git.baikalelectronics.ru Git - kernel.git/commit

author	Andrey Ignatov <rdna@fb.com>
	Thu, 14 May 2020 20:03:47 +0000 (13:03 -0700)
committer	Alexei Starovoitov <ast@kernel.org>
	Fri, 15 May 2020 01:41:07 +0000 (18:41 -0700)
commit	9488e07c811b8fe1efd2820681dbc8a5f528a714
tree	dce575da97bf84e2fc907274202d228f8aa1a6c6	tree \| snapshot
parent	d9c5998df42425130f9e8d6a7160c232746c76b0	commit \| diff

bpf: Introduce bpf_sk_{, ancestor_}cgroup_id helpers

With having ability to lookup sockets in cgroup skb programs it becomes
useful to access cgroup id of retrieved sockets so that policies can be
implemented based on origin cgroup of such socket.

For example, a container running in a cgroup can have cgroup skb ingress
program that can lookup peer socket that is sending packets to a process
inside the container and decide whether those packets should be allowed
or denied based on cgroup id of the peer.

More specifically such ingress program can implement intra-host policy
"allow incoming packets only from this same container and not from any
other container on same host" w/o relying on source IP addresses since
quite often it can be the case that containers share same IP address on
the host.

Introduce two new helpers for this use-case: bpf_sk_cgroup_id() and
bpf_sk_ancestor_cgroup_id().

These helpers are similar to existing bpf_skb_{,ancestor_}cgroup_id
helpers with the only difference that sk is used to get cgroup id
instead of skb, and share code with them.

See documentation in UAPI for more details.

Signed-off-by: Andrey Ignatov <rdna@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/f5884981249ce911f63e9b57ecd5d7d19154ff39.1589486450.git.rdna@fb.com

include/uapi/linux/bpf.h		diff \| blob \| history
net/core/filter.c		diff \| blob \| history
tools/include/uapi/linux/bpf.h		diff \| blob \| history