aya: Set attach mode flag to 0 in bpf_link_create

Author: mehnazyunus

aya/src/programs/cgroup_device.rs

@@ -1,5 +1,6 @@
 //! Cgroup device programs.
 
+use log::warn;
 use std::os::fd::AsFd;
 
 use aya_obj::generated::{
@@ -67,6 +68,11 @@ impl CgroupDevice {
     /// Attaches the program to the given cgroup.
     ///
     /// The returned value can be used to detach, see [CgroupDevice::detach]
+    ///
+    /// # Warning
+    ///
+    /// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to bpf_link_create.
+    /// On older kernels that use bpf_prog_attach, the attach mode is honored.
     pub fn attach<T: AsFd>(
         &mut self,
         cgroup: T,
@@ -77,11 +83,17 @@ impl CgroupDevice {
         let cgroup_fd = cgroup.as_fd();
 
         if KernelVersion::at_least(5, 7, 0) {
+            if mode != CgroupAttachMode::default() {
+                warn!(
+                    "CgroupAttachMode {:?} will not be passed on to bpf_link_create",
+                    mode
+                );
+            }
             let link_fd = bpf_link_create(
                 prog_fd,
                 LinkTarget::Fd(cgroup_fd),
                 BPF_CGROUP_DEVICE,
-                mode.into(),
+                0,
                 None,
             )
             .map_err(|io_error| SyscallError {

aya/src/programs/cgroup_skb.rs

@@ -1,11 +1,11 @@
 //! Cgroup skb programs.
 
-use std::{hash::Hash, os::fd::AsFd, path::Path};
-
 use aya_obj::generated::{
     bpf_attach_type::{BPF_CGROUP_INET_EGRESS, BPF_CGROUP_INET_INGRESS},
     bpf_prog_type::BPF_PROG_TYPE_CGROUP_SKB,
 };
+use log::warn;
+use std::{hash::Hash, os::fd::AsFd, path::Path};
 
 use crate::{
     VerifierLogLevel,
@@ -86,6 +86,10 @@ impl CgroupSkb {
     /// Attaches the program to the given cgroup.
     ///
     /// The returned value can be used to detach, see [CgroupSkb::detach].
+    ///
+    /// # Warning
+    ///
+    /// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to bpf_link_create.
     pub fn attach<T: AsFd>(
         &mut self,
         cgroup: T,
@@ -101,17 +105,17 @@ impl CgroupSkb {
             CgroupSkbAttachType::Egress => BPF_CGROUP_INET_EGRESS,
         };
         if KernelVersion::at_least(5, 7, 0) {
-            let link_fd = bpf_link_create(
-                prog_fd,
-                LinkTarget::Fd(cgroup_fd),
-                attach_type,
-                mode.into(),
-                None,
-            )
-            .map_err(|io_error| SyscallError {
-                call: "bpf_link_create",
-                io_error,
-            })?;
+            if mode != CgroupAttachMode::default() {
+                warn!(
+                    "CgroupAttachMode {:?} will not be passed on to bpf_link_create",
+                    mode
+                );
+            }
+            let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None)
+                .map_err(|io_error| SyscallError {
+                    call: "bpf_link_create",
+                    io_error,
+                })?;
             self.data
                 .links
                 .insert(CgroupSkbLink::new(CgroupSkbLinkInner::Fd(FdLink::new(

aya/src/programs/cgroup_sock.rs

@@ -1,5 +1,6 @@
 //! Cgroup socket programs.
 
+use log::warn;
 use std::{hash::Hash, os::fd::AsFd, path::Path};
 
 use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCK;
@@ -70,6 +71,10 @@ impl CgroupSock {
     /// Attaches the program to the given cgroup.
     ///
     /// The returned value can be used to detach, see [CgroupSock::detach].
+    ///
+    /// # Warning
+    ///
+    /// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to bpf_link_create. On older kernels that use bpf_prog_attach, the attach mode is still honored.
     pub fn attach<T: AsFd>(
         &mut self,
         cgroup: T,
@@ -80,17 +85,17 @@ impl CgroupSock {
         let cgroup_fd = cgroup.as_fd();
         let attach_type = self.data.expected_attach_type.unwrap();
         if KernelVersion::at_least(5, 7, 0) {
-            let link_fd = bpf_link_create(
-                prog_fd,
-                LinkTarget::Fd(cgroup_fd),
-                attach_type,
-                mode.into(),
-                None,
-            )
-            .map_err(|io_error| SyscallError {
-                call: "bpf_link_create",
-                io_error,
-            })?;
+            if mode != CgroupAttachMode::default() {
+                warn!(
+                    "CgroupAttachMode {:?} will not be passed on to bpf_link_create",
+                    mode
+                );
+            }
+            let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None)
+                .map_err(|io_error| SyscallError {
+                    call: "bpf_link_create",
+                    io_error,
+                })?;
             self.data
                 .links
                 .insert(CgroupSockLink::new(CgroupSockLinkInner::Fd(FdLink::new(

aya/src/programs/cgroup_sock_addr.rs

@@ -1,5 +1,6 @@
 //! Cgroup socket address programs.
 
+use log::warn;
 use std::{hash::Hash, os::fd::AsFd, path::Path};
 
 use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCK_ADDR;
@@ -71,6 +72,11 @@ impl CgroupSockAddr {
     /// Attaches the program to the given cgroup.
     ///
     /// The returned value can be used to detach, see [CgroupSockAddr::detach].
+    ///
+    /// # Warning
+    ///
+    /// On kernels 5.7.0 and later, attach modes other than `CgroupAttachMode::default()` are not passed to `bpf_link_create`.
+    /// On older kernels (using `bpf_prog_attach`), the attach mode is honored.
     pub fn attach<T: AsFd>(
         &mut self,
         cgroup: T,
@@ -81,17 +87,17 @@ impl CgroupSockAddr {
         let cgroup_fd = cgroup.as_fd();
         let attach_type = self.data.expected_attach_type.unwrap();
         if KernelVersion::at_least(5, 7, 0) {
-            let link_fd = bpf_link_create(
-                prog_fd,
-                LinkTarget::Fd(cgroup_fd),
-                attach_type,
-                mode.into(),
-                None,
-            )
-            .map_err(|io_error| SyscallError {
-                call: "bpf_link_create",
-                io_error,
-            })?;
+            if mode != CgroupAttachMode::default() {
+                warn!(
+                    "CgroupAttachMode {:?} will not be passed on to bpf_link_create",
+                    mode
+                );
+            }
+            let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None)
+                .map_err(|io_error| SyscallError {
+                    call: "bpf_link_create",
+                    io_error,
+                })?;
             self.data
                 .links
                 .insert(CgroupSockAddrLink::new(CgroupSockAddrLinkInner::Fd(

aya/src/programs/cgroup_sockopt.rs

@@ -1,5 +1,6 @@
 //! Cgroup socket option programs.
 
+use log::warn;
 use std::{hash::Hash, os::fd::AsFd, path::Path};
 
 use aya_obj::generated::bpf_prog_type::BPF_PROG_TYPE_CGROUP_SOCKOPT;
@@ -68,6 +69,11 @@ impl CgroupSockopt {
     /// Attaches the program to the given cgroup.
     ///
     /// The returned value can be used to detach, see [CgroupSockopt::detach].
+    ///
+    /// # Warning
+    ///
+    /// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to
+    /// `bpf_link_create`. On older kernels, attach modes are honored.
     pub fn attach<T: AsFd>(
         &mut self,
         cgroup: T,
@@ -78,17 +84,17 @@ impl CgroupSockopt {
         let cgroup_fd = cgroup.as_fd();
         let attach_type = self.data.expected_attach_type.unwrap();
         if KernelVersion::at_least(5, 7, 0) {
-            let link_fd = bpf_link_create(
-                prog_fd,
-                LinkTarget::Fd(cgroup_fd),
-                attach_type,
-                mode.into(),
-                None,
-            )
-            .map_err(|io_error| SyscallError {
-                call: "bpf_link_create",
-                io_error,
-            })?;
+            if mode != CgroupAttachMode::default() {
+                warn!(
+                    "CgroupAttachMode {:?} will not be passed on to bpf_link_create",
+                    mode
+                );
+            }
+            let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None)
+                .map_err(|io_error| SyscallError {
+                    call: "bpf_link_create",
+                    io_error,
+                })?;
             self.data
                 .links
                 .insert(CgroupSockoptLink::new(CgroupSockoptLinkInner::Fd(

aya/src/programs/cgroup_sysctl.rs

@@ -1,5 +1,6 @@
 //! Cgroup sysctl programs.
 
+use log::warn;
 use std::{hash::Hash, os::fd::AsFd};
 
 use aya_obj::generated::{
@@ -66,6 +67,10 @@ impl CgroupSysctl {
     /// Attaches the program to the given cgroup.
     ///
     /// The returned value can be used to detach, see [CgroupSysctl::detach].
+    ///
+    /// # Warning
+    ///
+    /// On kernels 5.7.0 and later, attach modes other than CgroupAttachMode::default() are not passed to bpf_link_create.
     pub fn attach<T: AsFd>(
         &mut self,
         cgroup: T,
@@ -76,11 +81,17 @@ impl CgroupSysctl {
         let cgroup_fd = cgroup.as_fd();
 
         if KernelVersion::at_least(5, 7, 0) {
+            if mode != CgroupAttachMode::default() {
+                warn!(
+                    "CgroupAttachMode {:?} will not be passed on to bpf_link_create",
+                    mode
+                );
+            }
             let link_fd = bpf_link_create(
                 prog_fd,
                 LinkTarget::Fd(cgroup_fd),
                 BPF_CGROUP_SYSCTL,
-                mode.into(),
+                0,
                 None,
             )
             .map_err(|io_error| SyscallError {

aya/src/programs/links.rs

@@ -38,7 +38,7 @@ pub trait Link: std::fmt::Debug + Eq + std::hash::Hash + 'static {
 }
 
 /// Program attachment mode.
-#[derive(Clone, Copy, Debug, Default)]
+#[derive(Clone, Copy, Debug, Default, PartialEq)]
 pub enum CgroupAttachMode {
     /// Allows only one BPF program in the cgroup subtree.
     #[default]

aya/src/programs/sock_ops.rs

@@ -1,4 +1,5 @@
 //! Socket option programs.
+use log::warn;
 use std::os::fd::AsFd;
 
 use aya_obj::generated::{
@@ -65,6 +66,11 @@ impl SockOps {
     /// Attaches the program to the given cgroup.
     ///
     /// The returned value can be used to detach, see [SockOps::detach].
+    ///
+    /// # Warning
+    ///
+    /// On kernels 5.7.0 and later, attach modes other than `CgroupAttachMode::default()` are not passed to `bpf_link_create`.
+    /// On older kernels (using `bpf_prog_attach`), the attach mode is honored.
     pub fn attach<T: AsFd>(
         &mut self,
         cgroup: T,
@@ -75,17 +81,17 @@ impl SockOps {
         let cgroup_fd = cgroup.as_fd();
         let attach_type = BPF_CGROUP_SOCK_OPS;
         if KernelVersion::at_least(5, 7, 0) {
-            let link_fd = bpf_link_create(
-                prog_fd,
-                LinkTarget::Fd(cgroup_fd),
-                attach_type,
-                mode.into(),
-                None,
-            )
-            .map_err(|io_error| SyscallError {
-                call: "bpf_link_create",
-                io_error,
-            })?;
+            if mode != CgroupAttachMode::default() {
+                warn!(
+                    "CgroupAttachMode {:?} will not be passed on to bpf_link_create",
+                    mode
+                );
+            }
+            let link_fd = bpf_link_create(prog_fd, LinkTarget::Fd(cgroup_fd), attach_type, 0, None)
+                .map_err(|io_error| SyscallError {
+                    call: "bpf_link_create",
+                    io_error,
+                })?;
             self.data
                 .links
                 .insert(SockOpsLink::new(SockOpsLinkInner::Fd(FdLink::new(link_fd))))