From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753064AbdKENR6 (ORCPT <rfc822;w@1wt.eu>);
        Sun, 5 Nov 2017 08:17:58 -0500
Received: from mx0b-00082601.pphosted.com ([67.231.153.30]:47764 "EHLO
        mx0a-00082601.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1752776AbdKENQl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 5 Nov 2017 08:16:41 -0500
From: Roman Gushchin <guro@fb.com>
To: <netdev@vger.kernel.org>
CC: Tejun Heo <tj@kernel.org>, Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>, <linux-kernel@vger.kernel.org>,
        <kernel-team@fb.com>, Roman Gushchin <guro@fb.com>
Subject: [PATCH v3 net-next 3/5] bpf, cgroup: implement eBPF-based device controller for cgroup v2
Date: Sun, 5 Nov 2017 08:15:32 -0500
Message-ID: <20171105131534.25040-4-guro@fb.com>
X-Mailer: git-send-email 2.13.6
In-Reply-To: <20171105131534.25040-1-guro@fb.com>
References: <20171104.224008.1289480268047106418.davem@davemloft.net>
 <20171105131534.25040-1-guro@fb.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [2620:10d:c091:180::1:3064]
X-ClientProxiedBy: DM3PR12CA0094.namprd12.prod.outlook.com
 (2603:10b6:0:55::14) To DM3PR15MB1082.namprd15.prod.outlook.com
 (2603:10b6:0:12::8)
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: b56a1901-463c-416b-b5e4-08d5244f5f53
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(2017052603199);SRVR:DM3PR15MB1082;
X-Microsoft-Exchange-Diagnostics: 1;DM3PR15MB1082;3:OAUJiX3aYtPn9DSwyI/pW19dXELLhPrV3vV8OEGocxhj2BihEKjJUhU/8tqAKOoUGvydL6Nrxoh0RePBOjiih6Jj0lZlAe/LNOS/sCTJaD8RpkSwdcb+n7LK+WU41Fhyt6YVRIHCDbSoib0nKL4hq9/FOOBHfUXMuWMyhONj83Gn7XIchZ3/gynCX/ejVMeqFuPrwYZnvs7j9YrBpmNu/6/EkOgcKOJuRfiX2j2EXdmjlkuzU1Ltp3mxSjjIrvC7;25:Mkr7UW7+MToDJPFMWJ28d6qgsLUtF/d3nONqqz//V8gk3cRPFH8C161QQqwxxPyy+7XLf5e08JEmXF+ZaFZbcR5zfepUo8SQ1fI4xqnPpC3hvGTs85oTz4GbXcCS8S0ACoiMBd2r1kYodJtqaRA4ley1GZsyux18Le35yX+ro1UWz2Pl9vx8zh3UfjmKFmUpHAeimiOjqw1swsc90/gCeUrPuhKxyPBxh8oO9JsIGtD3Mk0QDeTqlnRfyq1xuZwa1uqX1jtdKr5tJODlIudHRWnFW0bP2kE52FaECsjAhEuaVRhD/2dhZO71mQ43Me/1d938HWD6t6WFyTuULmNJdg==;31:lhbJvLoSrOaDpKf83UOFxPfMJ/bfdMGEVd9rqCga0eMhbERkJfFVrcAcUSLCG3lYPVi47Kba0t15LqpqQFVP9lN8rDRwZGYBzY5QPIEpUf3rVO5GpnPxvLd5Y/qaCJXEJk1d3p7s/HOvthp+OUV+KWpt2xhfwaSLDuqJgm4hJiWJQC06d47VvuKMnlM5q6rEF1nwzo6pYcZfr3Wu63BLsfb8ThJvV4y93AZca5ZEj1Q=
X-MS-TrafficTypeDiagnostic: DM3PR15MB1082:
X-Microsoft-Exchange-Diagnostics: 1;DM3PR15MB1082;20:fLpbmnGSypmyFd9S/RmkptA5VpBm5JOYNrED/XtHD6rOeoJBZhm8ON1RK9xmyk6+dWHlsLXNhZYiGNXPfU2QljJ/JV5MfYqkrP0mT1/P9z6BgyhNUJeJJ3DydOGoEhfu9rkbPM0b7C+O24vIpiphUGsBb64FgOzB3+5VojzeJICScmTy9EX0SO5r/vs5SfAfXi/A+xqZ6SqkgmvilGjXp5YdpHCBZkaLnFEmjhIlxjVB9G2oM1nGRsIkiLrUp4sCjp0X0c+6DLZ4q2hEs6Gv6n2dpptmrga4pJsMNTGi0FY48IiPoEMpkja2RHCu23f6pc95e+LqYv9CQtcaLdFbswH7NGx2AGLQnMuFuNMgZkdgTQvJjzl5+FoMQEB0gV947yfomNDyz2kejuI150nRECU20uqO9qmEtvNeT7JTlEFhFk78ff+FMQIfkiIrWE8+50aDNQNAtafe2ZSO/ixn+pd69GHH0Xq2wzb0cydvixQRxTGJLMyRmMRtVMtaNBtR;4:wOn8EhSUEd1pWJSgK+8EPW6XwDryuLnYYU3vy3aLjBQMzTVoughiP07iUaB0p9hS7/xMFqpHgH6GipBs5DvzGkj8/R56oOWlQUhqSk+Z1aaYSwKVbqXBlMGs6mREPw5jnWi6wvuBjeEv9ZIz5sCW5Ryg6noXMndH0aaFLmeZ6WyyMnQCOHhjS42dQeEfe3SDx9TyXf/iexlzrpJXpm5RwRKVkgnauaMKnr/8zGAYOAmIdIdKp9JaSsJ9btQhJnCggvCU43m1R+6kubgdsYh2JxmT/b4OlphDuraTjytwYmdl0qZ1TrhCZr/LMX1SjiJP
X-Exchange-Antispam-Report-Test: UriScan:(67672495146484);
X-Microsoft-Antispam-PRVS: <DM3PR15MB10825304DBB720BD6EDF0FFDBE530@DM3PR15MB1082.namprd15.prod.outlook.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(11241501159)(6040450)(2401047)(5005006)(8121501046)(3231021)(100000703101)(100105400095)(3002001)(93006095)(93001095)(10201501046)(6041248)(20161123564025)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123558100)(20161123555025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:DM3PR15MB1082;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:DM3PR15MB1082;
X-Forefront-PRVS: 04825EA361
X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10019020)(6009001)(346002)(376002)(189002)(199003)(5660300001)(25786009)(316002)(305945005)(5890100001)(76176999)(6486002)(50466002)(50986999)(8936002)(6506006)(50226002)(4326008)(101416001)(68736007)(54906003)(97736004)(36756003)(16586007)(53416004)(6512007)(478600001)(69596002)(47776003)(5003940100001)(2950100002)(2361001)(33646002)(106356001)(6666003)(53936002)(1076002)(48376002)(189998001)(2906002)(81156014)(81166006)(8676002)(6116002)(105586002)(2351001)(575784001)(86362001)(6916009)(7736002)(42262002);DIR:OUT;SFP:1102;SCL:1;SRVR:DM3PR15MB1082;H:castle.thefacebook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1;DM3PR15MB1082;23:aWnVRi/X83VCZROslWINdLzxsw/L3TtdcCJ5ZTqkL?=
 =?us-ascii?Q?S//cr0VvcvgfFOJ+ZXeG8IMhsyxfSrQvA61CIyFwBZeETTLG+RtDsTLyAejs?=
 =?us-ascii?Q?LWIToTzX5wYRxiFmVJbdKpiDCLailv6afzHlAeMZgZiXy93oGZcK+7USTZVs?=
 =?us-ascii?Q?r2NF//M/iJQ9IoOyVWkWp6iW7vOn08auR5/EssUln/KW0i6ho6ZHuYVxMMYm?=
 =?us-ascii?Q?BPiXee82MNOS5Yy/gyY0jSq+1+uJijhbaaU0/dIMshD/4vQc6tUvqpXOivEM?=
 =?us-ascii?Q?7h5wUyEGFeO9haW+IgS4xPVvBqNVo50PWnRDATDQt7uB+WFVD/E3chfRKxUD?=
 =?us-ascii?Q?3CrMxO5d2/gMt7YJmA31YwvXZPJUAOa0I9I5xu508SwEWzpC3cx+dS8ZdgG/?=
 =?us-ascii?Q?w+L6iCKmoi/m05icrvkoPwnON9URmVSMDxxNt+3W3+Og4KS/TPQLlSl8SRoc?=
 =?us-ascii?Q?nHn5oCYPgqoLN25ix7d5bwBGPHeJ5FRbLlcCYx0oCi/sQRxoCN0W82dQ0Mo0?=
 =?us-ascii?Q?bv+Ttelo+7nERN6DdZx4x6SwF43i1W/2Hg9IfrHCiHUK5NyGSNkJ5ShW/jAI?=
 =?us-ascii?Q?aXepzL+r/sh9CziJ7eSwZZlmEkFYpd76Nm6/SJbRVfSK1CgJeOGoUjs8Zf1v?=
 =?us-ascii?Q?S9bLSm04stmIZ9XWYz6HLybjGCcSjO7r0ym5WQ9lXESkXhRDgtE7ADBy/kXJ?=
 =?us-ascii?Q?ikfA0Siy1Z4vd7LjzrV2xSdVVi5grWMuWbc6KeuPTZTI2I7MScPay1TAom5A?=
 =?us-ascii?Q?7+Ld7lWMyZqlLgzh7rLxO3Id6XY1pa5p0mXjWaq0RHGxjjELCXWEt71r9mWi?=
 =?us-ascii?Q?tyPqTK3f78nDbXkwCSPGbbCgyHJqzQszHFGdYF9jg+356+ZJLZB6mZvD1V1z?=
 =?us-ascii?Q?XT6PRtfBKNHWV4oKZqKfnaHuYxLerGT1m5zXfKUuyYDacpegF4YHI78KSJ9l?=
 =?us-ascii?Q?r1Q1GNE4gbZr2R2CWYgWepVwTCiZC0KJBtczPa0By973DTbV/UoJOMjAesPS?=
 =?us-ascii?Q?NaElq8LSHw/kWc1z4sD6dBAXkJ5qioSHwyGvutcGJGNt1mzaqq3syy3K+R8U?=
 =?us-ascii?Q?5yBSQ/pobQQdPoJI2BIx83033kUrCdfClf0jqz53olsuGad5mj5rfYLjM+2K?=
 =?us-ascii?Q?70AEs8/BYP99QE1UBnVhV239p7Lxm7H3fB3o59nW3Zj7DhLIZKanGXqYBy9v?=
 =?us-ascii?Q?OttbC128SseB6yQ1IBjWY+1GU1YybFsS45H?=
X-Microsoft-Exchange-Diagnostics: 1;DM3PR15MB1082;6:03MzIrGfOZdoLMISha76kt+7TogDFzhK4l8BogA2eyfOgu6Qw4HiZRDe+hWtTmLansOz4olXW6zo5LLCpjROzmdM/3ABFGfnVUbABhA0aC6B8F1iDJCw9REIcpewGMh80Y5yUoU+rDziDv/FIV1jDg44gXS+u2Ve8gEUUVdgccBoP2d4Zhnl0JMgVylU2hKbW6vIOblfuGHOFgR5lAVOOyseAWrfTve4xiHP64wwowGDXrD2bk0p2Qszh9Oi3gyY/RXa8YZVA8vF7eZQJ4daFaBUaKSObccgkHl+8c5bBDBO/XUugXKIAYIecO+Kxv8SQZjsaQ11qdxxrhwfK3h3TH6s1PxPvrqFJn+kLfKRUvA=;5:eTfVfNY86gbMKDb2SE+IY5s2uMpYUFFIS3s3ONK5v/QZJY1lym9xHydeRFG3m9t2m7E1U1xp2yHTETrozCgaQGOATO63uPVotcCJ0HIoCWlneO/6Lt1Vurp+Nhfk+J3eQf9NaUYtvVS0BSOETcsaB8C8fIETMFQ1vnYFG+RnK0Y=;24:TEBIjNk4ZU67RpYkzkT1Tdu9fW4zWkhVFpeQDgDsENLTKbI24zJpqKAAhcm7b2sCLJSX9Xe8T+DSFKj0/vEhxGyGKetdqYoGoU/eMzzbxyM=;7:rsGVgHoimhcywZ+dcNtwU4T0uJlOYXJwaV6sUpIb0DpLVOJb5i33soZcyGR+dJ13py324KZgeSMDQitp3yHPdWVwhTBYIKy3q+NypT74JDXm9qvoDHRSTnJN7fKRRxlJ8W0aCMhaYMHhK5oh7yDhnYtWs1a0d/E0S/ZeccIwgx8xmmLSCA/K8o3CCLOR4P6eQMyoB8Id7fJDUE+LbO6aj+eU08smXdyAoQ8qbOXRowo2mfAh1SAMCWzzjuM1ysxO
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1;DM3PR15MB1082;20:Jo7+4u6uHlfJBenhIkQCt4f+X+8yDs8Il7weaL69bSYFgVInWVM/UB1mmiSdIAk6RoSSB8uMvLMmz4+hBjog3/Q2lAMcREH2Rl8RCYmpstm7PWUmLpxjfxxZbGWEcwEIzIJZ8CeGZSXug7lVJFf5BOSTcouqHjqX/6kKakJP1gU=
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Nov 2017 13:16:05.4224 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: b56a1901-463c-416b-b5e4-08d5244f5f53
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM3PR15MB1082
X-OriginatorOrg: fb.com
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-11-05_03:,,
 signatures=0
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Cgroup v2 lacks the device controller, provided by cgroup v1.
This patch adds a new eBPF program type, which in combination
of previously added ability to attach multiple eBPF programs
to a cgroup, will provide a similar functionality, but with some
additional flexibility.

This patch introduces a BPF_PROG_TYPE_CGROUP_DEVICE program type.
A program takes major and minor device numbers, device type
(block/character) and access type (mknod/read/write) as parameters
and returns an integer which defines if the operation should be
allowed or terminated with -EPERM.

Signed-off-by: Roman Gushchin <guro@fb.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
---
 include/linux/bpf-cgroup.h     | 15 ++++++++++
 include/linux/bpf_types.h      |  3 ++
 include/linux/device_cgroup.h  |  8 ++++-
 include/uapi/linux/bpf.h       | 15 ++++++++++
 kernel/bpf/cgroup.c            | 67 ++++++++++++++++++++++++++++++++++++++++++
 kernel/bpf/syscall.c           |  7 +++++
 kernel/bpf/verifier.c          |  1 +
 tools/include/uapi/linux/bpf.h | 15 ++++++++++
 8 files changed, 130 insertions(+), 1 deletion(-)

diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h
index 87a7db9feb38..a7f16e0f8d68 100644
--- a/include/linux/bpf-cgroup.h
+++ b/include/linux/bpf-cgroup.h
@@ -67,6 +67,9 @@ int __cgroup_bpf_run_filter_sock_ops(struct sock *sk,
 				     struct bpf_sock_ops_kern *sock_ops,
 				     enum bpf_attach_type type);
 
+int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor,
+				      short access, enum bpf_attach_type type);
+
 /* Wrappers for __cgroup_bpf_run_filter_skb() guarded by cgroup_bpf_enabled. */
 #define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb)			      \
 ({									      \
@@ -112,6 +115,17 @@ int __cgroup_bpf_run_filter_sock_ops(struct sock *sk,
 	}								       \
 	__ret;								       \
 })
+
+#define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access)	      \
+({									      \
+	int __ret = 0;							      \
+	if (cgroup_bpf_enabled)						      \
+		__ret = __cgroup_bpf_check_dev_permission(type, major, minor, \
+							  access,	      \
+							  BPF_CGROUP_DEVICE); \
+									      \
+	__ret;								      \
+})
 #else
 
 struct cgroup_bpf {};
@@ -122,6 +136,7 @@ static inline int cgroup_bpf_inherit(struct cgroup *cgrp) { return 0; }
 #define BPF_CGROUP_RUN_PROG_INET_EGRESS(sk,skb) ({ 0; })
 #define BPF_CGROUP_RUN_PROG_INET_SOCK(sk) ({ 0; })
 #define BPF_CGROUP_RUN_PROG_SOCK_OPS(sock_ops) ({ 0; })
+#define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type,major,minor,access) ({ 0; })
 
 #endif /* CONFIG_CGROUP_BPF */
 
diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h
index 53c5b9ad7220..978c1d9c9383 100644
--- a/include/linux/bpf_types.h
+++ b/include/linux/bpf_types.h
@@ -19,6 +19,9 @@ BPF_PROG_TYPE(BPF_PROG_TYPE_KPROBE, kprobe)
 BPF_PROG_TYPE(BPF_PROG_TYPE_TRACEPOINT, tracepoint)
 BPF_PROG_TYPE(BPF_PROG_TYPE_PERF_EVENT, perf_event)
 #endif
+#ifdef CONFIG_CGROUP_BPF
+BPF_PROG_TYPE(BPF_PROG_TYPE_CGROUP_DEVICE, cg_dev)
+#endif
 
 BPF_MAP_TYPE(BPF_MAP_TYPE_ARRAY, array_map_ops)
 BPF_MAP_TYPE(BPF_MAP_TYPE_PERCPU_ARRAY, percpu_array_map_ops)
diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
index 2d93d7ecd479..8557efe096dc 100644
--- a/include/linux/device_cgroup.h
+++ b/include/linux/device_cgroup.h
@@ -1,5 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 #include <linux/fs.h>
+#include <linux/bpf-cgroup.h>
 
 #define DEVCG_ACC_MKNOD 1
 #define DEVCG_ACC_READ  2
@@ -19,10 +20,15 @@ static inline int __devcgroup_check_permission(short type, u32 major, u32 minor,
 { return 0; }
 #endif
 
-#ifdef CONFIG_CGROUP_DEVICE
+#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
 static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
 					     short access)
 {
+	int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
+
+	if (rc)
+		return -EPERM;
+
 	return __devcgroup_check_permission(type, major, minor, access);
 }
 
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index a9820677c2ff..d581407bb2dc 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -132,6 +132,7 @@ enum bpf_prog_type {
 	BPF_PROG_TYPE_LWT_XMIT,
 	BPF_PROG_TYPE_SOCK_OPS,
 	BPF_PROG_TYPE_SK_SKB,
+	BPF_PROG_TYPE_CGROUP_DEVICE,
 };
 
 enum bpf_attach_type {
@@ -141,6 +142,7 @@ enum bpf_attach_type {
 	BPF_CGROUP_SOCK_OPS,
 	BPF_SK_SKB_STREAM_PARSER,
 	BPF_SK_SKB_STREAM_VERDICT,
+	BPF_CGROUP_DEVICE,
 	__MAX_BPF_ATTACH_TYPE
 };
 
@@ -984,4 +986,17 @@ struct bpf_perf_event_value {
 	__u64 running;
 };
 
+#define BPF_DEVCG_ACC_MKNOD	(1ULL << 0)
+#define BPF_DEVCG_ACC_READ	(1ULL << 1)
+#define BPF_DEVCG_ACC_WRITE	(1ULL << 2)
+
+#define BPF_DEVCG_DEV_BLOCK	(1ULL << 0)
+#define BPF_DEVCG_DEV_CHAR	(1ULL << 1)
+
+struct bpf_cgroup_dev_ctx {
+	__u32 access_type; /* (access << 16) | type */
+	__u32 major;
+	__u32 minor;
+};
+
 #endif /* _UAPI__LINUX_BPF_H__ */
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 3db5a17fcfe8..b789ab78d28f 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -522,3 +522,70 @@ int __cgroup_bpf_run_filter_sock_ops(struct sock *sk,
 	return ret == 1 ? 0 : -EPERM;
 }
 EXPORT_SYMBOL(__cgroup_bpf_run_filter_sock_ops);
+
+int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor,
+				      short access, enum bpf_attach_type type)
+{
+	struct cgroup *cgrp;
+	struct bpf_cgroup_dev_ctx ctx = {
+		.access_type = (access << 16) | dev_type,
+		.major = major,
+		.minor = minor,
+	};
+	int allow = 1;
+
+	rcu_read_lock();
+	cgrp = task_dfl_cgroup(current);
+	allow = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], &ctx,
+				   BPF_PROG_RUN);
+	rcu_read_unlock();
+
+	return !allow;
+}
+EXPORT_SYMBOL(__cgroup_bpf_check_dev_permission);
+
+static const struct bpf_func_proto *
+cgroup_dev_func_proto(enum bpf_func_id func_id)
+{
+	switch (func_id) {
+	case BPF_FUNC_map_lookup_elem:
+		return &bpf_map_lookup_elem_proto;
+	case BPF_FUNC_map_update_elem:
+		return &bpf_map_update_elem_proto;
+	case BPF_FUNC_map_delete_elem:
+		return &bpf_map_delete_elem_proto;
+	case BPF_FUNC_get_current_uid_gid:
+		return &bpf_get_current_uid_gid_proto;
+	case BPF_FUNC_trace_printk:
+		if (capable(CAP_SYS_ADMIN))
+			return bpf_get_trace_printk_proto();
+	default:
+		return NULL;
+	}
+}
+
+static bool cgroup_dev_is_valid_access(int off, int size,
+				       enum bpf_access_type type,
+				       struct bpf_insn_access_aux *info)
+{
+	if (type == BPF_WRITE)
+		return false;
+
+	if (off < 0 || off + size > sizeof(struct bpf_cgroup_dev_ctx))
+		return false;
+	/* The verifier guarantees that size > 0. */
+	if (off % size != 0)
+		return false;
+	if (size != sizeof(__u32))
+		return false;
+
+	return true;
+}
+
+const struct bpf_prog_ops cg_dev_prog_ops = {
+};
+
+const struct bpf_verifier_ops cg_dev_verifier_ops = {
+	.get_func_proto		= cgroup_dev_func_proto,
+	.is_valid_access	= cgroup_dev_is_valid_access,
+};
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 323be2473c4b..08f7b450828e 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1291,6 +1291,9 @@ static int bpf_prog_attach(const union bpf_attr *attr)
 	case BPF_CGROUP_SOCK_OPS:
 		ptype = BPF_PROG_TYPE_SOCK_OPS;
 		break;
+	case BPF_CGROUP_DEVICE:
+		ptype = BPF_PROG_TYPE_CGROUP_DEVICE;
+		break;
 	case BPF_SK_SKB_STREAM_PARSER:
 	case BPF_SK_SKB_STREAM_VERDICT:
 		return sockmap_get_from_fd(attr, true);
@@ -1343,6 +1346,9 @@ static int bpf_prog_detach(const union bpf_attr *attr)
 	case BPF_CGROUP_SOCK_OPS:
 		ptype = BPF_PROG_TYPE_SOCK_OPS;
 		break;
+	case BPF_CGROUP_DEVICE:
+		ptype = BPF_PROG_TYPE_CGROUP_DEVICE;
+		break;
 	case BPF_SK_SKB_STREAM_PARSER:
 	case BPF_SK_SKB_STREAM_VERDICT:
 		return sockmap_get_from_fd(attr, false);
@@ -1385,6 +1391,7 @@ static int bpf_prog_query(const union bpf_attr *attr,
 	case BPF_CGROUP_INET_EGRESS:
 	case BPF_CGROUP_INET_SOCK_CREATE:
 	case BPF_CGROUP_SOCK_OPS:
+	case BPF_CGROUP_DEVICE:
 		break;
 	default:
 		return -EINVAL;
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 04357ad5a812..43c13ca3d491 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3127,6 +3127,7 @@ static int check_return_code(struct bpf_verifier_env *env)
 	case BPF_PROG_TYPE_CGROUP_SKB:
 	case BPF_PROG_TYPE_CGROUP_SOCK:
 	case BPF_PROG_TYPE_SOCK_OPS:
+	case BPF_PROG_TYPE_CGROUP_DEVICE:
 		break;
 	default:
 		return 0;
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 7cebba491011..33490eb2d22e 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -131,6 +131,7 @@ enum bpf_prog_type {
 	BPF_PROG_TYPE_LWT_XMIT,
 	BPF_PROG_TYPE_SOCK_OPS,
 	BPF_PROG_TYPE_SK_SKB,
+	BPF_PROG_TYPE_CGROUP_DEVICE,
 };
 
 enum bpf_attach_type {
@@ -140,6 +141,7 @@ enum bpf_attach_type {
 	BPF_CGROUP_SOCK_OPS,
 	BPF_SK_SKB_STREAM_PARSER,
 	BPF_SK_SKB_STREAM_VERDICT,
+	BPF_CGROUP_DEVICE,
 	__MAX_BPF_ATTACH_TYPE
 };
 
@@ -983,4 +985,17 @@ struct bpf_perf_event_value {
 	__u64 running;
 };
 
+#define BPF_DEVCG_ACC_MKNOD	(1ULL << 0)
+#define BPF_DEVCG_ACC_READ	(1ULL << 1)
+#define BPF_DEVCG_ACC_WRITE	(1ULL << 2)
+
+#define BPF_DEVCG_DEV_BLOCK	(1ULL << 0)
+#define BPF_DEVCG_DEV_CHAR	(1ULL << 1)
+
+struct bpf_cgroup_dev_ctx {
+	__u32 access_type; /* (access << 16) | type */
+	__u32 major;
+	__u32 minor;
+};
+
 #endif /* _UAPI__LINUX_BPF_H__ */
-- 
2.13.6