[PATCHSET v5] Inherited restrictions and BPF filtering

[Jens Axboe <axboe@kernel.dk>]

Hi,

Followup to v4 here:

https://lore.kernel.org/io-uring/20260116224356.399361-1-axboe@kernel.dk/

Due to some feedback from Christian, ended up redoing the filter side of
this to use cBPF rather than eBPF. This provides better support for the
some of the intended use case of this, like containers, as eBPF cannot
be used unprivileged there. This obviously comes with a bit of pain on
the usability front, as you now need to write filters in cBPF bytecode.
I did keep the API such that eBPF filters can be added as well, but that
can be a separate patch. Since the BPF type is just a minor part of this
change, most of the code is exactly the same as before.

As before, filters can be registered with directly with a ring, or with
the calling task. Filters registered with a ring only affect that ring,
while filters registered with a task will affect any ring subsequently
created. Additionally, task filters are inherited across fork. For both
the original task and any of its children, once registered, only further
restrictions may be added. A forked child initially starts with a
reference to its parent table. If the parent makes changes to that
table, they will also affect the child. The exception being if the child
registers further filters - in that case, the filters table is COW'ed
and the reference is dropped to the parent table.

Kernel branch can be found here:

https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git/log/?h=io_uring-bpf-restrictions.2

and a liburing branch with support helpers and a fairly substantial test
case can be found here:

https://git.kernel.org/pub/scm/linux/kernel/git/axboe/liburing.git/log/?h=bpf-restrictions

 include/linux/io_uring.h                 |  14 +-
 include/linux/io_uring_types.h           |  13 +
 include/linux/sched.h                    |   1 +
 include/uapi/linux/io_uring.h            |  10 +
 include/uapi/linux/io_uring/bpf_filter.h |  54 +++
 io_uring/Kconfig                         |   5 +
 io_uring/Makefile                        |   1 +
 io_uring/bpf_filter.c                    | 430 +++++++++++++++++++++++
 io_uring/bpf_filter.h                    |  48 +++
 io_uring/io_uring.c                      |  48 +++
 io_uring/io_uring.h                      |   1 +
 io_uring/net.c                           |   9 +
 io_uring/net.h                           |   6 +
 io_uring/register.c                      |  76 ++++
 io_uring/tctx.c                          |  42 ++-
 kernel/fork.c                            |   5 +
 16 files changed, 753 insertions(+), 10 deletions(-)

Changes since v4
- Drop eBPF and switch to cBPF instead. This is a bit of a pain on the
  userspace side obviously, as you now have to write bytecode. But it's
  necessary for supporting some of the use cases we care about, like
  containers.
- Add ctx->bpf_filters cache to reduce dereferences needed to get to
  the filter table.
- Do fast "no filter exists for this opcode" check.
- Fix bug with dummy filter in iterating and running filters.
- Fix bug with ring inheriting task filters for classic filters.
- Move uapi headers to io_uring/bpf_filter.h
- Add Kconfig CONFIG_IO_URING_BPF symbol

-- 
Jens Axboe