From: "Mickaël Salaün" <mic@digikod.net>
To: linux-kernel@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Alexei Starovoitov" <ast@kernel.org>,
"Andy Lutomirski" <luto@amacapital.net>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Daniel Mack" <daniel@zonque.org>,
"David Drysdale" <drysdale@google.com>,
"David S . Miller" <davem@davemloft.net>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"James Morris" <james.l.morris@oracle.com>,
"Jann Horn" <jann@thejh.net>, "Kees Cook" <keescook@chromium.org>,
"Paul Moore" <pmoore@redhat.com>,
"Sargun Dhillon" <sargun@sargun.me>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Tejun Heo" <tj@kernel.org>, "Thomas Graf" <tgraf@suug.ch>,
"Will Drewry" <wad@chromium.org>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
cgroups@vger.kernel.org
Subject: [RFC v4 14/18] bpf/cgroup: Make cgroup_bpf_update() return an error code
Date: Wed, 26 Oct 2016 08:56:50 +0200 [thread overview]
Message-ID: <20161026065654.19166-15-mic@digikod.net> (raw)
In-Reply-To: <20161026065654.19166-1-mic@digikod.net>
This will be useful to support Landlock for the next commits.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Daniel Mack <daniel@zonque.org>
Cc: David S. Miller <davem@davemloft.net>
Cc: Tejun Heo <tj@kernel.org>
---
include/linux/bpf-cgroup.h | 4 ++--
kernel/bpf/cgroup.c | 3 ++-
kernel/bpf/syscall.c | 10 ++++++----
kernel/cgroup.c | 6 ++++--
4 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h
index 2f608e5d94e9..aab1aa91c064 100644
--- a/include/linux/bpf-cgroup.h
+++ b/include/linux/bpf-cgroup.h
@@ -31,13 +31,13 @@ struct cgroup_bpf {
void cgroup_bpf_put(struct cgroup *cgrp);
void cgroup_bpf_inherit(struct cgroup *cgrp, struct cgroup *parent);
-void __cgroup_bpf_update(struct cgroup *cgrp,
+int __cgroup_bpf_update(struct cgroup *cgrp,
struct cgroup *parent,
struct bpf_prog *prog,
enum bpf_attach_type type);
/* Wrapper for __cgroup_bpf_update() protected by cgroup_mutex */
-void cgroup_bpf_update(struct cgroup *cgrp,
+int cgroup_bpf_update(struct cgroup *cgrp,
struct bpf_prog *prog,
enum bpf_attach_type type);
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 75482cd92d56..269b410d890c 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -83,7 +83,7 @@ void cgroup_bpf_inherit(struct cgroup *cgrp, struct cgroup *parent)
*
* Must be called with cgroup_mutex held.
*/
-void __cgroup_bpf_update(struct cgroup *cgrp,
+int __cgroup_bpf_update(struct cgroup *cgrp,
struct cgroup *parent,
struct bpf_prog *prog,
enum bpf_attach_type type)
@@ -116,6 +116,7 @@ void __cgroup_bpf_update(struct cgroup *cgrp,
bpf_prog_put(old_prog);
static_branch_dec(&cgroup_bpf_enabled_key);
}
+ return 0;
}
/**
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index ac4cbb98596d..e62123aeb202 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -831,6 +831,7 @@ static int bpf_prog_attach(const union bpf_attr *attr)
{
struct bpf_prog *prog;
struct cgroup *cgrp;
+ int result;
if (!capable(CAP_NET_ADMIN))
return -EPERM;
@@ -858,10 +859,10 @@ static int bpf_prog_attach(const union bpf_attr *attr)
return PTR_ERR(cgrp);
}
- cgroup_bpf_update(cgrp, prog, attr->attach_type);
+ result = cgroup_bpf_update(cgrp, prog, attr->attach_type);
cgroup_put(cgrp);
- return 0;
+ return result;
}
#define BPF_PROG_DETACH_LAST_FIELD attach_type
@@ -869,6 +870,7 @@ static int bpf_prog_attach(const union bpf_attr *attr)
static int bpf_prog_detach(const union bpf_attr *attr)
{
struct cgroup *cgrp;
+ int result = 0;
if (!capable(CAP_NET_ADMIN))
return -EPERM;
@@ -883,7 +885,7 @@ static int bpf_prog_detach(const union bpf_attr *attr)
if (IS_ERR(cgrp))
return PTR_ERR(cgrp);
- cgroup_bpf_update(cgrp, NULL, attr->attach_type);
+ result = cgroup_bpf_update(cgrp, NULL, attr->attach_type);
cgroup_put(cgrp);
break;
@@ -891,7 +893,7 @@ static int bpf_prog_detach(const union bpf_attr *attr)
return -EINVAL;
}
- return 0;
+ return result;
}
#endif /* CONFIG_CGROUP_BPF */
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 2ee9ec3051b2..f77a974eb960 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -6501,15 +6501,17 @@ static __init int cgroup_namespaces_init(void)
subsys_initcall(cgroup_namespaces_init);
#ifdef CONFIG_CGROUP_BPF
-void cgroup_bpf_update(struct cgroup *cgrp,
+int cgroup_bpf_update(struct cgroup *cgrp,
struct bpf_prog *prog,
enum bpf_attach_type type)
{
struct cgroup *parent = cgroup_parent(cgrp);
+ int result;
mutex_lock(&cgroup_mutex);
- __cgroup_bpf_update(cgrp, parent, prog, type);
+ result = __cgroup_bpf_update(cgrp, parent, prog, type);
mutex_unlock(&cgroup_mutex);
+ return result;
}
#endif /* CONFIG_CGROUP_BPF */
--
2.9.3
WARNING: multiple messages have this Message-ID (diff)
From: "Mickaël Salaün" <mic@digikod.net>
To: linux-kernel@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Alexei Starovoitov" <ast@kernel.org>,
"Andy Lutomirski" <luto@amacapital.net>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Daniel Mack" <daniel@zonque.org>,
"David Drysdale" <drysdale@google.com>,
"David S . Miller" <davem@davemloft.net>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"James Morris" <james.l.morris@oracle.com>,
"Jann Horn" <jann@thejh.net>, "Kees Cook" <keescook@chromium.org>,
"Paul Moore" <pmoore@redhat.com>,
"Sargun Dhillon" <sargun@sargun.me>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Tejun Heo" <tj@kernel.org>, "Thomas Graf" <tgraf@suug.ch>,
"Will Drewry" <wad@chromium.org>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
cgroups@vger.kernel.org
Subject: [kernel-hardening] [RFC v4 14/18] bpf/cgroup: Make cgroup_bpf_update() return an error code
Date: Wed, 26 Oct 2016 08:56:50 +0200 [thread overview]
Message-ID: <20161026065654.19166-15-mic@digikod.net> (raw)
In-Reply-To: <20161026065654.19166-1-mic@digikod.net>
This will be useful to support Landlock for the next commits.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Daniel Mack <daniel@zonque.org>
Cc: David S. Miller <davem@davemloft.net>
Cc: Tejun Heo <tj@kernel.org>
---
include/linux/bpf-cgroup.h | 4 ++--
kernel/bpf/cgroup.c | 3 ++-
kernel/bpf/syscall.c | 10 ++++++----
kernel/cgroup.c | 6 ++++--
4 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h
index 2f608e5d94e9..aab1aa91c064 100644
--- a/include/linux/bpf-cgroup.h
+++ b/include/linux/bpf-cgroup.h
@@ -31,13 +31,13 @@ struct cgroup_bpf {
void cgroup_bpf_put(struct cgroup *cgrp);
void cgroup_bpf_inherit(struct cgroup *cgrp, struct cgroup *parent);
-void __cgroup_bpf_update(struct cgroup *cgrp,
+int __cgroup_bpf_update(struct cgroup *cgrp,
struct cgroup *parent,
struct bpf_prog *prog,
enum bpf_attach_type type);
/* Wrapper for __cgroup_bpf_update() protected by cgroup_mutex */
-void cgroup_bpf_update(struct cgroup *cgrp,
+int cgroup_bpf_update(struct cgroup *cgrp,
struct bpf_prog *prog,
enum bpf_attach_type type);
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 75482cd92d56..269b410d890c 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -83,7 +83,7 @@ void cgroup_bpf_inherit(struct cgroup *cgrp, struct cgroup *parent)
*
* Must be called with cgroup_mutex held.
*/
-void __cgroup_bpf_update(struct cgroup *cgrp,
+int __cgroup_bpf_update(struct cgroup *cgrp,
struct cgroup *parent,
struct bpf_prog *prog,
enum bpf_attach_type type)
@@ -116,6 +116,7 @@ void __cgroup_bpf_update(struct cgroup *cgrp,
bpf_prog_put(old_prog);
static_branch_dec(&cgroup_bpf_enabled_key);
}
+ return 0;
}
/**
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index ac4cbb98596d..e62123aeb202 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -831,6 +831,7 @@ static int bpf_prog_attach(const union bpf_attr *attr)
{
struct bpf_prog *prog;
struct cgroup *cgrp;
+ int result;
if (!capable(CAP_NET_ADMIN))
return -EPERM;
@@ -858,10 +859,10 @@ static int bpf_prog_attach(const union bpf_attr *attr)
return PTR_ERR(cgrp);
}
- cgroup_bpf_update(cgrp, prog, attr->attach_type);
+ result = cgroup_bpf_update(cgrp, prog, attr->attach_type);
cgroup_put(cgrp);
- return 0;
+ return result;
}
#define BPF_PROG_DETACH_LAST_FIELD attach_type
@@ -869,6 +870,7 @@ static int bpf_prog_attach(const union bpf_attr *attr)
static int bpf_prog_detach(const union bpf_attr *attr)
{
struct cgroup *cgrp;
+ int result = 0;
if (!capable(CAP_NET_ADMIN))
return -EPERM;
@@ -883,7 +885,7 @@ static int bpf_prog_detach(const union bpf_attr *attr)
if (IS_ERR(cgrp))
return PTR_ERR(cgrp);
- cgroup_bpf_update(cgrp, NULL, attr->attach_type);
+ result = cgroup_bpf_update(cgrp, NULL, attr->attach_type);
cgroup_put(cgrp);
break;
@@ -891,7 +893,7 @@ static int bpf_prog_detach(const union bpf_attr *attr)
return -EINVAL;
}
- return 0;
+ return result;
}
#endif /* CONFIG_CGROUP_BPF */
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 2ee9ec3051b2..f77a974eb960 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -6501,15 +6501,17 @@ static __init int cgroup_namespaces_init(void)
subsys_initcall(cgroup_namespaces_init);
#ifdef CONFIG_CGROUP_BPF
-void cgroup_bpf_update(struct cgroup *cgrp,
+int cgroup_bpf_update(struct cgroup *cgrp,
struct bpf_prog *prog,
enum bpf_attach_type type)
{
struct cgroup *parent = cgroup_parent(cgrp);
+ int result;
mutex_lock(&cgroup_mutex);
- __cgroup_bpf_update(cgrp, parent, prog, type);
+ result = __cgroup_bpf_update(cgrp, parent, prog, type);
mutex_unlock(&cgroup_mutex);
+ return result;
}
#endif /* CONFIG_CGROUP_BPF */
--
2.9.3
next prev parent reply other threads:[~2016-10-26 7:04 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-26 6:56 [RFC v4 00/18] Landlock LSM: Unprivileged sandboxing Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 01/18] landlock: Add Kconfig Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 02/18] bpf: Move u64_to_ptr() to BPF headers and inline it Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 7:19 ` Arnd Bergmann
2016-10-26 7:19 ` [kernel-hardening] " Arnd Bergmann
2016-10-26 13:52 ` David Sterba
2016-10-26 13:52 ` David Sterba
2016-10-26 6:56 ` [RFC v4 03/18] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 19:01 ` Jann Horn
2016-10-26 19:01 ` Jann Horn
2016-10-26 20:03 ` Mickaël Salaün
2016-10-26 20:03 ` Mickaël Salaün
2016-10-26 20:16 ` [kernel-hardening] " Jann Horn
2016-10-26 20:16 ` Jann Horn
2016-10-26 6:56 ` [RFC v4 04/18] bpf,landlock: Add eBPF program subtype and is_valid_subtype() verifier Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 05/18] bpf,landlock: Define an eBPF program type for Landlock Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 06/18] fs: Constify path_is_under()'s arguments Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 07/18] landlock: Add LSM hooks Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 08/18] landlock: Handle file comparisons Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 09/18] landlock: Add manager functions Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 10/18] seccomp: Split put_seccomp_filter() with put_seccomp() Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 11/18] seccomp,landlock: Handle Landlock hooks per process hierarchy Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 12/18] bpf: Cosmetic change for bpf_prog_attach() Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 13/18] bpf/cgroup: Replace struct bpf_prog with struct bpf_object Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` Mickaël Salaün [this message]
2016-10-26 6:56 ` [kernel-hardening] [RFC v4 14/18] bpf/cgroup: Make cgroup_bpf_update() return an error code Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 15/18] bpf/cgroup: Move capability check Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 16/18] bpf/cgroup,landlock: Handle Landlock hooks per cgroup Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 17/18] landlock: Add update and debug access flags Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` Mickaël Salaün
2016-10-26 6:56 ` [RFC v4 18/18] samples/landlock: Add sandbox example Mickaël Salaün
2016-10-26 6:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 6:56 ` Mickaël Salaün
2016-10-26 14:52 ` [RFC v4 00/18] Landlock LSM: Unprivileged sandboxing Jann Horn
2016-10-26 14:52 ` [kernel-hardening] " Jann Horn
2016-10-26 16:56 ` Mickaël Salaün
2016-10-26 16:56 ` [kernel-hardening] " Mickaël Salaün
2016-10-26 17:24 ` Mickaël Salaün
2016-10-26 17:24 ` [kernel-hardening] " Mickaël Salaün
2016-11-13 14:23 ` Mickaël Salaün
2016-11-13 14:23 ` [kernel-hardening] " Mickaël Salaün
2016-11-14 10:35 ` Sargun Dhillon
2016-11-14 10:35 ` [kernel-hardening] " Sargun Dhillon
2016-11-14 10:35 ` Sargun Dhillon
2016-11-14 20:51 ` Mickaël Salaün
2016-11-14 20:51 ` [kernel-hardening] " Mickaël Salaün
2016-11-14 20:51 ` Mickaël Salaün
2016-11-14 20:51 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161026065654.19166-15-mic@digikod.net \
--to=mic@digikod.net \
--cc=ast@kernel.org \
--cc=cgroups@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=daniel@zonque.org \
--cc=davem@davemloft.net \
--cc=drysdale@google.com \
--cc=ebiederm@xmission.com \
--cc=james.l.morris@oracle.com \
--cc=jann@thejh.net \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=pmoore@redhat.com \
--cc=sargun@sargun.me \
--cc=serge@hallyn.com \
--cc=tgraf@suug.ch \
--cc=tj@kernel.org \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.