€•Ál      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ*/translations/zh_CN/bpf/prog_cgroup_sysctl”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/zh_TW/bpf/prog_cgroup_sysctl”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/it_IT/bpf/prog_cgroup_sysctl”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/ja_JP/bpf/prog_cgroup_sysctl”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/ko_KR/bpf/prog_cgroup_sysctl”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ*/translations/sp_SP/bpf/prog_cgroup_sysctl”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ3SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)”h]”hŒ3SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒD/var/lib/git/docbuild/linux/Documentation/bpf/prog_cgroup_sysctl.rst”h KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒBPF_PROG_TYPE_CGROUP_SYSCTL”h]”hŒBPF_PROG_TYPE_CGROUP_SYSCTL”…””}”(hh»hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hh¶hžhhŸh³h KubhŒ	paragraph”“”)”}”(hŒnThis document describes ``BPF_PROG_TYPE_CGROUP_SYSCTL`` program type that
provides cgroup-bpf hook for sysctl.”h]”(hŒThis document describes ”…””}”(hhËhžhhŸNh NubhŒliteral”“”)”}”(hŒ``BPF_PROG_TYPE_CGROUP_SYSCTL``”h]”hŒBPF_PROG_TYPE_CGROUP_SYSCTL”…””}”(hhÕhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhhËubhŒ7 program type that
provides cgroup-bpf hook for sysctl.”…””}”(hhËhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khh¶hžhubhÊ)”}”(hŒ–The hook has to be attached to a cgroup and will be called every time a
process inside that cgroup tries to read from or write to sysctl knob in proc.”h]”hŒ–The hook has to be attached to a cgroup and will be called every time a
process inside that cgroup tries to read from or write to sysctl knob in proc.”…””}”(hhíhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K
hh¶hžhubhµ)”}”(hhh]”(hº)”}”(hŒ1. Attach type”h]”hŒ1. Attach type”…””}”(hhþhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hhûhžhhŸh³h KubhÊ)”}”(hŒo``BPF_CGROUP_SYSCTL`` attach type has to be used to attach
``BPF_PROG_TYPE_CGROUP_SYSCTL`` program to a cgroup.”h]”(hÔ)”}”(hŒ``BPF_CGROUP_SYSCTL``”h]”hŒBPF_CGROUP_SYSCTL”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj  ubhŒ& attach type has to be used to attach
”…””}”(hj  hžhhŸNh NubhÔ)”}”(hŒ``BPF_PROG_TYPE_CGROUP_SYSCTL``”h]”hŒBPF_PROG_TYPE_CGROUP_SYSCTL”…””}”(hj"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj  ubhŒ program to a cgroup.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khhûhžhubeh}”(h]”Œattach-type”ah ]”h"]”Œ1. attach type”ah$]”h&]”uh1h´hh¶hžhhŸh³h Kubhµ)”}”(hhh]”(hº)”}”(hŒ
2. Context”h]”hŒ
2. Context”…””}”(hjE  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjB  hžhhŸh³h KubhÊ)”}”(hŒ[``BPF_PROG_TYPE_CGROUP_SYSCTL`` provides access to the following context from
BPF program::”h]”(hÔ)”}”(hŒ``BPF_PROG_TYPE_CGROUP_SYSCTL``”h]”hŒBPF_PROG_TYPE_CGROUP_SYSCTL”…””}”(hjW  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjS  ubhŒ; provides access to the following context from
BPF program:”…””}”(hjS  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KhjB  hžhubhŒliteral_block”“”)”}”(hŒ;struct bpf_sysctl {
    __u32 write;
    __u32 file_pos;
};”h]”hŒ;struct bpf_sysctl {
    __u32 write;
    __u32 file_pos;
};”…””}”hjq  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jo  hŸh³h KhjB  hžhubhŒbullet_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒl``write`` indicates whether sysctl value is being read (``0``) or written
(``1``). This field is read-only.
”h]”hÊ)”}”(hŒk``write`` indicates whether sysctl value is being read (``0``) or written
(``1``). This field is read-only.”h]”(hÔ)”}”(hŒ	``write``”h]”hŒwrite”…””}”(hjŽ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjŠ  ubhŒ/ indicates whether sysctl value is being read (”…””}”(hjŠ  hžhhŸNh NubhÔ)”}”(hŒ``0``”h]”hŒ0”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjŠ  ubhŒ) or written
(”…””}”(hjŠ  hžhhŸNh NubhÔ)”}”(hŒ``1``”h]”hŒ1”…””}”(hj²  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjŠ  ubhŒ). This field is read-only.”…””}”(hjŠ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khj†  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hj  hžhhŸh³h Nubj…  )”}”(hXÔ  ``file_pos`` indicates file position sysctl is being accessed at, read
or written. This field is read-write. Writing to the field sets the starting
position in sysctl proc file ``read(2)`` will be reading from or ``write(2)``
will be writing to. Writing zero to the field can be used e.g. to override
whole sysctl value by ``bpf_sysctl_set_new_value()`` on ``write(2)`` even
when it's called by user space on ``file_pos > 0``. Writing non-zero
value to the field can be used to access part of sysctl value starting from
specified ``file_pos``. Not all sysctl support access with ``file_pos !=
0``, e.g. writes to numeric sysctl entries must always be at file position
``0``. See also ``kernel.sysctl_writes_strict`` sysctl.
”h]”hÊ)”}”(hXÓ  ``file_pos`` indicates file position sysctl is being accessed at, read
or written. This field is read-write. Writing to the field sets the starting
position in sysctl proc file ``read(2)`` will be reading from or ``write(2)``
will be writing to. Writing zero to the field can be used e.g. to override
whole sysctl value by ``bpf_sysctl_set_new_value()`` on ``write(2)`` even
when it's called by user space on ``file_pos > 0``. Writing non-zero
value to the field can be used to access part of sysctl value starting from
specified ``file_pos``. Not all sysctl support access with ``file_pos !=
0``, e.g. writes to numeric sysctl entries must always be at file position
``0``. See also ``kernel.sysctl_writes_strict`` sysctl.”h]”(hÔ)”}”(hŒ``file_pos``”h]”hŒfile_pos”…””}”(hjØ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjÔ  ubhŒ¥ indicates file position sysctl is being accessed at, read
or written. This field is read-write. Writing to the field sets the starting
position in sysctl proc file ”…””}”(hjÔ  hžhhŸNh NubhÔ)”}”(hŒ``read(2)``”h]”hŒread(2)”…””}”(hjê  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjÔ  ubhŒ will be reading from or ”…””}”(hjÔ  hžhhŸNh NubhÔ)”}”(hŒ``write(2)``”h]”hŒwrite(2)”…””}”(hjü  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjÔ  ubhŒb
will be writing to. Writing zero to the field can be used e.g. to override
whole sysctl value by ”…””}”(hjÔ  hžhhŸNh NubhÔ)”}”(hŒ``bpf_sysctl_set_new_value()``”h]”hŒbpf_sysctl_set_new_value()”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjÔ  ubhŒ on ”…””}”(hjÔ  hžhhŸNh NubhÔ)”}”(hŒ``write(2)``”h]”hŒwrite(2)”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjÔ  ubhŒ* even
when itâ€™s called by user space on ”…””}”(hjÔ  hžhhŸNh NubhÔ)”}”(hŒ``file_pos > 0``”h]”hŒfile_pos > 0”…””}”(hj2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjÔ  ubhŒi. Writing non-zero
value to the field can be used to access part of sysctl value starting from
specified ”…””}”(hjÔ  hžhhŸNh NubhÔ)”}”(hŒ``file_pos``”h]”hŒfile_pos”…””}”(hjD  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjÔ  ubhŒ%. Not all sysctl support access with ”…””}”(hjÔ  hžhhŸNh NubhÔ)”}”(hŒ``file_pos !=
0``”h]”hŒfile_pos !=
0”…””}”(hjV  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjÔ  ubhŒH, e.g. writes to numeric sysctl entries must always be at file position
”…””}”(hjÔ  hžhhŸNh NubhÔ)”}”(hŒ``0``”h]”hŒ0”…””}”(hjh  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjÔ  ubhŒ. See also ”…””}”(hjÔ  hžhhŸNh NubhÔ)”}”(hŒ``kernel.sysctl_writes_strict``”h]”hŒkernel.sysctl_writes_strict”…””}”(hjz  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjÔ  ubhŒ sysctl.”…””}”(hjÔ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K!hjÐ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hj  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ*”uh1j  hŸh³h KhjB  hžhubhÊ)”}”(hŒISee `linux/bpf.h`_ for more details on how context field can be accessed.”h]”(hŒSee ”…””}”(hj   hžhhŸNh NubhŒ	reference”“”)”}”(hŒ`linux/bpf.h`_”h]”hŒlinux/bpf.h”…””}”(hjª  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œlinux/bpf.h”Œrefuri”Œ../../include/uapi/linux/bpf.h”uh1j¨  hj   Œresolved”KubhŒ7 for more details on how context field can be accessed.”…””}”(hj   hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K,hjB  hžhubeh}”(h]”Œcontext”ah ]”h"]”Œ
2. context”ah$]”h&]”uh1h´hh¶hžhhŸh³h Kubhµ)”}”(hhh]”(hº)”}”(hŒ3. Return code”h]”hŒ3. Return code”…””}”(hjÒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjÏ  hžhhŸh³h K/ubhÊ)”}”(hŒV``BPF_PROG_TYPE_CGROUP_SYSCTL`` program must return one of the following
return codes:”h]”(hÔ)”}”(hŒ``BPF_PROG_TYPE_CGROUP_SYSCTL``”h]”hŒBPF_PROG_TYPE_CGROUP_SYSCTL”…””}”(hjä  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjà  ubhŒ7 program must return one of the following
return codes:”…””}”(hjà  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K1hjÏ  hžhubj€  )”}”(hhh]”(j…  )”}”(hŒ&``0`` means "reject access to sysctl";”h]”hÊ)”}”(hj  h]”(hÔ)”}”(hŒ``0``”h]”hŒ0”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj  ubhŒ% means â€œreject access to sysctlâ€;”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K4hjÿ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hjü  hžhhŸh³h Nubj…  )”}”(hŒ#``1`` means "proceed with access".
”h]”hÊ)”}”(hŒ"``1`` means "proceed with access".”h]”(hÔ)”}”(hŒ``1``”h]”hŒ1”…””}”(hj,  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj(  ubhŒ! means â€œproceed with accessâ€.”…””}”(hj(  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K5hj$  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hjü  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”jž  jŸ  uh1j  hŸh³h K4hjÏ  hžhubhÊ)”}”(hŒ|If program returns ``0`` user space will get ``-1`` from ``read(2)`` or
``write(2)`` and ``errno`` will be set to ``EPERM``.”h]”(hŒIf program returns ”…””}”(hjP  hžhhŸNh NubhÔ)”}”(hŒ``0``”h]”hŒ0”…””}”(hjX  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjP  ubhŒ user space will get ”…””}”(hjP  hžhhŸNh NubhÔ)”}”(hŒ``-1``”h]”hŒ-1”…””}”(hjj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjP  ubhŒ from ”…””}”(hjP  hžhhŸNh NubhÔ)”}”(hŒ``read(2)``”h]”hŒread(2)”…””}”(hj|  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjP  ubhŒ or
”…””}”(hjP  hžhhŸNh NubhÔ)”}”(hŒ``write(2)``”h]”hŒwrite(2)”…””}”(hjŽ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjP  ubhŒ and ”…””}”(hjP  hžhhŸNh NubhÔ)”}”(hŒ	``errno``”h]”hŒerrno”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjP  ubhŒ will be set to ”…””}”(hjP  hžhhŸNh NubhÔ)”}”(hŒ	``EPERM``”h]”hŒEPERM”…””}”(hj²  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjP  ubhŒ.”…””}”(hjP  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K7hjÏ  hžhubeh}”(h]”Œreturn-code”ah ]”h"]”Œ3. return code”ah$]”h&]”uh1h´hh¶hžhhŸh³h K/ubhµ)”}”(hhh]”(hº)”}”(hŒ
4. Helpers”h]”hŒ
4. Helpers”…””}”(hjÕ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjÒ  hžhhŸh³h K;ubhÊ)”}”(hŒ‚Since sysctl knob is represented by a name and a value, sysctl specific BPF
helpers focus on providing access to these properties:”h]”hŒ‚Since sysctl knob is represented by a name and a value, sysctl specific BPF
helpers focus on providing access to these properties:”…””}”(hjã  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K=hjÒ  hžhubj€  )”}”(hhh]”(j…  )”}”(hŒt``bpf_sysctl_get_name()`` to get sysctl name as it is visible in
``/proc/sys`` into provided by BPF program buffer;
”h]”hÊ)”}”(hŒs``bpf_sysctl_get_name()`` to get sysctl name as it is visible in
``/proc/sys`` into provided by BPF program buffer;”h]”(hÔ)”}”(hŒ``bpf_sysctl_get_name()``”h]”hŒbpf_sysctl_get_name()”…””}”(hjü  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjø  ubhŒ( to get sysctl name as it is visible in
”…””}”(hjø  hžhhŸNh NubhÔ)”}”(hŒ``/proc/sys``”h]”hŒ	/proc/sys”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjø  ubhŒ% into provided by BPF program buffer;”…””}”(hjø  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K@hjô  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hjñ  hžhhŸh³h Nubj…  )”}”(hŒÃ``bpf_sysctl_get_current_value()`` to get string value currently held by
sysctl into provided by BPF program buffer. This helper is available on both
``read(2)`` from and ``write(2)`` to sysctl;
”h]”hÊ)”}”(hŒÂ``bpf_sysctl_get_current_value()`` to get string value currently held by
sysctl into provided by BPF program buffer. This helper is available on both
``read(2)`` from and ``write(2)`` to sysctl;”h]”(hÔ)”}”(hŒ"``bpf_sysctl_get_current_value()``”h]”hŒbpf_sysctl_get_current_value()”…””}”(hj4  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj0  ubhŒt to get string value currently held by
sysctl into provided by BPF program buffer. This helper is available on both
”…””}”(hj0  hžhhŸNh NubhÔ)”}”(hŒ``read(2)``”h]”hŒread(2)”…””}”(hjF  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj0  ubhŒ
 from and ”…””}”(hj0  hžhhŸNh NubhÔ)”}”(hŒ``write(2)``”h]”hŒwrite(2)”…””}”(hjX  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj0  ubhŒ to sysctl;”…””}”(hj0  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KChj,  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hjñ  hžhhŸh³h Nubj…  )”}”(hŒ«``bpf_sysctl_get_new_value()`` to get new string value currently being
written to sysctl before actual write happens. This helper can be used only
on ``ctx->write == 1``;
”h]”hÊ)”}”(hŒª``bpf_sysctl_get_new_value()`` to get new string value currently being
written to sysctl before actual write happens. This helper can be used only
on ``ctx->write == 1``;”h]”(hÔ)”}”(hŒ``bpf_sysctl_get_new_value()``”h]”hŒbpf_sysctl_get_new_value()”…””}”(hj~  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjz  ubhŒx to get new string value currently being
written to sysctl before actual write happens. This helper can be used only
on ”…””}”(hjz  hžhhŸNh NubhÔ)”}”(hŒ``ctx->write == 1``”h]”hŒctx->write == 1”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjz  ubhŒ;”…””}”(hjz  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KGhjv  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hjñ  hžhhŸh³h Nubj…  )”}”(hXè  ``bpf_sysctl_set_new_value()`` to override new string value currently being
written to sysctl before actual write happens. Sysctl value will be
overridden starting from the current ``ctx->file_pos``. If the whole value
has to be overridden BPF program can set ``file_pos`` to zero before calling
to the helper. This helper can be used only on ``ctx->write == 1``. New
string value set by the helper is treated and verified by kernel same way as
an equivalent string passed by user space.
”h]”hÊ)”}”(hXç  ``bpf_sysctl_set_new_value()`` to override new string value currently being
written to sysctl before actual write happens. Sysctl value will be
overridden starting from the current ``ctx->file_pos``. If the whole value
has to be overridden BPF program can set ``file_pos`` to zero before calling
to the helper. This helper can be used only on ``ctx->write == 1``. New
string value set by the helper is treated and verified by kernel same way as
an equivalent string passed by user space.”h]”(hÔ)”}”(hŒ``bpf_sysctl_set_new_value()``”h]”hŒbpf_sysctl_set_new_value()”…””}”(hj¶  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj²  ubhŒ— to override new string value currently being
written to sysctl before actual write happens. Sysctl value will be
overridden starting from the current ”…””}”(hj²  hžhhŸNh NubhÔ)”}”(hŒ``ctx->file_pos``”h]”hŒctx->file_pos”…””}”(hjÈ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj²  ubhŒ>. If the whole value
has to be overridden BPF program can set ”…””}”(hj²  hžhhŸNh NubhÔ)”}”(hŒ``file_pos``”h]”hŒfile_pos”…””}”(hjÚ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj²  ubhŒG to zero before calling
to the helper. This helper can be used only on ”…””}”(hj²  hžhhŸNh NubhÔ)”}”(hŒ``ctx->write == 1``”h]”hŒctx->write == 1”…””}”(hjì  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj²  ubhŒ}. New
string value set by the helper is treated and verified by kernel same way as
an equivalent string passed by user space.”…””}”(hj²  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KKhj®  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hjñ  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”jž  jŸ  uh1j  hŸh³h K@hjÒ  hžhubhÊ)”}”(hŒîBPF program sees sysctl value same way as user space does in proc filesystem,
i.e. as a string. Since many sysctl values represent an integer or a vector
of integers, the following helpers can be used to get numeric value from the
string:”h]”hŒîBPF program sees sysctl value same way as user space does in proc filesystem,
i.e. as a string. Since many sysctl values represent an integer or a vector
of integers, the following helpers can be used to get numeric value from the
string:”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KShjÒ  hžhubj€  )”}”(hhh]”(j…  )”}”(hŒj``bpf_strtol()`` to convert initial part of the string to long integer
similar to user space `strtol(3)`_;”h]”hÊ)”}”(hŒj``bpf_strtol()`` to convert initial part of the string to long integer
similar to user space `strtol(3)`_;”h]”(hÔ)”}”(hŒ``bpf_strtol()``”h]”hŒbpf_strtol()”…””}”(hj)  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj%  ubhŒM to convert initial part of the string to long integer
similar to user space ”…””}”(hj%  hžhhŸNh Nubj©  )”}”(hŒ`strtol(3)`_”h]”hŒ	strtol(3)”…””}”(hj;  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ	strtol(3)”jº  Œ3http://man7.org/linux/man-pages/man3/strtol.3p.html”uh1j¨  hj%  j¼  KubhŒ;”…””}”(hj%  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KXhj!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hj  hžhhŸh³h Nubj…  )”}”(hŒv``bpf_strtoul()`` to convert initial part of the string to unsigned long
integer similar to user space `strtoul(3)`_;
”h]”hÊ)”}”(hŒu``bpf_strtoul()`` to convert initial part of the string to unsigned long
integer similar to user space `strtoul(3)`_;”h]”(hÔ)”}”(hŒ``bpf_strtoul()``”h]”hŒbpf_strtoul()”…””}”(hjd  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj`  ubhŒV to convert initial part of the string to unsigned long
integer similar to user space ”…””}”(hj`  hžhhŸNh Nubj©  )”}”(hŒ`strtoul(3)`_”h]”hŒ
strtoul(3)”…””}”(hjv  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ
strtoul(3)”jº  Œ4http://man7.org/linux/man-pages/man3/strtoul.3p.html”uh1j¨  hj`  j¼  KubhŒ;”…””}”(hj`  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KZhj\  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hj  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”jž  jŸ  uh1j  hŸh³h KXhjÒ  hžhubhÊ)”}”(hŒ>See `linux/bpf.h`_ for more details on helpers described here.”h]”(hŒSee ”…””}”(hj  hžhhŸNh Nubj©  )”}”(hŒ`linux/bpf.h`_”h]”hŒlinux/bpf.h”…””}”(hj¥  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œlinux/bpf.h”jº  j»  uh1j¨  hj  j¼  KubhŒ, for more details on helpers described here.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K]hjÒ  hžhubeh}”(h]”Œhelpers”ah ]”h"]”Œ
4. helpers”ah$]”h&]”uh1h´hh¶hžhhŸh³h K;ubhµ)”}”(hhh]”(hº)”}”(hŒ5. Examples”h]”hŒ5. Examples”…””}”(hjÊ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjÇ  hžhhŸh³h K`ubhÊ)”}”(hŒÝSee `test_sysctl_prog.c`_ for an example of BPF program in C that access
sysctl name and value, parses string value to get vector of integers and uses
the result to make decision whether to allow or deny access to sysctl.”h]”(hŒSee ”…””}”(hjØ  hžhhŸNh Nubj©  )”}”(hŒ`test_sysctl_prog.c`_”h]”hŒtest_sysctl_prog.c”…””}”(hjà  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œtest_sysctl_prog.c”jº  Œ:../../tools/testing/selftests/bpf/progs/test_sysctl_prog.c”uh1j¨  hjØ  j¼  KubhŒÄ for an example of BPF program in C that access
sysctl name and value, parses string value to get vector of integers and uses
the result to make decision whether to allow or deny access to sysctl.”…””}”(hjØ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KbhjÇ  hžhubeh}”(h]”Œexamples”ah ]”h"]”Œ5. examples”ah$]”h&]”uh1h´hh¶hžhhŸh³h K`ubhµ)”}”(hhh]”(hº)”}”(hŒ6. Notes”h]”hŒ6. Notes”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj  hžhhŸh³h KgubhÊ)”}”(hŒà``BPF_PROG_TYPE_CGROUP_SYSCTL`` is intended to be used in **trusted** root
environment, for example to monitor sysctl usage or catch unreasonable values
an application, running as root in a separate cgroup, is trying to set.”h]”(hÔ)”}”(hŒ``BPF_PROG_TYPE_CGROUP_SYSCTL``”h]”hŒBPF_PROG_TYPE_CGROUP_SYSCTL”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhj  ubhŒ is intended to be used in ”…””}”(hj  hžhhŸNh NubhŒstrong”“”)”}”(hŒ**trusted**”h]”hŒtrusted”…””}”(hj,  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j*  hj  ubhŒ› root
environment, for example to monitor sysctl usage or catch unreasonable values
an application, running as root in a separate cgroup, is trying to set.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Kihj  hžhubhÊ)”}”(hX¥  Since `task_dfl_cgroup(current)` is called at `sys_read` / `sys_write` time it
may return results different from that at `sys_open` time, i.e. process that
opened sysctl file in proc filesystem may differ from process that is trying
to read from / write to it and two such processes may run in different
cgroups, what means ``BPF_PROG_TYPE_CGROUP_SYSCTL`` should not be used as a
security mechanism to limit sysctl usage.”h]”(hŒSince ”…””}”(hjD  hžhhŸNh NubhŒtitle_reference”“”)”}”(hŒ`task_dfl_cgroup(current)`”h]”hŒtask_dfl_cgroup(current)”…””}”(hjN  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hjD  ubhŒ is called at ”…””}”(hjD  hžhhŸNh NubjM  )”}”(hŒ
`sys_read`”h]”hŒsys_read”…””}”(hj`  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hjD  ubhŒ / ”…””}”(hjD  hžhhŸNh NubjM  )”}”(hŒ`sys_write`”h]”hŒ	sys_write”…””}”(hjr  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hjD  ubhŒ3 time it
may return results different from that at ”…””}”(hjD  hžhhŸNh NubjM  )”}”(hŒ
`sys_open`”h]”hŒsys_open”…””}”(hj„  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hjD  ubhŒÁ time, i.e. process that
opened sysctl file in proc filesystem may differ from process that is trying
to read from / write to it and two such processes may run in different
cgroups, what means ”…””}”(hjD  hžhhŸNh NubhÔ)”}”(hŒ``BPF_PROG_TYPE_CGROUP_SYSCTL``”h]”hŒBPF_PROG_TYPE_CGROUP_SYSCTL”…””}”(hj–  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÓhjD  ubhŒB should not be used as a
security mechanism to limit sysctl usage.”…””}”(hjD  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Kmhj  hžhubhÊ)”}”(hŒ»As with any cgroup-bpf program additional care should be taken if an
application running as root in a cgroup should not be allowed to
detach/replace BPF program attached by administrator.”h]”hŒ»As with any cgroup-bpf program additional care should be taken if an
application running as root in a cgroup should not be allowed to
detach/replace BPF program attached by administrator.”…””}”(hj®  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Kthj  hžhubh¢)”}”(hŒLinks”h]”hŒLinks”…””}”hj¼  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1h¡hj  hžhhŸh³h KxubhŒtarget”“”)”}”(hŒ/.. _linux/bpf.h: ../../include/uapi/linux/bpf.h”h]”h}”(h]”Œlinux-bpf-h”ah ]”h"]”Œlinux/bpf.h”ah$]”h&]”jº  j»  uh1jÊ  h Kyhj  hžhhŸh³Œ
referenced”KubjË  )”}”(hŒB.. _strtol(3): http://man7.org/linux/man-pages/man3/strtol.3p.html”h]”h}”(h]”Œstrtol-3”ah ]”h"]”Œ	strtol(3)”ah$]”h&]”jº  jK  uh1jÊ  h Kzhj  hžhhŸh³jØ  KubjË  )”}”(hŒD.. _strtoul(3): http://man7.org/linux/man-pages/man3/strtoul.3p.html”h]”h}”(h]”Œ	strtoul-3”ah ]”h"]”Œ
strtoul(3)”ah$]”h&]”jº  j†  uh1jÊ  h K{hj  hžhhŸh³jØ  KubjË  )”}”(hŒU.. _test_sysctl_prog.c:
   ../../tools/testing/selftests/bpf/progs/test_sysctl_prog.c”h]”h}”(h]”Œtest-sysctl-prog-c”ah ]”h"]”Œtest_sysctl_prog.c”ah$]”h&]”jº  jð  uh1jÊ  h K|hj  hžhhŸh³jØ  Kubeh}”(h]”Œnotes”ah ]”h"]”Œ6. notes”ah$]”h&]”uh1h´hh¶hžhhŸh³h Kgubeh}”(h]”Œbpf-prog-type-cgroup-sysctl”ah ]”h"]”Œbpf_prog_type_cgroup_sysctl”ah$]”h&]”uh1h´hhhžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(h¹NŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j0  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”(Œlinux/bpf.h”]”(jª  j¥  eŒ	strtol(3)”]”j;  aŒ
strtoul(3)”]”jv  aŒtest_sysctl_prog.c”]”jà  auŒrefids”}”Œnameids”}”(j
  j  j?  j<  jÌ  jÉ  jÏ  jÌ  jÄ  jÁ  j   jý  j  jÿ  jÕ  jÒ  jâ  jß  jî  jë  jú  j÷  uŒ	nametypes”}”(j
  ‰j?  ‰jÌ  ‰jÏ  ‰jÄ  ‰j   ‰j  ‰jÕ  ˆjâ  ˆjî  ˆjú  ˆuh}”(j  h¶j<  hûjÉ  jB  jÌ  jÏ  jÁ  jÒ  jý  jÇ  jÿ  j  jÒ  jÌ  jß  jÙ  jë  jå  j÷  jñ  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.