On Wed, Jun 22, 2022 at 09:03:38AM -0700, Stanislav Fomichev wrote:
> Allow attaching to lsm hooks in the cgroup context.
>
> Attaching to per-cgroup LSM works exactly like attaching
> to other per-cgroup hooks. A new BPF_LSM_CGROUP is added
> to trigger the new mode; the actual lsm hook we attach to is
> signaled via the existing attach_btf_id.
>
> For the hooks that have 'struct socket' or 'struct sock' as their first
> argument, we use the cgroup associated with that socket. For the rest,
> we use the 'current' cgroup (this is all on the default hierarchy == v2 only).
> Note that for some hooks that work on 'struct sock' we still
> take the cgroup from 'current' because some of them work on a socket
> that hasn't been properly initialized yet.
>
> Behind the scenes, we allocate a shim program that is attached
> to the trampoline and runs the cgroup effective BPF programs array.
> This shim has some rudimentary ref counting and can be shared
> between several programs attaching to the same lsm hook from
> different cgroups.

Reviewed-by: Martin KaFai Lau <kafai@xxxxxx>