bpf.vger.kernel.org archive mirror
From: Yafang Shao <laoar.shao@gmail.com>
To: ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com,
	andrii@kernel.org, martin.lau@linux.dev, song@kernel.org,
	yonghong.song@linux.dev, kpsingh@kernel.org, sdf@google.com,
	haoluo@google.com, jolsa@kernel.org, tj@kernel.org,
	lizefan.x@bytedance.com, hannes@cmpxchg.org,
	yosryahmed@google.com
Cc: cgroups@vger.kernel.org, bpf@vger.kernel.org,
	Yafang Shao <laoar.shao@gmail.com>
Subject: [RFC PATCH bpf-next 0/5] bpf, cgroup: Enable cgroup_array map on cgroup1
Date: Sun,  3 Sep 2023 14:27:55 +0000
Message-ID: <20230903142800.3870-1-laoar.shao@gmail.com>

Currently, the cgroup_array map serves as a critical component for
bpf_current_under_cgroup() and bpf_skb_under_cgroup() functions, allowing
us to determine whether a task or a socket buffer (skb) resides within a
specific cgroup. However, a limitation exists as we can only store cgroup2
file descriptors in the cgroup_array map. This limitation stems from the
fact that cgroup_get_from_fd() exclusively supports cgroup2 file
descriptors. Fortunately, an alternative solution presents itself by
leveraging cgroup_v1v2_get_from_fd(), which accommodates both cgroup1 and
cgroup2 file descriptors.

It is essential to note that it is safe to utilize a cgroup1 pointer within
both bpf_current_under_cgroup() and bpf_skb_under_cgroup(), with the result
of receiving a "false" return value when verifying a cgroup1 pointer. To
enable the checking of tasks under a cgroup1 hierarchy, we can make a minor
modification to task_under_cgroup_hierarchy() to add support for cgroup1.

In our specific use case, we intend to use bpf_current_under_cgroup() to
audit whether the current task resides within specific containers.
Subsequently, we can use this information to create distinct ACLs within
our LSM BPF programs, enabling us to control specific operations performed
by these tasks.

Considering the widespread use of cgroup1 in container environments,
coupled with the considerable time it will take to transition to cgroup2,
implementing this change will significantly enhance the utility of BPF
in container scenarios. This is especially noteworthy because the necessary
adjustments can be made with minimal alterations to both the cgroup
subsystem and the BPF subsystem.

Yafang Shao (5):
  cgroup: Enable task_under_cgroup_hierarchy() on cgroup1
  bpf: Enable cgroup_array map on cgroup1
  selftests/bpf: Fix issues in setup_classid_environment()
  selftests/bpf: Add new cgroup helper open_classid()
  selftests/bpf: Add selftests for current_under_cgroupv1v2

 include/linux/cgroup.h                             | 24 ++++++-
 kernel/bpf/arraymap.c                              |  2 +-
 tools/testing/selftests/bpf/cgroup_helpers.c       | 34 ++++++++--
 tools/testing/selftests/bpf/cgroup_helpers.h       |  1 +
 .../bpf/prog_tests/current_under_cgroupv1v2.c      | 76 ++++++++++++++++++++++
 .../bpf/progs/test_current_under_cgroupv1v2.c      | 31 +++++++++
 6 files changed, 160 insertions(+), 8 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/current_under_cgroupv1v2.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_current_under_cgroupv1v2.c

-- 
1.8.3.1
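An added example, not code from this series, of the user-space side the cover letter describes: creating a cgroup_array map and storing a cgroup directory fd in one of its slots through the raw bpf(2) syscall, which is the step a cgroup1 directory fails before this series because cgroup_get_from_fd() accepts only cgroup2 fds. A BPF LSM program would then call bpf_current_under_cgroup() on that map and index to build its ACL. The path /sys/fs/cgroup/net_cls/demo is a constructed placeholder, and creating the map needs CAP_BPF or root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>
/* BPF_MAP_CREATE request: 4-byte index key, 4-byte value that carries a cgroup fd */
static union bpf_attr cgroup_array_create_attr(uint32_t max_entries)
{
	union bpf_attr attr;
	memset(&attr, 0, sizeof(attr));
	attr.map_type = BPF_MAP_TYPE_CGROUP_ARRAY;
	attr.key_size = attr.value_size = sizeof(uint32_t);
	attr.max_entries = max_entries;
	return attr;
}
/* Store the cgroup directory at cgrp_path in slot idx; without this series the
 * kernel accepts only a cgroup2 fd here. Returns 0, or -1 with errno set. */
static int cgroup_array_set(int map_fd, uint32_t idx, const char *cgrp_path)
{
	int ret, cgrp_fd = open(cgrp_path, O_RDONLY | O_DIRECTORY);
	union bpf_attr attr;
	if (cgrp_fd < 0)
		return -1;
	memset(&attr, 0, sizeof(attr));
	attr.map_fd = (uint32_t)map_fd;
	attr.key = (uint64_t)(uintptr_t)&idx;
	attr.value = (uint64_t)(uintptr_t)&cgrp_fd;
	attr.flags = BPF_ANY;
	ret = (int)syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
	close(cgrp_fd); /* on success the map keeps its own cgroup reference */
	return ret;
}
int main(int argc, char **argv)
{
	/* constructed placeholder path: a cgroup1 net_cls cgroup of one container */
	const char *path = argc > 1 ? argv[1] : "/sys/fs/cgroup/net_cls/demo";
	union bpf_attr create = cgroup_array_create_attr(1);
	int map_fd = (int)syscall(__NR_bpf, BPF_MAP_CREATE, &create, sizeof(create));
	if (map_fd < 0 || cgroup_array_set(map_fd, 0, path) < 0) {
		perror("cgroup_array setup failed");
		return 1;
	}
	printf("stored %s at index 0 of cgroup_array map fd %d\n", path, map_fd);
	return 0;
}
```

On a kernel without this series the update fails for a cgroup1 directory and succeeds for a cgroup2 one; with it, either hierarchy can be stored and checked from the BPF side.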

