If CONFIG_CGROUP_BPF is enabled, and the cgroup associated with the receiving socket has an eBPF programs installed, run them from sk_filter_trim_cap().
eBPF programs used in this context are expected to either return 1 to let the packet pass, or != 1 to drop them. The programs have access to the full skb, including the MAC headers. This patch only implements the call site for ingress packets. Signed-off-by: Daniel Mack <dan...@zonque.org> --- net/core/filter.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index c5d8332..a1dd94b 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -52,6 +52,44 @@ #include <net/dst.h> #include <net/sock_reuseport.h> +#ifdef CONFIG_CGROUP_BPF +static int sk_filter_cgroup_bpf(struct sock *sk, struct sk_buff *skb, + enum bpf_attach_type type) +{ + struct sock_cgroup_data *skcd = &sk->sk_cgrp_data; + struct cgroup *cgrp = sock_cgroup_ptr(skcd); + struct bpf_prog *prog; + int ret = 0; + + rcu_read_lock(); + + switch (type) { + case BPF_ATTACH_TYPE_CGROUP_EGRESS: + prog = rcu_dereference(cgrp->bpf_egress); + break; + case BPF_ATTACH_TYPE_CGROUP_INGRESS: + prog = rcu_dereference(cgrp->bpf_ingress); + break; + default: + WARN_ON_ONCE(1); + ret = -EINVAL; + break; + } + + if (prog) { + unsigned int offset = skb->data - skb_mac_header(skb); + + __skb_push(skb, offset); + ret = bpf_prog_run_clear_cb(prog, skb) > 0 ? 0 : -EPERM; + __skb_pull(skb, offset); + } + + rcu_read_unlock(); + + return ret; +} +#endif /* !CONFIG_CGROUP_BPF */ + /** * sk_filter_trim_cap - run a packet through a socket filter * @sk: sock associated with &sk_buff @@ -78,6 +116,12 @@ int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap) if (skb_pfmemalloc(skb) && !sock_flag(sk, SOCK_MEMALLOC)) return -ENOMEM; +#ifdef CONFIG_CGROUP_BPF + err = sk_filter_cgroup_bpf(sk, skb, BPF_ATTACH_TYPE_CGROUP_INGRESS); + if (err) + return err; +#endif + err = security_sock_rcv_skb(sk, skb); if (err) return err; -- 2.5.5