On 09/06/2016 07:18 PM, Daniel Borkmann wrote:
> On 09/06/2016 03:46 PM, Daniel Mack wrote:
>> This patch adds two sets of eBPF program pointers to struct cgroup.
>> One for such that are directly pinned to a cgroup, and one for such
>> that are effective for it.
>>
>> To illustrate the logic behind that, assume the following example
>> cgroup hierarchy.
>>
>>   A - B - C
>>        \ D - E
>>
>> If only B has a program attached, it will be effective for B, C, D
>> and E. If D then attaches a program itself, that will be effective for
>> both D and E, and the program in B will only affect B and C. Only one
>> program of a given type is effective for a cgroup.
>>
>> Attaching and detaching programs will be done through the bpf(2)
>> syscall. For now, ingress and egress inet socket filtering are the
>> only supported use-cases.
>>
>> Signed-off-by: Daniel Mack <daniel@xxxxxxxxxx>
> [...]
>> +/**
>> + * __cgroup_bpf_run_filter() - Run a program for packet filtering
>> + * @sk: The socken sending or receiving traffic
>> + * @skb: The skb that is being sent or received
>> + * @type: The type of program to be exectuted
>> + *
>> + * If no socket is passed, or the socket is not of type INET or INET6,
>> + * this function does nothing and returns 0.
>> + *
>> + * The program type passed in via @type must be suitable for network
>> + * filtering. No further check is performed to assert that.
>> + *
>> + * This function will return %-EPERM if any if an attached program was found
>> + * and if it returned != 1 during execution. In all other cases, 0 is returned.
>> + */
>> +int __cgroup_bpf_run_filter(struct sock *sk,
>> +			    struct sk_buff *skb,
>> +			    enum bpf_attach_type type)
>> +{
>> +	struct bpf_prog *prog;
>> +	struct cgroup *cgrp;
>> +	int ret = 0;
>> +
>> +	if (!sk)
>> +		return 0;
>
> Doesn't this also need to check || !sk_fullsock(sk)?

Ah, yes. We should limit it to full sockets.

Thanks!
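Review bot: the early return `if (!sk) return 0;` at the top of __cgroup_bpf_run_filter() still admits request and time-wait minisocks, which are not full `struct sock` objects, so the cgroup lookup that follows would dereference fields they do not carry; as already raised in the thread, widen it to `if (!sk || !sk_fullsock(sk)) return 0;`. The kernel-doc also needs a pass: "socken" should be "socket", "exectuted" should be "executed", and "return %-EPERM if any if an attached program was found" should read "return %-EPERM if an attached program was found". The same comment promises that non-INET/INET6 sockets are ignored, but no family check appears in the quoted lines, so make sure the part of the function that was cut from the quote actually tests sk->sk_family before walking to the cgroup.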
Daniel
--
To unsubscribe from this list: send the line "unsubscribe cgroups" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
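The pinned-versus-effective logic in the commit message above (a program attached at B covers B, C, D and E until D pins its own, which then covers only D and E) is easy to get wrong on detach, where a subtree has to fall back to the nearest ancestor's program. The following is an added userspace model of that propagation together with the -EPERM return contract quoted from the kernel-doc; it is not the patch's code, and the names cg_attach, cg_detach, cg_propagate and cg_run_filter, the struct layout, and the two toy "programs" are assumptions for illustration only.

```c
/* Added example, not the patch's code: a userspace model of how a program
 * pinned to one cgroup becomes "effective" for its descendants until a
 * descendant pins its own. All names below are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

enum attach_type { ATTACH_INGRESS, ATTACH_EGRESS, MAX_ATTACH_TYPES };

/* Stand-in for a loaded eBPF program: a verdict function (1 = pass). */
typedef int (*filter_fn)(const char *pkt);

struct cgroup {
    const char *name;
    struct cgroup *parent;
    struct cgroup *children[4];
    int nr_children;
    filter_fn pinned[MAX_ATTACH_TYPES];    /* attached directly to this cgroup */
    filter_fn effective[MAX_ATTACH_TYPES]; /* what actually runs for this cgroup */
};

static void cg_add_child(struct cgroup *p, struct cgroup *c)
{
    c->parent = p;
    p->children[p->nr_children++] = c;
    /* a new child starts out with the parent's effective programs */
    memcpy(c->effective, p->effective, sizeof(c->effective));
}

/* Push an inherited program down the subtree rooted at cg. A cgroup that
 * has pinned its own program of this type keeps it, and its subtree is
 * left untouched, which is exactly the "D shadows B" rule. */
static void cg_propagate(struct cgroup *cg, enum attach_type type, filter_fn inherited)
{
    int i;
    cg->effective[type] = cg->pinned[type] ? cg->pinned[type] : inherited;
    for (i = 0; i < cg->nr_children; i++) {
        struct cgroup *child = cg->children[i];
        if (!child->pinned[type])
            cg_propagate(child, type, cg->effective[type]);
    }
}

static void cg_attach(struct cgroup *cg, enum attach_type type, filter_fn fn)
{
    cg->pinned[type] = fn;
    cg_propagate(cg, type, fn);
}

static void cg_detach(struct cgroup *cg, enum attach_type type)
{
    /* fall back to whatever is effective in the parent (NULL at the root) */
    filter_fn inherited = cg->parent ? cg->parent->effective[type] : NULL;
    cg->pinned[type] = NULL;
    cg_propagate(cg, type, inherited);
}

/* Mirrors the kernel-doc contract: -EPERM if an effective program exists
 * and returns != 1, otherwise 0 (including when nothing is attached). */
static int cg_run_filter(struct cgroup *cg, enum attach_type type, const char *pkt)
{
    filter_fn fn = cg->effective[type];
    if (!fn)
        return 0;
    return fn(pkt) == 1 ? 0 : -EPERM;
}

/* Two toy programs (constructed for the example): pass everything, or
 * drop anything whose constructed packet description says dport=23. */
static int prog_b_allow_all(const char *pkt) { (void)pkt; return 1; }
static int prog_d_drop_telnet(const char *pkt) { return strstr(pkt, "dport=23") ? 0 : 1; }

/* The hierarchy from the commit message: A - B - C, with D - E under B. */
static struct cgroup A, B, C, D, E;

static void build_tree(void)
{
    struct cgroup *all[] = { &A, &B, &C, &D, &E };
    const char *names[] = { "A", "B", "C", "D", "E" };
    size_t i;
    for (i = 0; i < 5; i++) {
        memset(all[i], 0, sizeof(*all[i]));
        all[i]->name = names[i];
    }
    cg_add_child(&A, &B);
    cg_add_child(&B, &C);
    cg_add_child(&B, &D);
    cg_add_child(&D, &E);
}

int main(void)
{
    build_tree();
    cg_attach(&B, ATTACH_EGRESS, prog_b_allow_all);
    printf("attach on B: E runs B's program? %d\n", E.effective[ATTACH_EGRESS] == prog_b_allow_all);
    cg_attach(&D, ATTACH_EGRESS, prog_d_drop_telnet);
    printf("attach on D: C -> %d, E -> %d for dport=23\n",
           cg_run_filter(&C, ATTACH_EGRESS, "dport=23"),
           cg_run_filter(&E, ATTACH_EGRESS, "dport=23"));
    cg_detach(&D, ATTACH_EGRESS);
    printf("detach on D: E back to B's program? %d\n", E.effective[ATTACH_EGRESS] == prog_b_allow_all);
    return 0;
}
```

The detach path is the part worth studying: a cgroup that drops its own program must re-inherit from its parent's effective slot, not from the parent's pinned slot, otherwise E would lose B's program when D detaches even though B is still attached.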