if (cgroup_bpf_enabled(atype)) { \ 302 238 lock_sock(sk); \ 303 - __ret = __cgroup_bpf_run_filter_sock_addr(sk, uaddr, type, \ 239 + __ret = __cgroup_bpf_run_filter_sock_addr(sk, uaddr, atype, \ 304 240 t_ctx, \ 305 241 &__unused_flags); \ 306 242 release_sock(sk); \ ··· 313 249 * (at bit position 0) is to indicate CAP_NET_BIND_SERVICE capability check 314 250 * should be bypassed (BPF_RET_BIND_NO_CAP_NET_BIND_SERVICE). 315 251 */ 316 - #define BPF_CGROUP_RUN_PROG_INET_BIND_LOCK(sk, uaddr, type, bind_flags) \ 252 + #define BPF_CGROUP_RUN_PROG_INET_BIND_LOCK(sk, uaddr, atype, bind_flags) \ 317 253 ({ \ 318 254 u32 __flags = 0; \ 319 255 int __ret = 0; \ 320 - if (cgroup_bpf_enabled(type)) { \ 256 + if (cgroup_bpf_enabled(atype)) { \ 321 257 lock_sock(sk); \ 322 - __ret = __cgroup_bpf_run_filter_sock_addr(sk, uaddr, type, \ 258 + __ret = __cgroup_bpf_run_filter_sock_addr(sk, uaddr, atype, \ 323 259 NULL, &__flags); \ 324 260 release_sock(sk); \ 325 261 if (__flags & BPF_RET_BIND_NO_CAP_NET_BIND_SERVICE) \ ··· 329 265 }) 330 266 331 267 #define BPF_CGROUP_PRE_CONNECT_ENABLED(sk) \ 332 - ((cgroup_bpf_enabled(BPF_CGROUP_INET4_CONNECT) || \ 333 - cgroup_bpf_enabled(BPF_CGROUP_INET6_CONNECT)) && \ 268 + ((cgroup_bpf_enabled(CGROUP_INET4_CONNECT) || \ 269 + cgroup_bpf_enabled(CGROUP_INET6_CONNECT)) && \ 334 270 (sk)->sk_prot->pre_connect) 335 271 336 272 #define BPF_CGROUP_RUN_PROG_INET4_CONNECT(sk, uaddr) \ 337 - BPF_CGROUP_RUN_SA_PROG(sk, uaddr, BPF_CGROUP_INET4_CONNECT) 273 + BPF_CGROUP_RUN_SA_PROG(sk, uaddr, CGROUP_INET4_CONNECT) 338 274 339 275 #define BPF_CGROUP_RUN_PROG_INET6_CONNECT(sk, uaddr) \ 340 - BPF_CGROUP_RUN_SA_PROG(sk, uaddr, BPF_CGROUP_INET6_CONNECT) 276 + BPF_CGROUP_RUN_SA_PROG(sk, uaddr, CGROUP_INET6_CONNECT) 341 277 342 278 #define BPF_CGROUP_RUN_PROG_INET4_CONNECT_LOCK(sk, uaddr) \ 343 - BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, BPF_CGROUP_INET4_CONNECT, NULL) 279 + BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, CGROUP_INET4_CONNECT, NULL) 344 280 345 281 #define BPF_CGROUP_RUN_PROG_INET6_CONNECT_LOCK(sk, uaddr) \ 346 - BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, BPF_CGROUP_INET6_CONNECT, NULL) 282 + BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, CGROUP_INET6_CONNECT, NULL) 347 283 348 284 #define BPF_CGROUP_RUN_PROG_UDP4_SENDMSG_LOCK(sk, uaddr, t_ctx) \ 349 - BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, BPF_CGROUP_UDP4_SENDMSG, t_ctx) 285 + BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, CGROUP_UDP4_SENDMSG, t_ctx) 350 286 351 287 #define BPF_CGROUP_RUN_PROG_UDP6_SENDMSG_LOCK(sk, uaddr, t_ctx) \ 352 - BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, BPF_CGROUP_UDP6_SENDMSG, t_ctx) 288 + BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, CGROUP_UDP6_SENDMSG, t_ctx) 353 289 354 290 #define BPF_CGROUP_RUN_PROG_UDP4_RECVMSG_LOCK(sk, uaddr) \ 355 - BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, BPF_CGROUP_UDP4_RECVMSG, NULL) 291 + BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, CGROUP_UDP4_RECVMSG, NULL) 356 292 357 293 #define BPF_CGROUP_RUN_PROG_UDP6_RECVMSG_LOCK(sk, uaddr) \ 358 - BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, BPF_CGROUP_UDP6_RECVMSG, NULL) 294 + BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, CGROUP_UDP6_RECVMSG, NULL) 359 295 360 296 /* The SOCK_OPS"_SK" macro should be used when sock_ops->sk is not a 361 297 * fullsock and its parent fullsock cannot be traced by ··· 375 311 #define BPF_CGROUP_RUN_PROG_SOCK_OPS_SK(sock_ops, sk) \ 376 312 ({ \ 377 313 int __ret = 0; \ 378 - if (cgroup_bpf_enabled(BPF_CGROUP_SOCK_OPS)) \ 314 + if (cgroup_bpf_enabled(CGROUP_SOCK_OPS)) \ 379 315 __ret = __cgroup_bpf_run_filter_sock_ops(sk, \ 380 316 sock_ops, \ 381 - BPF_CGROUP_SOCK_OPS); \ 317 + CGROUP_SOCK_OPS); \ 382 318 __ret; \ 383 319 }) 384 320 385 321 #define BPF_CGROUP_RUN_PROG_SOCK_OPS(sock_ops) \ 386 322 ({ \ 387 323 int __ret = 0; \ 388 - if (cgroup_bpf_enabled(BPF_CGROUP_SOCK_OPS) && (sock_ops)->sk) { \ 324 + if (cgroup_bpf_enabled(CGROUP_SOCK_OPS) && (sock_ops)->sk) { \ 389 325 typeof(sk) __sk = sk_to_full_sk((sock_ops)->sk); \ 390 326 if (__sk && sk_fullsock(__sk)) \ 391 327 __ret = __cgroup_bpf_run_filter_sock_ops(__sk, \ 392 328 sock_ops, \ 393 - BPF_CGROUP_SOCK_OPS); \ 329 + CGROUP_SOCK_OPS); \ 394 330 } \ 395 331 __ret; \ 396 332 }) 397 333 398 - #define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access) \ 334 + #define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(atype, major, minor, access) \ 399 335 ({ \ 400 336 int __ret = 0; \ 401 - if (cgroup_bpf_enabled(BPF_CGROUP_DEVICE)) \ 402 - __ret = __cgroup_bpf_check_dev_permission(type, major, minor, \ 337 + if (cgroup_bpf_enabled(CGROUP_DEVICE)) \ 338 + __ret = __cgroup_bpf_check_dev_permission(atype, major, minor, \ 403 339 access, \ 404 - BPF_CGROUP_DEVICE); \ 340 + CGROUP_DEVICE); \ 405 341 \ 406 342 __ret; \ 407 343 }) ··· 410 346 #define BPF_CGROUP_RUN_PROG_SYSCTL(head, table, write, buf, count, pos) \ 411 347 ({ \ 412 348 int __ret = 0; \ 413 - if (cgroup_bpf_enabled(BPF_CGROUP_SYSCTL)) \ 349 + if (cgroup_bpf_enabled(CGROUP_SYSCTL)) \ 414 350 __ret = __cgroup_bpf_run_filter_sysctl(head, table, write, \ 415 351 buf, count, pos, \ 416 - BPF_CGROUP_SYSCTL); \ 352 + CGROUP_SYSCTL); \ 417 353 __ret; \ 418 354 }) 419 355 ··· 421 357 kernel_optval) \ 422 358 ({ \ 423 359 int __ret = 0; \ 424 - if (cgroup_bpf_enabled(BPF_CGROUP_SETSOCKOPT)) \ 360 + if (cgroup_bpf_enabled(CGROUP_SETSOCKOPT)) \ 425 361 __ret = __cgroup_bpf_run_filter_setsockopt(sock, level, \ 426 362 optname, optval, \ 427 363 optlen, \ ··· 432 368 #define BPF_CGROUP_GETSOCKOPT_MAX_OPTLEN(optlen) \ 433 369 ({ \ 434 370 int __ret = 0; \ 435 - if (cgroup_bpf_enabled(BPF_CGROUP_GETSOCKOPT)) \ 371 + if (cgroup_bpf_enabled(CGROUP_GETSOCKOPT)) \ 436 372 get_user(__ret, optlen); \ 437 373 __ret; \ 438 374 }) ··· 441 377 max_optlen, retval) \ 442 378 ({ \ 443 379 int __ret = retval; \ 444 - if (cgroup_bpf_enabled(BPF_CGROUP_GETSOCKOPT)) \ 380 + if (cgroup_bpf_enabled(CGROUP_GETSOCKOPT)) \ 445 381 if (!(sock)->sk_prot->bpf_bypass_getsockopt || \ 446 382 !INDIRECT_CALL_INET_1((sock)->sk_prot->bpf_bypass_getsockopt, \ 447 383 tcp_bpf_bypass_getsockopt, \ ··· 456 392 optlen, retval) \ 457 393 ({ \ 458 394 int __ret = retval; \ 459 - if (cgroup_bpf_enabled(BPF_CGROUP_GETSOCKOPT)) \ 395 + if (cgroup_bpf_enabled(CGROUP_GETSOCKOPT)) \ 460 396 __ret = __cgroup_bpf_run_filter_getsockopt_kern( \ 461 397 sock, level, optname, optval, optlen, retval); \ 462 398 __ret; \ ··· 515 451 return 0; 516 452 } 517 453 518 - #define cgroup_bpf_enabled(type) (0) 519 - #define BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, type, t_ctx) ({ 0; }) 454 + #define cgroup_bpf_enabled(atype) (0) 455 + #define BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, atype, t_ctx) ({ 0; }) 520 456 #define BPF_CGROUP_PRE_CONNECT_ENABLED(sk) (0) 521 457 #define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk,skb) ({ 0; }) 522 458 #define BPF_CGROUP_RUN_PROG_INET_EGRESS(sk,skb) ({ 0; }) 523 459 #define BPF_CGROUP_RUN_PROG_INET_SOCK(sk) ({ 0; }) 524 460 #define BPF_CGROUP_RUN_PROG_INET_SOCK_RELEASE(sk) ({ 0; }) 525 - #define BPF_CGROUP_RUN_PROG_INET_BIND_LOCK(sk, uaddr, type, flags) ({ 0; }) 461 + #define BPF_CGROUP_RUN_PROG_INET_BIND_LOCK(sk, uaddr, atype, flags) ({ 0; }) 526 462 #define BPF_CGROUP_RUN_PROG_INET4_POST_BIND(sk) ({ 0; }) 527 463 #define BPF_CGROUP_RUN_PROG_INET6_POST_BIND(sk) ({ 0; }) 528 464 #define BPF_CGROUP_RUN_PROG_INET4_CONNECT(sk, uaddr) ({ 0; }) ··· 534 470 #define BPF_CGROUP_RUN_PROG_UDP4_RECVMSG_LOCK(sk, uaddr) ({ 0; }) 535 471 #define BPF_CGROUP_RUN_PROG_UDP6_RECVMSG_LOCK(sk, uaddr) ({ 0; }) 536 472 #define BPF_CGROUP_RUN_PROG_SOCK_OPS(sock_ops) ({ 0; }) 537 - #define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type,major,minor,access) ({ 0; }) 473 + #define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(atype, major, minor, access) ({ 0; }) 538 474 #define BPF_CGROUP_RUN_PROG_SYSCTL(head,table,write,buf,count,pos) ({ 0; }) 539 475 #define BPF_CGROUP_GETSOCKOPT_MAX_OPTLEN(optlen) ({ 0; }) 540 476 #define BPF_CGROUP_RUN_PROG_GETSOCKOPT(sock, level, optname, optval, \
+1 -1
include/uapi/linux/bpf.h
··· 84 84 85 85 struct bpf_cgroup_storage_key { 86 86 __u64 cgroup_inode_id; /* cgroup inode id */ 87 - __u32 attach_type; /* program attach type */ 87 + __u32 attach_type; /* program attach type (enum bpf_attach_type) */ 88 88 }; 89 89 90 90 union bpf_iter_link_info {
+93 -63
kernel/bpf/cgroup.c
··· 19 19 20 20 #include "../cgroup/cgroup-internal.h" 21 21 22 - DEFINE_STATIC_KEY_ARRAY_FALSE(cgroup_bpf_enabled_key, MAX_BPF_ATTACH_TYPE); 22 + DEFINE_STATIC_KEY_ARRAY_FALSE(cgroup_bpf_enabled_key, MAX_CGROUP_BPF_ATTACH_TYPE); 23 23 EXPORT_SYMBOL(cgroup_bpf_enabled_key); 24 24 25 25 void cgroup_bpf_offline(struct cgroup *cgrp) ··· 113 113 struct list_head *storages = &cgrp->bpf.storages; 114 114 struct bpf_cgroup_storage *storage, *stmp; 115 115 116 - unsigned int type; 116 + unsigned int atype; 117 117 118 118 mutex_lock(&cgroup_mutex); 119 119 120 - for (type = 0; type < ARRAY_SIZE(cgrp->bpf.progs); type++) { 121 - struct list_head *progs = &cgrp->bpf.progs[type]; 120 + for (atype = 0; atype < ARRAY_SIZE(cgrp->bpf.progs); atype++) { 121 + struct list_head *progs = &cgrp->bpf.progs[atype]; 122 122 struct bpf_prog_list *pl, *pltmp; 123 123 124 124 list_for_each_entry_safe(pl, pltmp, progs, node) { ··· 128 128 if (pl->link) 129 129 bpf_cgroup_link_auto_detach(pl->link); 130 130 kfree(pl); 131 - static_branch_dec(&cgroup_bpf_enabled_key[type]); 131 + static_branch_dec(&cgroup_bpf_enabled_key[atype]); 132 132 } 133 133 old_array = rcu_dereference_protected( 134 - cgrp->bpf.effective[type], 134 + cgrp->bpf.effective[atype], 135 135 lockdep_is_held(&cgroup_mutex)); 136 136 bpf_prog_array_free(old_array); 137 137 } ··· 196 196 * if parent has overridable or multi-prog, allow attaching 197 197 */ 198 198 static bool hierarchy_allows_attach(struct cgroup *cgrp, 199 - enum bpf_attach_type type) 199 + enum cgroup_bpf_attach_type atype) 200 200 { 201 201 struct cgroup *p; 202 202 ··· 204 204 if (!p) 205 205 return true; 206 206 do { 207 - u32 flags = p->bpf.flags[type]; 207 + u32 flags = p->bpf.flags[atype]; 208 208 u32 cnt; 209 209 210 210 if (flags & BPF_F_ALLOW_MULTI) 211 211 return true; 212 - cnt = prog_list_length(&p->bpf.progs[type]); 212 + cnt = prog_list_length(&p->bpf.progs[atype]); 213 213 WARN_ON_ONCE(cnt > 1); 214 214 if (cnt == 1) 215 215 return !!(flags & BPF_F_ALLOW_OVERRIDE); ··· 225 225 * to programs in this cgroup 226 226 */ 227 227 static int compute_effective_progs(struct cgroup *cgrp, 228 - enum bpf_attach_type type, 228 + enum cgroup_bpf_attach_type atype, 229 229 struct bpf_prog_array **array) 230 230 { 231 231 struct bpf_prog_array_item *item; ··· 236 236 237 237 /* count number of effective programs by walking parents */ 238 238 do { 239 - if (cnt == 0 || (p->bpf.flags[type] & BPF_F_ALLOW_MULTI)) 240 - cnt += prog_list_length(&p->bpf.progs[type]); 239 + if (cnt == 0 || (p->bpf.flags[atype] & BPF_F_ALLOW_MULTI)) 240 + cnt += prog_list_length(&p->bpf.progs[atype]); 241 241 p = cgroup_parent(p); 242 242 } while (p); 243 243 ··· 249 249 cnt = 0; 250 250 p = cgrp; 251 251 do { 252 - if (cnt > 0 && !(p->bpf.flags[type] & BPF_F_ALLOW_MULTI)) 252 + if (cnt > 0 && !(p->bpf.flags[atype] & BPF_F_ALLOW_MULTI)) 253 253 continue; 254 254 255 - list_for_each_entry(pl, &p->bpf.progs[type], node) { 255 + list_for_each_entry(pl, &p->bpf.progs[atype], node) { 256 256 if (!prog_list_prog(pl)) 257 257 continue; 258 258 ··· 269 269 } 270 270 271 271 static void activate_effective_progs(struct cgroup *cgrp, 272 - enum bpf_attach_type type, 272 + enum cgroup_bpf_attach_type atype, 273 273 struct bpf_prog_array *old_array) 274 274 { 275 - old_array = rcu_replace_pointer(cgrp->bpf.effective[type], old_array, 275 + old_array = rcu_replace_pointer(cgrp->bpf.effective[atype], old_array, 276 276 lockdep_is_held(&cgroup_mutex)); 277 277 /* free prog array after grace period, since __cgroup_bpf_run_*() 278 278 * might be still walking the array ··· 328 328 } 329 329 330 330 static int update_effective_progs(struct cgroup *cgrp, 331 - enum bpf_attach_type type) 331 + enum cgroup_bpf_attach_type atype) 332 332 { 333 333 struct cgroup_subsys_state *css; 334 334 int err; ··· 340 340 if (percpu_ref_is_zero(&desc->bpf.refcnt)) 341 341 continue; 342 342 343 - err = compute_effective_progs(desc, type, &desc->bpf.inactive); 343 + err = compute_effective_progs(desc, atype, &desc->bpf.inactive); 344 344 if (err) 345 345 goto cleanup; 346 346 } ··· 357 357 continue; 358 358 } 359 359 360 - activate_effective_progs(desc, type, desc->bpf.inactive); 360 + activate_effective_progs(desc, atype, desc->bpf.inactive); 361 361 desc->bpf.inactive = NULL; 362 362 } 363 363 ··· 436 436 enum bpf_attach_type type, u32 flags) 437 437 { 438 438 u32 saved_flags = (flags & (BPF_F_ALLOW_OVERRIDE | BPF_F_ALLOW_MULTI)); 439 - struct list_head *progs = &cgrp->bpf.progs[type]; 440 439 struct bpf_prog *old_prog = NULL; 441 440 struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {}; 442 441 struct bpf_cgroup_storage *new_storage[MAX_BPF_CGROUP_STORAGE_TYPE] = {}; 442 + enum cgroup_bpf_attach_type atype; 443 443 struct bpf_prog_list *pl; 444 + struct list_head *progs; 444 445 int err; 445 446 446 447 if (((flags & BPF_F_ALLOW_OVERRIDE) && (flags & BPF_F_ALLOW_MULTI)) || ··· 455 454 /* replace_prog implies BPF_F_REPLACE, and vice versa */ 456 455 return -EINVAL; 457 456 458 - if (!hierarchy_allows_attach(cgrp, type)) 457 + atype = to_cgroup_bpf_attach_type(type); 458 + if (atype < 0) 459 + return -EINVAL; 460 + 461 + progs = &cgrp->bpf.progs[atype]; 462 + 463 + if (!hierarchy_allows_attach(cgrp, atype)) 459 464 return -EPERM; 460 465 461 - if (!list_empty(progs) && cgrp->bpf.flags[type] != saved_flags) 466 + if (!list_empty(progs) && cgrp->bpf.flags[atype] != saved_flags) 462 467 /* Disallow attaching non-overridable on top 463 468 * of existing overridable in this cgroup. 464 469 * Disallow attaching multi-prog if overridable or none ··· 497 490 pl->prog = prog; 498 491 pl->link = link; 499 492 bpf_cgroup_storages_assign(pl->storage, storage); 500 - cgrp->bpf.flags[type] = saved_flags; 493 + cgrp->bpf.flags[atype] = saved_flags; 501 494 502 - err = update_effective_progs(cgrp, type); 495 + err = update_effective_progs(cgrp, atype); 503 496 if (err) 504 497 goto cleanup; 505 498 506 499 if (old_prog) 507 500 bpf_prog_put(old_prog); 508 501 else 509 - static_branch_inc(&cgroup_bpf_enabled_key[type]); 502 + static_branch_inc(&cgroup_bpf_enabled_key[atype]); 510 503 bpf_cgroup_storages_link(new_storage, cgrp, type); 511 504 return 0; 512 505 ··· 527 520 * all descendant cgroups. This function is guaranteed to succeed. 528 521 */ 529 522 static void replace_effective_prog(struct cgroup *cgrp, 530 - enum bpf_attach_type type, 523 + enum cgroup_bpf_attach_type atype, 531 524 struct bpf_cgroup_link *link) 532 525 { 533 526 struct bpf_prog_array_item *item; ··· 546 539 547 540 /* find position of link in effective progs array */ 548 541 for (pos = 0, cg = desc; cg; cg = cgroup_parent(cg)) { 549 - if (pos && !(cg->bpf.flags[type] & BPF_F_ALLOW_MULTI)) 542 + if (pos && !(cg->bpf.flags[atype] & BPF_F_ALLOW_MULTI)) 550 543 continue; 551 544 552 - head = &cg->bpf.progs[type]; 545 + head = &cg->bpf.progs[atype]; 553 546 list_for_each_entry(pl, head, node) { 554 547 if (!prog_list_prog(pl)) 555 548 continue; ··· 561 554 found: 562 555 BUG_ON(!cg); 563 556 progs = rcu_dereference_protected( 564 - desc->bpf.effective[type], 557 + desc->bpf.effective[atype], 565 558 lockdep_is_held(&cgroup_mutex)); 566 559 item = &progs->items[pos]; 567 560 WRITE_ONCE(item->prog, link->link.prog); ··· 581 574 struct bpf_cgroup_link *link, 582 575 struct bpf_prog *new_prog) 583 576 { 584 - struct list_head *progs = &cgrp->bpf.progs[link->type]; 577 + enum cgroup_bpf_attach_type atype; 585 578 struct bpf_prog *old_prog; 586 579 struct bpf_prog_list *pl; 580 + struct list_head *progs; 587 581 bool found = false; 582 + 583 + atype = to_cgroup_bpf_attach_type(link->type); 584 + if (atype < 0) 585 + return -EINVAL; 586 + 587 + progs = &cgrp->bpf.progs[atype]; 588 588 589 589 if (link->link.prog->type != new_prog->type) 590 590 return -EINVAL; ··· 606 592 return -ENOENT; 607 593 608 594 old_prog = xchg(&link->link.prog, new_prog); 609 - replace_effective_prog(cgrp, link->type, link); 595 + replace_effective_prog(cgrp, atype, link); 610 596 bpf_prog_put(old_prog); 611 597 return 0; 612 598 } ··· 681 667 int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog, 682 668 struct bpf_cgroup_link *link, enum bpf_attach_type type) 683 669 { 684 - struct list_head *progs = &cgrp->bpf.progs[type]; 685 - u32 flags = cgrp->bpf.flags[type]; 686 - struct bpf_prog_list *pl; 670 + enum cgroup_bpf_attach_type atype; 687 671 struct bpf_prog *old_prog; 672 + struct bpf_prog_list *pl; 673 + struct list_head *progs; 674 + u32 flags; 688 675 int err; 676 + 677 + atype = to_cgroup_bpf_attach_type(type); 678 + if (atype < 0) 679 + return -EINVAL; 680 + 681 + progs = &cgrp->bpf.progs[atype]; 682 + flags = cgrp->bpf.flags[atype]; 689 683 690 684 if (prog && link) 691 685 /* only one of prog or link can be specified */ ··· 708 686 pl->prog = NULL; 709 687 pl->link = NULL; 710 688 711 - err = update_effective_progs(cgrp, type); 689 + err = update_effective_progs(cgrp, atype); 712 690 if (err) 713 691 goto cleanup; 714 692 ··· 717 695 kfree(pl); 718 696 if (list_empty(progs)) 719 697 /* last program was detached, reset flags to zero */ 720 - cgrp->bpf.flags[type] = 0; 698 + cgrp->bpf.flags[atype] = 0; 721 699 if (old_prog) 722 700 bpf_prog_put(old_prog); 723 - static_branch_dec(&cgroup_bpf_enabled_key[type]); 701 + static_branch_dec(&cgroup_bpf_enabled_key[atype]); 724 702 return 0; 725 703 726 704 cleanup: ··· 736 714 { 737 715 __u32 __user *prog_ids = u64_to_user_ptr(attr->query.prog_ids); 738 716 enum bpf_attach_type type = attr->query.attach_type; 739 - struct list_head *progs = &cgrp->bpf.progs[type]; 740 - u32 flags = cgrp->bpf.flags[type]; 717 + enum cgroup_bpf_attach_type atype; 741 718 struct bpf_prog_array *effective; 719 + struct list_head *progs; 742 720 struct bpf_prog *prog; 743 721 int cnt, ret = 0, i; 722 + u32 flags; 744 723 745 - effective = rcu_dereference_protected(cgrp->bpf.effective[type], 724 + atype = to_cgroup_bpf_attach_type(type); 725 + if (atype < 0) 726 + return -EINVAL; 727 + 728 + progs = &cgrp->bpf.progs[atype]; 729 + flags = cgrp->bpf.flags[atype]; 730 + 731 + effective = rcu_dereference_protected(cgrp->bpf.effective[atype], 746 732 lockdep_is_held(&cgroup_mutex)); 747 733 748 734 if (attr->query.query_flags & BPF_F_QUERY_EFFECTIVE) ··· 955 925 link->cgroup = cgrp; 956 926 link->type = attr->link_create.attach_type; 957 927 958 - err = bpf_link_prime(&link->link, &link_primer); 928 + err = bpf_link_prime(&link->link, &link_primer); 959 929 if (err) { 960 930 kfree(link); 961 931 goto out_put_cgroup; 962 932 } 963 933 964 - err = cgroup_bpf_attach(cgrp, NULL, NULL, link, link->type, 965 - BPF_F_ALLOW_MULTI); 934 + err = cgroup_bpf_attach(cgrp, NULL, NULL, link, 935 + link->type, BPF_F_ALLOW_MULTI); 966 936 if (err) { 967 937 bpf_link_cleanup(&link_primer); 968 938 goto out_put_cgroup; ··· 1016 986 */ 1017 987 int __cgroup_bpf_run_filter_skb(struct sock *sk, 1018 988 struct sk_buff *skb, 1019 - enum bpf_attach_type type) 989 + enum cgroup_bpf_attach_type atype) 1020 990 { 1021 991 unsigned int offset = skb->data - skb_network_header(skb); 1022 992 struct sock *save_sk; ··· 1038 1008 /* compute pointers for the bpf prog */ 1039 1009 bpf_compute_and_save_data_end(skb, &saved_data_end); 1040 1010 1041 - if (type == BPF_CGROUP_INET_EGRESS) { 1011 + if (atype == CGROUP_INET_EGRESS) { 1042 1012 ret = BPF_PROG_CGROUP_INET_EGRESS_RUN_ARRAY( 1043 - cgrp->bpf.effective[type], skb, __bpf_prog_run_save_cb); 1013 + cgrp->bpf.effective[atype], skb, __bpf_prog_run_save_cb); 1044 1014 } else { 1045 - ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[type], skb, 1015 + ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[atype], skb, 1046 1016 __bpf_prog_run_save_cb); 1047 1017 ret = (ret == 1 ? 0 : -EPERM); 1048 1018 } ··· 1068 1038 * and if it returned != 1 during execution. In all other cases, 0 is returned. 1069 1039 */ 1070 1040 int __cgroup_bpf_run_filter_sk(struct sock *sk, 1071 - enum bpf_attach_type type) 1041 + enum cgroup_bpf_attach_type atype) 1072 1042 { 1073 1043 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data); 1074 1044 int ret; 1075 1045 1076 - ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[type], sk, bpf_prog_run); 1046 + ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[atype], sk, bpf_prog_run); 1077 1047 return ret == 1 ? 0 : -EPERM; 1078 1048 } 1079 1049 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sk); ··· 1095 1065 */ 1096 1066 int __cgroup_bpf_run_filter_sock_addr(struct sock *sk, 1097 1067 struct sockaddr *uaddr, 1098 - enum bpf_attach_type type, 1068 + enum cgroup_bpf_attach_type atype, 1099 1069 void *t_ctx, 1100 1070 u32 *flags) 1101 1071 { ··· 1120 1090 } 1121 1091 1122 1092 cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data); 1123 - ret = BPF_PROG_RUN_ARRAY_CG_FLAGS(cgrp->bpf.effective[type], &ctx, 1093 + ret = BPF_PROG_RUN_ARRAY_CG_FLAGS(cgrp->bpf.effective[atype], &ctx, 1124 1094 bpf_prog_run, flags); 1125 1095 1126 1096 return ret == 1 ? 0 : -EPERM; ··· 1145 1115 */ 1146 1116 int __cgroup_bpf_run_filter_sock_ops(struct sock *sk, 1147 1117 struct bpf_sock_ops_kern *sock_ops, 1148 - enum bpf_attach_type type) 1118 + enum cgroup_bpf_attach_type atype) 1149 1119 { 1150 1120 struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data); 1151 1121 int ret; 1152 1122 1153 - ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[type], sock_ops, 1123 + ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[atype], sock_ops, 1154 1124 bpf_prog_run); 1155 1125 return ret == 1 ? 0 : -EPERM; 1156 1126 } 1157 1127 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sock_ops); 1158 1128 1159 1129 int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor, 1160 - short access, enum bpf_attach_type type) 1130 + short access, enum cgroup_bpf_attach_type atype) 1161 1131 { 1162 1132 struct cgroup *cgrp; 1163 1133 struct bpf_cgroup_dev_ctx ctx = { ··· 1169 1139 1170 1140 rcu_read_lock(); 1171 1141 cgrp = task_dfl_cgroup(current); 1172 - allow = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[type], &ctx, 1142 + allow = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[atype], &ctx, 1173 1143 bpf_prog_run); 1174 1144 rcu_read_unlock(); 1175 1145 ··· 1261 1231 int __cgroup_bpf_run_filter_sysctl(struct ctl_table_header *head, 1262 1232 struct ctl_table *table, int write, 1263 1233 char **buf, size_t *pcount, loff_t *ppos, 1264 - enum bpf_attach_type type) 1234 + enum cgroup_bpf_attach_type atype) 1265 1235 { 1266 1236 struct bpf_sysctl_kern ctx = { 1267 1237 .head = head, ··· 1301 1271 1302 1272 rcu_read_lock(); 1303 1273 cgrp = task_dfl_cgroup(current); 1304 - ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[type], &ctx, bpf_prog_run); 1274 + ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[atype], &ctx, bpf_prog_run); 1305 1275 rcu_read_unlock(); 1306 1276 1307 1277 kfree(ctx.cur_val); ··· 1319 1289 1320 1290 #ifdef CONFIG_NET 1321 1291 static bool __cgroup_bpf_prog_array_is_empty(struct cgroup *cgrp, 1322 - enum bpf_attach_type attach_type) 1292 + enum cgroup_bpf_attach_type attach_type) 1323 1293 { 1324 1294 struct bpf_prog_array *prog_array; 1325 1295 bool empty; ··· 1394 1364 * attached to the hook so we don't waste time allocating 1395 1365 * memory and locking the socket. 1396 1366 */ 1397 - if (__cgroup_bpf_prog_array_is_empty(cgrp, BPF_CGROUP_SETSOCKOPT)) 1367 + if (__cgroup_bpf_prog_array_is_empty(cgrp, CGROUP_SETSOCKOPT)) 1398 1368 return 0; 1399 1369 1400 1370 /* Allocate a bit more than the initial user buffer for ··· 1415 1385 } 1416 1386 1417 1387 lock_sock(sk); 1418 - ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[BPF_CGROUP_SETSOCKOPT], 1388 + ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[CGROUP_SETSOCKOPT], 1419 1389 &ctx, bpf_prog_run); 1420 1390 release_sock(sk); 1421 1391 ··· 1490 1460 * attached to the hook so we don't waste time allocating 1491 1461 * memory and locking the socket. 1492 1462 */ 1493 - if (__cgroup_bpf_prog_array_is_empty(cgrp, BPF_CGROUP_GETSOCKOPT)) 1463 + if (__cgroup_bpf_prog_array_is_empty(cgrp, CGROUP_GETSOCKOPT)) 1494 1464 return retval; 1495 1465 1496 1466 ctx.optlen = max_optlen; ··· 1525 1495 } 1526 1496 1527 1497 lock_sock(sk); 1528 - ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[BPF_CGROUP_GETSOCKOPT], 1498 + ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[CGROUP_GETSOCKOPT], 1529 1499 &ctx, bpf_prog_run); 1530 1500 release_sock(sk); 1531 1501 ··· 1586 1556 * be called if that data shouldn't be "exported". 1587 1557 */ 1588 1558 1589 - ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[BPF_CGROUP_GETSOCKOPT], 1559 + ret = BPF_PROG_RUN_ARRAY_CG(cgrp->bpf.effective[CGROUP_GETSOCKOPT], 1590 1560 &ctx, bpf_prog_run); 1591 1561 if (!ret) 1592 1562 return -EPERM;
+3 -3
net/ipv4/af_inet.c
··· 452 452 * changes context in a wrong way it will be caught. 453 453 */ 454 454 err = BPF_CGROUP_RUN_PROG_INET_BIND_LOCK(sk, uaddr, 455 - BPF_CGROUP_INET4_BIND, &flags); 455 + CGROUP_INET4_BIND, &flags); 456 456 if (err) 457 457 return err; 458 458 ··· 781 781 sin->sin_port = inet->inet_dport; 782 782 sin->sin_addr.s_addr = inet->inet_daddr; 783 783 BPF_CGROUP_RUN_SA_PROG_LOCK(sk, (struct sockaddr *)sin, 784 - BPF_CGROUP_INET4_GETPEERNAME, 784 + CGROUP_INET4_GETPEERNAME, 785 785 NULL); 786 786 } else { 787 787 __be32 addr = inet->inet_rcv_saddr; ··· 790 790 sin->sin_port = inet->inet_sport; 791 791 sin->sin_addr.s_addr = addr; 792 792 BPF_CGROUP_RUN_SA_PROG_LOCK(sk, (struct sockaddr *)sin, 793 - BPF_CGROUP_INET4_GETSOCKNAME, 793 + CGROUP_INET4_GETSOCKNAME, 794 794 NULL); 795 795 } 796 796 memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
+1 -1
net/ipv4/udp.c
··· 1143 1143 rcu_read_unlock(); 1144 1144 } 1145 1145 1146 - if (cgroup_bpf_enabled(BPF_CGROUP_UDP4_SENDMSG) && !connected) { 1146 + if (cgroup_bpf_enabled(CGROUP_UDP4_SENDMSG) && !connected) { 1147 1147 err = BPF_CGROUP_RUN_PROG_UDP4_SENDMSG_LOCK(sk, 1148 1148 (struct sockaddr *)usin, &ipc.addr); 1149 1149 if (err)
+3 -3
net/ipv6/af_inet6.c
··· 455 455 * changes context in a wrong way it will be caught. 456 456 */ 457 457 err = BPF_CGROUP_RUN_PROG_INET_BIND_LOCK(sk, uaddr, 458 - BPF_CGROUP_INET6_BIND, &flags); 458 + CGROUP_INET6_BIND, &flags); 459 459 if (err) 460 460 return err; 461 461 ··· 532 532 if (np->sndflow) 533 533 sin->sin6_flowinfo = np->flow_label; 534 534 BPF_CGROUP_RUN_SA_PROG_LOCK(sk, (struct sockaddr *)sin, 535 - BPF_CGROUP_INET6_GETPEERNAME, 535 + CGROUP_INET6_GETPEERNAME, 536 536 NULL); 537 537 } else { 538 538 if (ipv6_addr_any(&sk->sk_v6_rcv_saddr)) ··· 541 541 sin->sin6_addr = sk->sk_v6_rcv_saddr; 542 542 sin->sin6_port = inet->inet_sport; 543 543 BPF_CGROUP_RUN_SA_PROG_LOCK(sk, (struct sockaddr *)sin, 544 - BPF_CGROUP_INET6_GETSOCKNAME, 544 + CGROUP_INET6_GETSOCKNAME, 545 545 NULL); 546 546 } 547 547 sin->sin6_scope_id = ipv6_iface_scope_id(&sin->sin6_addr,
+1 -1
net/ipv6/udp.c
··· 1475 1475 fl6.saddr = np->saddr; 1476 1476 fl6.fl6_sport = inet->inet_sport; 1477 1477 1478 - if (cgroup_bpf_enabled(BPF_CGROUP_UDP6_SENDMSG) && !connected) { 1478 + if (cgroup_bpf_enabled(CGROUP_UDP6_SENDMSG) && !connected) { 1479 1479 err = BPF_CGROUP_RUN_PROG_UDP6_SENDMSG_LOCK(sk, 1480 1480 (struct sockaddr *)sin6, &fl6.saddr); 1481 1481 if (err)
+1 -1
tools/include/uapi/linux/bpf.h
··· 84 84 85 85 struct bpf_cgroup_storage_key { 86 86 __u64 cgroup_inode_id; /* cgroup inode id */ 87 - __u32 attach_type; /* program attach type */ 87 + __u32 attach_type; /* program attach type (enum bpf_attach_type) */ 88 88 }; 89 89 90 90 union bpf_iter_link_info {