On Tue, Oct 17, 2023 at 11:18 PM Chuyi Zhou <zhouchuyi@xxxxxxxxxxxxx> wrote:
> > + > +SEC("?fentry.s/" SYS_PREFIX "sys_getpgid") > +__failure __msg("css_task_iter is only allowed in bpf_lsm and bpf iter-s") > +int BPF_PROG(iter_css_task_for_each) > +{ > + u64 cg_id = bpf_get_current_cgroup_id(); > + struct cgroup *cgrp = bpf_cgroup_from_id(cg_id); > + struct cgroup_subsys_state *css; > + struct task_struct *task; > + > + if (cgrp == NULL) > + return 0; > + css = &cgrp->self; > + > + bpf_for_each(css_task, task, css, CSS_TASK_ITER_PROCS) { > + > + } > + bpf_cgroup_release(cgrp); > + return 0; > +}

I think we should relax allowlist in patch 2 further.
Any sleepable is safe.
Allowlist is needed to avoid deadlocking on css_set_lock.
Any lsm and any iter (even non-sleepable) and any sleepable
seem to be safe.

Then the above test would need s/fentry.s/fentry/ to stay relevant.

I would also add:

SEC("iter/cgroup")
int cgroup_id_printer(struct bpf_iter__cgroup *ctx)
{
        struct seq_file *seq = ctx->meta->seq;
        struct cgroup *cgrp = ctx->cgroup;

        /* epilogue */
        if (cgrp == NULL)
                ..

        bpf_for_each(css_task, task, css, CSS_TASK_ITER_PROCS) {
                BPF_SEQ_PRINTF(); // something about task
        }

To demonstrate how new kfunc iter can be combined with cgroup iter and
it won't deadlock, though cgroup iter is not sleepable.

I've applied the current set. Pls send a follow up. Thanks
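
Review bot: In iter_css_task_for_each the bpf_for_each(css_task, ...) body is empty and nothing in the test says why the program is expected to be rejected. A one-line comment above SEC("?fentry.s/" SYS_PREFIX "sys_getpgid") stating that this program type is outside the css_task iterator allowlist would make the __failure intent clear to the next reader. The __msg string also pins the exact verifier wording ("only allowed in bpf_lsm and bpf iter-s"), so it has to be updated together with any change to the set of allowed program types.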