• Daniel Mack's avatar
    cgroup: add support for eBPF programs · 30070984
    Daniel Mack authored
    This patch adds two sets of eBPF program pointers to struct cgroup.
    One for such that are directly pinned to a cgroup, and one for such
    that are effective for it.
    
    To illustrate the logic behind that, assume the following example
    cgroup hierarchy.
    
      A - B - C
            \ D - E
    
    If only B has a program attached, it will be effective for B, C, D
    and E. If D then attaches a program itself, that will be effective for
    both D and E, and the program in B will only affect B and C. Only one
    program of a given type is effective for a cgroup.
    
    Attaching and detaching programs will be done through the bpf(2)
    syscall. For now, ingress and egress inet socket filtering are the
    only supported use-cases.
    Signed-off-by: default avatarDaniel Mack <daniel@zonque.org>
    Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    30070984
Kconfig 67.5 KB