/* eBPF example program:
 *
 * - Loads an eBPF program
 *
 * The eBPF program sets the sk_bound_dev_if index in new AF_INET{6}
 * sockets opened by processes in the cgroup.
 *
 * - Attaches the new program to a cgroup using BPF_PROG_ATTACH
 */
10*4882a593Smuzhiyun
#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <linux/bpf.h>
#include <bpf/bpf.h>

#include "bpf_insn.h"
27*4882a593Smuzhiyun
/*
 * Verifier log buffer handed to bpf_load_program() in prog_load(); main()
 * dumps it to stdout when the program fails to load.
 */
char bpf_log_buf[BPF_LOG_BUF_SIZE];
29*4882a593Smuzhiyun
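/* Append @size bytes of instructions at @dst; returns the advanced cursor. */
static unsigned char *append_insns(unsigned char *dst,
				   const struct bpf_insn *insns, size_t size)
{
	memcpy(dst, insns, size);
	return dst + size;
}

/*
 * Assemble and load the BPF_PROG_TYPE_CGROUP_SOCK program.
 *
 * The program is built from fixed fragments: a prologue that saves the
 * context pointer in r6, one optional fragment per non-zero argument that
 * stores into the matching struct bpf_sock field, and an epilogue that
 * returns verdict 1.
 *
 * @idx:  ifindex written to bound_dev_if; 0 leaves the field alone.
 * @mark: mark written for uid-0 processes; any other uid gets its own uid
 *        as the mark.  0 leaves the field alone.
 * @prio: priority written to the socket; 0 leaves the field alone.
 *
 * Returns the program fd (>= 0), or a negative value on failure: -1 with
 * errno set when the instruction buffer cannot be allocated, otherwise
 * the return value of bpf_load_program() (verifier output is left in
 * bpf_log_buf for the caller to print).
 */
static int prog_load(__u32 idx, __u32 mark, __u32 prio)
{
	/* r1 = ctx on entry; keep a copy in r6 since helper calls clobber r1 */
	struct bpf_insn prog_start[] = {
		BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
	};
	struct bpf_insn prog_end[] = {
		BPF_MOV64_IMM(BPF_REG_0, 1),	/* r0 = verdict (1 = allow the socket) */
		BPF_EXIT_INSN(),
	};

	/*
	 * Set sk_bound_dev_if.  This fragment always directly follows
	 * prog_start, so r1 still holds the context and is not reloaded.
	 */
	struct bpf_insn prog_dev[] = {
		BPF_MOV64_IMM(BPF_REG_3, idx),
		BPF_MOV64_IMM(BPF_REG_2, offsetof(struct bpf_sock, bound_dev_if)),
		BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
			    offsetof(struct bpf_sock, bound_dev_if)),
	};

	/* set mark on socket */
	struct bpf_insn prog_mark[] = {
		/* r0 = uid: low 32 bits of get_current_uid_gid() */
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_current_uid_gid),
		BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffffffff),

		/* uid 0 -> use the configured mark, otherwise mark = uid */
		BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
		BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
		BPF_MOV64_IMM(BPF_REG_3, mark),

		/* reload ctx from r6 (the helper call clobbered r1), then store */
		BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		BPF_MOV64_IMM(BPF_REG_2, offsetof(struct bpf_sock, mark)),
		BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
			    offsetof(struct bpf_sock, mark)),
	};

	/* set priority on socket */
	struct bpf_insn prog_prio[] = {
		BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		BPF_MOV64_IMM(BPF_REG_3, prio),
		BPF_MOV64_IMM(BPF_REG_2, offsetof(struct bpf_sock, priority)),
		BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
			    offsetof(struct bpf_sock, priority)),
	};

	/* total size in bytes; converted to an instruction count at load time */
	size_t nbytes = sizeof(prog_start) + sizeof(prog_end);
	struct bpf_insn *prog;
	unsigned char *p;
	int ret;

	if (idx)
		nbytes += sizeof(prog_dev);
	if (mark)
		nbytes += sizeof(prog_mark);
	if (prio)
		nbytes += sizeof(prog_prio);

	prog = malloc(nbytes);
	if (!prog) {
		fprintf(stderr, "Failed to allocate memory for instructions\n");
		/* -1, not EXIT_FAILURE: the caller treats any value >= 0 as a prog fd */
		return -1;
	}

	p = append_insns((unsigned char *)prog, prog_start, sizeof(prog_start));
	if (idx)
		p = append_insns(p, prog_dev, sizeof(prog_dev));
	if (mark)
		p = append_insns(p, prog_mark, sizeof(prog_mark));
	if (prio)
		p = append_insns(p, prog_prio, sizeof(prog_prio));
	append_insns(p, prog_end, sizeof(prog_end));

	ret = bpf_load_program(BPF_PROG_TYPE_CGROUP_SOCK, prog,
			       nbytes / sizeof(struct bpf_insn),
			       "GPL", 0, bpf_log_buf, BPF_LOG_BUF_SIZE);

	free(prog);

	return ret;
}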
125*4882a593Smuzhiyun
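/*
 * Read SO_BINDTODEVICE of @sd into @name, a buffer of @len bytes.
 *
 * @name is always left NUL-terminated: it is pre-cleared so an unbound
 * socket (for which the option writes nothing) reads as "", and the last
 * byte is forced to NUL after the call.
 *
 * Returns the getsockopt() result: 0 on success, -1 with errno set on
 * failure (the error is also reported with perror()).  A zero-length
 * buffer is rejected with -1/EINVAL without touching @name.
 */
static int get_bind_to_device(int sd, char *name, size_t len)
{
	socklen_t optlen = (socklen_t)len;
	int rc;

	if (len == 0) {
		errno = EINVAL;
		return -1;
	}

	name[0] = '\0';
	rc = getsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, name, &optlen);
	if (rc < 0)
		perror("getsockopt(SO_BINDTODEVICE)");

	/* defensive: never hand back an unterminated device name */
	name[len - 1] = '\0';

	return rc;
}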
138*4882a593Smuzhiyun
/*
 * Return SO_MARK of socket @sd.  On a getsockopt() failure the error is
 * reported with perror() and 0 is returned.
 */
static unsigned int get_somark(int sd)
{
	unsigned int value = 0;
	socklen_t size = sizeof(value);

	if (getsockopt(sd, SOL_SOCKET, SO_MARK, &value, &size) < 0)
		perror("getsockopt(SO_MARK)");

	return value;
}
151*4882a593Smuzhiyun
/*
 * Return SO_PRIORITY of socket @sd.  On a getsockopt() failure the error
 * is reported with perror() and the (still zero) value is returned.
 */
static unsigned int get_priority(int sd)
{
	unsigned int value = 0;
	socklen_t size = sizeof(value);
	int status = getsockopt(sd, SOL_SOCKET, SO_PRIORITY, &value, &size);

	if (status < 0)
		perror("getsockopt(SO_PRIORITY)");

	return value;
}
164*4882a593Smuzhiyun
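/*
 * Open a UDP socket of @family, print the device, mark and priority it
 * inherited at creation (i.e. what an attached cgroup program set), and
 * close it again.
 *
 * Returns 0 on success, 1 on error (reported with perror()).  The socket
 * is closed on every path.
 */
static int show_sockopts(int family)
{
	char name[IF_NAMESIZE];
	unsigned int mark, prio;
	int sd, ret = 1;

	sd = socket(family, SOCK_DGRAM, IPPROTO_UDP);
	if (sd < 0) {
		perror("socket");
		return 1;
	}

	if (get_bind_to_device(sd, name, sizeof(name)) < 0)
		goto out;

	mark = get_somark(sd);
	prio = get_priority(sd);

	printf("sd %d: dev %s, mark %u, priority %u\n", sd, name, mark, prio);
	ret = 0;
out:
	close(sd);
	return ret;
}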
189*4882a593Smuzhiyun
/*
 * Print the command-line summary for program name @argv0 and return
 * EXIT_FAILURE, so callers can simply `return usage(argv[0]);`.
 */
static int usage(const char *argv0)
{
	fputs("Usage:\n", stdout);
	fputs(" Attach a program\n", stdout);
	printf(" %s -b bind-to-dev -m mark -p prio cg-path\n", argv0);
	fputs("\n", stdout);
	fputs(" Detach a program\n", stdout);
	printf(" %s -d cg-path\n", argv0);
	fputs("\n", stdout);
	fputs(" Show inherited socket settings (mark, priority, and device)\n", stdout);
	printf(" %s [-6]\n", argv0);

	return EXIT_FAILURE;
}
203*4882a593Smuzhiyun
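/*
 * Parse @s as an unsigned 32-bit integer (base auto-detected, as for
 * strtoumax(): "0x..." hex, "0..." octal, else decimal).
 *
 * Returns 0 and stores the value in @out, or -1 if @s is empty, has
 * trailing characters, or does not fit in 32 bits (a leading '-' wraps
 * in strtoumax() and is therefore rejected by the range check).
 */
static int parse_u32(const char *s, __u32 *out)
{
	char *end;
	uintmax_t v;

	errno = 0;
	v = strtoumax(s, &end, 0);
	if (end == s || *end != '\0' || errno == ERANGE || v > UINT32_MAX)
		return -1;

	*out = (__u32)v;
	return 0;
}

/*
 * Entry point.  Three modes, selected by the options (see usage()):
 *  - no cgroup path: open a socket and show the settings it inherited;
 *  - cgroup path with -b/-m/-p: load the program and attach it to the cgroup;
 *  - cgroup path with -d: detach the program from the cgroup.
 *
 * Returns EXIT_SUCCESS/EXIT_FAILURE; every opened descriptor is closed
 * before returning from the attach/detach paths.
 */
int main(int argc, char **argv)
{
	__u32 idx = 0, mark = 0, prio = 0;
	const char *cgrp_path = NULL;
	int cg_fd = -1, prog_fd = -1;
	int family = PF_INET;
	int do_attach = 1;
	int rc, ret = EXIT_FAILURE;

	while ((rc = getopt(argc, argv, "db:m:p:6")) != -1) {
		switch (rc) {
		case 'd':
			do_attach = 0;
			break;
		case 'b':
			/* accept an interface name, else a non-zero numeric ifindex */
			idx = if_nametoindex(optarg);
			if (!idx && (parse_u32(optarg, &idx) < 0 || !idx)) {
				printf("Invalid device name\n");
				return EXIT_FAILURE;
			}
			break;
		case 'm':
			/* reject garbage instead of silently treating it as 0 (= unset) */
			if (parse_u32(optarg, &mark) < 0) {
				fprintf(stderr, "Invalid mark: '%s'\n", optarg);
				return EXIT_FAILURE;
			}
			break;
		case 'p':
			if (parse_u32(optarg, &prio) < 0) {
				fprintf(stderr, "Invalid priority: '%s'\n", optarg);
				return EXIT_FAILURE;
			}
			break;
		case '6':
			family = PF_INET6;
			break;
		default:
			return usage(argv[0]);
		}
	}

	/* no positional argument: just report what a new socket inherits */
	if (optind == argc)
		return show_sockopts(family);

	cgrp_path = argv[optind];

	if (do_attach && !idx && !mark && !prio) {
		fprintf(stderr,
			"One of device, mark or priority must be given\n");
		return EXIT_FAILURE;
	}

	cg_fd = open(cgrp_path, O_DIRECTORY | O_RDONLY);
	if (cg_fd < 0) {
		printf("Failed to open cgroup path: '%s'\n", strerror(errno));
		return EXIT_FAILURE;
	}

	if (do_attach) {
		prog_fd = prog_load(idx, mark, prio);
		if (prog_fd < 0) {
			printf("Failed to load prog: '%s'\n", strerror(errno));
			printf("Output from kernel verifier:\n%s\n-------\n",
			       bpf_log_buf);
			goto out;
		}

		if (bpf_prog_attach(prog_fd, cg_fd,
				    BPF_CGROUP_INET_SOCK_CREATE, 0) < 0) {
			printf("Failed to attach prog to cgroup: '%s'\n",
			       strerror(errno));
			goto out;
		}
	} else {
		if (bpf_prog_detach(cg_fd, BPF_CGROUP_INET_SOCK_CREATE) < 0) {
			printf("Failed to detach prog from cgroup: '%s'\n",
			       strerror(errno));
			goto out;
		}
	}

	ret = EXIT_SUCCESS;
out:
	/* BPF_PROG_ATTACH holds its own reference to the program; our fd can go */
	if (prog_fd >= 0)
		close(prog_fd);
	close(cg_fd);
	return ret;
}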