From nobody Thu Oct 9 04:46:55 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 345B921B9FE; Thu, 19 Jun 2025 22:01:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750370510; cv=none; b=iCgC0VGxUgVgAMz3ujTwTDA7+Wu24dQcuhiRmQJbItYNRIsW7wdrkGLJHHZSqcmbrGQ1dcOa81J8jNS3pA4Lg04ugLwJNQpkY4StyMmKO9lRCh4VkcO6OzsXvXtaosXNK0V3cQYHS1XS0E+zk8nE92kYxk7dwHSfJZPHngfYXAo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750370510; c=relaxed/simple; bh=70QcfvF6VIZudb7XIiCFkMwfwY4Krq2D+z7j36ghyg4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PVwnZuyclH0aGVWWv54WD7FCHvkm+TyKlAyuYi/olmyeEuX+rHPYXz4i6q7n1z0mrcC73pXWMnQPCN13nOUK8vxi0waYDSjSuePRm8+ot1cWuV3ZFJtFKS+bxth+rE/h9gMqPXF6KGIMtgPVAhzIO9jRlaG1MfqNUlA66heOGl0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=tz5ScZlS; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="tz5ScZlS" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D8866C4CEEA; Thu, 19 Jun 2025 22:01:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1750370509; bh=70QcfvF6VIZudb7XIiCFkMwfwY4Krq2D+z7j36ghyg4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tz5ScZlShMWxSHIYYWt4/9louCP4rzQvAH/9q+GYQHcW0cFPxujDkb/hMVGIL/vZ0 GQg6tb4wX1jjokBZg2KqkhKzuCnysN6r2lNJXRjsqOMKQUHjsx6mvO+tPdNkq9Ax0y 0wTzqdEJUSxRDY8HSfyOaHY8XkrFYwgoAcMXwWfHtH6biyZ8NUADo3wp3BP7PrM56F w7M0Gk5zN1xE5OY6oO0NCxvfvx3O9VU5Um+cVJy/MI8JtkA5/rACTCyTjTAuY0S6AT 
4FUlaX4nrLBvk0qZY5kSkpJ1ymSJld2T8GM73FdK/NKMIHh+HWlf/Farqx2D967So3 YrpbNyLWOauwQ== From: Song Liu To: bpf@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Cc: kernel-team@meta.com, andrii@kernel.org, eddyz87@gmail.com, ast@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz, kpsingh@kernel.org, mattbobrowski@google.com, amir73il@gmail.com, gregkh@linuxfoundation.org, tj@kernel.org, daan.j.demeyer@gmail.com, Song Liu Subject: [PATCH v2 bpf-next 1/5] kernfs: remove iattr_mutex Date: Thu, 19 Jun 2025 15:01:10 -0700 Message-ID: <20250619220114.3956120-2-song@kernel.org> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250619220114.3956120-1-song@kernel.org> References: <20250619220114.3956120-1-song@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Christian Brauner All allocations of struct kernfs_iattrs are serialized through a global mutex. Simply do a racy allocation and let the first one win. I bet most callers are under inode->i_rwsem anyway and it wouldn't be needed but let's not require that. Signed-off-by: Christian Brauner Acked-by: Greg Kroah-Hartman Signed-off-by: Song Liu --- fs/kernfs/inode.c | 74 +++++++++++++++++++++++++---------------------- 1 file changed, 40 insertions(+), 34 deletions(-) diff --git a/fs/kernfs/inode.c b/fs/kernfs/inode.c index b83054da68b3..f4b73b9482b7 100644 --- a/fs/kernfs/inode.c +++ b/fs/kernfs/inode.c 
@@ -24,45 +24,46 @@ static const struct inode_operations kernfs_iops =3D { .listxattr =3D kernfs_iop_listxattr, }; =20 -static struct kernfs_iattrs *__kernfs_iattrs(struct kernfs_node *kn, int a= lloc) +static struct kernfs_iattrs *__kernfs_iattrs(struct kernfs_node *kn, bool = alloc) { - static DEFINE_MUTEX(iattr_mutex); - struct kernfs_iattrs *ret; + struct kernfs_iattrs *ret __free(kfree) =3D NULL; + struct kernfs_iattrs *attr; =20 - mutex_lock(&iattr_mutex); + attr =3D READ_ONCE(kn->iattr); + if (attr || !alloc) + return attr; =20 - if (kn->iattr || !alloc) - goto out_unlock; - - kn->iattr =3D kmem_cache_zalloc(kernfs_iattrs_cache, GFP_KERNEL); - if (!kn->iattr) - goto out_unlock; + ret =3D kmem_cache_zalloc(kernfs_iattrs_cache, GFP_KERNEL); + if (!ret) + return NULL; =20 /* assign default attributes */ - kn->iattr->ia_uid =3D GLOBAL_ROOT_UID; - kn->iattr->ia_gid =3D GLOBAL_ROOT_GID; - - ktime_get_real_ts64(&kn->iattr->ia_atime); - kn->iattr->ia_mtime =3D kn->iattr->ia_atime; - kn->iattr->ia_ctime =3D kn->iattr->ia_atime; - - simple_xattrs_init(&kn->iattr->xattrs); - atomic_set(&kn->iattr->nr_user_xattrs, 0); - atomic_set(&kn->iattr->user_xattr_size, 0); -out_unlock: - ret =3D kn->iattr; - mutex_unlock(&iattr_mutex); - return ret; + ret->ia_uid =3D GLOBAL_ROOT_UID; + ret->ia_gid =3D GLOBAL_ROOT_GID; + + ktime_get_real_ts64(&ret->ia_atime); + ret->ia_mtime =3D ret->ia_atime; + ret->ia_ctime =3D ret->ia_atime; + + simple_xattrs_init(&ret->xattrs); + atomic_set(&ret->nr_user_xattrs, 0); + atomic_set(&ret->user_xattr_size, 0); + + /* If someone raced us, recognize it. 
*/ + if (!try_cmpxchg(&kn->iattr, &attr, ret)) + return READ_ONCE(kn->iattr); + + return no_free_ptr(ret); } =20 static struct kernfs_iattrs *kernfs_iattrs(struct kernfs_node *kn) { - return __kernfs_iattrs(kn, 1); + return __kernfs_iattrs(kn, true); } =20 static struct kernfs_iattrs *kernfs_iattrs_noalloc(struct kernfs_node *kn) { - return __kernfs_iattrs(kn, 0); + return __kernfs_iattrs(kn, false); } =20 int __kernfs_setattr(struct kernfs_node *kn, const struct iattr *iattr) @@ -141,9 +142,9 @@ ssize_t kernfs_iop_listxattr(struct dentry *dentry, cha= r *buf, size_t size) struct kernfs_node *kn =3D kernfs_dentry_node(dentry); struct kernfs_iattrs *attrs; =20 - attrs =3D kernfs_iattrs(kn); + attrs =3D kernfs_iattrs_noalloc(kn); if (!attrs) - return -ENOMEM; + return -ENODATA; =20 return simple_xattr_list(d_inode(dentry), &attrs->xattrs, buf, size); } @@ -166,9 +167,10 @@ static inline void set_inode_attr(struct inode *inode, =20 static void kernfs_refresh_inode(struct kernfs_node *kn, struct inode *ino= de) { - struct kernfs_iattrs *attrs =3D kn->iattr; + struct kernfs_iattrs *attrs; =20 inode->i_mode =3D kn->mode; + attrs =3D kernfs_iattrs_noalloc(kn); if (attrs) /* * kernfs_node has non-default attributes get them from @@ -306,7 +308,9 @@ int kernfs_xattr_set(struct kernfs_node *kn, const char= *name, const void *value, size_t size, int flags) { struct simple_xattr *old_xattr; - struct kernfs_iattrs *attrs =3D kernfs_iattrs(kn); + struct kernfs_iattrs *attrs; + + attrs =3D kernfs_iattrs(kn); if (!attrs) return -ENOMEM; =20 @@ -345,8 +349,9 @@ static int kernfs_vfs_user_xattr_add(struct kernfs_node= *kn, struct simple_xattrs *xattrs, const void *value, size_t size, int flags) { - atomic_t *sz =3D &kn->iattr->user_xattr_size; - atomic_t *nr =3D &kn->iattr->nr_user_xattrs; + struct kernfs_iattrs *attr =3D kernfs_iattrs_noalloc(kn); + atomic_t *sz =3D &attr->user_xattr_size; + atomic_t *nr =3D &attr->nr_user_xattrs; struct simple_xattr *old_xattr; int ret; =20 
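Review bot: The lockless publish in `__kernfs_iattrs()` has no comment explaining why a plain `READ_ONCE(kn->iattr)` is enough for readers, or that the loser of the race drops its unused copy through the `__free(kfree)` cleanup even though the object came from `kernfs_iattrs_cache`. A short comment above the `try_cmpxchg()` should say that every field is initialised before the pointer is published and that the losing allocation is released by the scope-based cleanup. On failure `try_cmpxchg()` has already stored the current value in `attr`, so `return attr;` would avoid the second load of `kn->iattr`.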
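Review bot: In `kernfs_iop_listxattr()` a node that has never had attributes set now makes the call fail with `-ENODATA`, where it previously got a freshly allocated `kernfs_iattrs` and returned the result of `simple_xattr_list()`. That is a user-visible change for listxattr callers, which normally get a (possibly empty) list rather than an error when nothing is set, and anything `simple_xattr_list()` derives from `d_inode(dentry)` is presumably skipped as well. Unless that is intended, keep `attrs = kernfs_iattrs(kn);` with `return -ENOMEM;` on this path; nothing in the hunk suggests it has to avoid allocating.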
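Review bot: `kernfs_vfs_user_xattr_add()` forms `&attr->user_xattr_size` and `&attr->nr_user_xattrs` from the result of `kernfs_iattrs_noalloc(kn)` without a NULL check. The `kernfs_vfs_user_xattr_rm()` hunk does the same but calls the allocating `kernfs_iattrs(kn)`, which can return NULL when the allocation fails, and the two helpers are now inconsistent with each other. If the caller guarantees the iattrs already exist (not visible in these hunks), use `kernfs_iattrs_noalloc(kn)` in both and state that precondition in a comment; otherwise bail out before the atomics are touched. Both function bodies continue outside their hunks.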
@@ -384,8 +389,9 @@ static int kernfs_vfs_user_xattr_rm(struct kernfs_node = *kn, struct simple_xattrs *xattrs, const void *value, size_t size, int flags) { - atomic_t *sz =3D &kn->iattr->user_xattr_size; - atomic_t *nr =3D &kn->iattr->nr_user_xattrs; + struct kernfs_iattrs *attr =3D kernfs_iattrs(kn); + atomic_t *sz =3D &attr->user_xattr_size; + atomic_t *nr =3D &attr->nr_user_xattrs; struct simple_xattr *old_xattr; =20 old_xattr =3D simple_xattr_set(xattrs, full_name, value, size, flags); --=20 2.47.1 From nobody Thu Oct 9 04:46:55 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2AD2428DF3B; Thu, 19 Jun 2025 22:01:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750370516; cv=none; b=uNXPIYoYpAmCfOKmaoqusWXUdSbVLxbU2nP3Haf5K7IohPdLD+Q8GbhD4tY0dP6YxSx8YEeMpchYP/K7VCh/bq1VWyAJoJlerMYq3rjKUjqWLhZsc6RE4/+mHsY47aA+a9EIlC7SeHNkeoMFiPaNuS79Ch7TJ5eMMe+deyFpltk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750370516; c=relaxed/simple; bh=NIfNoG423OkEnE3hS7qFIh07B2hsI2a8wQjaQzBrAe0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=gw3z3IXLmVsMXj6YzkeDq/7ztSjhLLSH17sdFn46WzahWWvEqqbEkxFqPkz45vRZ7r9dHD9G9b9XOXUOOsHbz41P3JXDcgXfNZ0K5ufLosjCJtiwYWhswSUcQCKHYz4htedvUIc01qsXojbHzIpoLNeEzyR7v48MLzSDKHmyK0o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=CstctGE2; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="CstctGE2" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C5EFEC4CEEA; 
Thu, 19 Jun 2025 22:01:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1750370515; bh=NIfNoG423OkEnE3hS7qFIh07B2hsI2a8wQjaQzBrAe0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=CstctGE2mkzfjgLwDCnBCJVvUIHNruZUecKwRc8qHuO1aYQVIUQbXIsXeqXhusEqm ezi4bJanpHyBDjtO0FH43groYjQSG+LUlFQIfAuN9ZiLBgJAAs1hZYuZha7FJ53gha NT7KeXIThfw0Bv/qhjbOlu0fjsJbj7LIYzJd4rsIEUsW+ExVX82qsQyoUTx1S3K14w U+mZhJ2R4BFf2nFRAKxenBYN8MRqcwv9OTdM7tFJz31qpKWV6DkVjSmUYJf60nUZbP jlReBBXtg+DOq80X+XwKLmEhgeLWt0iM1AU/Nca57qQK5KXTELsYxdmVPeyfyhV34f WL35akhLqVcPQ== 
From: Song Liu To: bpf@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Cc: kernel-team@meta.com, andrii@kernel.org, eddyz87@gmail.com, ast@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz, kpsingh@kernel.org, mattbobrowski@google.com, amir73il@gmail.com, gregkh@linuxfoundation.org, tj@kernel.org, daan.j.demeyer@gmail.com, Song Liu Subject: [PATCH v2 bpf-next 2/5] bpf: Introduce bpf_cgroup_read_xattr to read xattr of cgroup's node Date: Thu, 19 Jun 2025 15:01:11 -0700 Message-ID: <20250619220114.3956120-3-song@kernel.org> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250619220114.3956120-1-song@kernel.org> References: <20250619220114.3956120-1-song@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" BPF programs, such as LSM and sched_ext, would benefit from tags on cgroups. One common practice to apply such tags is to set xattrs on cgroupfs folders. Introduce kfunc bpf_cgroup_read_xattr, which allows reading cgroup's xattr. Note that we already have bpf_get_[file|dentry]_xattr. However, these two APIs are not ideal for reading cgroupfs xattrs, because: 1) These two APIs only work in sleepable contexts; 2) There is no kfunc that matches current cgroup to cgroupfs dentry. Signed-off-by: Song Liu --- fs/bpf_fs_kfuncs.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/fs/bpf_fs_kfuncs.c b/fs/bpf_fs_kfuncs.c index 08412532db1b..9f3f9bd0f6f7 100644 --- a/fs/bpf_fs_kfuncs.c +++ b/fs/bpf_fs_kfuncs.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include =20 
@@ -322,6 +323,37 @@ __bpf_kfunc int bpf_remove_dentry_xattr(struct dentry = *dentry, const char *name_ return ret; } =20 +/** + * bpf_cgroup_read_xattr - read xattr of a cgroup's node in cgroupfs + * @cgroup: cgroup to get xattr from + * @name__str: name of the xattr + * @value_p: output buffer of the xattr value + * + * Get xattr *name__str* of *cgroup* and store the output in *value_ptr*. + * + * For security reasons, only *name__str* with prefix "user." is allowed. + * + * Return: length of the xattr value on success, a negative value on error. + */ +__bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *n= ame__str, + struct bpf_dynptr *value_p) +{ + struct bpf_dynptr_kern *value_ptr =3D (struct bpf_dynptr_kern *)value_p; + u32 value_len; + void *value; + + /* Only allow reading "user.*" xattrs */ + if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) + return -EPERM; + + value_len =3D __bpf_dynptr_size(value_ptr); + value =3D __bpf_dynptr_data_rw(value_ptr, value_len); + if (!value) + return -EINVAL; + + return kernfs_xattr_get(cgroup->kn, name__str, value, value_len); +} + __bpf_kfunc_end_defs(); =20 BTF_KFUNCS_START(bpf_fs_kfunc_set_ids) 
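Review bot: The kernel-doc for `bpf_cgroup_read_xattr()` declares the parameter as `@value_p` but the description refers to `*value_ptr*`, which is only the local variable in the body. The Return line should also name the errors the body itself produces: `-EPERM` for a name without the `user.` prefix and `-EINVAL` when the dynptr yields no writable buffer, in addition to whatever `kernfs_xattr_get()` returns. It would help to state that the buffer receives the raw value bytes (presumably with no terminator added), so callers must rely on the returned length rather than treating the buffer as a string.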
@@ -333,6 +365,7 @@ BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE |= KF_TRUSTED_ARGS) BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS) BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS) BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS) +BTF_ID_FLAGS(func, bpf_cgroup_read_xattr, KF_RCU) BTF_KFUNCS_END(bpf_fs_kfunc_set_ids) =20 static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id) --=20 2.47.1 From nobody Thu Oct 9 04:46:55 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 174B728FA8A; Thu, 19 Jun 2025 22:02:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750370522; cv=none; b=ibIQjiqy9dyS3gSHRT9zIU38sYCSNHRp9dT0pp0gC00kTrLJgAW56mQfhGgRW2S/ssS2OnHzbABZ5Lxd3JMTXKNHjX4t3b9kF4iRkuAOPaeNbX4HyofNIEsfGD5j4TJx3FRnlhpql220/5/M2n8lX6ObxBFrER8dew3qLdsSRsM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750370522; c=relaxed/simple; bh=BEJZRN76m+6IEQPpBHY905TwGMpPvyUC5d/zGM477GM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=i6p+2VFdnOYm0MbOFrh1lC+pqUfQYaC9TK6UafOceFWCx8q3LiQiasyRMeMlEzTrXcw394kgAocItl0bfdhl2/1OX1R7gwTp6ANode58bIw1GH6JlqKUMFiHqpm3H9xYLBrTvRPpsQ+l45MESn9lOJRVaWJjX85k4dJqEV8ChBg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=O2jVOS9r; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="O2jVOS9r" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B992FC4CEEA; Thu, 19 Jun 
2025 22:01:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1750370521; bh=BEJZRN76m+6IEQPpBHY905TwGMpPvyUC5d/zGM477GM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=O2jVOS9rsPu2QWKDqAZ9DxbYY0z+Q1V4k0o6rfpgaALR2sURs2kj5+dEgDCCQvA9k P+c4lwC3Od9MJGqSSP35rC49R8MNkM3v8dH9qkhCBsDhkXdwRb1+PMldrbp0RbZKUM UW3R7kO2jrvc1oCFrtdShybrPid1FFqUcz/0Srgmi5ACBwwpGL6hkF3SIdahQCH4F4 6WRxfvw4Ld6j4i/kUZ7kt4aLUep/oDTOBJC9iJF0+uyZZQ175yxnNHyiWMg2FPBXHx 1KOF543bUryz4TMLS1wL1tv5+XT0SeE5XJTWlnPYnDCyjRWGCWMzPAZmvBjW8DO9gB NxndpHVMqZgUg== From: Song Liu To: bpf@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Cc: kernel-team@meta.com, andrii@kernel.org, eddyz87@gmail.com, ast@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz, kpsingh@kernel.org, mattbobrowski@google.com, amir73il@gmail.com, gregkh@linuxfoundation.org, tj@kernel.org, daan.j.demeyer@gmail.com, Song Liu Subject: [PATCH v2 bpf-next 3/5] bpf: Mark cgroup_subsys_state->cgroup RCU safe Date: Thu, 19 Jun 2025 15:01:12 -0700 Message-ID: <20250619220114.3956120-4-song@kernel.org> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250619220114.3956120-1-song@kernel.org> References: <20250619220114.3956120-1-song@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Mark struct cgroup_subsys_state->cgroup as safe under RCU read lock. This will enable accessing css->cgroup from a bpf css iterator. Signed-off-by: Song Liu Acked-by: Tejun Heo --- kernel/bpf/verifier.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 279a64933262..e2f53dc8766a 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c 
@@ -7058,6 +7058,10 @@ BTF_TYPE_SAFE_RCU(struct css_set) { struct cgroup *dfl_cgrp; }; =20 +BTF_TYPE_SAFE_RCU(struct cgroup_subsys_state) { + struct cgroup *cgroup; +}; + /* RCU trusted: these fields are trusted in RCU CS and can be NULL */ BTF_TYPE_SAFE_RCU_OR_NULL(struct mm_struct) { struct file __rcu *exe_file; 
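Review bot: The new `BTF_TYPE_SAFE_RCU(struct cgroup_subsys_state)` entry carries no comment, yet it tells the verifier that `css->cgroup` may be dereferenced inside an RCU read-side section without a NULL check, unlike the `_OR_NULL` group that follows it. A one-line comment stating the invariant being relied on would make this trust decision reviewable, e.g. `/* css->cgroup is set when the css is initialised and stays valid for the css's RCU lifetime */`, assuming that is indeed the guarantee.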
@@ -7108,6 +7112,7 @@ static bool type_is_rcu(struct bpf_verifier_env *env, BTF_TYPE_EMIT(BTF_TYPE_SAFE_RCU(struct task_struct)); BTF_TYPE_EMIT(BTF_TYPE_SAFE_RCU(struct cgroup)); BTF_TYPE_EMIT(BTF_TYPE_SAFE_RCU(struct css_set)); + BTF_TYPE_EMIT(BTF_TYPE_SAFE_RCU(struct cgroup_subsys_state)); =20 return btf_nested_type_is_trusted(&env->log, reg, field_name, btf_id, "__= safe_rcu"); } --=20 2.47.1 From nobody Thu Oct 9 04:46:55 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 75858257ACF; Thu, 19 Jun 2025 22:02:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750370528; cv=none; b=G3ftiqenRal9ZSYmXnR1KnEwcrw3aPQKxGkUElxXOMgJj/utl2s9HCO6NeAYC9LBlSIgmo5/CUU92renx5D9eV4LpdhPKHTdb7GFImQQy2uAN4GRY3LE8WX0pFrVzkTaWuxz13DS2ngQ3m2SZyAByOPUFNSwX9T8z5iHcClJXJU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750370528; c=relaxed/simple; bh=jdWK/5a3W2+xBoAYx3DkNi8AquzLoEdQcA05Mo/5SrE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=RPCcIYS+1/lC5e+elSR1JOikJvJo1YidVlm9chVlo+oKwwDqiLBI7MMH60D/FeOWs+lOBpnVk52mwJIELSzAQiwl7VPgNz9zpCaLUF2uxZ6ZXltG25wAEyCAQxl7R2XXdm7PbBCwTlBp1L8ALoVxb/QM9ZYGWJuMNCvWTgfGXD4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=baF9UeMj; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="baF9UeMj" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B2CB5C4CEEA; Thu, 19 Jun 2025 22:02:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; 
s=k20201202; t=1750370527; bh=jdWK/5a3W2+xBoAYx3DkNi8AquzLoEdQcA05Mo/5SrE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=baF9UeMjNGgQuJ96ScrNta9r9aC6VonmOkkfWm0D1VkmbU9cnWjIrxw6cdS2cFr/F B+25VQWEBLO3M4npDgVqbL2HTK9qfDBayHqpa/SXMfiQIk8yiL6WrMKpdA6EZm18T0 NVmVKqGXx9hHTdNGQ4vsd2ysb3j2lAa74r/2eGGiDbzKUX8+46CJzT359n/GGrTKfM DQ3y+t2Sy8L6qsNdFhGOlm05XTlT5ghKBe1zUNQpWrK5x60SGd4TPmj6ejcOHb3P+y W15DtO/D8KwL28rYifR5kcdLZEIDlG7Jd1c56U4Sma4psXPOb/xZowNMSYXfh/8Wtx eBnKIBetJqkJA== From: Song Liu To: bpf@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Cc: kernel-team@meta.com, andrii@kernel.org, eddyz87@gmail.com, ast@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz, kpsingh@kernel.org, mattbobrowski@google.com, amir73il@gmail.com, gregkh@linuxfoundation.org, tj@kernel.org, daan.j.demeyer@gmail.com, Song Liu Subject: [PATCH v2 bpf-next 4/5] selftests/bpf: Add tests for bpf_cgroup_read_xattr Date: Thu, 19 Jun 2025 15:01:13 -0700 Message-ID: <20250619220114.3956120-5-song@kernel.org> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250619220114.3956120-1-song@kernel.org> References: <20250619220114.3956120-1-song@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add tests for different scenarios with bpf_cgroup_read_xattr: 1. Read cgroup xattr from bpf_cgroup_from_id; 2. Read cgroup xattr from bpf_cgroup_ancestor; 3. Read cgroup xattr from css_iter; 4. Use bpf_cgroup_read_xattr in LSM hook security_socket_connect. 
Signed-off-by: Song Liu --- .../selftests/bpf/prog_tests/cgroup_xattr.c | 145 ++++++++++++++++++ .../selftests/bpf/progs/cgroup_read_xattr.c | 136 ++++++++++++++++ .../selftests/bpf/progs/read_cgroupfs_xattr.c | 60 ++++++++ 3 files changed, 341 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/cgroup_xattr.c create mode 100644 tools/testing/selftests/bpf/progs/cgroup_read_xattr.c create mode 100644 tools/testing/selftests/bpf/progs/read_cgroupfs_xattr.c diff --git a/tools/testing/selftests/bpf/prog_tests/cgroup_xattr.c b/tools/= testing/selftests/bpf/prog_tests/cgroup_xattr.c new file mode 100644 index 000000000000..87978a0f7eb7 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/cgroup_xattr.c 
@@ -0,0 +1,145 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */ + +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "read_cgroupfs_xattr.skel.h" +#include "cgroup_read_xattr.skel.h" + +#define CGROUP_FS_ROOT "/sys/fs/cgroup/" +#define CGROUP_FS_PARENT CGROUP_FS_ROOT "foo/" +#define CGROUP_FS_CHILD CGROUP_FS_PARENT "bar/" + +static int move_pid_to_cgroup(const char *cgroup_folder, pid_t pid) +{ + char filename[128]; + char pid_str[64]; + int procs_fd; + int ret; + + snprintf(filename, sizeof(filename), "%scgroup.procs", cgroup_folder); + snprintf(pid_str, sizeof(pid_str), "%d", pid); + + procs_fd =3D open(filename, O_WRONLY | O_APPEND); + if (!ASSERT_OK_FD(procs_fd, "open")) + return -1; + + ret =3D write(procs_fd, pid_str, strlen(pid_str)); + close(procs_fd); + if (!ASSERT_GT(ret, 0, "write cgroup.procs")) + return -1; + return 0; +} + +static void reset_cgroups_and_lo(void) +{ + rmdir(CGROUP_FS_CHILD); + rmdir(CGROUP_FS_PARENT); + system("ip addr del 1.1.1.1/32 dev lo"); + system("ip link set dev lo down"); +} + +static const char xattr_value_a[] =3D "bpf_selftest_value_a"; +static const char xattr_value_b[] =3D "bpf_selftest_value_b"; +static const char xattr_name[] =3D "user.bpf_test"; + +static int setup_cgroups_and_lo(void) +{ + int err; + + err =3D mkdir(CGROUP_FS_PARENT, 0755); + if (!ASSERT_OK(err, "mkdir 1")) + goto error; + err =3D mkdir(CGROUP_FS_CHILD, 0755); + if (!ASSERT_OK(err, "mkdir 2")) + goto error; + + err =3D setxattr(CGROUP_FS_PARENT, xattr_name, xattr_value_a, + strlen(xattr_value_a) + 1, 0); + if (!ASSERT_OK(err, "setxattr 1")) + goto error; + + err =3D setxattr(CGROUP_FS_CHILD, xattr_name, xattr_value_b, + strlen(xattr_value_b) + 1, 0); + if (!ASSERT_OK(err, "setxattr 2")) + goto error; + + err =3D system("ip link set dev lo up"); + if (!ASSERT_OK(err, "lo up")) + goto error; + + err =3D system("ip addr add 1.1.1.1 dev lo"); + if 
(!ASSERT_OK(err, "lo addr v4")) + goto error; + + err =3D write_sysctl("/proc/sys/net/ipv4/ping_group_range", "0 0"); + if (!ASSERT_OK(err, "write_sysctl")) + goto error; + + return 0; +error: + reset_cgroups_and_lo(); + return err; +} + +static void test_read_cgroup_xattr(void) +{ + struct sockaddr_in sa4 =3D { + .sin_family =3D AF_INET, + .sin_addr.s_addr =3D htonl(INADDR_LOOPBACK), + }; + struct read_cgroupfs_xattr *skel =3D NULL; + pid_t pid =3D gettid(); + int sock_fd =3D -1; + int connect_fd =3D -1; + + if (!ASSERT_OK(setup_cgroups_and_lo(), "setup_cgroups_and_lo")) + return; + if (!ASSERT_OK(move_pid_to_cgroup(CGROUP_FS_CHILD, pid), + "move_pid_to_cgroup")) + goto out; + + skel =3D read_cgroupfs_xattr__open_and_load(); + if (!ASSERT_OK_PTR(skel, "read_cgroupfs_xattr__open_and_load")) + goto out; + + skel->bss->target_pid =3D pid; + + if (!ASSERT_OK(read_cgroupfs_xattr__attach(skel), "read_cgroupfs_xattr__a= ttach")) + goto out; + + sock_fd =3D socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP); + if (!ASSERT_OK_FD(sock_fd, "sock create")) + goto out; + + connect_fd =3D connect(sock_fd, &sa4, sizeof(sa4)); + if (!ASSERT_OK_FD(connect_fd, "connect 1")) + goto out; + close(connect_fd); + + ASSERT_TRUE(skel->bss->found_value_a, "found_value_a"); + ASSERT_TRUE(skel->bss->found_value_b, "found_value_b"); + +out: + close(connect_fd); + close(sock_fd); + read_cgroupfs_xattr__destroy(skel); + move_pid_to_cgroup(CGROUP_FS_ROOT, pid); + reset_cgroups_and_lo(); +} + +void test_cgroup_xattr(void) +{ + RUN_TESTS(cgroup_read_xattr); + + if (test__start_subtest("read_cgroupfs_xattr")) + test_read_cgroup_xattr(); +} diff --git a/tools/testing/selftests/bpf/progs/cgroup_read_xattr.c b/tools/= testing/selftests/bpf/progs/cgroup_read_xattr.c new file mode 100644 index 000000000000..b50ccb3aebcf --- /dev/null +++ b/tools/testing/selftests/bpf/progs/cgroup_read_xattr.c 
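Review bot: `test_read_cgroup_xattr()` treats the return value of `connect()` as a file descriptor, but `connect()` returns 0 on success, so `close(connect_fd)` closes descriptor 0 of the test runner, once right after the call and again at `out:`. Use `err = connect(sock_fd, (struct sockaddr *)&sa4, sizeof(sa4));` followed by `if (!ASSERT_OK(err, "connect 1")) goto out;` and drop both `close(connect_fd)` calls. Separately, `reset_cgroups_and_lo()` runs `ip link set dev lo down` and the setup writes `ping_group_range` without restoring it. Nothing visible here moves the test into a private network namespace, so it appears to leave the host's loopback and sysctl state changed.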
@@ -0,0 +1,136 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */ + +#include +#include +#include +#include +#include "bpf_experimental.h" +#include "bpf_misc.h" + +char _license[] SEC("license") =3D "GPL"; + +char value[16]; + +__always_inline void read_xattr(struct cgroup *cgroup) +{ + struct bpf_dynptr value_ptr; + + bpf_dynptr_from_mem(value, sizeof(value), 0, &value_ptr); + bpf_cgroup_read_xattr(cgroup, "user.bpf_test", + &value_ptr); +} + +SEC("lsm.s/socket_connect") +__success +int BPF_PROG(trusted_cgroup_ptr_sleepable) +{ + u64 cgrp_id =3D bpf_get_current_cgroup_id(); + struct cgroup *cgrp; + + cgrp =3D bpf_cgroup_from_id(cgrp_id); + if (!cgrp) + return 0; + + read_xattr(cgrp); + bpf_cgroup_release(cgrp); + return 0; +} + +SEC("lsm/socket_connect") +__success +int BPF_PROG(trusted_cgroup_ptr_non_sleepable) +{ + u64 cgrp_id =3D bpf_get_current_cgroup_id(); + struct cgroup *cgrp; + + cgrp =3D bpf_cgroup_from_id(cgrp_id); + if (!cgrp) + return 0; + + read_xattr(cgrp); + bpf_cgroup_release(cgrp); + return 0; +} + +SEC("lsm/socket_connect") +__success +int BPF_PROG(use_css_iter_non_sleepable) +{ + u64 cgrp_id =3D bpf_get_current_cgroup_id(); + struct cgroup_subsys_state *css; + struct cgroup *cgrp; + + cgrp =3D bpf_cgroup_from_id(cgrp_id); + if (!cgrp) + return 0; + + bpf_for_each(css, css, &cgrp->self, BPF_CGROUP_ITER_ANCESTORS_UP) + read_xattr(css->cgroup); + + bpf_cgroup_release(cgrp); + return 0; +} + +SEC("lsm.s/socket_connect") +__failure __msg("expected an RCU CS") +int BPF_PROG(use_css_iter_sleepable_missing_rcu_lock) +{ + u64 cgrp_id =3D bpf_get_current_cgroup_id(); + struct cgroup_subsys_state *css; + struct cgroup *cgrp; + + cgrp =3D bpf_cgroup_from_id(cgrp_id); + if (!cgrp) + return 0; + + bpf_for_each(css, css, &cgrp->self, BPF_CGROUP_ITER_ANCESTORS_UP) + read_xattr(css->cgroup); + + bpf_cgroup_release(cgrp); + return 0; +} + +SEC("lsm.s/socket_connect") +__success +int 
BPF_PROG(use_css_iter_sleepable_with_rcu_lock) +{ + u64 cgrp_id =3D bpf_get_current_cgroup_id(); + struct cgroup_subsys_state *css; + struct cgroup *cgrp; + + bpf_rcu_read_lock(); + cgrp =3D bpf_cgroup_from_id(cgrp_id); + if (!cgrp) + goto out; + + bpf_for_each(css, css, &cgrp->self, BPF_CGROUP_ITER_ANCESTORS_UP) + read_xattr(css->cgroup); + + bpf_cgroup_release(cgrp); +out: + bpf_rcu_read_unlock(); + return 0; +} + +SEC("lsm/socket_connect") +__success +int BPF_PROG(use_bpf_cgroup_ancestor) +{ + u64 cgrp_id =3D bpf_get_current_cgroup_id(); + struct cgroup *cgrp, *ancestor; + + cgrp =3D bpf_cgroup_from_id(cgrp_id); + if (!cgrp) + return 0; + + ancestor =3D bpf_cgroup_ancestor(cgrp, 1); + if (!ancestor) + goto out; + + read_xattr(cgrp); + bpf_cgroup_release(ancestor); +out: + bpf_cgroup_release(cgrp); + return 0; +} diff --git a/tools/testing/selftests/bpf/progs/read_cgroupfs_xattr.c b/tool= s/testing/selftests/bpf/progs/read_cgroupfs_xattr.c new file mode 100644 index 000000000000..855f85fc5522 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/read_cgroupfs_xattr.c 
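Review bot: `use_bpf_cgroup_ancestor` acquires `ancestor` with `bpf_cgroup_ancestor(cgrp, 1)` but then calls `read_xattr(cgrp)`, so the pointer this case is named for never reaches the kfunc and the verifier path for it goes untested. The call should be `read_xattr(ancestor);`. `read_xattr()` also discards the return value of `bpf_cgroup_read_xattr()`, which is acceptable for a load-only test but deserves a comment saying the programs are only checked for verifier acceptance.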
@@ -0,0 +1,60 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */ + +#include +#include +#include +#include +#include "bpf_experimental.h" + +char _license[] SEC("license") =3D "GPL"; + +pid_t target_pid =3D 0; + +char xattr_value[64]; +static const char expected_value_a[] =3D "bpf_selftest_value_a"; +static const char expected_value_b[] =3D "bpf_selftest_value_b"; +bool found_value_a; +bool found_value_b; + +SEC("lsm.s/socket_connect") +int BPF_PROG(test_socket_connect) +{ + u64 cgrp_id =3D bpf_get_current_cgroup_id(); + struct cgroup_subsys_state *css, *tmp; + struct bpf_dynptr value_ptr; + struct cgroup *cgrp; + + if ((bpf_get_current_pid_tgid() >> 32) !=3D target_pid) + return 0; + + bpf_rcu_read_lock(); + cgrp =3D bpf_cgroup_from_id(cgrp_id); + if (!cgrp) { + bpf_rcu_read_unlock(); + return 0; + } + + css =3D &cgrp->self; + bpf_dynptr_from_mem(xattr_value, sizeof(xattr_value), 0, &value_ptr); + bpf_for_each(css, tmp, css, BPF_CGROUP_ITER_ANCESTORS_UP) { + int ret; + + ret =3D bpf_cgroup_read_xattr(tmp->cgroup, "user.bpf_test", + &value_ptr); + if (ret < 0) + continue; + + if (ret =3D=3D sizeof(expected_value_a) && + !bpf_strncmp(xattr_value, sizeof(expected_value_a), expected_value_a= )) + found_value_a =3D true; + if (ret =3D=3D sizeof(expected_value_b) && + !bpf_strncmp(xattr_value, sizeof(expected_value_b), expected_value_b= )) + found_value_b =3D true; + } + + bpf_rcu_read_unlock(); + bpf_cgroup_release(cgrp); + + return 0; +} --=20 2.47.1 From nobody Thu Oct 9 04:46:55 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 54DAA29CB40; Thu, 19 Jun 2025 22:02:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; 
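Review bot: The filter `(bpf_get_current_pid_tgid() >> 32) != target_pid` compares the tgid half of the helper's result, while the user-space side in prog_tests/cgroup_xattr.c stores `gettid()` in `target_pid`. The two agree only when the test runs on the thread-group leader; on any other thread the program returns early and both `found_value_*` assertions fail. Either set `target_pid` from `getpid()` or compare the low 32 bits with `(u32)bpf_get_current_pid_tgid() != target_pid`.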
d=subspace.kernel.org; s=arc-20240116; t=1750370534; cv=none; b=rQpJ+YWIMNKipIyAwfL3TJMvXp3KHoSdRP454hlFtsPUvTDmBiD4azrKLA8mlt9VDelLc65Sn9epOA2RBwjoph4mJjbtRKyf5kuDACyR3jPmEqWtIIi/PmHQEkOM8stjca6wLXPOrjBLCFc9Y5cPi4Mp25TRwkWQ5HOu2YDuI24= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750370534; c=relaxed/simple; bh=puTnRa7DG1Y2PCVVgbCIuZlS5MYTdTwFeWDN6MNVDzk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=TINgn3FSbiNZlQButuLgN/HHezOf7lfFgJo9OH25uslnye7q9HVxZvt1+GeWCnRSVtMg/ZN7rTsw1JWlOL6wNK5iAtQvsOkI5BbJGjFHTpVIPD5C/PUlmLSiVrbudsaYiCk0JM5x/EwT2GTj+rkAXPxsJLD9Qp5vZiduEgHA1vc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=K/7siiah; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="K/7siiah" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 04170C4CEEE; Thu, 19 Jun 2025 22:02:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1750370533; bh=puTnRa7DG1Y2PCVVgbCIuZlS5MYTdTwFeWDN6MNVDzk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=K/7siiahIm2+vZA2wm1AFxzo5pqkamDp6sKxQ9Vmz62HlRZ2iwBJEj9va2lWHpWFt HzRkvbJTJOBKMKlNXsI4zgUC/z3UnXa9eyxdVC8p0kt5GcPqrEt+fRYTUOqZ/+T/p9 2V2GLD0wmBChNu81p44UA/T7Hl8ONPHFIVN1pKSMOjFk7l5u1iT0tpJY/P+MtYlgG3 oyrZkcd3I0dQhTIQcxl/WGfyET25Q0pQiFInDTtr6vSh1guqGyhFUYj1p2VR7Di6Ah cz/F6tgeXiPl6tyvG7UpF92wxJOX+8Zx1Cy/j3tZ3umrjKwBAtITwfztifQGG4aevM krBu93NfV+KXg== 
From: Song Liu To: bpf@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Cc: kernel-team@meta.com, andrii@kernel.org, eddyz87@gmail.com, ast@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz, kpsingh@kernel.org, mattbobrowski@google.com, amir73il@gmail.com, gregkh@linuxfoundation.org, tj@kernel.org, daan.j.demeyer@gmail.com, Song Liu Subject: [PATCH v2 bpf-next 5/5] bpf: Make bpf_cgroup_read_xattr available to cgroup and struct_ops progs Date: Thu, 19 Jun 2025 15:01:14 -0700 Message-ID: <20250619220114.3956120-6-song@kernel.org> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250619220114.3956120-1-song@kernel.org> References: <20250619220114.3956120-1-song@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" cgroup BPF programs and struct_ops BPF programs (such as sched_ext) need bpf_cgroup_read_xattr. Make bpf_cgroup_read_xattr available to these prog types. Rename bpf_fs_kfunc_* variables as bpf_lsm_fs_kfunc_*, as these are only available to BPF LSM programs. Then, reuse bpf_fs_kfunc_* name for cgroup and struct_ops prog types. Also add a selftest with program of "cgroup/sendmsg4" type. Signed-off-by: Song Liu --- fs/bpf_fs_kfuncs.c | 53 +++++++++++++++++-- .../selftests/bpf/progs/cgroup_read_xattr.c | 22 ++++++++ 2 files changed, 70 insertions(+), 5 deletions(-) diff --git a/fs/bpf_fs_kfuncs.c b/fs/bpf_fs_kfuncs.c index 9f3f9bd0f6f7..8e02e09e092e 100644 --- a/fs/bpf_fs_kfuncs.c +++ b/fs/bpf_fs_kfuncs.c 
@@ -356,7 +356,7 @@ __bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cg= roup, const char *name__s =20 __bpf_kfunc_end_defs(); =20 -BTF_KFUNCS_START(bpf_fs_kfunc_set_ids) +BTF_KFUNCS_START(bpf_lsm_fs_kfunc_set_ids) BTF_ID_FLAGS(func, bpf_get_task_exe_file, KF_ACQUIRE | KF_TRUSTED_ARGS | KF_RET_NULL) BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE) @@ -366,11 +366,11 @@ BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE |= KF_TRUSTED_ARGS) BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS) BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS) BTF_ID_FLAGS(func, bpf_cgroup_read_xattr, KF_RCU) -BTF_KFUNCS_END(bpf_fs_kfunc_set_ids) +BTF_KFUNCS_END(bpf_lsm_fs_kfunc_set_ids) =20 -static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id) +static int bpf_lsm_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc= _id) { - if (!btf_id_set8_contains(&bpf_fs_kfunc_set_ids, kfunc_id) || + if (!btf_id_set8_contains(&bpf_lsm_fs_kfunc_set_ids, kfunc_id) || prog->type =3D=3D BPF_PROG_TYPE_LSM) return 0; return -EACCES; 
@@ -407,6 +407,40 @@ bool bpf_lsm_has_d_inode_locked(const struct bpf_prog = *prog) return btf_id_set_contains(&d_inode_locked_hooks, prog->aux->attach_btf_i= d); } =20 +static const struct btf_kfunc_id_set bpf_lsm_fs_kfunc_set =3D { + .owner =3D THIS_MODULE, + .set =3D &bpf_lsm_fs_kfunc_set_ids, + .filter =3D bpf_lsm_fs_kfuncs_filter, +}; + +/* + * This set contains kfuncs available to BPF programs of cgroup type and + * struct_ops type. + */ +BTF_KFUNCS_START(bpf_fs_kfunc_set_ids) +BTF_ID_FLAGS(func, bpf_cgroup_read_xattr, KF_RCU) +BTF_KFUNCS_END(bpf_fs_kfunc_set_ids) + +static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id) +{ + if (!btf_id_set8_contains(&bpf_fs_kfunc_set_ids, kfunc_id)) + return 0; + switch (prog->type) { + case BPF_PROG_TYPE_LSM: + case BPF_PROG_TYPE_STRUCT_OPS: + case BPF_PROG_TYPE_CGROUP_SKB: + case BPF_PROG_TYPE_CGROUP_SOCK: + case BPF_PROG_TYPE_CGROUP_DEVICE: + case BPF_PROG_TYPE_CGROUP_SOCK_ADDR: + case BPF_PROG_TYPE_CGROUP_SYSCTL: + case BPF_PROG_TYPE_CGROUP_SOCKOPT: + return 0; + default: + break; + } + return -EACCES; +} + static const struct btf_kfunc_id_set bpf_fs_kfunc_set =3D { .owner =3D THIS_MODULE, .set =3D &bpf_fs_kfunc_set_ids, 
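Review bot: The access policy for `bpf_cgroup_read_xattr` now lives in three places that nothing ties together: its entry in `bpf_lsm_fs_kfunc_set_ids`, its second entry in the new `bpf_fs_kfunc_set_ids`, and the switch in `bpf_fs_kfuncs_filter`, which repeats by hand the program types that `bpf_fs_kfuncs_init` registers. A type that is registered but missing from the switch falls through to `-EACCES`, so that drift fails closed. A flag changed on only one of the two `BTF_ID_FLAGS` lines, however, could give the same kfunc different verifier treatment depending on program type. I would extend the comment above the new set, e.g. `/* Keep the KF_* flags identical to the entry in bpf_lsm_fs_kfunc_set_ids, and the switch below in sync with bpf_fs_kfuncs_init(). */`. The switch also accepts `BPF_PROG_TYPE_LSM` although, going by the init hunk, this set is not registered for LSM; if that case is only defensive, a one-line comment should say so.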
@@ -415,7 +449,16 @@ static const struct btf_kfunc_id_set bpf_fs_kfunc_set = =3D { =20 static int __init bpf_fs_kfuncs_init(void) { - return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_fs_kfunc_set); + int ret; + + ret =3D register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, &bpf_lsm_fs_kfunc_se= t); + ret =3D ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_STRUCT_OPS, &bpf_f= s_kfunc_set); + ret =3D ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_CGROUP_SKB, &bpf_f= s_kfunc_set); + ret =3D ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_CGROUP_SOCK, &bpf_= fs_kfunc_set); + ret =3D ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_CGROUP_DEVICE, &bp= f_fs_kfunc_set); + ret =3D ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_CGROUP_SOCK_ADDR, = &bpf_fs_kfunc_set); + ret =3D ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_CGROUP_SYSCTL, &bp= f_fs_kfunc_set); + return ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_CGROUP_SOCKOPT, &bp= f_fs_kfunc_set); } =20 late_initcall(bpf_fs_kfuncs_init); diff --git a/tools/testing/selftests/bpf/progs/cgroup_read_xattr.c b/tools/= testing/selftests/bpf/progs/cgroup_read_xattr.c index b50ccb3aebcf..0995fb2ac9ff 100644 --- a/tools/testing/selftests/bpf/progs/cgroup_read_xattr.c +++ b/tools/testing/selftests/bpf/progs/cgroup_read_xattr.c @@ -134,3 +134,25 @@ int BPF_PROG(use_bpf_cgroup_ancestor) bpf_cgroup_release(cgrp); return 0; } + +SEC("cgroup/sendmsg4") +__success +int BPF_PROG(cgroup_skb) +{ + u64 cgrp_id =3D bpf_get_current_cgroup_id(); + struct cgroup *cgrp, *ancestor; + + cgrp =3D bpf_cgroup_from_id(cgrp_id); + if (!cgrp) + return 0; + + ancestor =3D bpf_cgroup_ancestor(cgrp, 1); + if (!ancestor) + goto out; + + read_xattr(cgrp); + bpf_cgroup_release(ancestor); +out: + bpf_cgroup_release(cgrp); + return 0; +} --=20 2.47.1
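Review bot: The selftest hunk covers only one of the program types this patch enables, and nothing exercises the rejecting side of `bpf_fs_kfuncs_filter`. A second program of a type outside the filter's list, annotated `__failure`, would pin the `-EACCES` path so that a later widening of the allow-list shows up as a test change. The function is named `cgroup_skb` while its section is `cgroup/sendmsg4`; a name such as `cgroup_sendmsg4` would match what is actually loaded. `ancestor` is acquired and released but never read, because the call is `read_xattr(cgrp)`; either pass `ancestor` or drop the lookup. `read_xattr` is defined outside this hunk.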