// SPDX-License-Identifier: GPL-2.0

#include <linux/stddef.h>
#include <linux/bpf.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>

/*
 * Common verdict logic shared by the IPv4 and IPv6 cgroup bind hooks.
 *
 * @ctx:    bind context supplied to the hook; this function reads its
 *          socket pointer, socket type and requested port.
 * @family: address family the calling hook is responsible for.
 *
 * Returns 0 when the context has no socket, when the socket's family is
 * not @family, or when the socket type is not SOCK_STREAM. In cgroup
 * programs a 0 verdict rejects the operation, so every non-stream bind
 * reaching these hooks is refused.
 *
 * Returns 1 (allow) for every other stream bind. For port 111 the
 * verdict is 1 | 2: the value-2 bit (bit 1) tells the kernel to bypass
 * the CAP_NET_BIND_SERVICE check for this bind.
 *
 * Security note: the bypass applies to any task in the cgroup this
 * program is attached to, whatever its own capabilities. Attaching it
 * is therefore a privilege grant for port 111 and should be limited to
 * cgroups where an unprivileged bind to that port is intended.
 */
static __always_inline int bind_prog(struct bpf_sock_addr *ctx, int family)
{
	const int allow = 1;
	const int skip_cap_check = 2;
	struct bpf_sock *sock = ctx->sk;

	/* The NULL test comes first so sock is never dereferenced unchecked. */
	if (!sock || sock->family != family || ctx->type != SOCK_STREAM)
		return 0;

	/* user_port is in network byte order, hence bpf_htons(). */
	if (ctx->user_port != bpf_htons(111))
		return allow;

	return (allow | skip_cap_check);
}

/* IPv4 entry point: applies the shared bind policy to AF_INET sockets. */
SEC("cgroup/bind4")
int bind_v4_prog(struct bpf_sock_addr *ctx)
{
	int verdict = bind_prog(ctx, AF_INET);

	return verdict;
}

/* IPv6 entry point: applies the shared bind policy to AF_INET6 sockets. */
SEC("cgroup/bind6")
int bind_v6_prog(struct bpf_sock_addr *ctx)
{
	int verdict = bind_prog(ctx, AF_INET6);

	return verdict;
}

/* License string placed in the "license" section of the object. */
char _license[] SEC("license") = "GPL";