| .. SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) |
| |
| =========================== |
| BPF_PROG_TYPE_CGROUP_SYSCTL |
| =========================== |
| |
| This document describes ``BPF_PROG_TYPE_CGROUP_SYSCTL`` program type that |
| provides cgroup-bpf hook for sysctl. |
| |
| The hook has to be attached to a cgroup and will be called every time a |
| process inside that cgroup tries to read from or write to sysctl knob in proc. |
| |
| 1. Attach type |
| ************** |
| |
| ``BPF_CGROUP_SYSCTL`` attach type has to be used to attach |
| ``BPF_PROG_TYPE_CGROUP_SYSCTL`` program to a cgroup. |
| |
| 2. Context |
| ********** |
| |
| ``BPF_PROG_TYPE_CGROUP_SYSCTL`` provides access to the following context from |
| BPF program:: |
| |
| struct bpf_sysctl { |
| __u32 write; |
| __u32 file_pos; |
| }; |
| |
| * ``write`` indicates whether sysctl value is being read (``0``) or written |
| (``1``). This field is read-only. |
| |
| * ``file_pos`` indicates file position sysctl is being accessed at, read |
| or written. This field is read-write. Writing to the field sets the starting |
| position in sysctl proc file ``read(2)`` will be reading from or ``write(2)`` |
| will be writing to. Writing zero to the field can be used e.g. to override |
| whole sysctl value by ``bpf_sysctl_set_new_value()`` on ``write(2)`` even |
| when it's called by user space on ``file_pos > 0``. Writing non-zero |
| value to the field can be used to access part of sysctl value starting from |
| specified ``file_pos``. Not all sysctl support access with ``file_pos != |
| 0``, e.g. writes to numeric sysctl entries must always be at file position |
| ``0``. See also ``kernel.sysctl_writes_strict`` sysctl. |
| |
| See `linux/bpf.h`_ for more details on how context field can be accessed. |
| |
| 3. Return code |
| ************** |
| |
| ``BPF_PROG_TYPE_CGROUP_SYSCTL`` program must return one of the following |
| return codes: |
| |
| * ``0`` means "reject access to sysctl"; |
| * ``1`` means "proceed with access". |
| |
| If program returns ``0`` user space will get ``-1`` from ``read(2)`` or |
| ``write(2)`` and ``errno`` will be set to ``EPERM``. |
| |
| 4. Helpers |
| ********** |
| |
| Since sysctl knob is represented by a name and a value, sysctl specific BPF |
| helpers focus on providing access to these properties: |
| |
| * ``bpf_sysctl_get_name()`` to get sysctl name as it is visible in |
| ``/proc/sys`` into provided by BPF program buffer; |
| |
| * ``bpf_sysctl_get_current_value()`` to get string value currently held by |
| sysctl into provided by BPF program buffer. This helper is available on both |
| ``read(2)`` from and ``write(2)`` to sysctl; |
| |
| * ``bpf_sysctl_get_new_value()`` to get new string value currently being |
| written to sysctl before actual write happens. This helper can be used only |
| on ``ctx->write == 1``; |
| |
| * ``bpf_sysctl_set_new_value()`` to override new string value currently being |
| written to sysctl before actual write happens. Sysctl value will be |
| overridden starting from the current ``ctx->file_pos``. If the whole value |
| has to be overridden BPF program can set ``file_pos`` to zero before calling |
| to the helper. This helper can be used only on ``ctx->write == 1``. New |
| string value set by the helper is treated and verified by kernel same way as |
| an equivalent string passed by user space. |
| |
| BPF program sees sysctl value same way as user space does in proc filesystem, |
| i.e. as a string. Since many sysctl values represent an integer or a vector |
| of integers, the following helpers can be used to get numeric value from the |
| string: |
| |
| * ``bpf_strtol()`` to convert initial part of the string to long integer |
| similar to user space `strtol(3)`_; |
| * ``bpf_strtoul()`` to convert initial part of the string to unsigned long |
| integer similar to user space `strtoul(3)`_; |
| |
| See `linux/bpf.h`_ for more details on helpers described here. |
| |
| 5. Examples |
| *********** |
| |
| See `test_sysctl_prog.c`_ for an example of BPF program in C that access |
| sysctl name and value, parses string value to get vector of integers and uses |
| the result to make decision whether to allow or deny access to sysctl. |
| |
| 6. Notes |
| ******** |
| |
| ``BPF_PROG_TYPE_CGROUP_SYSCTL`` is intended to be used in **trusted** root |
| environment, for example to monitor sysctl usage or catch unreasonable values |
| an application, running as root in a separate cgroup, is trying to set. |
| |
| Since `task_dfl_cgroup(current)` is called at `sys_read` / `sys_write` time it |
| may return results different from that at `sys_open` time, i.e. process that |
| opened sysctl file in proc filesystem may differ from process that is trying |
| to read from / write to it and two such processes may run in different |
| cgroups, what means ``BPF_PROG_TYPE_CGROUP_SYSCTL`` should not be used as a |
| security mechanism to limit sysctl usage. |
| |
| As with any cgroup-bpf program additional care should be taken if an |
| application running as root in a cgroup should not be allowed to |
| detach/replace BPF program attached by administrator. |
| |
| .. Links |
| .. _linux/bpf.h: ../../include/uapi/linux/bpf.h |
| .. _strtol(3): http://man7.org/linux/man-pages/man3/strtol.3p.html |
| .. _strtoul(3): http://man7.org/linux/man-pages/man3/strtoul.3p.html |
| .. _test_sysctl_prog.c: |
| ../../tools/testing/selftests/bpf/progs/test_sysctl_prog.c |
