bpf: don't allow create maps of cgroup local storages

As there is one-to-one relation between a bpf program
and cgroup local storage map, there is no sense in
creating a map of cgroup local storage maps.

Forbid it explicitly to avoid possible side effects.

Signed-off-by: Roman Gushchin <guro@fb.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

diff --git a/kernel/bpf/map_in_map.c b/kernel/bpf/map_in_map.c
index 1da574612bea75dabfe60c6967dce9c55a5e662b..3bfbf4464416b747f1d76624df2393c2d7b95078 100644 (file)
--- a/kernel/bpf/map_in_map.c
+++ b/kernel/bpf/map_in_map.c
@@ -23,7 +23,8 @@ struct bpf_map *bpf_map_meta_alloc(int inner_map_ufd)
         * is a runtime binding.  Doing static check alone
         * in the verifier is not enough.
         */
-       if (inner_map->map_type == BPF_MAP_TYPE_PROG_ARRAY) {
+       if (inner_map->map_type == BPF_MAP_TYPE_PROG_ARRAY ||
+           inner_map->map_type == BPF_MAP_TYPE_CGROUP_STORAGE) {
                fdput(f);
                return ERR_PTR(-ENOTSUPP);
        }