From b1fea0fbec6091c1aa142300fe8ae1ed1a151747 Mon Sep 17 00:00:00 2001 From: Mehnaz Yunus Date: Thu, 4 Dec 2025 00:50:54 +0000 Subject: [PATCH] aya: Set attach mode flag to 0 in bpf_link_create --- aya/src/programs/cgroup_device.rs | 14 +++++++++++++- aya/src/programs/cgroup_skb.rs | 27 ++++++++++++++++----------- aya/src/programs/cgroup_sock.rs | 27 ++++++++++++++++----------- aya/src/programs/cgroup_sock_addr.rs | 28 +++++++++++++++++----------- aya/src/programs/cgroup_sockopt.rs | 28 +++++++++++++++++----------- aya/src/programs/cgroup_sysctl.rs | 13 ++++++++++++- aya/src/programs/links.rs | 2 +- aya/src/programs/sock_ops.rs | 28 +++++++++++++++++----------- 8 files changed, 109 insertions(+), 58 deletions(-) diff --git a/aya/src/programs/cgroup_device.rs b/aya/src/programs/cgroup_device.rs index ccbd01ba..dfe09cf2 100644 --- a/aya/src/programs/cgroup_device.rs +++ b/aya/src/programs/cgroup_device.rs @@ -5,6 +5,7 @@ use std::os::fd::AsFd; use aya_obj::generated::{ bpf_attach_type::BPF_CGROUP_DEVICE, bpf_prog_type::BPF_PROG_TYPE_CGROUP_DEVICE, }; +use log::warn; use crate::{ programs::{ @@ -67,6 +68,11 @@ impl CgroupDevice { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [CgroupDevice::detach] + /// + /// # Warning + /// + /// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to bpf_link_create. + /// On older kernels that use bpf_prog_attach, the attach mode is honored. pub fn attach( &mut self, cgroup: T, @@ -77,11 +83,17 @@ impl CgroupDevice { let cgroup_fd = cgroup.as_fd(); if KernelVersion::at_least(5, 7, 0) { + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } let link_fd = bpf_link_create( prog_fd, LinkTarget::Fd(cgroup_fd), BPF_CGROUP_DEVICE, - mode.into(), + 0, None, ) .map_err(|io_error| SyscallError { diff --git a/aya/src/programs/cgroup_skb.rs b/aya/src/programs/cgroup_skb.rs index 28f053bb..79cf13e0 100644 --- a/aya/src/programs/cgroup_skb.rs +++ b/aya/src/programs/cgroup_skb.rs @@ -6,6 +6,7 @@ use aya_obj::generated::{ bpf_attach_type::{BPF_CGROUP_INET_EGRESS, BPF_CGROUP_INET_INGRESS}, bpf_prog_type::BPF_PROG_TYPE_CGROUP_SKB, }; +use log::warn; use crate::{ VerifierLogLevel, @@ -86,6 +87,10 @@ impl CgroupSkb { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [CgroupSkb::detach]. + /// + /// # Warning + /// + /// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to bpf_link_create. pub fn attach( &mut self, cgroup: T, @@ -101,17 +106,17 @@ impl CgroupSkb { CgroupSkbAttachType::Egress => BPF_CGROUP_INET_EGRESS, }; if KernelVersion::at_least(5, 7, 0) { - let link_fd = bpf_link_create( - prog_fd, - LinkTarget::Fd(cgroup_fd), - attach_type, - mode.into(), - None, - ) - .map_err(|io_error| SyscallError { - call: "bpf_link_create", - io_error, - })?; + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } + let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None) + .map_err(|io_error| SyscallError { + call: "bpf_link_create", + io_error, + })?; self.data .links .insert(CgroupSkbLink::new(CgroupSkbLinkInner::Fd(FdLink::new( diff --git a/aya/src/programs/cgroup_sock.rs b/aya/src/programs/cgroup_sock.rs index 4b1b768e..386fbc92 100644 --- a/aya/src/programs/cgroup_sock.rs +++ b/aya/src/programs/cgroup_sock.rs @@ -4,6 +4,7 @@ use std::{hash::Hash, os::fd::AsFd, path::Path}; use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCK; pub use aya_obj::programs::CgroupSockAttachType; +use log::warn; use crate::{ VerifierLogLevel, @@ -70,6 +71,10 @@ impl CgroupSock { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [CgroupSock::detach]. + /// + /// # Warning + /// + /// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to bpf_link_create. On older kernels that use bpf_prog_attach, the attach mode is still honored. pub fn attach( &mut self, cgroup: T, @@ -80,17 +85,17 @@ impl CgroupSock { let cgroup_fd = cgroup.as_fd(); let attach_type = self.data.expected_attach_type.unwrap(); if KernelVersion::at_least(5, 7, 0) { - let link_fd = bpf_link_create( - prog_fd, - LinkTarget::Fd(cgroup_fd), - attach_type, - mode.into(), - None, - ) - .map_err(|io_error| SyscallError { - call: "bpf_link_create", - io_error, - })?; + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } + let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None) + .map_err(|io_error| SyscallError { + call: "bpf_link_create", + io_error, + })?; self.data .links .insert(CgroupSockLink::new(CgroupSockLinkInner::Fd(FdLink::new( diff --git a/aya/src/programs/cgroup_sock_addr.rs b/aya/src/programs/cgroup_sock_addr.rs index 1a11abfb..d83c1364 100644 --- a/aya/src/programs/cgroup_sock_addr.rs +++ b/aya/src/programs/cgroup_sock_addr.rs @@ -4,6 +4,7 @@ use std::{hash::Hash, os::fd::AsFd, path::Path}; use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCK_ADDR; pub use aya_obj::programs::CgroupSockAddrAttachType; +use log::warn; use crate::{ VerifierLogLevel, @@ -71,6 +72,11 @@ impl CgroupSockAddr { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [CgroupSockAddr::detach]. + /// + /// # Warning + /// + /// On kernels 5.7.0 and later, attach modes other than `CgroupAttachMode::default()` are not passed to `bpf_link_create`. + /// On older kernels (using `bpf_prog_attach`), the attach mode is honored. pub fn attach( &mut self, cgroup: T, @@ -81,17 +87,17 @@ impl CgroupSockAddr { let cgroup_fd = cgroup.as_fd(); let attach_type = self.data.expected_attach_type.unwrap(); if KernelVersion::at_least(5, 7, 0) { - let link_fd = bpf_link_create( - prog_fd, - LinkTarget::Fd(cgroup_fd), - attach_type, - mode.into(), - None, - ) - .map_err(|io_error| SyscallError { - call: "bpf_link_create", - io_error, - })?; + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } + let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None) + .map_err(|io_error| SyscallError { + call: "bpf_link_create", + io_error, + })?; self.data .links .insert(CgroupSockAddrLink::new(CgroupSockAddrLinkInner::Fd( diff --git a/aya/src/programs/cgroup_sockopt.rs b/aya/src/programs/cgroup_sockopt.rs index 2bd9d6d7..b34e21d4 100644 --- a/aya/src/programs/cgroup_sockopt.rs +++ b/aya/src/programs/cgroup_sockopt.rs @@ -4,6 +4,7 @@ use std::{hash::Hash, os::fd::AsFd, path::Path}; use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCKOPT; pub use aya_obj::programs::CgroupSockoptAttachType; +use log::warn; use crate::{ VerifierLogLevel, @@ -68,6 +69,11 @@ impl CgroupSockopt { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [CgroupSockopt::detach]. + /// + /// # Warning + /// + /// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to + /// `bpf_link_create`. On older kernels, attach modes are honored. pub fn attach( &mut self, cgroup: T, @@ -78,17 +84,17 @@ impl CgroupSockopt { let cgroup_fd = cgroup.as_fd(); let attach_type = self.data.expected_attach_type.unwrap(); if KernelVersion::at_least(5, 7, 0) { - let link_fd = bpf_link_create( - prog_fd, - LinkTarget::Fd(cgroup_fd), - attach_type, - mode.into(), - None, - ) - .map_err(|io_error| SyscallError { - call: "bpf_link_create", - io_error, - })?; + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } + let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None) + .map_err(|io_error| SyscallError { + call: "bpf_link_create", + io_error, + })?; self.data .links .insert(CgroupSockoptLink::new(CgroupSockoptLinkInner::Fd( diff --git a/aya/src/programs/cgroup_sysctl.rs b/aya/src/programs/cgroup_sysctl.rs index c98256bb..6ccc516e 100644 --- a/aya/src/programs/cgroup_sysctl.rs +++ b/aya/src/programs/cgroup_sysctl.rs @@ -5,6 +5,7 @@ use std::{hash::Hash, os::fd::AsFd}; use aya_obj::generated::{ bpf_attach_type::BPF_CGROUP_SYSCTL, bpf_prog_type::BPF_PROG_TYPE_CGROUP_SYSCTL, }; +use log::warn; use crate::{ programs::{ @@ -66,6 +67,10 @@ impl CgroupSysctl { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [CgroupSysctl::detach]. + /// + /// # Warning + /// + /// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to bpf_link_create. pub fn attach( &mut self, cgroup: T, @@ -76,11 +81,17 @@ impl CgroupSysctl { let cgroup_fd = cgroup.as_fd(); if KernelVersion::at_least(5, 7, 0) { + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } let link_fd = bpf_link_create( prog_fd, LinkTarget::Fd(cgroup_fd), BPF_CGROUP_SYSCTL, - mode.into(), + 0, None, ) .map_err(|io_error| SyscallError { diff --git a/aya/src/programs/links.rs b/aya/src/programs/links.rs index 1a80f9e1..1868954a 100644 --- a/aya/src/programs/links.rs +++ b/aya/src/programs/links.rs @@ -38,7 +38,7 @@ pub trait Link: std::fmt::Debug + Eq + std::hash::Hash + 'static { } /// Program attachment mode. -#[derive(Clone, Copy, Debug, Default)] +#[derive(Clone, Copy, Debug, Default, PartialEq)] pub enum CgroupAttachMode { /// Allows only one BPF program in the cgroup subtree. #[default] diff --git a/aya/src/programs/sock_ops.rs b/aya/src/programs/sock_ops.rs index 01f3b100..d420f361 100644 --- a/aya/src/programs/sock_ops.rs +++ b/aya/src/programs/sock_ops.rs @@ -4,6 +4,7 @@ use std::os::fd::AsFd; use aya_obj::generated::{ bpf_attach_type::BPF_CGROUP_SOCK_OPS, bpf_prog_type::BPF_PROG_TYPE_SOCK_OPS, }; +use log::warn; use crate::{ programs::{ @@ -65,6 +66,11 @@ impl SockOps { /// Attaches the program to the given cgroup. /// /// The returned value can be used to detach, see [SockOps::detach]. + /// + /// # Warning + /// + /// On kernels 5.7.0 and later, attach modes other than `CgroupAttachMode::default()` are not passed to `bpf_link_create`. + /// On older kernels (using `bpf_prog_attach`), the attach mode is honored. pub fn attach( &mut self, cgroup: T, @@ -75,17 +81,17 @@ impl SockOps { let cgroup_fd = cgroup.as_fd(); let attach_type = BPF_CGROUP_SOCK_OPS; if KernelVersion::at_least(5, 7, 0) { - let link_fd = bpf_link_create( - prog_fd, - LinkTarget::Fd(cgroup_fd), - attach_type, - mode.into(), - None, - ) - .map_err(|io_error| SyscallError { - call: "bpf_link_create", - io_error, - })?; + if mode != CgroupAttachMode::default() { + warn!( + "CgroupAttachMode {:?} will not be passed on to bpf_link_create", + mode + ); + } + let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None) + .map_err(|io_error| SyscallError { + call: "bpf_link_create", + io_error, + })?; self.data .links .insert(SockOpsLink::new(SockOpsLinkInner::Fd(FdLink::new(link_fd))))