1. 10 Nov, 2017 17 commits
  2. 08 Nov, 2017 15 commits
  3. 06 Nov, 2017 1 commit
  4. 05 Nov, 2017 7 commits
    • Merge branch 'eBPF-based-device-cgroup-controller' · 2798b80b
      David S. Miller authored
      Roman Gushchin says:
      
      ====================
      eBPF-based device cgroup controller
      
      This patchset introduces an eBPF-based device controller for cgroup v2.
      
      Patches (1) and (2) are preparatory work required to share some code
        with the existing device controller implementation.
      Patch (3) is the main patch, which introduces a new bpf prog type
        and all necessary infrastructure.
      Patch (4) moves cgroup_helpers.c/h to use them by patch (4).
      Patch (5) implements an example of an eBPF program which controls access
        to device files and a corresponding userspace test.
      
      v3:
        Renamed constants introduced by patch (3) to BPF_DEVCG_*
      
      v2:
        Added patch (1).
      
      v1:
        https://lkml.org/lkml/2017/11/1/363
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests/bpf: add a test for device cgroup controller · 37f1ba09
      Roman Gushchin authored
      Add a test for device cgroup controller.
      
      The test loads a simple bpf program which logs all
      device access attempts using trace_printk() and forbids
      all operations except operations with /dev/zero and
      /dev/urandom.
      
      Then the test creates and joins a test cgroup, and attaches
      the bpf program to it.
      
      Then it tries to perform some simple device operations
      and checks the result:
      
        create /dev/null (should fail)
        create /dev/zero (should pass)
        copy data from /dev/urandom to /dev/zero (should pass)
        copy data from /dev/urandom to /dev/full (should fail)
        copy data from /dev/random to /dev/zero (should fail)
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Acked-by: Tejun Heo <tj@kernel.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bpf: move cgroup_helpers from samples/bpf/ to tools/testing/selftesting/bpf/ · 9d1f1594
      Roman Gushchin authored
      The purpose of this move is to use these files in bpf tests.
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Acked-by: Tejun Heo <tj@kernel.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bpf, cgroup: implement eBPF-based device controller for cgroup v2 · ebc614f6
      Roman Gushchin authored
      Cgroup v2 lacks the device controller, provided by cgroup v1.
      This patch adds a new eBPF program type, which in combination
      with the previously added ability to attach multiple eBPF programs
      to a cgroup, will provide similar functionality, but with some
      additional flexibility.
      
      This patch introduces a BPF_PROG_TYPE_CGROUP_DEVICE program type.
      A program takes major and minor device numbers, device type
      (block/character) and access type (mknod/read/write) as parameters
      and returns an integer which defines if the operation should be
      allowed or terminated with -EPERM.
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Acked-by: Tejun Heo <tj@kernel.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
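Added example, not code from the patchset or its selftest: a userspace C model of the allow/deny decision a BPF_PROG_TYPE_CGROUP_DEVICE program makes, applied to the operations the selftest commit above lists. The struct and helper names are stand-ins; the constant values and the (access << 16) | type encoding follow the kernel's uapi bpf.h, and the major:minor pairs are the standard Linux ones.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Values mirror the BPF_DEVCG_* constants in the kernel uapi header. */
enum { BPF_DEVCG_ACC_MKNOD = 1 << 0, BPF_DEVCG_ACC_READ = 1 << 1, BPF_DEVCG_ACC_WRITE = 1 << 2 };
enum { BPF_DEVCG_DEV_BLOCK = 1 << 0, BPF_DEVCG_DEV_CHAR = 1 << 1 };

/* Userspace stand-in for struct bpf_cgroup_dev_ctx (name is an assumption). */
struct dev_ctx {
    uint32_t access_type; /* (BPF_DEVCG_ACC_* << 16) | BPF_DEVCG_DEV_* */
    uint32_t major;
    uint32_t minor;
};

/* Policy body as it would appear in a cgroup device program:
 * return 1 to allow, 0 to have the kernel fail the call with -EPERM. */
int devcg_policy(const struct dev_ctx *ctx)
{
    uint32_t type = ctx->access_type & 0xFFFF;

    /* Default deny: only character devices with major 1 are considered.
     * The type check matters: block 1:5 is not /dev/zero. */
    if (type != BPF_DEVCG_DEV_CHAR || ctx->major != 1)
        return 0;

    switch (ctx->minor) {
    case 5: /* 1:5 /dev/zero */
    case 9: /* 1:9 /dev/urandom */
        return 1;
    }
    return 0;
}

/* Hypothetical helper: pack the context the way the kernel hook does
 * and translate the program's verdict into the syscall result. */
int devcg_check(uint32_t access, uint32_t type, uint32_t major, uint32_t minor)
{
    struct dev_ctx ctx = { (access << 16) | type, major, minor };
    return devcg_policy(&ctx) ? 0 : -EPERM;
}

int main(void)
{
    printf("mknod /dev/null (1:3): %d\n", devcg_check(BPF_DEVCG_ACC_MKNOD, BPF_DEVCG_DEV_CHAR, 1, 3));
    printf("mknod /dev/zero (1:5): %d\n", devcg_check(BPF_DEVCG_ACC_MKNOD, BPF_DEVCG_DEV_CHAR, 1, 5));
    printf("write /dev/full (1:7): %d\n", devcg_check(BPF_DEVCG_ACC_WRITE, BPF_DEVCG_DEV_CHAR, 1, 7));
    printf("read /dev/random (1:8): %d\n", devcg_check(BPF_DEVCG_ACC_READ, BPF_DEVCG_DEV_CHAR, 1, 8));
    return 0;
}
```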
    • device_cgroup: prepare code for bpf-based device controller · ecf8fecb
      Roman Gushchin authored
      This is a non-functional change to prepare the device cgroup code
      for adding an eBPF-based controller for cgroups v2.
      
      The patch performs the following changes:
      1) __devcgroup_inode_permission() and devcgroup_inode_mknod()
         are moved to device-cgroup.h and converted into static inline.
      2) __devcgroup_check_permission() is exported.
      3) devcgroup_check_permission() wrapper is introduced to be used
         by both existing and new bpf-based implementations.
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Acked-by: Tejun Heo <tj@kernel.org>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • device_cgroup: add DEVCG_ prefix to ACC_* and DEV_* constants · 67e306fd
      Roman Gushchin authored
      Rename device type and access type constants defined in
      security/device_cgroup.c by adding the DEVCG_ prefix.
      
      The reason behind this renaming is to make them global namespace
      friendly, as they will be moved to the corresponding header file
      by following patches.
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'mlx5-updates-2017-11-04' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 488e5b30
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      mlx5-updates-2017-11-04
      
      This series includes:
      
      From Huy: dscp to priority mapping for Ethernet packets.
      
      ===================================================
      First six patches enable differentiated services code point (dscp) to
      priority mapping for Ethernet packets. Once this feature is
      enabled, the packet is routed to the corresponding priority based on its
      dscp. The user can combine this feature with the priority flow control (pfc)
      feature to have priority flow control based on the dscp.
      
      Firmware interface:
      Mellanox firmware provides two control knobs for this feature:
        QPTS register allows changing the trust state between dscp and
        pcp mode. The default is pcp mode. Once in dscp mode, firmware will
        route the packet based on its dscp value if the dscp field exists.
      
        QPDPM register allows mapping a specific dscp (0 to 63) to a
        specific priority (0 to 7). By default, all the dscps are mapped to
        priority zero.
      
      Software interface:
      This feature is controlled via application priority TLV. IEEE
      specification P802.1Qcd/D2.1 defines priority selector id 5 for
      application priority TLV. This APP TLV selector defines DSCP to priority
      map. This APP TLV can be sent by the switch or can be set locally using
      software such as lldptool. In mlx5 drivers, we add the support for net
      dcb's getapp and setapp callbacks. Mlx5 driver only handles the selector
      id 5 application entry (dscp application priority application entry).
      If the user sends multiple dscp to priority APP TLV entries on the same
      dscp, the last sent one will take effect. All the previously sent ones
      will be deleted.
      
      The firmware trust state (in QPTS register) is changed based on the
      number of dscp to priority application entries. When the first dscp to
      priority application entry is added by the user, the trust state is
      changed to dscp. When the last dscp to priority application entry is
      deleted by the user, the trust state is changed to pcp.
      
      When the port is in DSCP trust state, the transmit queue is selected
      based on the dscp of the skb.
      
      When the port is in DSCP trust state and vport inline mode is not NONE,
      firmware requires mlx5 driver to copy the IP header to the
      wqe ethernet segment inline header if the skb has it.
      This is done by changing the transmit queue sq's min inline mode to L3.
      Note that the min inline mode of sqs that belong to other features
      such as xdpsq, icosq is not modified.
      ===================================================
      
      In addition to the dscp series, some small misc changes are included as well:
      
      From Inbar, Ethtool msglvl support and some debug prints in DCBNL logic
      From Or Gerlitz, Enlarge the NIC TC offload table size
      From Rabie, Initialize destination_flow struct to 0
      From Feras, Add inner TTC table to IPoIB flow steering
      From Tal, Enable CQE based moderation on TX CQ
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>