[PATCH] bpftool: Query only cgroup-related attach types

[PATCH] bpftool: Query only cgroup-related attach types

[Kenta Tada]

When CONFIG_NETKIT=y,
bpftool-cgroup shows error even if the cgroup's path is correct:

$ bpftool cgroup tree /sys/fs/cgroup
CgroupPath
ID       AttachType      AttachFlags     Name
Error: can't query bpf programs attached to /sys/fs/cgroup: No such device or address

From strace and kernel tracing, I found netkit returned ENXIO and this command failed.
I think this AttachType(BPF_NETKIT_PRIMARY) is not relevant to cgroup.

bpftool-cgroup should query just only cgroup-related attach types.

Signed-off-by: Kenta Tada <tadakentaso@gmail.com>
---
 tools/bpf/bpftool/cgroup.c | 47 +++++++++++++++++++++++++++++++++-----
 1 file changed, 41 insertions(+), 6 deletions(-)

diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
index af6898c0f388..bb2703aa4756 100644
--- a/tools/bpf/bpftool/cgroup.c
+++ b/tools/bpf/bpftool/cgroup.c
@@ -19,6 +19,39 @@
 
 #include "main.h"
 
+static const bool cgroup_attach_types[] = {
+	[BPF_CGROUP_INET_INGRESS] = true,
+	[BPF_CGROUP_INET_EGRESS] = true,
+	[BPF_CGROUP_INET_SOCK_CREATE] = true,
+	[BPF_CGROUP_INET_SOCK_RELEASE] = true,
+	[BPF_CGROUP_INET4_BIND] = true,
+	[BPF_CGROUP_INET6_BIND] = true,
+	[BPF_CGROUP_INET4_POST_BIND] = true,
+	[BPF_CGROUP_INET6_POST_BIND] = true,
+	[BPF_CGROUP_INET4_CONNECT] = true,
+	[BPF_CGROUP_INET6_CONNECT] = true,
+	[BPF_CGROUP_UNIX_CONNECT] = true,
+	[BPF_CGROUP_INET4_GETPEERNAME] = true,
+	[BPF_CGROUP_INET6_GETPEERNAME] = true,
+	[BPF_CGROUP_UNIX_GETPEERNAME] = true,
+	[BPF_CGROUP_INET4_GETSOCKNAME] = true,
+	[BPF_CGROUP_INET6_GETSOCKNAME] = true,
+	[BPF_CGROUP_UNIX_GETSOCKNAME] = true,
+	[BPF_CGROUP_UDP4_SENDMSG] = true,
+	[BPF_CGROUP_UDP6_SENDMSG] = true,
+	[BPF_CGROUP_UNIX_SENDMSG] = true,
+	[BPF_CGROUP_UDP4_RECVMSG] = true,
+	[BPF_CGROUP_UDP6_RECVMSG] = true,
+	[BPF_CGROUP_UNIX_RECVMSG] = true,
+	[BPF_CGROUP_SOCK_OPS] = true,
+	[BPF_CGROUP_DEVICE] = true,
+	[BPF_CGROUP_SYSCTL] = true,
+	[BPF_CGROUP_GETSOCKOPT] = true,
+	[BPF_CGROUP_SETSOCKOPT] = true,
+	[BPF_LSM_CGROUP] = true,
+	[__MAX_BPF_ATTACH_TYPE] = false,
+};
+
 #define HELP_SPEC_ATTACH_FLAGS						\
 	"ATTACH_FLAGS := { multi | override }"
 
@@ -187,14 +220,16 @@ static int cgroup_has_attached_progs(int cgroup_fd)
 	bool no_prog = true;
 
 	for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) {
-		int count = count_attached_bpf_progs(cgroup_fd, type);
+		if (cgroup_attach_types[type]) {
+			int count = count_attached_bpf_progs(cgroup_fd, type);
 
-		if (count < 0 && errno != EINVAL)
-			return -1;
+			if (count < 0 && errno != EINVAL)
+				return -1;
 
-		if (count > 0) {
-			no_prog = false;
-			break;
+			if (count > 0) {
+				no_prog = false;
+				break;
+			}
 		}
 	}
 
-- 
2.43.0

Re: [PATCH] bpftool: Query only cgroup-related attach types

[Quentin Monnet]

On 29/05/2024 14:10, Kenta Tada wrote:
> When CONFIG_NETKIT=y,
> bpftool-cgroup shows error even if the cgroup's path is correct:
> 
> $ bpftool cgroup tree /sys/fs/cgroup
> CgroupPath
> ID       AttachType      AttachFlags     Name
> Error: can't query bpf programs attached to /sys/fs/cgroup: No such device or address
> 
> From strace and kernel tracing, I found netkit returned ENXIO and this command failed.
> I think this AttachType(BPF_NETKIT_PRIMARY) is not relevant to cgroup.
> 
> bpftool-cgroup should query just only cgroup-related attach types.
> 
> Signed-off-by: Kenta Tada <tadakentaso@gmail.com>
> ---
>  tools/bpf/bpftool/cgroup.c | 47 +++++++++++++++++++++++++++++++++-----
>  1 file changed, 41 insertions(+), 6 deletions(-)
> 
> diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
> index af6898c0f388..bb2703aa4756 100644
> --- a/tools/bpf/bpftool/cgroup.c
> +++ b/tools/bpf/bpftool/cgroup.c
> @@ -19,6 +19,39 @@
>  
>  #include "main.h"
>  
> +static const bool cgroup_attach_types[] = {
> +	[BPF_CGROUP_INET_INGRESS] = true,
> +	[BPF_CGROUP_INET_EGRESS] = true,
> +	[BPF_CGROUP_INET_SOCK_CREATE] = true,
> +	[BPF_CGROUP_INET_SOCK_RELEASE] = true,
> +	[BPF_CGROUP_INET4_BIND] = true,
> +	[BPF_CGROUP_INET6_BIND] = true,
> +	[BPF_CGROUP_INET4_POST_BIND] = true,
> +	[BPF_CGROUP_INET6_POST_BIND] = true,
> +	[BPF_CGROUP_INET4_CONNECT] = true,
> +	[BPF_CGROUP_INET6_CONNECT] = true,
> +	[BPF_CGROUP_UNIX_CONNECT] = true,
> +	[BPF_CGROUP_INET4_GETPEERNAME] = true,
> +	[BPF_CGROUP_INET6_GETPEERNAME] = true,
> +	[BPF_CGROUP_UNIX_GETPEERNAME] = true,
> +	[BPF_CGROUP_INET4_GETSOCKNAME] = true,
> +	[BPF_CGROUP_INET6_GETSOCKNAME] = true,
> +	[BPF_CGROUP_UNIX_GETSOCKNAME] = true,
> +	[BPF_CGROUP_UDP4_SENDMSG] = true,
> +	[BPF_CGROUP_UDP6_SENDMSG] = true,
> +	[BPF_CGROUP_UNIX_SENDMSG] = true,
> +	[BPF_CGROUP_UDP4_RECVMSG] = true,
> +	[BPF_CGROUP_UDP6_RECVMSG] = true,
> +	[BPF_CGROUP_UNIX_RECVMSG] = true,
> +	[BPF_CGROUP_SOCK_OPS] = true,
> +	[BPF_CGROUP_DEVICE] = true,
> +	[BPF_CGROUP_SYSCTL] = true,
> +	[BPF_CGROUP_GETSOCKOPT] = true,
> +	[BPF_CGROUP_SETSOCKOPT] = true,
> +	[BPF_LSM_CGROUP] = true,
> +	[__MAX_BPF_ATTACH_TYPE] = false,
> +};


Thanks for this!

I can't say I'm glad to see another version of the list of
cgroup-related attach types (in addition to HELP_SPEC_ATTACH_TYPES and
to the manual page). But the alternative would be to explicitly skip
BPF_NETKIT_PRIMARY, which is not great, either. Too bad we don't have a
way to check whether the type is cgroup-related in libbpf or from the
bpf.h headers; but I don't think there's much interest to add it there,
so we'll probably have the array. We should account for it in
tools/testing/selftests/bpf/test_bpftool_synctypes.py, but I can do this
as a follow-up if you don't feel like messing up with the Python script.


> +
>  #define HELP_SPEC_ATTACH_FLAGS						\
>  	"ATTACH_FLAGS := { multi | override }"
>  
> @@ -187,14 +220,16 @@ static int cgroup_has_attached_progs(int cgroup_fd)
>  	bool no_prog = true;
>  
>  	for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) {
> -		int count = count_attached_bpf_progs(cgroup_fd, type);
> +		if (cgroup_attach_types[type]) {


Please change here:

                int count;

                if (!cgroup_attach_types[type])
                        continue;

And no need to further indent the rest of the block.


> +			int count = count_attached_bpf_progs(cgroup_fd, type);
>  
> -		if (count < 0 && errno != EINVAL)
> -			return -1;
> +			if (count < 0 && errno != EINVAL)
> +				return -1;
>  
> -		if (count > 0) {
> -			no_prog = false;
> -			break;
> +			if (count > 0) {
> +				no_prog = false;
> +				break;
> +			}
>  		}
>  	}
>  

Re: [PATCH] bpftool: Query only cgroup-related attach types

[Kenta Tada]

On 2024/05/30 5:22, Quentin Monnet wrote:
> On 29/05/2024 14:10, Kenta Tada wrote:
>> When CONFIG_NETKIT=y,
>> bpftool-cgroup shows error even if the cgroup's path is correct:
>>
>> $ bpftool cgroup tree /sys/fs/cgroup
>> CgroupPath
>> ID       AttachType      AttachFlags     Name
>> Error: can't query bpf programs attached to /sys/fs/cgroup: No such device or address
>>
>> From strace and kernel tracing, I found netkit returned ENXIO and this command failed.
>> I think this AttachType(BPF_NETKIT_PRIMARY) is not relevant to cgroup.
>>
>> bpftool-cgroup should query just only cgroup-related attach types.
>>
>> Signed-off-by: Kenta Tada <tadakentaso@gmail.com>
>> ---
>>  tools/bpf/bpftool/cgroup.c | 47 +++++++++++++++++++++++++++++++++-----
>>  1 file changed, 41 insertions(+), 6 deletions(-)
>>
>> diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
>> index af6898c0f388..bb2703aa4756 100644
>> --- a/tools/bpf/bpftool/cgroup.c
>> +++ b/tools/bpf/bpftool/cgroup.c
>> @@ -19,6 +19,39 @@
>>  
>>  #include "main.h"
>>  
>> +static const bool cgroup_attach_types[] = {
>> +	[BPF_CGROUP_INET_INGRESS] = true,
>> +	[BPF_CGROUP_INET_EGRESS] = true,
>> +	[BPF_CGROUP_INET_SOCK_CREATE] = true,
>> +	[BPF_CGROUP_INET_SOCK_RELEASE] = true,
>> +	[BPF_CGROUP_INET4_BIND] = true,
>> +	[BPF_CGROUP_INET6_BIND] = true,
>> +	[BPF_CGROUP_INET4_POST_BIND] = true,
>> +	[BPF_CGROUP_INET6_POST_BIND] = true,
>> +	[BPF_CGROUP_INET4_CONNECT] = true,
>> +	[BPF_CGROUP_INET6_CONNECT] = true,
>> +	[BPF_CGROUP_UNIX_CONNECT] = true,
>> +	[BPF_CGROUP_INET4_GETPEERNAME] = true,
>> +	[BPF_CGROUP_INET6_GETPEERNAME] = true,
>> +	[BPF_CGROUP_UNIX_GETPEERNAME] = true,
>> +	[BPF_CGROUP_INET4_GETSOCKNAME] = true,
>> +	[BPF_CGROUP_INET6_GETSOCKNAME] = true,
>> +	[BPF_CGROUP_UNIX_GETSOCKNAME] = true,
>> +	[BPF_CGROUP_UDP4_SENDMSG] = true,
>> +	[BPF_CGROUP_UDP6_SENDMSG] = true,
>> +	[BPF_CGROUP_UNIX_SENDMSG] = true,
>> +	[BPF_CGROUP_UDP4_RECVMSG] = true,
>> +	[BPF_CGROUP_UDP6_RECVMSG] = true,
>> +	[BPF_CGROUP_UNIX_RECVMSG] = true,
>> +	[BPF_CGROUP_SOCK_OPS] = true,
>> +	[BPF_CGROUP_DEVICE] = true,
>> +	[BPF_CGROUP_SYSCTL] = true,
>> +	[BPF_CGROUP_GETSOCKOPT] = true,
>> +	[BPF_CGROUP_SETSOCKOPT] = true,
>> +	[BPF_LSM_CGROUP] = true,
>> +	[__MAX_BPF_ATTACH_TYPE] = false,
>> +};
> 
> 
> Thanks for this!
> 
> I can't say I'm glad to see another version of the list of
> cgroup-related attach types (in addition to HELP_SPEC_ATTACH_TYPES and
> to the manual page). But the alternative would be to explicitly skip
> BPF_NETKIT_PRIMARY, which is not great, either. Too bad we don't have a
> way to check whether the type is cgroup-related in libbpf or from the
> bpf.h headers; but I don't think there's much interest to add it there,
> so we'll probably have the array. We should account for it in
> tools/testing/selftests/bpf/test_bpftool_synctypes.py, but I can do this
> as a follow-up if you don't feel like messing up with the Python script.

I think some bpf management tools require how to get cgroup-related attach types.
So I'm interested in adding the new API to check whether the type is cgroup-related in libbpf.

Thank you for the information about test_bpftool_synctypes.py.
BTW, I'm getting some syntax warnings when I use test_bpftool_synctypes.py in Python 3.12.
Python 3.12 changes the behavior of incorrect escape sequences.
To try test_bpftool_synctypes, I add r to the head and fix it in my local environment.

> 
> 
>> +
>>  #define HELP_SPEC_ATTACH_FLAGS						\
>>  	"ATTACH_FLAGS := { multi | override }"
>>  
>> @@ -187,14 +220,16 @@ static int cgroup_has_attached_progs(int cgroup_fd)
>>  	bool no_prog = true;
>>  
>>  	for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) {
>> -		int count = count_attached_bpf_progs(cgroup_fd, type);
>> +		if (cgroup_attach_types[type]) {
> 
> 
> Please change here:
> 
>                 int count;
> 
>                 if (!cgroup_attach_types[type])
>                         continue;
> 
> And no need to further indent the rest of the block.
> 
> 
>> +			int count = count_attached_bpf_progs(cgroup_fd, type);
>>  
>> -		if (count < 0 && errno != EINVAL)
>> -			return -1;
>> +			if (count < 0 && errno != EINVAL)
>> +				return -1;
>>  
>> -		if (count > 0) {
>> -			no_prog = false;
>> -			break;
>> +			if (count > 0) {
>> +				no_prog = false;
>> +				break;
>> +			}
>>  		}
>>  	}
>>  
> 

Re: [PATCH] bpftool: Query only cgroup-related attach types

[Andrii Nakryiko]

On Wed, May 29, 2024 at 6:10 AM Kenta Tada <tadakentaso@gmail.com> wrote:
>
> When CONFIG_NETKIT=y,
> bpftool-cgroup shows error even if the cgroup's path is correct:
>
> $ bpftool cgroup tree /sys/fs/cgroup
> CgroupPath
> ID       AttachType      AttachFlags     Name
> Error: can't query bpf programs attached to /sys/fs/cgroup: No such device or address
>
> From strace and kernel tracing, I found netkit returned ENXIO and this command failed.
> I think this AttachType(BPF_NETKIT_PRIMARY) is not relevant to cgroup.
>
> bpftool-cgroup should query just only cgroup-related attach types.
>
> Signed-off-by: Kenta Tada <tadakentaso@gmail.com>
> ---
>  tools/bpf/bpftool/cgroup.c | 47 +++++++++++++++++++++++++++++++++-----
>  1 file changed, 41 insertions(+), 6 deletions(-)
>
> diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
> index af6898c0f388..bb2703aa4756 100644
> --- a/tools/bpf/bpftool/cgroup.c
> +++ b/tools/bpf/bpftool/cgroup.c
> @@ -19,6 +19,39 @@
>
>  #include "main.h"
>
> +static const bool cgroup_attach_types[] = {
> +       [BPF_CGROUP_INET_INGRESS] = true,
> +       [BPF_CGROUP_INET_EGRESS] = true,
> +       [BPF_CGROUP_INET_SOCK_CREATE] = true,
> +       [BPF_CGROUP_INET_SOCK_RELEASE] = true,
> +       [BPF_CGROUP_INET4_BIND] = true,
> +       [BPF_CGROUP_INET6_BIND] = true,
> +       [BPF_CGROUP_INET4_POST_BIND] = true,
> +       [BPF_CGROUP_INET6_POST_BIND] = true,
> +       [BPF_CGROUP_INET4_CONNECT] = true,
> +       [BPF_CGROUP_INET6_CONNECT] = true,
> +       [BPF_CGROUP_UNIX_CONNECT] = true,
> +       [BPF_CGROUP_INET4_GETPEERNAME] = true,
> +       [BPF_CGROUP_INET6_GETPEERNAME] = true,
> +       [BPF_CGROUP_UNIX_GETPEERNAME] = true,
> +       [BPF_CGROUP_INET4_GETSOCKNAME] = true,
> +       [BPF_CGROUP_INET6_GETSOCKNAME] = true,
> +       [BPF_CGROUP_UNIX_GETSOCKNAME] = true,
> +       [BPF_CGROUP_UDP4_SENDMSG] = true,
> +       [BPF_CGROUP_UDP6_SENDMSG] = true,
> +       [BPF_CGROUP_UNIX_SENDMSG] = true,
> +       [BPF_CGROUP_UDP4_RECVMSG] = true,
> +       [BPF_CGROUP_UDP6_RECVMSG] = true,
> +       [BPF_CGROUP_UNIX_RECVMSG] = true,
> +       [BPF_CGROUP_SOCK_OPS] = true,
> +       [BPF_CGROUP_DEVICE] = true,
> +       [BPF_CGROUP_SYSCTL] = true,
> +       [BPF_CGROUP_GETSOCKOPT] = true,
> +       [BPF_CGROUP_SETSOCKOPT] = true,
> +       [BPF_LSM_CGROUP] = true,
> +       [__MAX_BPF_ATTACH_TYPE] = false,
> +};
> +
>  #define HELP_SPEC_ATTACH_FLAGS                                         \
>         "ATTACH_FLAGS := { multi | override }"
>
> @@ -187,14 +220,16 @@ static int cgroup_has_attached_progs(int cgroup_fd)
>         bool no_prog = true;
>
>         for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) {

instead of iterating over all possible attach types and then checking
if attach type is cgroup-related, why not have an array of just cgroup
attach types and iterate it directly?

pw-bot: cr


> -               int count = count_attached_bpf_progs(cgroup_fd, type);
> +               if (cgroup_attach_types[type]) {
> +                       int count = count_attached_bpf_progs(cgroup_fd, type);
>
> -               if (count < 0 && errno != EINVAL)
> -                       return -1;
> +                       if (count < 0 && errno != EINVAL)
> +                               return -1;
>
> -               if (count > 0) {
> -                       no_prog = false;
> -                       break;
> +                       if (count > 0) {
> +                               no_prog = false;
> +                               break;
> +                       }
>                 }
>         }
>
> --
> 2.43.0
>

Re: [PATCH] bpftool: Query only cgroup-related attach types

[Kenta Tada]

On 2024/05/31 6:20, Andrii Nakryiko wrote:
> On Wed, May 29, 2024 at 6:10 AM Kenta Tada <tadakentaso@gmail.com> wrote:
>>
>> When CONFIG_NETKIT=y,
>> bpftool-cgroup shows error even if the cgroup's path is correct:
>>
>> $ bpftool cgroup tree /sys/fs/cgroup
>> CgroupPath
>> ID       AttachType      AttachFlags     Name
>> Error: can't query bpf programs attached to /sys/fs/cgroup: No such device or address
>>
>> From strace and kernel tracing, I found netkit returned ENXIO and this command failed.
>> I think this AttachType(BPF_NETKIT_PRIMARY) is not relevant to cgroup.
>>
>> bpftool-cgroup should query just only cgroup-related attach types.
>>
>> Signed-off-by: Kenta Tada <tadakentaso@gmail.com>
>> ---
>>  tools/bpf/bpftool/cgroup.c | 47 +++++++++++++++++++++++++++++++++-----
>>  1 file changed, 41 insertions(+), 6 deletions(-)
>>
>> diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
>> index af6898c0f388..bb2703aa4756 100644
>> --- a/tools/bpf/bpftool/cgroup.c
>> +++ b/tools/bpf/bpftool/cgroup.c
>> @@ -19,6 +19,39 @@
>>
>>  #include "main.h"
>>
>> +static const bool cgroup_attach_types[] = {
>> +       [BPF_CGROUP_INET_INGRESS] = true,
>> +       [BPF_CGROUP_INET_EGRESS] = true,
>> +       [BPF_CGROUP_INET_SOCK_CREATE] = true,
>> +       [BPF_CGROUP_INET_SOCK_RELEASE] = true,
>> +       [BPF_CGROUP_INET4_BIND] = true,
>> +       [BPF_CGROUP_INET6_BIND] = true,
>> +       [BPF_CGROUP_INET4_POST_BIND] = true,
>> +       [BPF_CGROUP_INET6_POST_BIND] = true,
>> +       [BPF_CGROUP_INET4_CONNECT] = true,
>> +       [BPF_CGROUP_INET6_CONNECT] = true,
>> +       [BPF_CGROUP_UNIX_CONNECT] = true,
>> +       [BPF_CGROUP_INET4_GETPEERNAME] = true,
>> +       [BPF_CGROUP_INET6_GETPEERNAME] = true,
>> +       [BPF_CGROUP_UNIX_GETPEERNAME] = true,
>> +       [BPF_CGROUP_INET4_GETSOCKNAME] = true,
>> +       [BPF_CGROUP_INET6_GETSOCKNAME] = true,
>> +       [BPF_CGROUP_UNIX_GETSOCKNAME] = true,
>> +       [BPF_CGROUP_UDP4_SENDMSG] = true,
>> +       [BPF_CGROUP_UDP6_SENDMSG] = true,
>> +       [BPF_CGROUP_UNIX_SENDMSG] = true,
>> +       [BPF_CGROUP_UDP4_RECVMSG] = true,
>> +       [BPF_CGROUP_UDP6_RECVMSG] = true,
>> +       [BPF_CGROUP_UNIX_RECVMSG] = true,
>> +       [BPF_CGROUP_SOCK_OPS] = true,
>> +       [BPF_CGROUP_DEVICE] = true,
>> +       [BPF_CGROUP_SYSCTL] = true,
>> +       [BPF_CGROUP_GETSOCKOPT] = true,
>> +       [BPF_CGROUP_SETSOCKOPT] = true,
>> +       [BPF_LSM_CGROUP] = true,
>> +       [__MAX_BPF_ATTACH_TYPE] = false,
>> +};
>> +
>>  #define HELP_SPEC_ATTACH_FLAGS                                         \
>>         "ATTACH_FLAGS := { multi | override }"
>>
>> @@ -187,14 +220,16 @@ static int cgroup_has_attached_progs(int cgroup_fd)
>>         bool no_prog = true;
>>
>>         for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) {
> 
> instead of iterating over all possible attach types and then checking
> if attach type is cgroup-related, why not have an array of just cgroup
> attach types and iterate it directly?
> 
> pw-bot: cr

The size of the bool array is smaller than saving each attachment type as the value in an integer array.
But either is fine.

I think the problem is that we don't increase the list of cgroup attach types in multiple files.
Do you have any plans to add the new API to check whether the attach type is cgroup-related in libbpf?
I want to call the new API in this patch.

> 
> 
>> -               int count = count_attached_bpf_progs(cgroup_fd, type);
>> +               if (cgroup_attach_types[type]) {
>> +                       int count = count_attached_bpf_progs(cgroup_fd, type);
>>
>> -               if (count < 0 && errno != EINVAL)
>> -                       return -1;
>> +                       if (count < 0 && errno != EINVAL)
>> +                               return -1;
>>
>> -               if (count > 0) {
>> -                       no_prog = false;
>> -                       break;
>> +                       if (count > 0) {
>> +                               no_prog = false;
>> +                               break;
>> +                       }
>>                 }
>>         }
>>
>> --
>> 2.43.0
>>

Re: [PATCH] bpftool: Query only cgroup-related attach types

[Andrii Nakryiko]

On Fri, May 31, 2024 at 6:04 AM Kenta Tada <tadakentaso@gmail.com> wrote:
>
> On 2024/05/31 6:20, Andrii Nakryiko wrote:
> > On Wed, May 29, 2024 at 6:10 AM Kenta Tada <tadakentaso@gmail.com> wrote:
> >>
> >> When CONFIG_NETKIT=y,
> >> bpftool-cgroup shows error even if the cgroup's path is correct:
> >>
> >> $ bpftool cgroup tree /sys/fs/cgroup
> >> CgroupPath
> >> ID       AttachType      AttachFlags     Name
> >> Error: can't query bpf programs attached to /sys/fs/cgroup: No such device or address
> >>
> >> From strace and kernel tracing, I found netkit returned ENXIO and this command failed.
> >> I think this AttachType(BPF_NETKIT_PRIMARY) is not relevant to cgroup.
> >>
> >> bpftool-cgroup should query just only cgroup-related attach types.
> >>
> >> Signed-off-by: Kenta Tada <tadakentaso@gmail.com>
> >> ---
> >>  tools/bpf/bpftool/cgroup.c | 47 +++++++++++++++++++++++++++++++++-----
> >>  1 file changed, 41 insertions(+), 6 deletions(-)
> >>
> >> diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
> >> index af6898c0f388..bb2703aa4756 100644
> >> --- a/tools/bpf/bpftool/cgroup.c
> >> +++ b/tools/bpf/bpftool/cgroup.c
> >> @@ -19,6 +19,39 @@
> >>
> >>  #include "main.h"
> >>
> >> +static const bool cgroup_attach_types[] = {
> >> +       [BPF_CGROUP_INET_INGRESS] = true,
> >> +       [BPF_CGROUP_INET_EGRESS] = true,
> >> +       [BPF_CGROUP_INET_SOCK_CREATE] = true,
> >> +       [BPF_CGROUP_INET_SOCK_RELEASE] = true,
> >> +       [BPF_CGROUP_INET4_BIND] = true,
> >> +       [BPF_CGROUP_INET6_BIND] = true,
> >> +       [BPF_CGROUP_INET4_POST_BIND] = true,
> >> +       [BPF_CGROUP_INET6_POST_BIND] = true,
> >> +       [BPF_CGROUP_INET4_CONNECT] = true,
> >> +       [BPF_CGROUP_INET6_CONNECT] = true,
> >> +       [BPF_CGROUP_UNIX_CONNECT] = true,
> >> +       [BPF_CGROUP_INET4_GETPEERNAME] = true,
> >> +       [BPF_CGROUP_INET6_GETPEERNAME] = true,
> >> +       [BPF_CGROUP_UNIX_GETPEERNAME] = true,
> >> +       [BPF_CGROUP_INET4_GETSOCKNAME] = true,
> >> +       [BPF_CGROUP_INET6_GETSOCKNAME] = true,
> >> +       [BPF_CGROUP_UNIX_GETSOCKNAME] = true,
> >> +       [BPF_CGROUP_UDP4_SENDMSG] = true,
> >> +       [BPF_CGROUP_UDP6_SENDMSG] = true,
> >> +       [BPF_CGROUP_UNIX_SENDMSG] = true,
> >> +       [BPF_CGROUP_UDP4_RECVMSG] = true,
> >> +       [BPF_CGROUP_UDP6_RECVMSG] = true,
> >> +       [BPF_CGROUP_UNIX_RECVMSG] = true,
> >> +       [BPF_CGROUP_SOCK_OPS] = true,
> >> +       [BPF_CGROUP_DEVICE] = true,
> >> +       [BPF_CGROUP_SYSCTL] = true,
> >> +       [BPF_CGROUP_GETSOCKOPT] = true,
> >> +       [BPF_CGROUP_SETSOCKOPT] = true,
> >> +       [BPF_LSM_CGROUP] = true,
> >> +       [__MAX_BPF_ATTACH_TYPE] = false,
> >> +};
> >> +
> >>  #define HELP_SPEC_ATTACH_FLAGS                                         \
> >>         "ATTACH_FLAGS := { multi | override }"
> >>
> >> @@ -187,14 +220,16 @@ static int cgroup_has_attached_progs(int cgroup_fd)
> >>         bool no_prog = true;
> >>
> >>         for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) {
> >
> > instead of iterating over all possible attach types and then checking
> > if attach type is cgroup-related, why not have an array of just cgroup
> > attach types and iterate it directly?
> >
> > pw-bot: cr
>
> The size of the bool array is smaller than saving each attachment type as the value in an integer array.
> But either is fine.

Those few bytes don't matter, it's about it being a cleaner approach.
You only iterate meaningful types, instead of iterating everything and
skipping some. In the grand scheme of things it's not that important,
but I'd go with the list approach as more natural to understand.

>
> I think the problem is that we don't increase the list of cgroup attach types in multiple files.
> Do you have any plans to add the new API to check whether the attach type is cgroup-related in libbpf?
> I want to call the new API in this patch.

I'm not convinced we need this API. cgroup-specific attach types are
just one possible subset of attach types, not sure it's a good idea to
add a dedicated filtering API for that in libbpf.

>
> >
> >
> >> -               int count = count_attached_bpf_progs(cgroup_fd, type);
> >> +               if (cgroup_attach_types[type]) {
> >> +                       int count = count_attached_bpf_progs(cgroup_fd, type);
> >>
> >> -               if (count < 0 && errno != EINVAL)
> >> -                       return -1;
> >> +                       if (count < 0 && errno != EINVAL)
> >> +                               return -1;
> >>
> >> -               if (count > 0) {
> >> -                       no_prog = false;
> >> -                       break;
> >> +                       if (count > 0) {
> >> +                               no_prog = false;
> >> +                               break;
> >> +                       }
> >>                 }
> >>         }
> >>
> >> --
> >> 2.43.0
> >>
>