Skip to content

Commit 5bf7a60

Browse files
yonghong-songborkmann
yonghong-song
authored and
borkmann
committed
bpf: permit CGROUP_DEVICE programs accessing helper bpf_get_current_cgroup_id()
Currently, helper bpf_get_current_cgroup_id() is not permitted for CGROUP_DEVICE type of programs. If the helper is used in such cases, the verifier will log the following error: 0: (bf) r6 = r1 1: (69) r7 = *(u16 *)(r6 +0) 2: (85) call bpf_get_current_cgroup_id#80 unknown func bpf_get_current_cgroup_id#80 The bpf_get_current_cgroup_id() is useful for CGROUP_DEVICE type of programs in order to customize action based on cgroup id. This patch added such a support. Cc: Roman Gushchin <guro@fb.com> Signed-off-by: Yonghong Song <yhs@fb.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Roman Gushchin <guro@fb.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
1 parent 78e6e5c commit 5bf7a60

File tree

1 file changed

+2
-0
lines changed

1 file changed

+2
-0
lines changed

kernel/bpf/cgroup.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -677,6 +677,8 @@ cgroup_dev_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
677677
return &bpf_get_current_uid_gid_proto;
678678
case BPF_FUNC_get_local_storage:
679679
return &bpf_get_local_storage_proto;
680+
case BPF_FUNC_get_current_cgroup_id:
681+
return &bpf_get_current_cgroup_id_proto;
680682
case BPF_FUNC_trace_printk:
681683
if (capable(CAP_SYS_ADMIN))
682684
return bpf_get_trace_printk_proto();

0 commit comments

Comments
 (0)