bpf: Allow cgroup sock filters to use get_current_uid_gid helper

Allow BPF programs run on sock create to use the get_current_uid_gid
helper. IPv4 and IPv6 sockets are created in a process context so
there is always a valid uid/gid

Signed-off-by: David Ahern <dsahern@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/core/filter.c b/net/core/filter.c
index f51b9690adf3e81c0191e23fd4329dc3df9142bb..9dad3e7e2e101819248c31317c6ca772586317e3 100644 (file)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3149,6 +3149,20 @@ bpf_base_func_proto(enum bpf_func_id func_id)
        }
 }
 
+static const struct bpf_func_proto *
+sock_filter_func_proto(enum bpf_func_id func_id)
+{
+       switch (func_id) {
+       /* inet and inet6 sockets are created in a process
+        * context so there is always a valid uid/gid
+        */
+       case BPF_FUNC_get_current_uid_gid:
+               return &bpf_get_current_uid_gid_proto;
+       default:
+               return bpf_base_func_proto(func_id);
+       }
+}
+
 static const struct bpf_func_proto *
 sk_filter_func_proto(enum bpf_func_id func_id)
 {
@@ -4233,7 +4247,7 @@ const struct bpf_verifier_ops lwt_xmit_prog_ops = {
 };
 
 const struct bpf_verifier_ops cg_sock_prog_ops = {
-       .get_func_proto         = bpf_base_func_proto,
+       .get_func_proto         = sock_filter_func_proto,
        .is_valid_access        = sock_filter_is_valid_access,
        .convert_ctx_access     = sock_filter_convert_ctx_access,
 };