cgroups: ebpf: use link.Anchor to check for BPF_F_REPLACE support
In v0.13.0, cilium/ebpf stopped supporting setting BPF_F_REPLACE as an
explicit flag and instead requires us to use link.Anchor to specify
where the program should be attached.

Commit 216175a ("Upgrade Cilium's eBPF library version to 0.16")
did update this correctly for the actual attaching logic, but when
checking for kernel support we still passed BPF_F_REPLACE. This would
result in a generic error being returned, which our feature-support
checking logic would treat as being an error that indicates that
BPF_F_REPLACE *is* supported, resulting in a regression on pre-5.6
kernels.

It turns out that our debug logging saying that this unexpected error
was happening was being output as a result of this change, but nobody
noticed...

Fixes: 216175a ("Upgrade Cilium's eBPF library version to 0.16")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar committed Dec 6, 2024
1 parent 9453d59 commit dea0e04
Showing 1 changed file with 6 additions and 3 deletions.
9 changes: 6 additions & 3 deletions libcontainer/cgroups/devices/ebpf_linux.go
Expand Up @@ -123,12 +123,15 @@ func haveBpfProgReplace() bool {
// BPF_CGROUP_DEVICE programs. If passing BPF_F_REPLACE gives us EINVAL
// we know that the feature isn't present.
err = link.RawAttachProgram(link.RawAttachProgramOptions{
// We rely on this fd being checked after attachFlags.
// We rely on this fd being checked after attachFlags in the kernel.
Target: int(devnull.Fd()),
// Attempt to "replace" bad fds with this program.
// Attempt to "replace" our BPF program with itself. This will
// always fail, but we should get -EINVAL if BPF_F_REPLACE is not
// supported.
Anchor: link.ReplaceProgram(prog),
Program: prog,
Attach: ebpf.AttachCGroupDevice,
Flags: unix.BPF_F_ALLOW_MULTI | unix.BPF_F_REPLACE,
Flags: unix.BPF_F_ALLOW_MULTI,
})
if errors.Is(err, unix.EINVAL) {
// not supported
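Review bot: the `errors.Is(err, unix.EINVAL)` check at the end of this hunk is still the only branch that reports "not supported", so the probe keeps failing open: per the commit message, any other error from `link.RawAttachProgram` is read as BPF_F_REPLACE being available, which is how the library-side rejection of the explicit flag turned into a regression on pre-5.6 kernels and was only visible in debug logs. Consider treating only the one errno expected from a kernel that has the feature as a positive result and returning false (with a warning-level log) for anything else, so a future change in how cilium/ebpf handles `Anchor: link.ReplaceProgram(prog)` degrades to the non-replace path instead of a failed attach. The change also touches one file with no test; a unit test that pins the error class this call returns would catch the next library upgrade. Minor: the comment at the top of the hunk still says "If passing BPF_F_REPLACE gives us EINVAL" although the flag is no longer passed in `Flags`; rewording it to mention the anchor would keep it accurate.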