OpenCloudOS-Kernel/include/linux/bpf-cgroup-defs.h

/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _BPF_CGROUP_DEFS_H
#define _BPF_CGROUP_DEFS_H

#ifdef CONFIG_CGROUP_BPF

#include <linux/list.h>
#include <linux/percpu-refcount.h>
#include <linux/workqueue.h>

struct bpf_prog_array;

#ifdef CONFIG_BPF_LSM
/* Maximum number of concurrently attachable per-cgroup LSM hooks. */
#define CGROUP_LSM_NUM 10
#else
#define CGROUP_LSM_NUM 0
#endif

enum cgroup_bpf_attach_type {
	CGROUP_BPF_ATTACH_TYPE_INVALID = -1,
	CGROUP_INET_INGRESS = 0,
	CGROUP_INET_EGRESS,
	CGROUP_INET_SOCK_CREATE,
	CGROUP_SOCK_OPS,
	CGROUP_DEVICE,
	CGROUP_INET4_BIND,
	CGROUP_INET6_BIND,
	CGROUP_INET4_CONNECT,
	CGROUP_INET6_CONNECT,
	CGROUP_INET4_POST_BIND,
	CGROUP_INET6_POST_BIND,
	CGROUP_UDP4_SENDMSG,
	CGROUP_UDP6_SENDMSG,
	CGROUP_SYSCTL,
	CGROUP_UDP4_RECVMSG,
	CGROUP_UDP6_RECVMSG,
	CGROUP_GETSOCKOPT,
	CGROUP_SETSOCKOPT,
	CGROUP_INET4_GETPEERNAME,
	CGROUP_INET6_GETPEERNAME,
	CGROUP_INET4_GETSOCKNAME,
	CGROUP_INET6_GETSOCKNAME,
	CGROUP_INET_SOCK_RELEASE,
	CGROUP_LSM_START,
	CGROUP_LSM_END = CGROUP_LSM_START + CGROUP_LSM_NUM - 1,
	MAX_CGROUP_BPF_ATTACH_TYPE
};

struct cgroup_bpf {
	/* array of effective progs in this cgroup */
	struct bpf_prog_array __rcu *effective[MAX_CGROUP_BPF_ATTACH_TYPE];

	/* attached progs to this cgroup and attach flags
	 * when flags == 0 or BPF_F_ALLOW_OVERRIDE the progs list will
	 * have either zero or one element
	 * when BPF_F_ALLOW_MULTI the list can have up to BPF_CGROUP_MAX_PROGS
	 */
	struct hlist_head progs[MAX_CGROUP_BPF_ATTACH_TYPE];
	u8 flags[MAX_CGROUP_BPF_ATTACH_TYPE];

	/* list of cgroup shared storages */
	struct list_head storages;

	/* temp storage for effective prog array used by prog_attach/detach */
	struct bpf_prog_array *inactive;

	/* reference counter used to detach bpf programs after cgroup removal */
	struct percpu_ref refcnt;

	/* cgroup_bpf is released using a work queue */
	struct work_struct release_work;
};

#else /* CONFIG_CGROUP_BPF */
struct cgroup_bpf {};
#endif /* CONFIG_CGROUP_BPF */

#endif
bpf: Remove the cgroup -> bpf header dependecy Remove the dependency from cgroup-defs.h to bpf-cgroup.h and bpf.h. This reduces the incremental build size of x86 allmodconfig after bpf.h was touched from ~17k objects rebuilt to ~5k objects. bpf.h is 2.2kLoC and is modified relatively often. We need a new header with just the definition of struct cgroup_bpf and enum cgroup_bpf_attach_type, this is akin to cgroup-defs.h. Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Tejun Heo <tj@kernel.org> Link: https://lore.kernel.org/bpf/20211216025538.1649516-4-kuba@kernel.org 2021-12-16 10:55:38 +08:00			`/* SPDX-License-Identifier: GPL-2.0 */`
			`#ifndef _BPF_CGROUP_DEFS_H`
			`#define _BPF_CGROUP_DEFS_H`

			`#ifdef CONFIG_CGROUP_BPF`

			`#include <linux/list.h>`
			`#include <linux/percpu-refcount.h>`
			`#include <linux/workqueue.h>`

			`struct bpf_prog_array;`

bpf: per-cgroup lsm flavor Allow attaching to lsm hooks in the cgroup context. Attaching to per-cgroup LSM works exactly like attaching to other per-cgroup hooks. New BPF_LSM_CGROUP is added to trigger new mode; the actual lsm hook we attach to is signaled via existing attach_btf_id. For the hooks that have 'struct socket' or 'struct sock' as its first argument, we use the cgroup associated with that socket. For the rest, we use 'current' cgroup (this is all on default hierarchy == v2 only). Note that for some hooks that work on 'struct sock' we still take the cgroup from 'current' because some of them work on the socket that hasn't been properly initialized yet. Behind the scenes, we allocate a shim program that is attached to the trampoline and runs cgroup effective BPF programs array. This shim has some rudimentary ref counting and can be shared between several programs attaching to the same lsm hook from different cgroups. Note that this patch bloats cgroup size because we add 211 cgroup_bpf_attach_type(s) for simplicity sake. This will be addressed in the subsequent patch. Also note that we only add non-sleepable flavor for now. To enable sleepable use-cases, bpf_prog_run_array_cg has to grab trace rcu, shim programs have to be freed via trace rcu, cgroup_bpf.effective should be also trace-rcu-managed + maybe some other changes that I'm not aware of. Reviewed-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: Stanislav Fomichev <sdf@google.com> Link: https://lore.kernel.org/r/20220628174314.1216643-4-sdf@google.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2022-06-29 01:43:06 +08:00			`#ifdef CONFIG_BPF_LSM`
bpf: minimize number of allocated lsm slots per program Previous patch adds 1:1 mapping between all 211 LSM hooks and bpf_cgroup program array. Instead of reserving a slot per possible hook, reserve 10 slots per cgroup for lsm programs. Those slots are dynamically allocated on demand and reclaimed. struct cgroup_bpf { struct bpf_prog_array * effective[33]; /* 0 264 / / --- cacheline 4 boundary (256 bytes) was 8 bytes ago --- / struct hlist_head progs[33]; / 264 264 / / --- cacheline 8 boundary (512 bytes) was 16 bytes ago --- / u8 flags[33]; / 528 33 / / XXX 7 bytes hole, try to pack / struct list_head storages; / 568 16 / / --- cacheline 9 boundary (576 bytes) was 8 bytes ago --- / struct bpf_prog_array inactive; /* 584 8 / struct percpu_ref refcnt; / 592 16 / struct work_struct release_work; / 608 72 / / size: 680, cachelines: 11, members: 7 / / sum members: 673, holes: 1, sum holes: 7 / / last cacheline: 40 bytes */ }; Reviewed-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: Stanislav Fomichev <sdf@google.com> Link: https://lore.kernel.org/r/20220628174314.1216643-5-sdf@google.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2022-06-29 01:43:07 +08:00			`/* Maximum number of concurrently attachable per-cgroup LSM hooks. */`
			`#define CGROUP_LSM_NUM 10`
bpf: per-cgroup lsm flavor Allow attaching to lsm hooks in the cgroup context. Attaching to per-cgroup LSM works exactly like attaching to other per-cgroup hooks. New BPF_LSM_CGROUP is added to trigger new mode; the actual lsm hook we attach to is signaled via existing attach_btf_id. For the hooks that have 'struct socket' or 'struct sock' as its first argument, we use the cgroup associated with that socket. For the rest, we use 'current' cgroup (this is all on default hierarchy == v2 only). Note that for some hooks that work on 'struct sock' we still take the cgroup from 'current' because some of them work on the socket that hasn't been properly initialized yet. Behind the scenes, we allocate a shim program that is attached to the trampoline and runs cgroup effective BPF programs array. This shim has some rudimentary ref counting and can be shared between several programs attaching to the same lsm hook from different cgroups. Note that this patch bloats cgroup size because we add 211 cgroup_bpf_attach_type(s) for simplicity sake. This will be addressed in the subsequent patch. Also note that we only add non-sleepable flavor for now. To enable sleepable use-cases, bpf_prog_run_array_cg has to grab trace rcu, shim programs have to be freed via trace rcu, cgroup_bpf.effective should be also trace-rcu-managed + maybe some other changes that I'm not aware of. Reviewed-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: Stanislav Fomichev <sdf@google.com> Link: https://lore.kernel.org/r/20220628174314.1216643-4-sdf@google.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2022-06-29 01:43:06 +08:00			`#else`
			`#define CGROUP_LSM_NUM 0`
			`#endif`

bpf: Remove the cgroup -> bpf header dependecy Remove the dependency from cgroup-defs.h to bpf-cgroup.h and bpf.h. This reduces the incremental build size of x86 allmodconfig after bpf.h was touched from ~17k objects rebuilt to ~5k objects. bpf.h is 2.2kLoC and is modified relatively often. We need a new header with just the definition of struct cgroup_bpf and enum cgroup_bpf_attach_type, this is akin to cgroup-defs.h. Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Tejun Heo <tj@kernel.org> Link: https://lore.kernel.org/bpf/20211216025538.1649516-4-kuba@kernel.org 2021-12-16 10:55:38 +08:00			`enum cgroup_bpf_attach_type {`
			`CGROUP_BPF_ATTACH_TYPE_INVALID = -1,`
			`CGROUP_INET_INGRESS = 0,`
			`CGROUP_INET_EGRESS,`
			`CGROUP_INET_SOCK_CREATE,`
			`CGROUP_SOCK_OPS,`
			`CGROUP_DEVICE,`
			`CGROUP_INET4_BIND,`
			`CGROUP_INET6_BIND,`
			`CGROUP_INET4_CONNECT,`
			`CGROUP_INET6_CONNECT,`
			`CGROUP_INET4_POST_BIND,`
			`CGROUP_INET6_POST_BIND,`
			`CGROUP_UDP4_SENDMSG,`
			`CGROUP_UDP6_SENDMSG,`
			`CGROUP_SYSCTL,`
			`CGROUP_UDP4_RECVMSG,`
			`CGROUP_UDP6_RECVMSG,`
			`CGROUP_GETSOCKOPT,`
			`CGROUP_SETSOCKOPT,`
			`CGROUP_INET4_GETPEERNAME,`
			`CGROUP_INET6_GETPEERNAME,`
			`CGROUP_INET4_GETSOCKNAME,`
			`CGROUP_INET6_GETSOCKNAME,`
			`CGROUP_INET_SOCK_RELEASE,`
bpf: per-cgroup lsm flavor Allow attaching to lsm hooks in the cgroup context. Attaching to per-cgroup LSM works exactly like attaching to other per-cgroup hooks. New BPF_LSM_CGROUP is added to trigger new mode; the actual lsm hook we attach to is signaled via existing attach_btf_id. For the hooks that have 'struct socket' or 'struct sock' as its first argument, we use the cgroup associated with that socket. For the rest, we use 'current' cgroup (this is all on default hierarchy == v2 only). Note that for some hooks that work on 'struct sock' we still take the cgroup from 'current' because some of them work on the socket that hasn't been properly initialized yet. Behind the scenes, we allocate a shim program that is attached to the trampoline and runs cgroup effective BPF programs array. This shim has some rudimentary ref counting and can be shared between several programs attaching to the same lsm hook from different cgroups. Note that this patch bloats cgroup size because we add 211 cgroup_bpf_attach_type(s) for simplicity sake. This will be addressed in the subsequent patch. Also note that we only add non-sleepable flavor for now. To enable sleepable use-cases, bpf_prog_run_array_cg has to grab trace rcu, shim programs have to be freed via trace rcu, cgroup_bpf.effective should be also trace-rcu-managed + maybe some other changes that I'm not aware of. Reviewed-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: Stanislav Fomichev <sdf@google.com> Link: https://lore.kernel.org/r/20220628174314.1216643-4-sdf@google.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2022-06-29 01:43:06 +08:00			`CGROUP_LSM_START,`
			`CGROUP_LSM_END = CGROUP_LSM_START + CGROUP_LSM_NUM - 1,`
bpf: Remove the cgroup -> bpf header dependecy Remove the dependency from cgroup-defs.h to bpf-cgroup.h and bpf.h. This reduces the incremental build size of x86 allmodconfig after bpf.h was touched from ~17k objects rebuilt to ~5k objects. bpf.h is 2.2kLoC and is modified relatively often. We need a new header with just the definition of struct cgroup_bpf and enum cgroup_bpf_attach_type, this is akin to cgroup-defs.h. Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Tejun Heo <tj@kernel.org> Link: https://lore.kernel.org/bpf/20211216025538.1649516-4-kuba@kernel.org 2021-12-16 10:55:38 +08:00			`MAX_CGROUP_BPF_ATTACH_TYPE`
			`};`

			`struct cgroup_bpf {`
			`/* array of effective progs in this cgroup */`
			`struct bpf_prog_array __rcu *effective[MAX_CGROUP_BPF_ATTACH_TYPE];`

			`/* attached progs to this cgroup and attach flags`
			`* when flags == 0 or BPF_F_ALLOW_OVERRIDE the progs list will`
			`* have either zero or one element`
			`* when BPF_F_ALLOW_MULTI the list can have up to BPF_CGROUP_MAX_PROGS`
			`*/`
bpf: convert cgroup_bpf.progs to hlist This lets us reclaim some space to be used by new cgroup lsm slots. Before: struct cgroup_bpf { struct bpf_prog_array * effective[23]; /* 0 184 / / --- cacheline 2 boundary (128 bytes) was 56 bytes ago --- / struct list_head progs[23]; / 184 368 / / --- cacheline 8 boundary (512 bytes) was 40 bytes ago --- / u32 flags[23]; / 552 92 / / XXX 4 bytes hole, try to pack / / --- cacheline 10 boundary (640 bytes) was 8 bytes ago --- / struct list_head storages; / 648 16 / struct bpf_prog_array inactive; /* 664 8 / struct percpu_ref refcnt; / 672 16 / struct work_struct release_work; / 688 32 / / size: 720, cachelines: 12, members: 7 / / sum members: 716, holes: 1, sum holes: 4 / / last cacheline: 16 bytes / }; After: struct cgroup_bpf { struct bpf_prog_array effective[23]; /* 0 184 / / --- cacheline 2 boundary (128 bytes) was 56 bytes ago --- / struct hlist_head progs[23]; / 184 184 / / --- cacheline 5 boundary (320 bytes) was 48 bytes ago --- / u8 flags[23]; / 368 23 / / XXX 1 byte hole, try to pack / / --- cacheline 6 boundary (384 bytes) was 8 bytes ago --- / struct list_head storages; / 392 16 / struct bpf_prog_array inactive; /* 408 8 / struct percpu_ref refcnt; / 416 16 / struct work_struct release_work; / 432 72 / / size: 504, cachelines: 8, members: 7 / / sum members: 503, holes: 1, sum holes: 1 / / last cacheline: 56 bytes */ }; Suggested-by: Jakub Sitnicki <jakub@cloudflare.com> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Reviewed-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: Stanislav Fomichev <sdf@google.com> Link: https://lore.kernel.org/r/20220628174314.1216643-3-sdf@google.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2022-06-29 01:43:05 +08:00			`struct hlist_head progs[MAX_CGROUP_BPF_ATTACH_TYPE];`
			`u8 flags[MAX_CGROUP_BPF_ATTACH_TYPE];`
bpf: Remove the cgroup -> bpf header dependecy Remove the dependency from cgroup-defs.h to bpf-cgroup.h and bpf.h. This reduces the incremental build size of x86 allmodconfig after bpf.h was touched from ~17k objects rebuilt to ~5k objects. bpf.h is 2.2kLoC and is modified relatively often. We need a new header with just the definition of struct cgroup_bpf and enum cgroup_bpf_attach_type, this is akin to cgroup-defs.h. Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Tejun Heo <tj@kernel.org> Link: https://lore.kernel.org/bpf/20211216025538.1649516-4-kuba@kernel.org 2021-12-16 10:55:38 +08:00
			`/* list of cgroup shared storages */`
			`struct list_head storages;`

			`/* temp storage for effective prog array used by prog_attach/detach */`
			`struct bpf_prog_array *inactive;`

			`/* reference counter used to detach bpf programs after cgroup removal */`
			`struct percpu_ref refcnt;`

			`/* cgroup_bpf is released using a work queue */`
			`struct work_struct release_work;`
			`};`

			`#else /* CONFIG_CGROUP_BPF */`
			`struct cgroup_bpf {};`
			`#endif /* CONFIG_CGROUP_BPF */`

			`#endif`