7f67763337
If BPF_F_ALLOW_OVERRIDE flag is used in BPF_PROG_ATTACH command
to the given cgroup the descendent cgroup will be able to override
effective bpf program that was inherited from this cgroup.
By default it's not passed, therefore override is disallowed.
Examples:
1.
prog X attached to /A with default
prog Y fails to attach to /A/B and /A/B/C
Everything under /A runs prog X
2.
prog X attached to /A with allow_override.
prog Y fails to attach to /A/B with default (non-override)
prog M attached to /A/B with allow_override.
Everything under /A/B runs prog M only.
3.
prog X attached to /A with allow_override.
prog Y fails to attach to /A with default.
The user has to detach first to switch the mode.
In the future this behavior may be extended with a chain of
non-overridable programs.
Also fix the bug where detach from cgroup where nothing is attached
was not throwing error. Return ENOENT in such case.
Add several testcases and adjust libbpf.
Fixes: 3007098494
("cgroup: add support for eBPF programs")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Tejun Heo <tj@kernel.org>
Acked-by: Daniel Mack <daniel@zonque.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
196 lines
4.6 KiB
C
196 lines
4.6 KiB
C
/* eBPF example program:
|
|
*
|
|
* - Creates arraymap in kernel with 4 bytes keys and 8 byte values
|
|
*
|
|
* - Loads eBPF program
|
|
*
|
|
* The eBPF program accesses the map passed in to store two pieces of
|
|
* information. The number of invocations of the program, which maps
|
|
* to the number of packets received, is stored to key 0. Key 1 is
|
|
* incremented on each iteration by the number of bytes stored in
|
|
* the skb.
|
|
*
|
|
* - Attaches the new program to a cgroup using BPF_PROG_ATTACH
|
|
*
|
|
* - Every second, reads map[0] and map[1] to see how many bytes and
|
|
* packets were seen on any socket of tasks in the given cgroup.
|
|
*/
|
|
|
|
#define _GNU_SOURCE
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <assert.h>
|
|
#include <unistd.h>
|
|
|
|
#include <linux/bpf.h>
|
|
|
|
#include "libbpf.h"
|
|
#include "cgroup_helpers.h"
|
|
|
|
#define FOO "/foo"
|
|
#define BAR "/foo/bar/"
|
|
#define PING_CMD "ping -c1 -w1 127.0.0.1"
|
|
|
|
char bpf_log_buf[BPF_LOG_BUF_SIZE];
|
|
|
|
static int prog_load(int verdict)
|
|
{
|
|
int ret;
|
|
struct bpf_insn prog[] = {
|
|
BPF_MOV64_IMM(BPF_REG_0, verdict), /* r0 = verdict */
|
|
BPF_EXIT_INSN(),
|
|
};
|
|
size_t insns_cnt = sizeof(prog) / sizeof(struct bpf_insn);
|
|
|
|
ret = bpf_load_program(BPF_PROG_TYPE_CGROUP_SKB,
|
|
prog, insns_cnt, "GPL", 0,
|
|
bpf_log_buf, BPF_LOG_BUF_SIZE);
|
|
|
|
if (ret < 0) {
|
|
log_err("Loading program");
|
|
printf("Output from verifier:\n%s\n-------\n", bpf_log_buf);
|
|
return 0;
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
int drop_prog, allow_prog, foo = 0, bar = 0, rc = 0;
|
|
|
|
allow_prog = prog_load(1);
|
|
if (!allow_prog)
|
|
goto err;
|
|
|
|
drop_prog = prog_load(0);
|
|
if (!drop_prog)
|
|
goto err;
|
|
|
|
if (setup_cgroup_environment())
|
|
goto err;
|
|
|
|
/* Create cgroup /foo, get fd, and join it */
|
|
foo = create_and_get_cgroup(FOO);
|
|
if (!foo)
|
|
goto err;
|
|
|
|
if (join_cgroup(FOO))
|
|
goto err;
|
|
|
|
if (bpf_prog_attach(drop_prog, foo, BPF_CGROUP_INET_EGRESS, 1)) {
|
|
log_err("Attaching prog to /foo");
|
|
goto err;
|
|
}
|
|
|
|
printf("Attached DROP prog. This ping in cgroup /foo should fail...\n");
|
|
assert(system(PING_CMD) != 0);
|
|
|
|
/* Create cgroup /foo/bar, get fd, and join it */
|
|
bar = create_and_get_cgroup(BAR);
|
|
if (!bar)
|
|
goto err;
|
|
|
|
if (join_cgroup(BAR))
|
|
goto err;
|
|
|
|
printf("Attached DROP prog. This ping in cgroup /foo/bar should fail...\n");
|
|
assert(system(PING_CMD) != 0);
|
|
|
|
if (bpf_prog_attach(allow_prog, bar, BPF_CGROUP_INET_EGRESS, 1)) {
|
|
log_err("Attaching prog to /foo/bar");
|
|
goto err;
|
|
}
|
|
|
|
printf("Attached PASS prog. This ping in cgroup /foo/bar should pass...\n");
|
|
assert(system(PING_CMD) == 0);
|
|
|
|
if (bpf_prog_detach(bar, BPF_CGROUP_INET_EGRESS)) {
|
|
log_err("Detaching program from /foo/bar");
|
|
goto err;
|
|
}
|
|
|
|
printf("Detached PASS from /foo/bar while DROP is attached to /foo.\n"
|
|
"This ping in cgroup /foo/bar should fail...\n");
|
|
assert(system(PING_CMD) != 0);
|
|
|
|
if (bpf_prog_attach(allow_prog, bar, BPF_CGROUP_INET_EGRESS, 1)) {
|
|
log_err("Attaching prog to /foo/bar");
|
|
goto err;
|
|
}
|
|
|
|
if (bpf_prog_detach(foo, BPF_CGROUP_INET_EGRESS)) {
|
|
log_err("Detaching program from /foo");
|
|
goto err;
|
|
}
|
|
|
|
printf("Attached PASS from /foo/bar and detached DROP from /foo.\n"
|
|
"This ping in cgroup /foo/bar should pass...\n");
|
|
assert(system(PING_CMD) == 0);
|
|
|
|
if (bpf_prog_attach(allow_prog, bar, BPF_CGROUP_INET_EGRESS, 1)) {
|
|
log_err("Attaching prog to /foo/bar");
|
|
goto err;
|
|
}
|
|
|
|
if (!bpf_prog_attach(allow_prog, bar, BPF_CGROUP_INET_EGRESS, 0)) {
|
|
errno = 0;
|
|
log_err("Unexpected success attaching prog to /foo/bar");
|
|
goto err;
|
|
}
|
|
|
|
if (bpf_prog_detach(bar, BPF_CGROUP_INET_EGRESS)) {
|
|
log_err("Detaching program from /foo/bar");
|
|
goto err;
|
|
}
|
|
|
|
if (!bpf_prog_detach(foo, BPF_CGROUP_INET_EGRESS)) {
|
|
errno = 0;
|
|
log_err("Unexpected success in double detach from /foo");
|
|
goto err;
|
|
}
|
|
|
|
if (bpf_prog_attach(allow_prog, foo, BPF_CGROUP_INET_EGRESS, 0)) {
|
|
log_err("Attaching non-overridable prog to /foo");
|
|
goto err;
|
|
}
|
|
|
|
if (!bpf_prog_attach(allow_prog, bar, BPF_CGROUP_INET_EGRESS, 0)) {
|
|
errno = 0;
|
|
log_err("Unexpected success attaching non-overridable prog to /foo/bar");
|
|
goto err;
|
|
}
|
|
|
|
if (!bpf_prog_attach(allow_prog, bar, BPF_CGROUP_INET_EGRESS, 1)) {
|
|
errno = 0;
|
|
log_err("Unexpected success attaching overridable prog to /foo/bar");
|
|
goto err;
|
|
}
|
|
|
|
if (!bpf_prog_attach(allow_prog, foo, BPF_CGROUP_INET_EGRESS, 1)) {
|
|
errno = 0;
|
|
log_err("Unexpected success attaching overridable prog to /foo");
|
|
goto err;
|
|
}
|
|
|
|
if (bpf_prog_attach(drop_prog, foo, BPF_CGROUP_INET_EGRESS, 0)) {
|
|
log_err("Attaching different non-overridable prog to /foo");
|
|
goto err;
|
|
}
|
|
|
|
goto out;
|
|
|
|
err:
|
|
rc = 1;
|
|
|
|
out:
|
|
close(foo);
|
|
close(bar);
|
|
cleanup_cgroup_environment();
|
|
if (!rc)
|
|
printf("PASS\n");
|
|
else
|
|
printf("FAIL\n");
|
|
return rc;
|
|
}
|