cgroup: add support for eBPF programs
This patch adds two sets of eBPF program pointers to struct cgroup. One for such that are directly pinned to a cgroup, and one for such that are effective for it.

To illustrate the logic behind that, assume the following example cgroup hierarchy.

  A - B - C
        \ D - E

If only B has a program attached, it will be effective for B, C, D and E. If D then attaches a program itself, that will be effective for both D and E, and the program in B will only affect B and C. Only one program of a given type is effective for a cgroup.

Attaching and detaching programs will be done through the bpf(2) syscall. For now, ingress and egress inet socket filtering are the only supported use-cases.

Signed-off-by: Daniel Mack <daniel@zonque.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
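The inheritance rule described in the commit message, as a small user-space model added here for illustration. It is not code from this patch or from the kernel; `struct cg`, `attach()`, `effective_of()` and the integer program ids are hypothetical, and detach is assumed to fall back to the inherited program.

```c
#include <stdio.h>

/* Simplified user-space model of the rule in the commit message.
 * Not kernel code: struct cg, attach() and the integer ids are hypothetical. */
enum { INGRESS, EGRESS, NTYPES };

struct cg {
    const char *name;
    struct cg *parent;
    int pinned[NTYPES];    /* id attached directly to this cgroup, 0 = none */
    int effective[NTYPES]; /* id that actually runs for this cgroup, 0 = none */
};

/* Hierarchy from the commit message: A - B - C, with D under B and E under D.
 * Parents are listed before their children so one pass can propagate. */
static struct cg A = { .name = "A" }, B = { .name = "B", .parent = &A },
                 C = { .name = "C", .parent = &B }, D = { .name = "D", .parent = &B },
                 E = { .name = "E", .parent = &D };
static struct cg *all[] = { &A, &B, &C, &D, &E };

/* A cgroup's own pinned program wins; otherwise it inherits its parent's
 * effective program. Only one id per type is ever effective. */
static void recompute(int type)
{
    for (size_t i = 0; i < sizeof(all) / sizeof(all[0]); i++) {
        struct cg *c = all[i];
        int inherited = c->parent ? c->parent->effective[type] : 0;
        c->effective[type] = c->pinned[type] ? c->pinned[type] : inherited;
    }
}

/* id == 0 models a detach (assumed to fall back to the inherited program). */
void attach(struct cg *c, int type, int id)
{
    c->pinned[type] = id;
    recompute(type);
}

int effective_of(const struct cg *c, int type) { return c->effective[type]; }

int main(void)
{
    attach(&B, INGRESS, 1);   /* effective for B, C, D and E */
    attach(&D, INGRESS, 2);   /* D and E now run 2; B and C keep 1 */
    for (size_t i = 0; i < sizeof(all) / sizeof(all[0]); i++)
        printf("%s ingress=%d egress=%d\n", all[i]->name,
               effective_of(all[i], INGRESS), effective_of(all[i], EGRESS));
    return 0;
}
```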
committed by David S. Miller
parent 0e33661de4
commit 3007098494
12
init/Kconfig
@@ -1154,6 +1154,18 @@ config CGROUP_PERF
|
||||
|
||||
Say N if unsure.
|
||||
|
||||
config CGROUP_BPF
|
||||
bool "Support for eBPF programs attached to cgroups"
|
||||
depends on BPF_SYSCALL && SOCK_CGROUP_DATA
|
||||
help
|
||||
Allow attaching eBPF programs to a cgroup using the bpf(2)
|
||||
syscall command BPF_PROG_ATTACH.
|
||||
|
||||
In which context these programs are accessed depends on the type
|
||||
of attachment. For instance, programs that are attached using
|
||||
BPF_CGROUP_INET_INGRESS will be executed on the ingress path of
|
||||
inet sockets.
|
||||
|
||||
config CGROUP_DEBUG
|
||||
bool "Example controller"
|
||||
default n
|
||||
|
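Review bot: The help text of the new CGROUP_BPF entry names BPF_PROG_ATTACH and the ingress path but says nothing about the inheritance the commit message describes, namely that a program attached to one cgroup is also effective for descendant cgroups that have no program of their own. That is the property someone enabling this option most needs to know when deciding which cgroups a filter will cover, so a sentence on it in the help would be worthwhile. The help also gives only BPF_CGROUP_INET_INGRESS as an instance while the commit message says egress filtering is supported too; mentioning both would match. Finally, the CGROUP_PERF help just above ends with "Say N if unsure." and this entry has no such closing guidance; adding one would keep the entries consistent.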