Message ID | 20230421162718.440230-9-daan.j.demeyer@gmail.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | BPF |
Series | Add cgroup sockaddr hooks for unix sockets |
On Fri, 21 Apr 2023 at 17:31, Daan De Meyer <daan.j.demeyer@gmail.com> wrote: > > Add the necessary plumbing to hook up the new cgroup unix sockaddr > hooks into bpftool. > > Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com> > --- > .../bpftool/Documentation/bpftool-cgroup.rst | 21 ++++++++++++++----- > tools/bpf/bpftool/cgroup.c | 17 ++++++++------- > tools/bpf/bpftool/common.c | 6 ++++++ > 3 files changed, 32 insertions(+), 12 deletions(-) > > diff --git a/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst b/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst > index bd015ec9847b..a2d990fa623b 100644 > --- a/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst > +++ b/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst > @@ -34,13 +34,16 @@ CGROUP COMMANDS > | *ATTACH_TYPE* := { **cgroup_inet_ingress** | **cgroup_inet_egress** | > | **cgroup_inet_sock_create** | **cgroup_sock_ops** | > | **cgroup_device** | **cgroup_inet4_bind** | **cgroup_inet6_bind** | > -| **cgroup_inet4_post_bind** | **cgroup_inet6_post_bind** | > -| **cgroup_inet4_connect** | **cgroup_inet6_connect** | > +| **cgroup_unix_bind** | **cgroup_inet4_post_bind** | > +| **cgroup_inet6_post_bind** | **cgroup_inet4_connect** | > +| **cgroup_inet6_connect** | **cgroup_unix_connect** | > | **cgroup_inet4_getpeername** | **cgroup_inet6_getpeername** | > -| **cgroup_inet4_getsockname** | **cgroup_inet6_getsockname** | > -| **cgroup_udp4_sendmsg** | **cgroup_udp6_sendmsg** | > +| **cgroup_unix_getpeername** | **cgroup_inet4_getsockname** | > +| **cgroup_inet6_getsockname** | **cgroup_udp4_sendmsg** | > +| **cgroup_udp6_sendmsg** | **cgroup_unix_sendmsg** | > | **cgroup_udp4_recvmsg** | **cgroup_udp6_recvmsg** | > -| **cgroup_sysctl** | **cgroup_getsockopt** | **cgroup_setsockopt** | > +| **cgroup_unix_recvmsg** | **cgroup_sysctl** | > +| **cgroup_getsockopt** | **cgroup_setsockopt** | > | **cgroup_inet_sock_release** } > | *ATTACH_FLAGS* := { **multi** | **override** } 
> > @@ -98,25 +101,33 @@ DESCRIPTION > **device** device access (since 4.15); > **bind4** call to bind(2) for an inet4 socket (since 4.17); > **bind6** call to bind(2) for an inet6 socket (since 4.17); > + **bindun** call to bind(2) for a unix socket (since 6.3); > **post_bind4** return from bind(2) for an inet4 socket (since 4.17); > **post_bind6** return from bind(2) for an inet6 socket (since 4.17); > **connect4** call to connect(2) for an inet4 socket (since 4.17); > **connect6** call to connect(2) for an inet6 socket (since 4.17); > + **connectun** call to connect(2) for a unix socket (since 6.3); > **sendmsg4** call to sendto(2), sendmsg(2), sendmmsg(2) for an > unconnected udp4 socket (since 4.18); > **sendmsg6** call to sendto(2), sendmsg(2), sendmmsg(2) for an > unconnected udp6 socket (since 4.18); > + **sendmsgun** call to sendto(2), sendmsg(2), sendmmsg(2) for > + an unconnected unix socket (since 6.3); > **recvmsg4** call to recvfrom(2), recvmsg(2), recvmmsg(2) for > an unconnected udp4 socket (since 5.2); > **recvmsg6** call to recvfrom(2), recvmsg(2), recvmmsg(2) for > an unconnected udp6 socket (since 5.2); > + **recvmsgun** call to recvfrom(2), recvmsg(2), recvmmsg(2) for > + an unconnected unix socket (since 6.3); > **sysctl** sysctl access (since 5.2); > **getsockopt** call to getsockopt (since 5.3); > **setsockopt** call to setsockopt (since 5.3); > **getpeername4** call to getpeername(2) for an inet4 socket (since 5.8); > **getpeername6** call to getpeername(2) for an inet6 socket (since 5.8); > + **getpeernameun** call to getpeername(2) for a unix socket (since 6.3); > **getsockname4** call to getsockname(2) for an inet4 socket (since 5.8); > **getsockname6** call to getsockname(2) for an inet6 socket (since 5.8). > + **getsocknameun** call to getsockname(2) for a unix socket (since 6.3); > **sock_release** closing an userspace inet socket (since 5.9). > > **bpftool cgroup detach** *CGROUP* *ATTACH_TYPE* *PROG* 
> diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c > index ac846b0805b4..a9700e00064c 100644 > --- a/tools/bpf/bpftool/cgroup.c > +++ b/tools/bpf/bpftool/cgroup.c > @@ -26,13 +26,16 @@ > " ATTACH_TYPE := { cgroup_inet_ingress | cgroup_inet_egress |\n" \ > " cgroup_inet_sock_create | cgroup_sock_ops |\n" \ > " cgroup_device | cgroup_inet4_bind |\n" \ > - " cgroup_inet6_bind | cgroup_inet4_post_bind |\n" \ > - " cgroup_inet6_post_bind | cgroup_inet4_connect |\n" \ > - " cgroup_inet6_connect | cgroup_inet4_getpeername |\n" \ > - " cgroup_inet6_getpeername | cgroup_inet4_getsockname |\n" \ > - " cgroup_inet6_getsockname | cgroup_udp4_sendmsg |\n" \ > - " cgroup_udp6_sendmsg | cgroup_udp4_recvmsg |\n" \ > - " cgroup_udp6_recvmsg | cgroup_sysctl |\n" \ > + " cgroup_inet6_bind | cgroup_unix_bind |\n" \ > + " cgroup_inet4_post_bind | cgroup_inet6_post_bind |\n" \ > + " cgroup_inet4_connect | cgroup_inet6_connect |\n" \ > + " cgroup_unix_connect | cgroup_inet4_getpeername |\n" \ > + " cgroup_inet6_getpeername | cgroup_unix_getpeername |\n" \ > + " cgroup_inet4_getsockname | cgroup_inet6_getsockname |\n" \ > + " cgroup_unix_getsockname | cgroup_udp4_sendmsg |\n" \ > + " cgroup_udp6_sendmsg | cgroup_unix_sendmsg |\n" \ > + " cgroup_udp4_recvmsg | cgroup_udp6_recvmsg |\n" \ > + " cgroup_unix_recvmsg | cgroup_sysctl |\n" \ > " cgroup_getsockopt | cgroup_setsockopt |\n" \ > " cgroup_inet_sock_release }" > > diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c > index 5a73ccf14332..71c219b186aa 100644 > --- a/tools/bpf/bpftool/common.c > +++ b/tools/bpf/bpftool/common.c 
> @@ -1067,19 +1067,25 @@ const char *bpf_attach_type_input_str(enum bpf_attach_type t) > case BPF_CGROUP_DEVICE: return "device"; > case BPF_CGROUP_INET4_BIND: return "bind4"; > case BPF_CGROUP_INET6_BIND: return "bind6"; > + case BPF_CGROUP_UNIX_BIND: return "bindun"; > case BPF_CGROUP_INET4_CONNECT: return "connect4"; > case BPF_CGROUP_INET6_CONNECT: return "connect6"; > + case BPF_CGROUP_UNIX_CONNECT: return "connectun"; > case BPF_CGROUP_INET4_POST_BIND: return "post_bind4"; > case BPF_CGROUP_INET6_POST_BIND: return "post_bind6"; > case BPF_CGROUP_INET4_GETPEERNAME: return "getpeername4"; > case BPF_CGROUP_INET6_GETPEERNAME: return "getpeername6"; > + case BPF_CGROUP_UNIX_GETPEERNAME: return "getpeernameun"; > case BPF_CGROUP_INET4_GETSOCKNAME: return "getsockname4"; > case BPF_CGROUP_INET6_GETSOCKNAME: return "getsockname6"; > + case BPF_CGROUP_UNIX_GETSOCKNAME: return "getsocknameun"; > case BPF_CGROUP_UDP4_SENDMSG: return "sendmsg4"; > case BPF_CGROUP_UDP6_SENDMSG: return "sendmsg6"; > + case BPF_CGROUP_UNIX_SENDMSG: return "sendmsgun"; > case BPF_CGROUP_SYSCTL: return "sysctl"; > case BPF_CGROUP_UDP4_RECVMSG: return "recvmsg4"; > case BPF_CGROUP_UDP6_RECVMSG: return "recvmsg6"; > + case BPF_CGROUP_UNIX_RECVMSG: return "recvmsgun"; > case BPF_CGROUP_GETSOCKOPT: return "getsockopt"; > case BPF_CGROUP_SETSOCKOPT: return "setsockopt"; > case BPF_TRACE_RAW_TP: return "raw_tp"; > -- > 2.40.0 > Thanks a lot for this! I have two comments. First, function bpf_attach_type_input_str() is for legacy attach types names, those that bpftool used before commit 1ba5ad36e00f ("bpftool: Use libbpf_bpf_attach_type_str") and that are kept for backwards compatibility. Now we use type names provided by libbpf, so adding them to attach_type_name in libbpf as you do in patch 7 should be enough for bpftool to pick up the relevant names. The bpftool-cgroup.rst man page still uses the legacy names, which I didn't realise before your patch, and I'll need to fix. 
But for this patch I think we're good without adding alternative names, and by documenting the "cgroup/bindun" etc. forms in the man page.

Another thing is that you updated the list of types to attach programs to cgroups, which is good, but ideally we would also need to document the new program "types" that we can pass on the command line to bpftool for loading programs, before attaching them (for example, we have "bpftool prog load <elf.o> </pinned/path> type cgroup/connect4"). This means updating do_help() in prog.c, the list in Documentation/bpftool-prog.rst, and BPFTOOL_PROG_LOAD_TYPES in bash-completion/bpftool. Could you please update them too?

Thanks,
Quentin
diff --git a/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst b/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst index bd015ec9847b..a2d990fa623b 100644 --- a/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst +++ b/tools/bpf/bpftool/Documentation/bpftool-cgroup.rst @@ -34,13 +34,16 @@ CGROUP COMMANDS | *ATTACH_TYPE* := { **cgroup_inet_ingress** | **cgroup_inet_egress** | | **cgroup_inet_sock_create** | **cgroup_sock_ops** | | **cgroup_device** | **cgroup_inet4_bind** | **cgroup_inet6_bind** | -| **cgroup_inet4_post_bind** | **cgroup_inet6_post_bind** | -| **cgroup_inet4_connect** | **cgroup_inet6_connect** | +| **cgroup_unix_bind** | **cgroup_inet4_post_bind** | +| **cgroup_inet6_post_bind** | **cgroup_inet4_connect** | +| **cgroup_inet6_connect** | **cgroup_unix_connect** | | **cgroup_inet4_getpeername** | **cgroup_inet6_getpeername** | -| **cgroup_inet4_getsockname** | **cgroup_inet6_getsockname** | -| **cgroup_udp4_sendmsg** | **cgroup_udp6_sendmsg** | +| **cgroup_unix_getpeername** | **cgroup_inet4_getsockname** | +| **cgroup_inet6_getsockname** | **cgroup_udp4_sendmsg** | +| **cgroup_udp6_sendmsg** | **cgroup_unix_sendmsg** | | **cgroup_udp4_recvmsg** | **cgroup_udp6_recvmsg** | -| **cgroup_sysctl** | **cgroup_getsockopt** | **cgroup_setsockopt** | +| **cgroup_unix_recvmsg** | **cgroup_sysctl** | +| **cgroup_getsockopt** | **cgroup_setsockopt** | | **cgroup_inet_sock_release** } | *ATTACH_FLAGS* := { **multi** | **override** } 
@@ -98,25 +101,33 @@ DESCRIPTION **device** device access (since 4.15); **bind4** call to bind(2) for an inet4 socket (since 4.17); **bind6** call to bind(2) for an inet6 socket (since 4.17); + **bindun** call to bind(2) for a unix socket (since 6.3); **post_bind4** return from bind(2) for an inet4 socket (since 4.17); **post_bind6** return from bind(2) for an inet6 socket (since 4.17); **connect4** call to connect(2) for an inet4 socket (since 4.17); **connect6** call to connect(2) for an inet6 socket (since 4.17); + **connectun** call to connect(2) for a unix socket (since 6.3); **sendmsg4** call to sendto(2), sendmsg(2), sendmmsg(2) for an unconnected udp4 socket (since 4.18); **sendmsg6** call to sendto(2), sendmsg(2), sendmmsg(2) for an unconnected udp6 socket (since 4.18); + **sendmsgun** call to sendto(2), sendmsg(2), sendmmsg(2) for + an unconnected unix socket (since 6.3); **recvmsg4** call to recvfrom(2), recvmsg(2), recvmmsg(2) for an unconnected udp4 socket (since 5.2); **recvmsg6** call to recvfrom(2), recvmsg(2), recvmmsg(2) for an unconnected udp6 socket (since 5.2); + **recvmsgun** call to recvfrom(2), recvmsg(2), recvmmsg(2) for + an unconnected unix socket (since 6.3); **sysctl** sysctl access (since 5.2); **getsockopt** call to getsockopt (since 5.3); **setsockopt** call to setsockopt (since 5.3); **getpeername4** call to getpeername(2) for an inet4 socket (since 5.8); **getpeername6** call to getpeername(2) for an inet6 socket (since 5.8); + **getpeernameun** call to getpeername(2) for a unix socket (since 6.3); **getsockname4** call to getsockname(2) for an inet4 socket (since 5.8); **getsockname6** call to getsockname(2) for an inet6 socket (since 5.8). + **getsocknameun** call to getsockname(2) for a unix socket (since 6.3); **sock_release** closing an userspace inet socket (since 5.9). **bpftool cgroup detach** *CGROUP* *ATTACH_TYPE* *PROG* 
diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c index ac846b0805b4..a9700e00064c 100644 --- a/tools/bpf/bpftool/cgroup.c +++ b/tools/bpf/bpftool/cgroup.c @@ -26,13 +26,16 @@ " ATTACH_TYPE := { cgroup_inet_ingress | cgroup_inet_egress |\n" \ " cgroup_inet_sock_create | cgroup_sock_ops |\n" \ " cgroup_device | cgroup_inet4_bind |\n" \ - " cgroup_inet6_bind | cgroup_inet4_post_bind |\n" \ - " cgroup_inet6_post_bind | cgroup_inet4_connect |\n" \ - " cgroup_inet6_connect | cgroup_inet4_getpeername |\n" \ - " cgroup_inet6_getpeername | cgroup_inet4_getsockname |\n" \ - " cgroup_inet6_getsockname | cgroup_udp4_sendmsg |\n" \ - " cgroup_udp6_sendmsg | cgroup_udp4_recvmsg |\n" \ - " cgroup_udp6_recvmsg | cgroup_sysctl |\n" \ + " cgroup_inet6_bind | cgroup_unix_bind |\n" \ + " cgroup_inet4_post_bind | cgroup_inet6_post_bind |\n" \ + " cgroup_inet4_connect | cgroup_inet6_connect |\n" \ + " cgroup_unix_connect | cgroup_inet4_getpeername |\n" \ + " cgroup_inet6_getpeername | cgroup_unix_getpeername |\n" \ + " cgroup_inet4_getsockname | cgroup_inet6_getsockname |\n" \ + " cgroup_unix_getsockname | cgroup_udp4_sendmsg |\n" \ + " cgroup_udp6_sendmsg | cgroup_unix_sendmsg |\n" \ + " cgroup_udp4_recvmsg | cgroup_udp6_recvmsg |\n" \ + " cgroup_unix_recvmsg | cgroup_sysctl |\n" \ " cgroup_getsockopt | cgroup_setsockopt |\n" \ " cgroup_inet_sock_release }" diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c index 5a73ccf14332..71c219b186aa 100644 --- a/tools/bpf/bpftool/common.c +++ b/tools/bpf/bpftool/common.c 
@@ -1067,19 +1067,25 @@ const char *bpf_attach_type_input_str(enum bpf_attach_type t) case BPF_CGROUP_DEVICE: return "device"; case BPF_CGROUP_INET4_BIND: return "bind4"; case BPF_CGROUP_INET6_BIND: return "bind6"; + case BPF_CGROUP_UNIX_BIND: return "bindun"; case BPF_CGROUP_INET4_CONNECT: return "connect4"; case BPF_CGROUP_INET6_CONNECT: return "connect6"; + case BPF_CGROUP_UNIX_CONNECT: return "connectun"; case BPF_CGROUP_INET4_POST_BIND: return "post_bind4"; case BPF_CGROUP_INET6_POST_BIND: return "post_bind6"; case BPF_CGROUP_INET4_GETPEERNAME: return "getpeername4"; case BPF_CGROUP_INET6_GETPEERNAME: return "getpeername6"; + case BPF_CGROUP_UNIX_GETPEERNAME: return "getpeernameun"; case BPF_CGROUP_INET4_GETSOCKNAME: return "getsockname4"; case BPF_CGROUP_INET6_GETSOCKNAME: return "getsockname6"; + case BPF_CGROUP_UNIX_GETSOCKNAME: return "getsocknameun"; case BPF_CGROUP_UDP4_SENDMSG: return "sendmsg4"; case BPF_CGROUP_UDP6_SENDMSG: return "sendmsg6"; + case BPF_CGROUP_UNIX_SENDMSG: return "sendmsgun"; case BPF_CGROUP_SYSCTL: return "sysctl"; case BPF_CGROUP_UDP4_RECVMSG: return "recvmsg4"; case BPF_CGROUP_UDP6_RECVMSG: return "recvmsg6"; + case BPF_CGROUP_UNIX_RECVMSG: return "recvmsgun"; case BPF_CGROUP_GETSOCKOPT: return "getsockopt"; case BPF_CGROUP_SETSOCKOPT: return "setsockopt"; case BPF_TRACE_RAW_TP: return "raw_tp";
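Review bot: cgroup_unix_getsockname is missing from the ATTACH_TYPE synopsis in bpftool-cgroup.rst (hunk at @@ -34,13 +34,16). The hunk adds the unix bind, connect, getpeername, sendmsg and recvmsg entries, but the line after **cgroup_unix_getpeername** goes straight from **cgroup_inet4_getsockname** and **cgroup_inet6_getsockname** to **cgroup_udp4_sendmsg**. The usage string in cgroup.c does list cgroup_unix_getsockname, and the DESCRIPTION hunk documents getsocknameun, so the synopsis should carry it too, placed after **cgroup_inet6_getsockname** as in cgroup.c.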
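Review bot: In the DESCRIPTION hunk of bpftool-cgroup.rst (@@ -98,25 +101,33), the new **getsocknameun** entry is added after the **getsockname6** line, which still ends in a full stop ("(since 5.8)."), so the list now reads as terminated one entry before the new line. Change that terminator to ";" in the same hunk so that only **sock_release** closes the list.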
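Review bot: The six new cases in bpf_attach_type_input_str() (common.c, @@ -1067,19 +1067,25) introduce short names such as "bindun" and "connectun" in a function that, per the review reply in this thread, only holds the legacy names kept for backwards compatibility. These names are new in this patch, so there is no earlier behaviour to preserve; consider dropping this hunk, relying on the names libbpf provides, and documenting those forms in the man page instead.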
Add the necessary plumbing to hook up the new cgroup unix sockaddr hooks into bpftool.

Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
---
 .../bpftool/Documentation/bpftool-cgroup.rst | 21 ++++++++++++++-----
 tools/bpf/bpftool/cgroup.c | 17 ++++++++-------
 tools/bpf/bpftool/common.c | 6 ++++++
 3 files changed, 32 insertions(+), 12 deletions(-)