io_uring/bpf_filter: allow filtering on contents of struct open_how

This adds custom filtering for IORING_OP_OPENAT and IORING_OP_OPENAT2,
where the open_how flags, mode, and resolve can be checked by filters.

Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/include/uapi/linux/io_uring/bpf_filter.h b/include/uapi/linux/io_uring/bpf_filter.h
index 4dbc89bbbf10dc34045ace6a8b3d8318045fb76a..220351b81bc0986a263f40e6f10cc25ab8e70d8d 100644 (file)
--- a/include/uapi/linux/io_uring/bpf_filter.h
+++ b/include/uapi/linux/io_uring/bpf_filter.h
@@ -22,6 +22,11 @@ struct io_uring_bpf_ctx {
                        __u32   type;
                        __u32   protocol;
                } socket;
+               struct {
+                       __u64   flags;
+                       __u64   mode;
+                       __u64   resolve;
+               } open;
        };
 };
 

diff --git a/io_uring/bpf_filter.c b/io_uring/bpf_filter.c
index 889fa915fa54c41ba98ca138aac8294ec5fbd641..ff723ec448281667f1912226bc05029082a28411 100644 (file)
--- a/io_uring/bpf_filter.c
+++ b/io_uring/bpf_filter.c
@@ -12,6 +12,7 @@
 #include "io_uring.h"
 #include "bpf_filter.h"
 #include "net.h"
+#include "openclose.h"
 
 struct io_bpf_filter {
        struct bpf_prog         *prog;
@@ -40,6 +41,11 @@ static void io_uring_populate_bpf_ctx(struct io_uring_bpf_ctx *bctx,
                bctx->pdu_size = sizeof(bctx->socket);
                io_socket_bpf_populate(bctx, req);
                break;
+       case IORING_OP_OPENAT:
+       case IORING_OP_OPENAT2:
+               bctx->pdu_size = sizeof(bctx->open);
+               io_openat_bpf_populate(bctx, req);
+               break;
        }
 }
 

diff --git a/io_uring/openclose.c b/io_uring/openclose.c
index 15dde9bd6ff67084e3645c588bc5ecbe0cebf4a2..31c687adf873e197aae72635b757ab510cd92fea 100644 (file)
--- a/io_uring/openclose.c
+++ b/io_uring/openclose.c
@@ -85,6 +85,15 @@ static int __io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe
        return 0;
 }
 
+void io_openat_bpf_populate(struct io_uring_bpf_ctx *bctx, struct io_kiocb *req)
+{
+       struct io_open *open = io_kiocb_to_cmd(req, struct io_open);
+
+       bctx->open.flags = open->how.flags;
+       bctx->open.mode = open->how.mode;
+       bctx->open.resolve = open->how.resolve;
+}
+
 int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 {
        struct io_open *open = io_kiocb_to_cmd(req, struct io_open);

diff --git a/io_uring/openclose.h b/io_uring/openclose.h
index 4ca2a9935abc9c1e7da39f94b107839d4c80aefc..566739920658a52dd56cb8b7db833da4cb175a16 100644 (file)
--- a/io_uring/openclose.h
+++ b/io_uring/openclose.h
@@ -1,11 +1,14 @@
 // SPDX-License-Identifier: GPL-2.0
 
+#include "bpf_filter.h"
+
 int __io_close_fixed(struct io_ring_ctx *ctx, unsigned int issue_flags,
                     unsigned int offset);
 
 int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe);
 int io_openat(struct io_kiocb *req, unsigned int issue_flags);
 void io_open_cleanup(struct io_kiocb *req);
+void io_openat_bpf_populate(struct io_uring_bpf_ctx *bctx, struct io_kiocb *req);
 
 int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe);
 int io_openat2(struct io_kiocb *req, unsigned int issue_flags);