1 /* eBPF example program:
3 * - Creates arraymap in kernel with 4 bytes keys and 8 byte values
7 * The eBPF program accesses the map passed in to store two pieces of
8 * information. The number of invocations of the program, which maps
9 * to the number of packets received, is stored to key 0. Key 1 is
10 * incremented on each iteration by the number of bytes stored in
11 * the skb. The program also stores the number of received bytes
12 * in the cgroup storage.
14 * - Attaches the new program to a cgroup using BPF_PROG_ATTACH
16 * - Every second, reads map[0] and map[1] to see how many bytes and
17 * packets were seen on any socket of tasks in the given cgroup.
25 #include <sys/resource.h>
29 #include <linux/bpf.h>
33 #include "bpf_rlimit.h"
34 #include "cgroup_helpers.h"
37 #define BAR "/foo/bar/"
38 #define PING_CMD "ping -c1 -w1 127.0.0.1 > /dev/null"
40 char bpf_log_buf[BPF_LOG_BUF_SIZE];
42 static int prog_load(int verdict)
45 struct bpf_insn prog[] = {
46 BPF_MOV64_IMM(BPF_REG_0, verdict), /* r0 = verdict */
49 size_t insns_cnt = sizeof(prog) / sizeof(struct bpf_insn);
51 ret = bpf_load_program(BPF_PROG_TYPE_CGROUP_SKB,
52 prog, insns_cnt, "GPL", 0,
53 bpf_log_buf, BPF_LOG_BUF_SIZE);
56 log_err("Loading program");
57 printf("Output from verifier:\n%s\n-------\n", bpf_log_buf);
63 static int test_foo_bar(void)
65 int drop_prog, allow_prog, foo = 0, bar = 0, rc = 0;
67 allow_prog = prog_load(1);
71 drop_prog = prog_load(0);
75 if (setup_cgroup_environment())
78 /* Create cgroup /foo, get fd, and join it */
79 foo = create_and_get_cgroup(FOO);
86 if (bpf_prog_attach(drop_prog, foo, BPF_CGROUP_INET_EGRESS,
87 BPF_F_ALLOW_OVERRIDE)) {
88 log_err("Attaching prog to /foo");
92 printf("Attached DROP prog. This ping in cgroup /foo should fail...\n");
93 assert(system(PING_CMD) != 0);
95 /* Create cgroup /foo/bar, get fd, and join it */
96 bar = create_and_get_cgroup(BAR);
100 if (join_cgroup(BAR))
103 printf("Attached DROP prog. This ping in cgroup /foo/bar should fail...\n");
104 assert(system(PING_CMD) != 0);
106 if (bpf_prog_attach(allow_prog, bar, BPF_CGROUP_INET_EGRESS,
107 BPF_F_ALLOW_OVERRIDE)) {
108 log_err("Attaching prog to /foo/bar");
112 printf("Attached PASS prog. This ping in cgroup /foo/bar should pass...\n");
113 assert(system(PING_CMD) == 0);
115 if (bpf_prog_detach(bar, BPF_CGROUP_INET_EGRESS)) {
116 log_err("Detaching program from /foo/bar");
120 printf("Detached PASS from /foo/bar while DROP is attached to /foo.\n"
121 "This ping in cgroup /foo/bar should fail...\n");
122 assert(system(PING_CMD) != 0);
124 if (bpf_prog_attach(allow_prog, bar, BPF_CGROUP_INET_EGRESS,
125 BPF_F_ALLOW_OVERRIDE)) {
126 log_err("Attaching prog to /foo/bar");
130 if (bpf_prog_detach(foo, BPF_CGROUP_INET_EGRESS)) {
131 log_err("Detaching program from /foo");
135 printf("Attached PASS from /foo/bar and detached DROP from /foo.\n"
136 "This ping in cgroup /foo/bar should pass...\n");
137 assert(system(PING_CMD) == 0);
139 if (bpf_prog_attach(allow_prog, bar, BPF_CGROUP_INET_EGRESS,
140 BPF_F_ALLOW_OVERRIDE)) {
141 log_err("Attaching prog to /foo/bar");
145 if (!bpf_prog_attach(allow_prog, bar, BPF_CGROUP_INET_EGRESS, 0)) {
147 log_err("Unexpected success attaching prog to /foo/bar");
151 if (bpf_prog_detach(bar, BPF_CGROUP_INET_EGRESS)) {
152 log_err("Detaching program from /foo/bar");
156 if (!bpf_prog_detach(foo, BPF_CGROUP_INET_EGRESS)) {
158 log_err("Unexpected success in double detach from /foo");
162 if (bpf_prog_attach(allow_prog, foo, BPF_CGROUP_INET_EGRESS, 0)) {
163 log_err("Attaching non-overridable prog to /foo");
167 if (!bpf_prog_attach(allow_prog, bar, BPF_CGROUP_INET_EGRESS, 0)) {
169 log_err("Unexpected success attaching non-overridable prog to /foo/bar");
173 if (!bpf_prog_attach(allow_prog, bar, BPF_CGROUP_INET_EGRESS,
174 BPF_F_ALLOW_OVERRIDE)) {
176 log_err("Unexpected success attaching overridable prog to /foo/bar");
180 if (!bpf_prog_attach(allow_prog, foo, BPF_CGROUP_INET_EGRESS,
181 BPF_F_ALLOW_OVERRIDE)) {
183 log_err("Unexpected success attaching overridable prog to /foo");
187 if (bpf_prog_attach(drop_prog, foo, BPF_CGROUP_INET_EGRESS, 0)) {
188 log_err("Attaching different non-overridable prog to /foo");
200 cleanup_cgroup_environment();
202 printf("### override:PASS\n");
204 printf("### override:FAIL\n");
208 static int map_fd = -1;
210 static int prog_load_cnt(int verdict, int val)
212 int cgroup_storage_fd, percpu_cgroup_storage_fd;
215 map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, 4, 8, 1, 0);
217 printf("failed to create map '%s'\n", strerror(errno));
221 cgroup_storage_fd = bpf_create_map(BPF_MAP_TYPE_CGROUP_STORAGE,
222 sizeof(struct bpf_cgroup_storage_key), 8, 0, 0);
223 if (cgroup_storage_fd < 0) {
224 printf("failed to create map '%s'\n", strerror(errno));
228 percpu_cgroup_storage_fd = bpf_create_map(
229 BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE,
230 sizeof(struct bpf_cgroup_storage_key), 8, 0, 0);
231 if (percpu_cgroup_storage_fd < 0) {
232 printf("failed to create map '%s'\n", strerror(errno));
236 struct bpf_insn prog[] = {
237 BPF_MOV32_IMM(BPF_REG_0, 0),
238 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), /* *(u32 *)(fp - 4) = r0 */
239 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
240 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* r2 = fp - 4 */
241 BPF_LD_MAP_FD(BPF_REG_1, map_fd),
242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
243 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
244 BPF_MOV64_IMM(BPF_REG_1, val), /* r1 = 1 */
245 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_0, BPF_REG_1, 0, 0), /* xadd r0 += r1 */
247 BPF_LD_MAP_FD(BPF_REG_1, cgroup_storage_fd),
248 BPF_MOV64_IMM(BPF_REG_2, 0),
249 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
250 BPF_MOV64_IMM(BPF_REG_1, val),
251 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_0, BPF_REG_1, 0, 0),
253 BPF_LD_MAP_FD(BPF_REG_1, percpu_cgroup_storage_fd),
254 BPF_MOV64_IMM(BPF_REG_2, 0),
255 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
256 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
257 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 0x1),
258 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
260 BPF_MOV64_IMM(BPF_REG_0, verdict), /* r0 = verdict */
263 size_t insns_cnt = sizeof(prog) / sizeof(struct bpf_insn);
266 ret = bpf_load_program(BPF_PROG_TYPE_CGROUP_SKB,
267 prog, insns_cnt, "GPL", 0,
268 bpf_log_buf, BPF_LOG_BUF_SIZE);
271 log_err("Loading program");
272 printf("Output from verifier:\n%s\n-------\n", bpf_log_buf);
275 close(cgroup_storage_fd);
280 static int test_multiprog(void)
282 __u32 prog_ids[4], prog_cnt = 0, attach_flags, saved_prog_id;
283 int cg1 = 0, cg2 = 0, cg3 = 0, cg4 = 0, cg5 = 0, key = 0;
284 int drop_prog, allow_prog[6] = {}, rc = 0;
285 unsigned long long value;
288 for (i = 0; i < 6; i++) {
289 allow_prog[i] = prog_load_cnt(1, 1 << i);
293 drop_prog = prog_load_cnt(0, 1);
297 if (setup_cgroup_environment())
300 cg1 = create_and_get_cgroup("/cg1");
303 cg2 = create_and_get_cgroup("/cg1/cg2");
306 cg3 = create_and_get_cgroup("/cg1/cg2/cg3");
309 cg4 = create_and_get_cgroup("/cg1/cg2/cg3/cg4");
312 cg5 = create_and_get_cgroup("/cg1/cg2/cg3/cg4/cg5");
316 if (join_cgroup("/cg1/cg2/cg3/cg4/cg5"))
319 if (bpf_prog_attach(allow_prog[0], cg1, BPF_CGROUP_INET_EGRESS,
320 BPF_F_ALLOW_MULTI)) {
321 log_err("Attaching prog to cg1");
324 if (!bpf_prog_attach(allow_prog[0], cg1, BPF_CGROUP_INET_EGRESS,
325 BPF_F_ALLOW_MULTI)) {
326 log_err("Unexpected success attaching the same prog to cg1");
329 if (bpf_prog_attach(allow_prog[1], cg1, BPF_CGROUP_INET_EGRESS,
330 BPF_F_ALLOW_MULTI)) {
331 log_err("Attaching prog2 to cg1");
334 if (bpf_prog_attach(allow_prog[2], cg2, BPF_CGROUP_INET_EGRESS,
335 BPF_F_ALLOW_OVERRIDE)) {
336 log_err("Attaching prog to cg2");
339 if (bpf_prog_attach(allow_prog[3], cg3, BPF_CGROUP_INET_EGRESS,
340 BPF_F_ALLOW_MULTI)) {
341 log_err("Attaching prog to cg3");
344 if (bpf_prog_attach(allow_prog[4], cg4, BPF_CGROUP_INET_EGRESS,
345 BPF_F_ALLOW_OVERRIDE)) {
346 log_err("Attaching prog to cg4");
349 if (bpf_prog_attach(allow_prog[5], cg5, BPF_CGROUP_INET_EGRESS, 0)) {
350 log_err("Attaching prog to cg5");
353 assert(system(PING_CMD) == 0);
354 assert(bpf_map_lookup_elem(map_fd, &key, &value) == 0);
355 assert(value == 1 + 2 + 8 + 32);
357 /* query the number of effective progs in cg5 */
358 assert(bpf_prog_query(cg5, BPF_CGROUP_INET_EGRESS, BPF_F_QUERY_EFFECTIVE,
359 NULL, NULL, &prog_cnt) == 0);
360 assert(prog_cnt == 4);
361 /* retrieve prog_ids of effective progs in cg5 */
362 assert(bpf_prog_query(cg5, BPF_CGROUP_INET_EGRESS, BPF_F_QUERY_EFFECTIVE,
363 &attach_flags, prog_ids, &prog_cnt) == 0);
364 assert(prog_cnt == 4);
365 assert(attach_flags == 0);
366 saved_prog_id = prog_ids[0];
367 /* check enospc handling */
370 assert(bpf_prog_query(cg5, BPF_CGROUP_INET_EGRESS, BPF_F_QUERY_EFFECTIVE,
371 &attach_flags, prog_ids, &prog_cnt) == -1 &&
373 assert(prog_cnt == 4);
374 /* check that prog_ids are returned even when buffer is too small */
375 assert(prog_ids[0] == saved_prog_id);
376 /* retrieve prog_id of single attached prog in cg5 */
378 assert(bpf_prog_query(cg5, BPF_CGROUP_INET_EGRESS, 0,
379 NULL, prog_ids, &prog_cnt) == 0);
380 assert(prog_cnt == 1);
381 assert(prog_ids[0] == saved_prog_id);
383 /* detach bottom program and ping again */
384 if (bpf_prog_detach2(-1, cg5, BPF_CGROUP_INET_EGRESS)) {
385 log_err("Detaching prog from cg5");
389 assert(bpf_map_update_elem(map_fd, &key, &value, 0) == 0);
390 assert(system(PING_CMD) == 0);
391 assert(bpf_map_lookup_elem(map_fd, &key, &value) == 0);
392 assert(value == 1 + 2 + 8 + 16);
394 /* detach 3rd from bottom program and ping again */
396 if (!bpf_prog_detach2(0, cg3, BPF_CGROUP_INET_EGRESS)) {
397 log_err("Unexpected success on detach from cg3");
400 if (bpf_prog_detach2(allow_prog[3], cg3, BPF_CGROUP_INET_EGRESS)) {
401 log_err("Detaching from cg3");
405 assert(bpf_map_update_elem(map_fd, &key, &value, 0) == 0);
406 assert(system(PING_CMD) == 0);
407 assert(bpf_map_lookup_elem(map_fd, &key, &value) == 0);
408 assert(value == 1 + 2 + 16);
410 /* detach 2nd from bottom program and ping again */
411 if (bpf_prog_detach2(-1, cg4, BPF_CGROUP_INET_EGRESS)) {
412 log_err("Detaching prog from cg4");
416 assert(bpf_map_update_elem(map_fd, &key, &value, 0) == 0);
417 assert(system(PING_CMD) == 0);
418 assert(bpf_map_lookup_elem(map_fd, &key, &value) == 0);
419 assert(value == 1 + 2 + 4);
422 assert(bpf_prog_query(cg5, BPF_CGROUP_INET_EGRESS, BPF_F_QUERY_EFFECTIVE,
423 &attach_flags, prog_ids, &prog_cnt) == 0);
424 assert(prog_cnt == 3);
425 assert(attach_flags == 0);
426 assert(bpf_prog_query(cg5, BPF_CGROUP_INET_EGRESS, 0,
427 NULL, prog_ids, &prog_cnt) == 0);
428 assert(prog_cnt == 0);
434 for (i = 0; i < 6; i++)
435 if (allow_prog[i] > 0)
436 close(allow_prog[i]);
442 cleanup_cgroup_environment();
444 printf("### multi:PASS\n");
446 printf("### multi:FAIL\n");
450 int main(int argc, char **argv)
458 return test_multiprog();