summaryrefslogtreecommitdiff
path: root/include/linux/device_cgroup.h
diff options
context:
space:
mode:
authorRoman Gushchin <guro@fb.com>2017-11-05 08:15:32 -0500
committerDavid S. Miller <davem@davemloft.net>2017-11-05 23:26:51 +0900
commitebc614f687369f9df99828572b1d85a7c2de3d92 (patch)
treebfcaecb3636c2ef3fd31da33138fe72db50663f2 /include/linux/device_cgroup.h
parentecf8fecb7828648cba0e42de7464a7e600c93459 (diff)
downloadlwn-ebc614f687369f9df99828572b1d85a7c2de3d92.tar.gz
lwn-ebc614f687369f9df99828572b1d85a7c2de3d92.zip
bpf, cgroup: implement eBPF-based device controller for cgroup v2
Cgroup v2 lacks the device controller, provided by cgroup v1. This patch adds a new eBPF program type, which in combination of previously added ability to attach multiple eBPF programs to a cgroup, will provide a similar functionality, but with some additional flexibility. This patch introduces a BPF_PROG_TYPE_CGROUP_DEVICE program type. A program takes major and minor device numbers, device type (block/character) and access type (mknod/read/write) as parameters and returns an integer which defines if the operation should be allowed or terminated with -EPERM. Signed-off-by: Roman Gushchin <guro@fb.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Tejun Heo <tj@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux/device_cgroup.h')
-rw-r--r--include/linux/device_cgroup.h8
1 files changed, 7 insertions, 1 deletions
diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
index 2d93d7ecd479..8557efe096dc 100644
--- a/include/linux/device_cgroup.h
+++ b/include/linux/device_cgroup.h
@@ -1,5 +1,6 @@
/* SPDX-License-Identifier: GPL-2.0 */
#include <linux/fs.h>
+#include <linux/bpf-cgroup.h>
#define DEVCG_ACC_MKNOD 1
#define DEVCG_ACC_READ 2
@@ -19,10 +20,15 @@ static inline int __devcgroup_check_permission(short type, u32 major, u32 minor,
{ return 0; }
#endif
-#ifdef CONFIG_CGROUP_DEVICE
+#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
short access)
{
+ int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
+
+ if (rc)
+ return -EPERM;
+
return __devcgroup_check_permission(type, major, minor, access);
}