bpf/progs/dev_cgroup.c

0001 /* Copyright (c) 2017 Facebook
0002  *
0003  * This program is free software; you can redistribute it and/or
0004  * modify it under the terms of version 2 of the GNU General Public
0005  * License as published by the Free Software Foundation.
0006  */
0007
0008 #include <linux/bpf.h>
0009 #include <linux/version.h>
0010 #include <bpf/bpf_helpers.h>
0011
0012 SEC("cgroup/dev")
0013 int bpf_prog1(struct bpf_cgroup_dev_ctx *ctx)
0014 {
0015     short type = ctx->access_type & 0xFFFF;
0016 #ifdef DEBUG
0017     short access = ctx->access_type >> 16;
0018     char fmt[] = "  %d:%d    \n";
0019
0020     switch (type) {
0021     case BPF_DEVCG_DEV_BLOCK:
0022         fmt[0] = 'b';
0023         break;
0024     case BPF_DEVCG_DEV_CHAR:
0025         fmt[0] = 'c';
0026         break;
0027     default:
0028         fmt[0] = '?';
0029         break;
0030     }
0031
0032     if (access & BPF_DEVCG_ACC_READ)
0033         fmt[8] = 'r';
0034
0035     if (access & BPF_DEVCG_ACC_WRITE)
0036         fmt[9] = 'w';
0037
0038     if (access & BPF_DEVCG_ACC_MKNOD)
0039         fmt[10] = 'm';
0040
0041     bpf_trace_printk(fmt, sizeof(fmt), ctx->major, ctx->minor);
0042 #endif
0043
0044     /* Allow access to /dev/zero and /dev/random.
0045      * Forbid everything else.
0046      */
0047     if (ctx->major != 1 || type != BPF_DEVCG_DEV_CHAR)
0048         return 0;
0049
0050     switch (ctx->minor) {
0051     case 5: /* 1:5 /dev/zero */
0052     case 9: /* 1:9 /dev/urandom */
0053         return 1;
0054     }
0055
0056     return 0;
0057 }
0058
0059 char _license[] SEC("license") = "GPL";