On Mon, Apr 25, 2022 at 11:27:08PM -0700, Martin KaFai Lau wrote: > On Tue, Apr 19, 2022 at 12:00:48PM -0700, Stanislav Fomichev wrote: > > Allow attaching to lsm hooks in the cgroup context. > > > > Attaching to per-cgroup LSM works exactly like attaching > > to other per-cgroup hooks. New BPF_LSM_CGROUP is added > > to trigger new mode; the actual lsm hook we attach to is > > signaled via existing attach_btf_id. > > > > For the hooks that have 'struct socket' as its first argument, > > we use the cgroup associated with that socket. For the rest, > > we use 'current' cgroup (this is all on default hierarchy == v2 only). > > Note that for the hooks that work on 'struct sock' we still > > take the cgroup from 'current' because most of the time, > > the 'sock' argument is not properly initialized. > This paragraph is out-dated. > > > Behind the scenes, we allocate a shim program that is attached > > to the trampoline and runs cgroup effective BPF programs array. > > This shim has some rudimentary ref counting and can be shared > > between several programs attaching to the same per-cgroup lsm hook. > > > > Note that this patch bloats cgroup size because we add 211 > > cgroup_bpf_attach_type(s) for simplicity sake. This will be > > addressed in the subsequent patch. > > > > Also note that we only add non-sleepable flavor for now. To enable > > sleepable use-cases, BPF_PROG_RUN_ARRAY_CG has to grab trace rcu, > s/BPF_PROG_RUN_ARRAY_CG/bpf_prog_run_array_cg/ > > > shim programs have to be freed via trace rcu, cgroup_bpf.effective > > should be also trace-rcu-managed + maybe some other changes that > > I'm not aware of. Will continue the review tomorrow. thanks.
