If CONFIG_CGROUP_BPF is enabled, and the cgroup associated with the
receiving socket has an eBPF programs installed, run them from
sk_filter_trim_cap().
eBPF programs used in this context are expected to either return 1 to
let the packet pass, or != 1 to drop them. The programs have access to
the full skb, including the MAC headers.
This patch only implements the call site for ingress packets.
Signed-off-by: Daniel Mack <dan...@zonque.org>
---
net/core/filter.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index c5d8332..a1dd94b 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -52,6 +52,44 @@
#include <net/dst.h>
#include <net/sock_reuseport.h>
+#ifdef CONFIG_CGROUP_BPF
+static int sk_filter_cgroup_bpf(struct sock *sk, struct sk_buff *skb,
+ enum bpf_attach_type type)
+{
+ struct sock_cgroup_data *skcd = &sk->sk_cgrp_data;
+ struct cgroup *cgrp = sock_cgroup_ptr(skcd);
+ struct bpf_prog *prog;
+ int ret = 0;
+
+ rcu_read_lock();
+
+ switch (type) {
+ case BPF_ATTACH_TYPE_CGROUP_EGRESS:
+ prog = rcu_dereference(cgrp->bpf_egress);
+ break;
+ case BPF_ATTACH_TYPE_CGROUP_INGRESS:
+ prog = rcu_dereference(cgrp->bpf_ingress);
+ break;
+ default:
+ WARN_ON_ONCE(1);
+ ret = -EINVAL;
+ break;
+ }
+
+ if (prog) {
+ unsigned int offset = skb->data - skb_mac_header(skb);
+
+ __skb_push(skb, offset);
+ ret = bpf_prog_run_clear_cb(prog, skb) > 0 ? 0 : -EPERM;
+ __skb_pull(skb, offset);
+ }
+
+ rcu_read_unlock();
+
+ return ret;
+}
+#endif /* !CONFIG_CGROUP_BPF */
+
/**
* sk_filter_trim_cap - run a packet through a socket filter
* @sk: sock associated with &sk_buff
@@ -78,6 +116,12 @@ int sk_filter_trim_cap(struct sock *sk, struct sk_buff
*skb, unsigned int cap)
if (skb_pfmemalloc(skb) && !sock_flag(sk, SOCK_MEMALLOC))
return -ENOMEM;
+#ifdef CONFIG_CGROUP_BPF
+ err = sk_filter_cgroup_bpf(sk, skb, BPF_ATTACH_TYPE_CGROUP_INGRESS);
+ if (err)
+ return err;
+#endif
+
err = security_sock_rcv_skb(sk, skb);
if (err)
return err;
--
2.5.5
