Currently, the cgroup_array map serves as a critical component for bpf_current_under_cgroup() and bpf_skb_under_cgroup() functions, allowing us to determine whether a task or a socket buffer (skb) resides within a specific cgroup. However, a limitation exists as we can only store cgroup2 file descriptors in the cgroup_array map. This limitation stems from the fact that cgroup_get_from_fd() exclusively supports cgroup2 file descriptors.

Fortunately, an alternative solution presents itself by leveraging cgroup_v1v2_get_from_fd(), which accommodates both cgroup1 and cgroup2 file descriptors. It is essential to note that it is safe to utilize a cgroup1 pointer within both bpf_current_under_cgroup() and bpf_skb_under_cgroup(), with the result of receiving a "false" return value when verifying a cgroup1 pointer. To enable the checking of tasks under a cgroup1 hierarchy, we can make a minor modification to task_under_cgroup_hierarchy() to add support for cgroup1.

In our specific use case, we intend to use bpf_current_under_cgroup() to audit whether the current task resides within specific containers. Subsequently, we can use this information to create distinct ACLs within our LSM BPF programs, enabling us to control specific operations performed by these tasks.

Considering the widespread use of cgroup1 in container environments, coupled with the considerable time it will take to transition to cgroup2, implementing this change will significantly enhance the utility of BPF in container scenarios. This is especially noteworthy because the necessary adjustments can be made with minimal alterations to both the cgroup subsystem and the BPF subsystem.
Yafang Shao (5):
  cgroup: Enable task_under_cgroup_hierarchy() on cgroup1
  bpf: Enable cgroup_array map on cgroup1
  selftests/bpf: Fix issues in setup_classid_environment()
  selftests/bpf: Add new cgroup helper open_classid()
  selftests/bpf: Add selftests for current_under_cgroupv1v2

 include/linux/cgroup.h                        | 24 ++++++-
 kernel/bpf/arraymap.c                         |  2 +-
 tools/testing/selftests/bpf/cgroup_helpers.c  | 34 ++++++++--
 tools/testing/selftests/bpf/cgroup_helpers.h  |  1 +
 .../bpf/prog_tests/current_under_cgroupv1v2.c | 76 ++++++++++++++++++++++
 .../bpf/progs/test_current_under_cgroupv1v2.c | 31 +++++++++
 6 files changed, 160 insertions(+), 8 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/current_under_cgroupv1v2.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_current_under_cgroupv1v2.c

-- 
1.8.3.1
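The following is an added user-space model, not code from this series or from the kernel, of the ancestry check that task_under_cgroup_hierarchy() performs behind bpf_current_under_cgroup(). It shows why a cgroup1 pointer always yields "false" when only the cgroup2 (default hierarchy) membership is consulted, and how looking the task up in the ancestor's own hierarchy first lets the same level-indexed descendant test answer the cover letter's question ("is the current task inside this container's cgroup?") for a cgroup1 mount such as net_cls. The struct names, the MAX_LEVEL/MAX_ROOTS limits, the root ids, and the scenario (a task in cgroup2 "/system" and in net_cls "/containers/web") are all assumptions made for this model.

```c
/* Added example, not kernel code: a user-space model of the ancestry test behind
 * bpf_current_under_cgroup(), i.e. task_under_cgroup_hierarchy(), extended to
 * cgroup1. Struct names mirror kernel concepts but are simplified assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LEVEL 8   /* assumed maximum nesting depth in this model */
#define MAX_ROOTS 4   /* assumed number of mounted hierarchies in this model */
#define DFL_ROOT_ID 0 /* the cgroup2 (default) hierarchy in this model */

struct cgroup_root;

/* ancestors[i] is the ancestor at depth i and ancestors[level] is the cgroup
 * itself, mirroring the level-indexed array the kernel keeps per cgroup. */
struct cgroup {
    const char *name;
    struct cgroup_root *root;
    int level;
    struct cgroup *ancestors[MAX_LEVEL];
};

/* One hierarchy: the unified cgroup2 root or a cgroup1 mount such as net_cls. */
struct cgroup_root {
    int id;
    const char *name;
    struct cgroup top;
};

/* A task's css_set: its cgroup in every mounted hierarchy, indexed by root id. */
struct css_set {
    struct cgroup *cgrp_in_root[MAX_ROOTS];
};

struct task {
    const char *comm;
    struct css_set *cset;
};

static void cgroup_root_init(struct cgroup_root *root, int id, const char *name)
{
    memset(root, 0, sizeof(*root));
    root->id = id;
    root->name = name;
    root->top.name = "/";
    root->top.root = root;
    root->top.ancestors[0] = &root->top;
}

/* Attach child under parent and fill its level-indexed ancestor array. */
static void cgroup_add_child(struct cgroup *child, const char *name, struct cgroup *parent)
{
    memset(child, 0, sizeof(*child));
    child->name = name;
    child->root = parent->root;
    child->level = parent->level + 1;
    memcpy(child->ancestors, parent->ancestors,
           sizeof(child->ancestors[0]) * (size_t)(parent->level + 1));
    child->ancestors[child->level] = child;
}

/* The same O(1) test the kernel's cgroup_is_descendant() performs. */
static bool cgroup_is_descendant(const struct cgroup *cgrp, const struct cgroup *ancestor)
{
    if (cgrp->root != ancestor->root || cgrp->level < ancestor->level)
        return false;
    return cgrp->ancestors[ancestor->level] == ancestor;
}

/* Before the series: only cgroup2 membership is consulted, so a cgroup1
 * ancestor lives in a different root and the check is always false. */
static bool task_under_cgroup_hierarchy_v2only(const struct task *t, const struct cgroup *ancestor)
{
    return cgroup_is_descendant(t->cset->cgrp_in_root[DFL_ROOT_ID], ancestor);
}

/* With cgroup1 support: look the task up in the ancestor's own hierarchy first. */
static bool task_under_cgroup_hierarchy(const struct task *t, const struct cgroup *ancestor)
{
    const struct cgroup *cgrp = t->cset->cgrp_in_root[ancestor->root->id];
    return cgrp && cgroup_is_descendant(cgrp, ancestor);
}

/* Constructed scenario: task "nginx" sits in cgroup2 "/system" and in the
 * cgroup1 net_cls hierarchy under "/containers/web"; "/containers/db" is a sibling. */
struct model {
    struct cgroup_root dfl, net_cls;
    struct cgroup sys, containers, web, db;
    struct css_set cset;
    struct task task;
};

static void model_init(struct model *m)
{
    cgroup_root_init(&m->dfl, DFL_ROOT_ID, "cgroup2");
    cgroup_root_init(&m->net_cls, 1, "net_cls");
    cgroup_add_child(&m->sys, "system", &m->dfl.top);
    cgroup_add_child(&m->containers, "containers", &m->net_cls.top);
    cgroup_add_child(&m->web, "web", &m->containers);
    cgroup_add_child(&m->db, "db", &m->containers);
    memset(&m->cset, 0, sizeof(m->cset));
    m->cset.cgrp_in_root[DFL_ROOT_ID] = &m->sys;
    m->cset.cgrp_in_root[1] = &m->web;
    m->task.comm = "nginx";
    m->task.cset = &m->cset;
}

int main(void)
{
    struct model m;
    model_init(&m);
    /* The policy question an LSM BPF ACL would ask about the current task. */
    printf("v2-only, net_cls:/containers    -> %s\n",
           task_under_cgroup_hierarchy_v2only(&m.task, &m.containers) ? "true" : "false");
    printf("v1v2,    net_cls:/containers    -> %s\n",
           task_under_cgroup_hierarchy(&m.task, &m.containers) ? "true" : "false");
    printf("v1v2,    net_cls:/containers/db -> %s\n",
           task_under_cgroup_hierarchy(&m.task, &m.db) ? "true" : "false");
    return 0;
}
```

The first printed line is the pre-series behaviour the cover letter describes (a cgroup1 pointer is safe to pass but can only produce "false"); the second is what cgroup1 support makes possible; the third shows that a sibling container still does not match, so an ACL keyed on one container's cgroup does not leak to another.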