From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753104AbdKENSD (ORCPT ); Sun, 5 Nov 2017 08:18:03 -0500 Received: from mx0b-00082601.pphosted.com ([67.231.153.30]:47758 "EHLO mx0a-00082601.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752522AbdKENQk (ORCPT ); Sun, 5 Nov 2017 08:16:40 -0500 From: Roman Gushchin To: CC: Tejun Heo , Alexei Starovoitov , Daniel Borkmann , , , Roman Gushchin Subject: [PATCH v3 net-next 0/5] eBPF-based device cgroup controller Date: Sun, 5 Nov 2017 08:15:29 -0500 Message-ID: <20171105131534.25040-1-guro@fb.com> X-Mailer: git-send-email 2.13.6 In-Reply-To: <20171104.224008.1289480268047106418.davem@davemloft.net> References: <20171104.224008.1289480268047106418.davem@davemloft.net> MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [2620:10d:c091:180::1:3064] X-ClientProxiedBy: DM3PR12CA0094.namprd12.prod.outlook.com (2603:10b6:0:55::14) To DM3PR15MB1082.namprd15.prod.outlook.com (2603:10b6:0:12::8) X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 514d86e1-3cb6-482f-9373-08d5244f5ccd X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(2017052603199);SRVR:DM3PR15MB1082; X-Microsoft-Exchange-Diagnostics: 1;DM3PR15MB1082;3:rsR1L/PkOdI2oOeqoxQv2Mo3zAtjmfXxaLtjMlLeWpdVQRG2rwpGljeoJD0r7WJr3r10LNxNKR4aKpzULZ/p4QW38vK8YE+EhVHediXT4wa0uOm7qPZ+BDVv0nF43VQ98/NN8kJgg+iF9tfMSQ3TglOe1rwI1Qfz8IIAeYOFqe5/8rEYKK/yG89sUrE75Pavsn7KZnLSSFDKV/UNsfgSCXTVLNtwTLAWrBM5cY8QU2pGV8UXXZeqgIDRf9WwLT3N;25:MqfyTcqFiF/gaO4AJwVBxeFjyn6VjPiDwnjh4vzbKKx7aRYuNrpvWIQCb562+8MWxwpHqvJL92Fdn6Cl0pj7eCbY0xgSziYb+RIM87Y+ctOwZN4R2JCdK2IsJ934pxdOdgVjXJtW4vw3vX8mAcd6h/g9J+UqlG6xEI3YfGZRc4Un1QODARxZpkACvpliarfnqL+AyeHbETBUd5LNj4OghwH6bpGZlwUzlB+0JyXTk99XvfBzcD8TM/dtwkTMBySFIZDzNli6aJXRS3Sy9QjpTjQA5LiKN9ZzxQIE3H5d8nRH6b83uwwqrcMJtwikFov3i726m6Fpyjg0AjWqAJtb7w==;31:cg78Oy4qxgEZT1eiOi6UdLEHJ2tWsmI60TI3sHt/5M7D1sQzJwP4BTO/Tz5z3hhkRdiwSSg17InThmjqWTqOmiDfxURB/VtLAAE+ehbIQDUf4j7gDKxcB/YH9GYH29EADIynHwjS4AvQrb1DUitcKFlYxk97h+XECHz/kSB1Fel8FcpUYMbXx7LYTMZuUsE4NWtmFVI/ThGUnvkGRyl0WbypB7HJlTqgzX+HWdL7wWQ= X-MS-TrafficTypeDiagnostic: DM3PR15MB1082: X-Microsoft-Exchange-Diagnostics: 1;DM3PR15MB1082;20:Kazt6DQrLExAmmRdG0ak9e3p9gesGTD89DOwmdILXRyCOG3rd2SWVxewbuYWTgxtl/T/uTXgXXfeq1TadCftTlR8Nf1eUaTINtQrLEB8M1HkGWZYE7fL7SNsPn6KRoNnI4LpDXUI/9v7AG1AWm5YpmIxMoP0OaVU+cMG6Dvtn/VL3YBhkNO/62xT6KtjRAZFnJF8VmKy4kbt+xPalnDPQFOSWwapeyVFgrFB9SH30gGMl1uT570+4yL/49FE7JTk6YaYdU+NYiXlAD2jpcL6z0UJBTBTKjtVp/KlIE2xtowbZYYAs+jSM+f/mCrkMuYsRFXE8/HAerBtkauf/Wh98dETTlWfdtvHpx6pM+ewcJqyUKXGoL3NAVzKWxW88fDXkR695+yZtDyFl0bApsAYW8x8WxR3AVOEum4HjNSeQpeYsrfjm8Nvplp9QgGgpQthOI08Mw/bRdfIr6IZK5EwZVPYf5By5gLOxdfs4LbhqhuUylxzLeJJY6rAhNvFyTwk;4:0p7aUqcjjGuXeUa5jMsdGaJpc7IT26q/Ejs8fGb1IXeeGYkO/O1fBZi9y8Onbj2wnd5GbtiZIp0wy0P1a2emaudE3JTajcvt/DLTpVJ2dAuO3dV277eihPT/yQhQzgfDacnd0a8xRL4phEYYLfXBKbaU4TGRFLwLmpQiz08EjC9LWFHqi5+7k8YTiTKvRgOQVIIObn6Qh2DjnxUhl5dddsGTaRQREwKVsQaJknL1hEeppmjHUgjyKqx5iQLoek+Rf67+TrWncMdbXfuYGnhJFlx0X5Ql+qsQ2GQJW3+fvzexUs0IDPLTjwCMi4R28Noa X-Exchange-Antispam-Report-Test: UriScan:(192374486261705); X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(11241501159)(6040450)(2401047)(5005006)(8121501046)(3231021)(100000703101)(100105400095)(3002001)(93006095)(93001095)(10201501046)(6041248)(20161123564025)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123558100)(20161123555025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:DM3PR15MB1082;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:DM3PR15MB1082; X-Forefront-PRVS: 04825EA361 X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10019020)(6009001)(346002)(376002)(189002)(199003)(5660300001)(25786009)(316002)(305945005)(76176999)(6486002)(50466002)(50986999)(8936002)(6506006)(50226002)(4326008)(101416001)(68736007)(54906003)(97736004)(36756003)(16586007)(6306002)(53416004)(6512007)(478600001)(69596002)(47776003)(5003940100001)(2950100002)(2361001)(33646002)(106356001)(6666003)(53936002)(1076002)(48376002)(189998001)(2906002)(81156014)(81166006)(8676002)(6116002)(105586002)(966005)(2351001)(86362001)(6916009)(7736002)(42262002);DIR:OUT;SFP:1102;SCL:1;SRVR:DM3PR15MB1082;H:castle.thefacebook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en; X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1;DM3PR15MB1082;23:zyXFF7m+127IdH/wwTu/OUa6AqzejxTN0wfHPeku6?= =?us-ascii?Q?whGVZ46n4zaFQoVOa2oj/EZIoS8YeK9417lKPaMDI3j+5v9jkNHEbTP/NGlC?= =?us-ascii?Q?4D5PADmTYq/2Am52Nc2vtcEknEC6wgxpWHW8iZAWnOLMGWuNM1WFGHikd5CJ?= =?us-ascii?Q?eGb06SothV2CmGOS5H0EOsyPB4UsPlBgz8QRybBvIy8+hcx3DR74js+yFUEm?= =?us-ascii?Q?SfVPs6Jx/kYa0gdYytHFlfTPwYfWScl588hIaDqfibD6q1hlThursZypS/ny?= =?us-ascii?Q?J4o27tZ5/yWyyhFC3C47yMqBE0ARtgOPkOLo4Z4vvvY0cx3XluNNCjDzoaRX?= =?us-ascii?Q?8IT60KUKCXb+eZLaVq0YraYm3PNztfeHbXbqgiJYMf7rKkDYyRQymBKDo2UK?= =?us-ascii?Q?eINlDd8gsBcEbBlyD3aMpuqJ0K9ssRgFYVXVH+IyX1sOFNqc4fTrkN8xW66f?= =?us-ascii?Q?IWuy1rAvVj8UtVxxPK59pbISIlYpKttZZ0klH5OVAfHt5Mjd1sYnuSR80WtZ?= =?us-ascii?Q?nXSuY+DAhyGYiya9AHQuRhl76EReBF7OaPGG76/6ltnDalKd2JuCrRCi1OGI?= =?us-ascii?Q?ZniRIT5YdxTaXsfJVI46t76Z+i1QZ5LsehW5pgo70zbZSOeXs0xISo+96YNH?= =?us-ascii?Q?hr5nt1mmWIA/zFdsqc8TCMHvWCRbG24eYpnzNFShavn3ppI/FS3JepXcT4aq?= =?us-ascii?Q?lYeGapUEbsMu2rT7NdQhmEZa4uT69ziKGbqCR5p+ibjSFKI7GAwkMN7ieRO4?= =?us-ascii?Q?Z/3QTgqJ1AYDZjjmnlvV3NB8e4q68bp+UX3H47jue0XNKK4Ba1b2qtw8yIaD?= =?us-ascii?Q?vP1AFksQXiJz/O1bx9e3YQt2EmwEsY9cRSXtLZ+CHVntAvuPH+6yKYoc7e9t?= =?us-ascii?Q?76xwZn3dlnp+oGEUa9ZxSfW+b1nqU3z0q9UK/UU2AnIqQytKEubQN7CYXYKt?= =?us-ascii?Q?/OKw/SG9iTQwbZTYqzYdt8wjQwktYtqxTS30GY5I0zjxOx70SPyLeEAtSgV9?= =?us-ascii?Q?OHd37woBUI/w+9jzNad7gl28kKv41iiNBwozHfmfZOUdpuXuc+4B0MFPRn8t?= =?us-ascii?Q?FZ5cj7BLHj/4otxFhKwPHf1105qnxSEOi6R0STIvWKPK57m3Oj7l+Ul60Vsk?= =?us-ascii?Q?q2Ov7YzO5q1MtZF7OIMVz0DaZ22FfRAvjZqPxEuje+iig3AHgrQvnDAX2ZmP?= =?us-ascii?Q?cYBDLRgNsBgyRA=3D?= X-Microsoft-Exchange-Diagnostics: 1;DM3PR15MB1082;6:g9yyMpAbWyFB3GkfxHhliTUPXd8gIJtJ00ZcV1S/wscll/hQdmbtWmZMyBryG2I7qB/XDCU+A/VFNkji4+aQTCv2+fwYigKUhWd2fj6OTcOw3H2iE0V1UmLBF5CKFcy5knlkm5bhFrhQ8IOQHUxPDJo8uAf3OaBDbC9uXMvCcVEu75dQLsEHl52O5OSNNBnTGsCjuQFlQjIy6av5wLsHv1npSE+eOQzquhuFMkJv0+xASgnxGSoXtuK8JZZo3x+jf1SYywnMzxxJ64i/PCbHeuMkzR3qalbY8YlTrplRiCE40vgzGQLwUwQ0UMggRhOJzRj5z7VauR8xjW7vfFCVv6l84t/rUKim0AwgfT9jK/8=;5:nHGw4Qe/I3MMcd+jkgjPwpUbM+KLKsUZxzJNqtwYk9/U2YXaaybLRJNhuTfACW+DeeXJVRFcYdQPwjYPIIziCE8zTRgrRyWvrTQWwkvZep2Q/Y4ChT9FMMJsKgTLEXA1RtnrexJBIEPCd3+dthsxFoS90b2/bIhbeHr6xebIE+g=;24:PNvt1xz8vtBxCQgvKwsyoVijkfcO6lihSgGanaJPETQU+/zWbIlmVy2zPPXZ6is/SjUKu7Uu65g/0rPIEsCw/Ipd+RvDW+QJtoAaY9+TPXk=;7:O/7Fi7ltGfrypDdpPYvQmX18iYAD4QnzyqSBahTdrNY33+LE2GgSUgAWBncxCicVVQTJJxIw/MmvOFtE3B/OvVIP7AGmzVPxd8exB1AhzMEpNLL/11wbakxCpjwkkuDtnhEZNKcDPKM05PMTptI2YEpFiS2u8QNlrFMO/KKzwr+cRk2OpTB1dHEd4sWt63NY/M/XoqvLO4O1XUu05j5MeOm+irxJojXweoBhSRLq47Iodf3IjFm1chNmHaKmBuPm SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1;DM3PR15MB1082;20:y8f1z15DZqfdvzJoDZJmISM5ZkBcG7YrF6duhT5zDkz/SMhyRNwV/getr69YsvugAsbEOxqe/BsUrY8kDFCnBjs5P4Oqs9127VBPhG9lO0KURLY7q/cN2i908UzdxUw/2LAuyJF/UKlYavpOE4Cz6fzlMe2XwNpC3XFh/gFh+00= X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Nov 2017 13:16:00.5785 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 514d86e1-3cb6-482f-9373-08d5244f5ccd X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2 X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM3PR15MB1082 X-OriginatorOrg: fb.com X-Proofpoint-Spam-Reason: safe X-FB-Internal: Safe X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-11-05_03:,, signatures=0 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This patchset introduces an eBPF-based device controller for cgroup v2. Patches (1) and (2) are a preparational work required to share some code with the existing device controller implementation. Patch (3) is the main patch, which introduces a new bpf prog type and all necessary infrastructure. Patch (4) moves cgroup_helpers.c/h to use them by patch (4). Patch (5) implements an example of eBPF program which controls access to device files and corresponding userspace test. v3: Renamed constants introduced by patch (3) to BPF_DEVCG_* v2: Added patch (1). v1: https://lkml.org/lkml/2017/11/1/363 Roman Gushchin (5): device_cgroup: add DEVCG_ prefix to ACC_* and DEV_* constants device_cgroup: prepare code for bpf-based device controller bpf, cgroup: implement eBPF-based device controller for cgroup v2 bpf: move cgroup_helpers from samples/bpf/ to tools/testing/selftesting/bpf/ selftests/bpf: add a test for device cgroup controller include/linux/bpf-cgroup.h | 15 ++++ include/linux/bpf_types.h | 3 + include/linux/device_cgroup.h | 67 +++++++++++++++- include/uapi/linux/bpf.h | 15 ++++ kernel/bpf/cgroup.c | 67 ++++++++++++++++ kernel/bpf/syscall.c | 7 ++ kernel/bpf/verifier.c | 1 + samples/bpf/Makefile | 5 +- security/device_cgroup.c | 91 ++++++--------------- tools/include/uapi/linux/bpf.h | 15 ++++ tools/testing/selftests/bpf/Makefile | 6 +- .../testing/selftests}/bpf/cgroup_helpers.c | 0 .../testing/selftests}/bpf/cgroup_helpers.h | 0 tools/testing/selftests/bpf/dev_cgroup.c | 60 ++++++++++++++ tools/testing/selftests/bpf/test_dev_cgroup.c | 93 ++++++++++++++++++++++ 15 files changed, 369 insertions(+), 76 deletions(-) rename {samples => tools/testing/selftests}/bpf/cgroup_helpers.c (100%) rename {samples => tools/testing/selftests}/bpf/cgroup_helpers.h (100%) create mode 100644 tools/testing/selftests/bpf/dev_cgroup.c create mode 100644 tools/testing/selftests/bpf/test_dev_cgroup.c -- 2.13.6