From 99be52a0419eab6e0f77a95ce93a65ccf390ac54 Mon Sep 17 00:00:00 2001 From: Mehnaz Yunus Date: Thu, 4 Dec 2025 00:50:54 +0000 Subject: [PATCH] aya: Set attach mode flag to 0 in bpf_link_create --- aya/src/programs/cgroup_device.rs | 13 +++++++++++- aya/src/programs/cgroup_skb.rs | 30 ++++++++++++++++------------ aya/src/programs/cgroup_sock.rs | 27 +++++++++++++++---------- aya/src/programs/cgroup_sock_addr.rs | 27 +++++++++++++++---------- aya/src/programs/cgroup_sockopt.rs | 27 +++++++++++++++---------- aya/src/programs/cgroup_sysctl.rs | 13 +++++++++++- aya/src/programs/links.rs | 2 +- aya/src/programs/sock_ops.rs | 27 +++++++++++++++---------- 8 files changed, 106 insertions(+), 60 deletions(-) diff --git a/aya/src/programs/cgroup_device.rs b/aya/src/programs/cgroup_device.rs index ccbd01ba..fea531ef 100644 --- a/aya/src/programs/cgroup_device.rs +++ b/aya/src/programs/cgroup_device.rs @@ -1,5 +1,6 @@ //! Cgroup device programs. +use log::warn; use std::os::fd::AsFd; use aya_obj::generated::{ @@ -67,6 +68,10 @@ impl CgroupDevice { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [CgroupDevice::detach] + /// + /// # Warning + /// + /// attach modes other than CgroupAttachMode::default() may not be passed on to kernel BPF APIs pub fn attach( &mut self, cgroup: T, @@ -77,11 +82,17 @@ impl CgroupDevice { let cgroup_fd = cgroup.as_fd(); if KernelVersion::at_least(5, 7, 0) { + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } let link_fd = bpf_link_create( prog_fd, LinkTarget::Fd(cgroup_fd), BPF_CGROUP_DEVICE, - mode.into(), + 0, None, ) .map_err(|io_error| SyscallError { diff --git a/aya/src/programs/cgroup_skb.rs b/aya/src/programs/cgroup_skb.rs index 28f053bb..e8fd636b 100644 --- a/aya/src/programs/cgroup_skb.rs +++ b/aya/src/programs/cgroup_skb.rs @@ -1,11 +1,11 @@ //! Cgroup skb programs. -use std::{hash::Hash, os::fd::AsFd, path::Path}; - use aya_obj::generated::{ bpf_attach_type::{BPF_CGROUP_INET_EGRESS, BPF_CGROUP_INET_INGRESS}, bpf_prog_type::BPF_PROG_TYPE_CGROUP_SKB, }; +use log::warn; +use std::{hash::Hash, os::fd::AsFd, path::Path}; use crate::{ VerifierLogLevel, @@ -86,6 +86,10 @@ impl CgroupSkb { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [CgroupSkb::detach]. + /// + /// # Warning + /// + /// attach modes other than CgroupAttachMode::default() may not be passed on to kernel BPF APIs pub fn attach( &mut self, cgroup: T, @@ -101,17 +105,17 @@ impl CgroupSkb { CgroupSkbAttachType::Egress => BPF_CGROUP_INET_EGRESS, }; if KernelVersion::at_least(5, 7, 0) { - let link_fd = bpf_link_create( - prog_fd, - LinkTarget::Fd(cgroup_fd), - attach_type, - mode.into(), - None, - ) - .map_err(|io_error| SyscallError { - call: "bpf_link_create", - io_error, - })?; + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } + let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None) + .map_err(|io_error| SyscallError { + call: "bpf_link_create", + io_error, + })?; self.data .links .insert(CgroupSkbLink::new(CgroupSkbLinkInner::Fd(FdLink::new( diff --git a/aya/src/programs/cgroup_sock.rs b/aya/src/programs/cgroup_sock.rs index 4b1b768e..84d9f678 100644 --- a/aya/src/programs/cgroup_sock.rs +++ b/aya/src/programs/cgroup_sock.rs @@ -1,5 +1,6 @@ //! Cgroup socket programs. +use log::warn; use std::{hash::Hash, os::fd::AsFd, path::Path}; use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCK; @@ -70,6 +71,10 @@ impl CgroupSock { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [CgroupSock::detach]. + /// + /// # Warning + /// + /// attach modes other than CgroupAttachMode::default() may not be passed on to kernel BPF APIs pub fn attach( &mut self, cgroup: T, @@ -80,17 +85,17 @@ impl CgroupSock { let cgroup_fd = cgroup.as_fd(); let attach_type = self.data.expected_attach_type.unwrap(); if KernelVersion::at_least(5, 7, 0) { - let link_fd = bpf_link_create( - prog_fd, - LinkTarget::Fd(cgroup_fd), - attach_type, - mode.into(), - None, - ) - .map_err(|io_error| SyscallError { - call: "bpf_link_create", - io_error, - })?; + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } + let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None) + .map_err(|io_error| SyscallError { + call: "bpf_link_create", + io_error, + })?; self.data .links .insert(CgroupSockLink::new(CgroupSockLinkInner::Fd(FdLink::new( diff --git a/aya/src/programs/cgroup_sock_addr.rs b/aya/src/programs/cgroup_sock_addr.rs index 1a11abfb..82b5466d 100644 --- a/aya/src/programs/cgroup_sock_addr.rs +++ b/aya/src/programs/cgroup_sock_addr.rs @@ -1,5 +1,6 @@ //! Cgroup socket address programs. +use log::warn; use std::{hash::Hash, os::fd::AsFd, path::Path}; use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCK_ADDR; @@ -71,6 +72,10 @@ impl CgroupSockAddr { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [CgroupSockAddr::detach]. + /// + /// # Warning + /// + /// attach modes other than CgroupAttachMode::default() may not be passed on to kernel BPF APIs pub fn attach( &mut self, cgroup: T, @@ -81,17 +86,17 @@ impl CgroupSockAddr { let cgroup_fd = cgroup.as_fd(); let attach_type = self.data.expected_attach_type.unwrap(); if KernelVersion::at_least(5, 7, 0) { - let link_fd = bpf_link_create( - prog_fd, - LinkTarget::Fd(cgroup_fd), - attach_type, - mode.into(), - None, - ) - .map_err(|io_error| SyscallError { - call: "bpf_link_create", - io_error, - })?; + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } + let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None) + .map_err(|io_error| SyscallError { + call: "bpf_link_create", + io_error, + })?; self.data .links .insert(CgroupSockAddrLink::new(CgroupSockAddrLinkInner::Fd( diff --git a/aya/src/programs/cgroup_sockopt.rs b/aya/src/programs/cgroup_sockopt.rs index 2bd9d6d7..c1ea3368 100644 --- a/aya/src/programs/cgroup_sockopt.rs +++ b/aya/src/programs/cgroup_sockopt.rs @@ -1,5 +1,6 @@ //! Cgroup socket option programs. +use log::warn; use std::{hash::Hash, os::fd::AsFd, path::Path}; use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCKOPT; @@ -68,6 +69,10 @@ impl CgroupSockopt { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [CgroupSockopt::detach]. + /// + /// # Warning + /// + /// attach modes other than CgroupAttachMode::default() may not be passed on to kernel BPF APIs pub fn attach( &mut self, cgroup: T, @@ -78,17 +83,17 @@ impl CgroupSockopt { let cgroup_fd = cgroup.as_fd(); let attach_type = self.data.expected_attach_type.unwrap(); if KernelVersion::at_least(5, 7, 0) { - let link_fd = bpf_link_create( - prog_fd, - LinkTarget::Fd(cgroup_fd), - attach_type, - mode.into(), - None, - ) - .map_err(|io_error| SyscallError { - call: "bpf_link_create", - io_error, - })?; + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } + let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None) + .map_err(|io_error| SyscallError { + call: "bpf_link_create", + io_error, + })?; self.data .links .insert(CgroupSockoptLink::new(CgroupSockoptLinkInner::Fd( diff --git a/aya/src/programs/cgroup_sysctl.rs b/aya/src/programs/cgroup_sysctl.rs index c98256bb..f8d96594 100644 --- a/aya/src/programs/cgroup_sysctl.rs +++ b/aya/src/programs/cgroup_sysctl.rs @@ -1,5 +1,6 @@ //! Cgroup sysctl programs. +use log::warn; use std::{hash::Hash, os::fd::AsFd}; use aya_obj::generated::{ @@ -66,6 +67,10 @@ impl CgroupSysctl { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [CgroupSysctl::detach]. + /// + /// # Warning + /// + /// attach modes other than CgroupAttachMode::default() may not be passed on to kernel BPF APIs pub fn attach( &mut self, cgroup: T, @@ -76,11 +81,17 @@ impl CgroupSysctl { let cgroup_fd = cgroup.as_fd(); if KernelVersion::at_least(5, 7, 0) { + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } let link_fd = bpf_link_create( prog_fd, LinkTarget::Fd(cgroup_fd), BPF_CGROUP_SYSCTL, - mode.into(), + 0, None, ) .map_err(|io_error| SyscallError { diff --git a/aya/src/programs/links.rs b/aya/src/programs/links.rs index 1a80f9e1..1868954a 100644 --- a/aya/src/programs/links.rs +++ b/aya/src/programs/links.rs @@ -38,7 +38,7 @@ pub trait Link: std::fmt::Debug + Eq + std::hash::Hash + 'static { } /// Program attachment mode. -#[derive(Clone, Copy, Debug, Default)] +#[derive(Clone, Copy, Debug, Default, PartialEq)] pub enum CgroupAttachMode { /// Allows only one BPF program in the cgroup subtree. #[default] diff --git a/aya/src/programs/sock_ops.rs b/aya/src/programs/sock_ops.rs index 01f3b100..28cb0b30 100644 --- a/aya/src/programs/sock_ops.rs +++ b/aya/src/programs/sock_ops.rs @@ -1,4 +1,5 @@ //! Socket option programs. +use log::warn; use std::os::fd::AsFd; use aya_obj::generated::{ @@ -65,6 +66,10 @@ impl SockOps { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [SockOps::detach]. + /// + /// # Warning + /// + /// attach modes other than CgroupAttachMode::default() may not be passed on to kernel BPF APIs pub fn attach( &mut self, cgroup: T, @@ -75,17 +80,17 @@ impl SockOps { let cgroup_fd = cgroup.as_fd(); let attach_type = BPF_CGROUP_SOCK_OPS; if KernelVersion::at_least(5, 7, 0) { - let link_fd = bpf_link_create( - prog_fd, - LinkTarget::Fd(cgroup_fd), - attach_type, - mode.into(), - None, - ) - .map_err(|io_error| SyscallError { - call: "bpf_link_create", - io_error, - })?; + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } + let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None) + .map_err(|io_error| SyscallError { + call: "bpf_link_create", + io_error, + })?; self.data .links .insert(SockOpsLink::new(SockOpsLinkInner::Fd(FdLink::new(link_fd))))