Commit 6acc5c29 authored by Chenbo Feng's avatar Chenbo Feng Committed by David S. Miller

Add a eBPF helper function to retrieve socket uid

Returns the owner uid of the socket inside a sk_buff. This is useful to
perform per-UID accounting of network traffic or per-UID packet
filtering. The socket need to be a fullsock otherwise overflowuid is
returned.
Signed-off-by: default avatarChenbo Feng <fengc@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 91b8270f
...@@ -465,6 +465,12 @@ union bpf_attr { ...@@ -465,6 +465,12 @@ union bpf_attr {
* @skb: pointer to skb * @skb: pointer to skb
* Return: 8 Bytes non-decreasing number on success or 0 if the socket * Return: 8 Bytes non-decreasing number on success or 0 if the socket
* field is missing inside sk_buff * field is missing inside sk_buff
*
* u32 bpf_get_socket_uid(skb)
* Get the owner uid of the socket stored inside sk_buff.
* @skb: pointer to skb
* Return: uid of the socket owner on success or 0 if the socket pointer
* inside sk_buff is NULL
*/ */
#define __BPF_FUNC_MAPPER(FN) \ #define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \ FN(unspec), \
...@@ -513,7 +519,8 @@ union bpf_attr { ...@@ -513,7 +519,8 @@ union bpf_attr {
FN(skb_change_head), \ FN(skb_change_head), \
FN(xdp_adjust_head), \ FN(xdp_adjust_head), \
FN(probe_read_str), \ FN(probe_read_str), \
FN(get_socket_cookie), FN(get_socket_cookie), \
FN(get_socket_uid),
/* integer value in 'imm' field of BPF_CALL instruction selects which helper /* integer value in 'imm' field of BPF_CALL instruction selects which helper
* function eBPF program intends to call * function eBPF program intends to call
......
...@@ -2619,6 +2619,24 @@ static const struct bpf_func_proto bpf_get_socket_cookie_proto = { ...@@ -2619,6 +2619,24 @@ static const struct bpf_func_proto bpf_get_socket_cookie_proto = {
.arg1_type = ARG_PTR_TO_CTX, .arg1_type = ARG_PTR_TO_CTX,
}; };
BPF_CALL_1(bpf_get_socket_uid, struct sk_buff *, skb)
{
struct sock *sk = sk_to_full_sk(skb->sk);
kuid_t kuid;
if (!sk || !sk_fullsock(sk))
return overflowuid;
kuid = sock_net_uid(sock_net(sk), sk);
return from_kuid_munged(sock_net(sk)->user_ns, kuid);
}
static const struct bpf_func_proto bpf_get_socket_uid_proto = {
.func = bpf_get_socket_uid,
.gpl_only = false,
.ret_type = RET_INTEGER,
.arg1_type = ARG_PTR_TO_CTX,
};
static const struct bpf_func_proto * static const struct bpf_func_proto *
bpf_base_func_proto(enum bpf_func_id func_id) bpf_base_func_proto(enum bpf_func_id func_id)
{ {
...@@ -2655,6 +2673,8 @@ sk_filter_func_proto(enum bpf_func_id func_id) ...@@ -2655,6 +2673,8 @@ sk_filter_func_proto(enum bpf_func_id func_id)
return &bpf_skb_load_bytes_proto; return &bpf_skb_load_bytes_proto;
case BPF_FUNC_get_socket_cookie: case BPF_FUNC_get_socket_cookie:
return &bpf_get_socket_cookie_proto; return &bpf_get_socket_cookie_proto;
case BPF_FUNC_get_socket_uid:
return &bpf_get_socket_uid_proto;
default: default:
return bpf_base_func_proto(func_id); return bpf_base_func_proto(func_id);
} }
...@@ -2716,6 +2736,8 @@ tc_cls_act_func_proto(enum bpf_func_id func_id) ...@@ -2716,6 +2736,8 @@ tc_cls_act_func_proto(enum bpf_func_id func_id)
return &bpf_skb_under_cgroup_proto; return &bpf_skb_under_cgroup_proto;
case BPF_FUNC_get_socket_cookie: case BPF_FUNC_get_socket_cookie:
return &bpf_get_socket_cookie_proto; return &bpf_get_socket_cookie_proto;
case BPF_FUNC_get_socket_uid:
return &bpf_get_socket_uid_proto;
default: default:
return bpf_base_func_proto(func_id); return bpf_base_func_proto(func_id);
} }
......
...@@ -507,7 +507,8 @@ union bpf_attr { ...@@ -507,7 +507,8 @@ union bpf_attr {
FN(skb_change_head), \ FN(skb_change_head), \
FN(xdp_adjust_head), \ FN(xdp_adjust_head), \
FN(probe_read_str), \ FN(probe_read_str), \
FN(get_socket_cookie), FN(get_socket_cookie), \
FN(get_socket_uid),
/* integer value in 'imm' field of BPF_CALL instruction selects which helper /* integer value in 'imm' field of BPF_CALL instruction selects which helper
* function eBPF program intends to call * function eBPF program intends to call
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment