yanguangshaonian
/
aya
mirror of https://github.com/aya-rs/aya
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

aya: Set attach mode flag to 0 in bpf_link_create

Browse Source
reviewable/pr1408/r2
Mehnaz Yunus 2 weeks ago
parent a22ec3792a
commit b1fea0fbec
8 changed files with 109 additions and 58 deletions
Show Stats Download Patch File Download Diff File

14
aya/src/programs/cgroup_device.rs
Unescape Escape View File

@ -5,6 +5,7 @@ use std::os::fd::AsFd;
use aya_obj::generated::{ use aya_obj::generated::{
bpf_attach_type::BPF_CGROUP_DEVICE, bpf_prog_type::BPF_PROG_TYPE_CGROUP_DEVICE, bpf_attach_type::BPF_CGROUP_DEVICE, bpf_prog_type::BPF_PROG_TYPE_CGROUP_DEVICE,
}; };
use log::warn;
use crate::{ use crate::{
programs::{ programs::{
@ -67,6 +68,11 @@ impl CgroupDevice {
/// Attaches the program to the given cgroup. /// Attaches the program to the given cgroup.
/// ///
/// The returned value can be used to detach, see [CgroupDevice::detach] /// The returned value can be used to detach, see [CgroupDevice::detach]
///
/// # Warning
///
/// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to bpf_link_create.
/// On older kernels that use bpf_prog_attach, the attach mode is honored.
pub fn attach<T: AsFd>( pub fn attach<T: AsFd>(
&mut self, &mut self,
cgroup: T, cgroup: T,
@ -77,11 +83,17 @@ impl CgroupDevice {
let cgroup_fd = cgroup.as_fd(); let cgroup_fd = cgroup.as_fd();
if KernelVersion::at_least(5, 7, 0) { if KernelVersion::at_least(5, 7, 0) {
if mode != CgroupAttachMode::default() {
warn!(
"CgroupAttachMode {:?} will not be passed on to bpf_link_create",
mode
);
}
let link_fd = bpf_link_create( let link_fd = bpf_link_create(
prog_fd, prog_fd,
LinkTarget::Fd(cgroup_fd), LinkTarget::Fd(cgroup_fd),
BPF_CGROUP_DEVICE, BPF_CGROUP_DEVICE,
mode.into(), 0,
None, None,
) )
.map_err(|io_error| SyscallError { .map_err(|io_error| SyscallError {

19
aya/src/programs/cgroup_skb.rs
Unescape Escape View File

@ -6,6 +6,7 @@ use aya_obj::generated::{
bpf_attach_type::{BPF_CGROUP_INET_EGRESS, BPF_CGROUP_INET_INGRESS}, bpf_attach_type::{BPF_CGROUP_INET_EGRESS, BPF_CGROUP_INET_INGRESS},
bpf_prog_type::BPF_PROG_TYPE_CGROUP_SKB, bpf_prog_type::BPF_PROG_TYPE_CGROUP_SKB,
}; };
use log::warn;
use crate::{ use crate::{
VerifierLogLevel, VerifierLogLevel,
@ -86,6 +87,10 @@ impl CgroupSkb {
/// Attaches the program to the given cgroup. /// Attaches the program to the given cgroup.
/// ///
/// The returned value can be used to detach, see [CgroupSkb::detach]. /// The returned value can be used to detach, see [CgroupSkb::detach].
///
/// # Warning
///
/// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to bpf_link_create.
pub fn attach<T: AsFd>( pub fn attach<T: AsFd>(
&mut self, &mut self,
cgroup: T, cgroup: T,
@ -101,13 +106,13 @@ impl CgroupSkb {
CgroupSkbAttachType::Egress => BPF_CGROUP_INET_EGRESS, CgroupSkbAttachType::Egress => BPF_CGROUP_INET_EGRESS,
}; };
if KernelVersion::at_least(5, 7, 0) { if KernelVersion::at_least(5, 7, 0) {
let link_fd = bpf_link_create( if mode != CgroupAttachMode::default() {
prog_fd, warn!(
LinkTarget::Fd(cgroup_fd), "CgroupAttachMode {:?} will not be passed on to bpf_link_create",
attach_type, mode
mode.into(), );
None, }
) let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None)
.map_err(|io_error| SyscallError { .map_err(|io_error| SyscallError {
call: "bpf_link_create", call: "bpf_link_create",
io_error, io_error,

19
aya/src/programs/cgroup_sock.rs
Unescape Escape View File

@ -4,6 +4,7 @@ use std::{hash::Hash, os::fd::AsFd, path::Path};
use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCK; use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCK;
pub use aya_obj::programs::CgroupSockAttachType; pub use aya_obj::programs::CgroupSockAttachType;
use log::warn;
use crate::{ use crate::{
VerifierLogLevel, VerifierLogLevel,
@ -70,6 +71,10 @@ impl CgroupSock {
/// Attaches the program to the given cgroup. /// Attaches the program to the given cgroup.
/// ///
/// The returned value can be used to detach, see [CgroupSock::detach]. /// The returned value can be used to detach, see [CgroupSock::detach].
///
/// # Warning
///
/// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to bpf_link_create. On older kernels that use bpf_prog_attach, the attach mode is still honored.
pub fn attach<T: AsFd>( pub fn attach<T: AsFd>(
&mut self, &mut self,
cgroup: T, cgroup: T,
@ -80,13 +85,13 @@ impl CgroupSock {
let cgroup_fd = cgroup.as_fd(); let cgroup_fd = cgroup.as_fd();
let attach_type = self.data.expected_attach_type.unwrap(); let attach_type = self.data.expected_attach_type.unwrap();
if KernelVersion::at_least(5, 7, 0) { if KernelVersion::at_least(5, 7, 0) {
let link_fd = bpf_link_create( if mode != CgroupAttachMode::default() {
prog_fd, warn!(
LinkTarget::Fd(cgroup_fd), "CgroupAttachMode {:?} will not be passed on to bpf_link_create",
attach_type, mode
mode.into(), );
None, }
) let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None)
.map_err(|io_error| SyscallError { .map_err(|io_error| SyscallError {
call: "bpf_link_create", call: "bpf_link_create",
io_error, io_error,

20
aya/src/programs/cgroup_sock_addr.rs
Unescape Escape View File

@ -4,6 +4,7 @@ use std::{hash::Hash, os::fd::AsFd, path::Path};
use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCK_ADDR; use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCK_ADDR;
pub use aya_obj::programs::CgroupSockAddrAttachType; pub use aya_obj::programs::CgroupSockAddrAttachType;
use log::warn;
use crate::{ use crate::{
VerifierLogLevel, VerifierLogLevel,
@ -71,6 +72,11 @@ impl CgroupSockAddr {
/// Attaches the program to the given cgroup. /// Attaches the program to the given cgroup.
/// ///
/// The returned value can be used to detach, see [CgroupSockAddr::detach]. /// The returned value can be used to detach, see [CgroupSockAddr::detach].
///
/// # Warning
///
/// On kernels 5.7.0 and later, attach modes other than `CgroupAttachMode::default()` are not passed to `bpf_link_create`.
/// On older kernels (using `bpf_prog_attach`), the attach mode is honored.
pub fn attach<T: AsFd>( pub fn attach<T: AsFd>(
&mut self, &mut self,
cgroup: T, cgroup: T,
@ -81,13 +87,13 @@ impl CgroupSockAddr {
let cgroup_fd = cgroup.as_fd(); let cgroup_fd = cgroup.as_fd();
let attach_type = self.data.expected_attach_type.unwrap(); let attach_type = self.data.expected_attach_type.unwrap();
if KernelVersion::at_least(5, 7, 0) { if KernelVersion::at_least(5, 7, 0) {
let link_fd = bpf_link_create( if mode != CgroupAttachMode::default() {
prog_fd, warn!(
LinkTarget::Fd(cgroup_fd), "CgroupAttachMode {:?} will not be passed on to bpf_link_create",
attach_type, mode
mode.into(), );
None, }
) let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None)
.map_err(|io_error| SyscallError { .map_err(|io_error| SyscallError {
call: "bpf_link_create", call: "bpf_link_create",
io_error, io_error,

20
aya/src/programs/cgroup_sockopt.rs
Unescape Escape View File

@ -4,6 +4,7 @@ use std::{hash::Hash, os::fd::AsFd, path::Path};
use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCKOPT; use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCKOPT;
pub use aya_obj::programs::CgroupSockoptAttachType; pub use aya_obj::programs::CgroupSockoptAttachType;
use log::warn;
use crate::{ use crate::{
VerifierLogLevel, VerifierLogLevel,
@ -68,6 +69,11 @@ impl CgroupSockopt {
/// Attaches the program to the given cgroup. /// Attaches the program to the given cgroup.
/// ///
/// The returned value can be used to detach, see [CgroupSockopt::detach]. /// The returned value can be used to detach, see [CgroupSockopt::detach].
///
/// # Warning
///
/// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to
/// `bpf_link_create`. On older kernels, attach modes are honored.
pub fn attach<T: AsFd>( pub fn attach<T: AsFd>(
&mut self, &mut self,
cgroup: T, cgroup: T,
@ -78,13 +84,13 @@ impl CgroupSockopt {
let cgroup_fd = cgroup.as_fd(); let cgroup_fd = cgroup.as_fd();
let attach_type = self.data.expected_attach_type.unwrap(); let attach_type = self.data.expected_attach_type.unwrap();
if KernelVersion::at_least(5, 7, 0) { if KernelVersion::at_least(5, 7, 0) {
let link_fd = bpf_link_create( if mode != CgroupAttachMode::default() {
prog_fd, warn!(
LinkTarget::Fd(cgroup_fd), "CgroupAttachMode {:?} will not be passed on to bpf_link_create",
attach_type, mode
mode.into(), );
None, }
) let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None)
.map_err(|io_error| SyscallError { .map_err(|io_error| SyscallError {
call: "bpf_link_create", call: "bpf_link_create",
io_error, io_error,

13
aya/src/programs/cgroup_sysctl.rs
Unescape Escape View File

@ -5,6 +5,7 @@ use std::{hash::Hash, os::fd::AsFd};
use aya_obj::generated::{ use aya_obj::generated::{
bpf_attach_type::BPF_CGROUP_SYSCTL, bpf_prog_type::BPF_PROG_TYPE_CGROUP_SYSCTL, bpf_attach_type::BPF_CGROUP_SYSCTL, bpf_prog_type::BPF_PROG_TYPE_CGROUP_SYSCTL,
}; };
use log::warn;
use crate::{ use crate::{
programs::{ programs::{
@ -66,6 +67,10 @@ impl CgroupSysctl {
/// Attaches the program to the given cgroup. /// Attaches the program to the given cgroup.
/// ///
/// The returned value can be used to detach, see [CgroupSysctl::detach]. /// The returned value can be used to detach, see [CgroupSysctl::detach].
///
/// # Warning
///
/// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to bpf_link_create.
pub fn attach<T: AsFd>( pub fn attach<T: AsFd>(
&mut self, &mut self,
cgroup: T, cgroup: T,
@ -76,11 +81,17 @@ impl CgroupSysctl {
let cgroup_fd = cgroup.as_fd(); let cgroup_fd = cgroup.as_fd();
if KernelVersion::at_least(5, 7, 0) { if KernelVersion::at_least(5, 7, 0) {
if mode != CgroupAttachMode::default() {
warn!(
"CgroupAttachMode {:?} will not be passed on to bpf_link_create",
mode
);
}
let link_fd = bpf_link_create( let link_fd = bpf_link_create(
prog_fd, prog_fd,
LinkTarget::Fd(cgroup_fd), LinkTarget::Fd(cgroup_fd),
BPF_CGROUP_SYSCTL, BPF_CGROUP_SYSCTL,
mode.into(), 0,
None, None,
) )
.map_err(|io_error| SyscallError { .map_err(|io_error| SyscallError {

2
aya/src/programs/links.rs
Unescape Escape View File

@ -38,7 +38,7 @@ pub trait Link: std::fmt::Debug + Eq + std::hash::Hash + 'static {
} }
/// Program attachment mode. /// Program attachment mode.
#[derive(Clone, Copy, Debug, Default)] #[derive(Clone, Copy, Debug, Default, PartialEq)]
pub enum CgroupAttachMode { pub enum CgroupAttachMode {
/// Allows only one BPF program in the cgroup subtree. /// Allows only one BPF program in the cgroup subtree.
#[default] #[default]

20
aya/src/programs/sock_ops.rs
Unescape Escape View File

@ -4,6 +4,7 @@ use std::os::fd::AsFd;
use aya_obj::generated::{ use aya_obj::generated::{
bpf_attach_type::BPF_CGROUP_SOCK_OPS, bpf_prog_type::BPF_PROG_TYPE_SOCK_OPS, bpf_attach_type::BPF_CGROUP_SOCK_OPS, bpf_prog_type::BPF_PROG_TYPE_SOCK_OPS,
}; };
use log::warn;
use crate::{ use crate::{
programs::{ programs::{
@ -65,6 +66,11 @@ impl SockOps {
/// Attaches the program to the given cgroup. /// Attaches the program to the given cgroup.
/// ///
/// The returned value can be used to detach, see [SockOps::detach]. /// The returned value can be used to detach, see [SockOps::detach].
///
/// # Warning
///
/// On kernels 5.7.0 and later, attach modes other than `CgroupAttachMode::default()` are not passed to `bpf_link_create`.
/// On older kernels (using `bpf_prog_attach`), the attach mode is honored.
pub fn attach<T: AsFd>( pub fn attach<T: AsFd>(
&mut self, &mut self,
cgroup: T, cgroup: T,
@ -75,13 +81,13 @@ impl SockOps {
let cgroup_fd = cgroup.as_fd(); let cgroup_fd = cgroup.as_fd();
let attach_type = BPF_CGROUP_SOCK_OPS; let attach_type = BPF_CGROUP_SOCK_OPS;
if KernelVersion::at_least(5, 7, 0) { if KernelVersion::at_least(5, 7, 0) {
let link_fd = bpf_link_create( if mode != CgroupAttachMode::default() {
prog_fd, warn!(
LinkTarget::Fd(cgroup_fd), "CgroupAttachMode {:?} will not be passed on to bpf_link_create",
attach_type, mode
mode.into(), );
None, }
) let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None)
.map_err(|io_error| SyscallError { .map_err(|io_error| SyscallError {
call: "bpf_link_create", call: "bpf_link_create",
io_error, io_error,

Write Preview
Loading…
Cancel
Save