
Lines Matching +full:write +full:- +full:to +full:- +full:read

1 .. SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
8 provides cgroup-bpf hook for sysctl.
10 The hook has to be attached to a cgroup and will be called every time a
11 process inside that cgroup tries to read from or write to sysctl knob in proc.
16 ``BPF_CGROUP_SYSCTL`` attach type has to be used to attach
17 ``BPF_PROG_TYPE_CGROUP_SYSCTL`` program to a cgroup.
22 ``BPF_PROG_TYPE_CGROUP_SYSCTL`` provides access to the following context from
26 __u32 write;
30 * ``write`` indicates whether sysctl value is being read (``0``) or written
31 (``1``). This field is read-only.
33 * ``file_pos`` indicates file position sysctl is being accessed at, read
34 or written. This field is read-write. Writing to the field sets the starting
35 position in sysctl proc file ``read(2)`` will be reading from or ``write(2)``
36 will be writing to. Writing zero to the field can be used e.g. to override
37 whole sysctl value by ``bpf_sysctl_set_new_value()`` on ``write(2)`` even
38 when it's called by user space on ``file_pos > 0``. Writing non-zero
39 value to the field can be used to access part of sysctl value starting from
41 0``, e.g. writes to numeric sysctl entries must always be at file position
52 * ``0`` means "reject access to sysctl";
55 If program returns ``0`` user space will get ``-1`` from ``read(2)`` or
56 ``write(2)`` and ``errno`` will be set to ``EPERM``.
62 helpers focus on providing access to these properties:
64 * ``bpf_sysctl_get_name()`` to get sysctl name as it is visible in
67 * ``bpf_sysctl_get_current_value()`` to get string value currently held by
69 ``read(2)`` from and ``write(2)`` to sysctl;
71 * ``bpf_sysctl_get_new_value()`` to get new string value currently being
72 written to sysctl before actual write happens. This helper can be used only
73 on ``ctx->write == 1``;
75 * ``bpf_sysctl_set_new_value()`` to override new string value currently being
76 written to sysctl before actual write happens. Sysctl value will be
77 overridden starting from the current ``ctx->file_pos``. If the whole value
78 has to be overridden BPF program can set ``file_pos`` to zero before calling
79 to the helper. This helper can be used only on ``ctx->write == 1``. New
85 of integers, the following helpers can be used to get numeric value from the
88 * ``bpf_strtol()`` to convert initial part of the string to long integer
89 similar to user space `strtol(3)`_;
90 * ``bpf_strtoul()`` to convert initial part of the string to unsigned long
91 integer similar to user space `strtoul(3)`_;
99 sysctl name and value, parses string value to get vector of integers and uses
100 the result to make decision whether to allow or deny access to sysctl.
105 ``BPF_PROG_TYPE_CGROUP_SYSCTL`` is intended to be used in **trusted** root
106 environment, for example to monitor sysctl usage or catch unreasonable values
107 an application, running as root in a separate cgroup, is trying to set.
112 to read from / write to it and two such processes may run in different
114 security mechanism to limit sysctl usage.
116 As with any cgroup-bpf program additional care should be taken if an
117 application running as root in a cgroup should not be allowed to
122 .. _strtol(3): http://man7.org/linux/man-pages/man3/strtol.3p.html
123 .. _strtoul(3): http://man7.org/linux/man-pages/man3/strtoul.3p.html