Add support for BPF_PROG_TYPE_CGROUP_DEVICE #466
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Kernel 4.15 added a new eBPF program that can be used with cgroup v2 to control & observe device access (e.g. read, write, mknod) - `BPF_PROG_TYPE_CGROUP_DEVICE`. We add the ability to create these programs with the `cgroup_device` proc macro which creates the `cgroup/dev` link section. Device details are available to the eBPF program in `DeviceContext`. The userspace representation is provided with the `CgroupDevice` structure. Fixes: aya-rs#212 Signed-off-by: Milan <milan@mdaverde.com>
✅ Deploy Preview for aya-rs-docs ready!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site settings. |
alessandrod
reviewed
Dec 14, 2022
aya/src/programs/cgroup_device.rs
Outdated
| sys::{bpf_link_create, bpf_prog_attach, kernel_version}, | ||
| }; | ||
|
|
||
| /// A program used to watch or prevent device interaction from a cgroup |
There was a problem hiding this comment.
Missing period at the end of the sentence
| pub fn load(&mut self) -> Result<(), ProgramError> { | ||
| load_program(BPF_PROG_TYPE_CGROUP_DEVICE, &mut self.data) | ||
| } | ||
| /// Attaches the program to the given cgroup. |
There was a problem hiding this comment.
Add newline before comment pls
Signed-off-by: Milan <milan@mdaverde.com>
vadorovsky
requested changes
Dec 15, 2022
vadorovsky
requested changes
Dec 15, 2022
There was a problem hiding this comment.
Suggestions for fixing the CI errors from here:
https://github.com/aya-rs/aya/actions/runs/3698602058/jobs/6265097628
| /// use aya::programs::CgroupDevice; | ||
| /// | ||
| /// let cgroup = std::fs::File::open("/sys/fs/cgroup/unified")?; | ||
| /// let program: &mut CgroupDevice = bpf.program_mut("cgroup_dev").unwrap().try_into()?; |
There was a problem hiding this comment.
Suggested change
| /// let program: &mut CgroupDevice = bpf.program_mut("cgroup_dev").unwrap().try_into()?; | |
| /// # let mut bpf = Bpf::load_file("ebpf_programs.o")?; | |
| /// let program: &mut CgroupDevice = bpf.program_mut("cgroup_dev").unwrap().try_into()?; |
bpf variable is missing
There was a problem hiding this comment.
Done, went ahead and drew from CgroupSysctl's docs!
| /// let cgroup = std::fs::File::open("/sys/fs/cgroup/unified")?; | ||
| /// let program: &mut CgroupDevice = bpf.program_mut("cgroup_dev").unwrap().try_into()?; | ||
| /// program.load()?; | ||
| /// program.attach(cgroup)?; |
There was a problem hiding this comment.
Suggested change
| /// program.attach(cgroup)?; | |
| /// program.attach(cgroup)?; | |
| /// # Ok::<(), anyhow::Error>((()) |
Otherwise you can't use ? for handling errors, because your code isn't returning any Result.
dave-tucker
added
feature
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Kernel 4.15 added a new eBPF program that can be used with cgroup v2 to control & observe device access (e.g. read, write, mknod) -
BPF_PROG_TYPE_CGROUP_DEVICE.We add the ability to create these programs with the
cgroup_deviceproc macro which creates thecgroup/devlink section. Device details are available to the eBPF program inDeviceContext.The userspace representation is provided with the
CgroupDevicestructure.An example use this eBPF program can be seen here: aya-cgroup-dev-example
Fixes: #212
Signed-off-by: Milan milan@mdaverde.com