• Martin KaFai Lau's avatar
    cgroup: bpf: Add bpf_skb_in_cgroup_proto · 4a482f34
    Martin KaFai Lau authored
    Adds a bpf helper, bpf_skb_in_cgroup, to decide if a skb->sk
    belongs to a descendant of a cgroup2.  It is similar to the
    feature added in netfilter:
    commit c38c4597 ("netfilter: implement xt_cgroup cgroup2 path match")
    
    The user is expected to populate a BPF_MAP_TYPE_CGROUP_ARRAY
    which will be used by the bpf_skb_in_cgroup.
    
    Modifications to the bpf verifier is to ensure BPF_MAP_TYPE_CGROUP_ARRAY
    and bpf_skb_in_cgroup() are always used together.
    Signed-off-by: default avatarMartin KaFai Lau <kafai@fb.com>
    Cc: Alexei Starovoitov <ast@fb.com>
    Cc: Daniel Borkmann <daniel@iogearbox.net>
    Cc: Tejun Heo <tj@kernel.org>
    Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    4a482f34
verifier.c 76.7 KB