bpf_cgroup_from_id currently ends up doing a check on whether the cgroup
being looked up is a descendant of the root cgroup of the current task's
cgroup namespace. This leads to unreliable results since this kfunc can
be invoked from any arbitrary context, for any arbitrary value of
current. Fix this by removing namespace-awarness in the kfunc, and
include a test that detects such a case and fails without the fix.
Kumar Kartikeya Dwivedi (2):
bpf: Do not limit bpf_cgroup_from_id to current's namespace
selftests/bpf: Add a test for bpf_cgroup_from_id lookup in non-root
cgns
include/linux/cgroup.h | 2 +-
kernel/bpf/cgroup_iter.c | 2 +-
kernel/bpf/helpers.c | 2 +-
kernel/cgroup/cgroup.c | 7 ++-
.../selftests/bpf/prog_tests/cgrp_kfunc.c | 48 +++++++++++++++++++
.../selftests/bpf/progs/cgrp_kfunc_success.c | 12 +++++
6 files changed, 69 insertions(+), 4 deletions(-)
base-commit: fa479132845e94b60068fad01c2a9979b3efe2dc
--
2.47.3
