Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Libbpfgo cgroup attach #196

Merged
merged 2 commits into from
Jul 28, 2022
Merged

Libbpfgo cgroup attach #196

merged 2 commits into from
Jul 28, 2022

Conversation

rafaeldtinoco
Copy link
Contributor

commit e47fe84
Author: Rafael David Tinoco rafaeldtinoco@gmail.com
Date: Sun Jul 24 01:26:42 2022

BPFProg: create AttachCgroup to allow Cgroup link attachments

Create AttachCgroup(string) to allow the following program types:

- BPF_PROG_TYPE_CGROUP_SKB
- BPF_PROG_TYPE_CGROUP_SOCK
- BPF_PROG_TYPE_CGROUP_DEVICE
- BPF_PROG_TYPE_CGROUP_SOCK_ADDR
- BPF_PROG_TYPE_CGROUP_SYSCTL
- BPF_PROG_TYPE_CGROUP_SOCKOPT

to be attached to a cgroupv2 directory file descriptor, such as:

- /sys/fs/cgroup/unified
- /sys/fs/cgroup/unified/user.slice/user-1000.slice

and on...

Those eBPF program types will be triggered for all processes within the
cgroupv2 they were attached to.

commit f531670
Author: Rafael David Tinoco rafaeldtinoco@gmail.com
Date: Sat Jul 23 23:57:36 2022

BPFProg: move AttachLSM to a correct place

- Keep doAttach...() function together

@rafaeldtinoco
BPFProg: move AttachLSM to a correct place
f531670 
- Keep doAttach...() function together
@rafaeldtinoco
Copy link
Contributor Author

This was tested with:

https://github.com/rafaeldtinoco/drafts/tree/net-tests

image

image

And it picks sockets created for all tasks within the attached cgroup fd:

image

@rafaeldtinoco rafaeldtinoco mentioned this pull request Jul 24, 2022
Open
33 tasks
@rafaeldtinoco
Copy link
Contributor Author

I'm not adding a selftest yet because I want to first finish the proof-of-concept and check if there are any other needs. Then I'll create a simple selftest for the cgroup attachment feature (after this PR).

@rafaeldtinoco
BPFProg: create AttachCgroup to allow Cgroup link attachments
0c5d783 
Create AttachCgroup(string) to allow the following program types:

- BPF_PROG_TYPE_CGROUP_SKB
- BPF_PROG_TYPE_CGROUP_SOCK
- BPF_PROG_TYPE_CGROUP_DEVICE
- BPF_PROG_TYPE_CGROUP_SOCK_ADDR
- BPF_PROG_TYPE_CGROUP_SYSCTL
- BPF_PROG_TYPE_CGROUP_SOCKOPT

to be attached to a cgroupv2 directory file descriptor, such as:

- /sys/fs/cgroup/unified
- /sys/fs/cgroup/unified/user.slice/user-1000.slice

and on...

Those eBPF program types will be triggered for all processes within the
cgroupv2 they were attached to.
@rafaeldtinoco
Copy link
Contributor Author

@yanivagman could you +1 this one ?

yanivagman
yanivagman approved these changes Jul 27, 2022
View reviewed changes
Copy link
Collaborator

@yanivagman yanivagman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rafaeldtinoco rafaeldtinoco merged commit 40a7f68 into aquasecurity:main Jul 28, 2022
@rafaeldtinoco rafaeldtinoco deleted the libbpfgo-cgroup-attach branch July 28, 2022 13:07
@mozillazg mozillazg mentioned this pull request Aug 9, 2022
Merged
@geyslan geyslan mentioned this pull request Aug 9, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yanivagman yanivagman yanivagman approved these changes

@grantseltzer grantseltzer Awaiting requested review from grantseltzer

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rafaeldtinoco @yanivagman