From e623414959de067bed533a630b3f061a37485ba2 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Fri, 6 Dec 2024 17:45:25 +1100
Subject: [PATCH] [1.2] cgroups: ebpf: use link.Anchor to check for BPF_F_REPLACE support (This is a cherry-pick of dea0e04dd93d3922083e68667d20aac532d31129.) In v0.13.0, cilium/ebpf stopped supporting setting BPF_F_REPLACE as an explicit flag and instead requires us to use link.Anchor to specify where the program should be attached. Commit 216175a9ca84 ("Upgrade Cilium's eBPF library version to 0.16") did update this correctly for the actual attaching logic, but when checking for kernel support we still passed BPF_F_REPLACE. This would result in a generic error being returned, which our feature-support checking logic would treat as being an error the indicates that BPF_F_REPLACE *is* supported, resulting in a regression on pre-5.6 kernels. It turns out that our debug logging saying that this unexpected error was happening was being output as a result of this change, but nobody noticed...
Fixes: 216175a9ca84 ("Upgrade Cilium's eBPF library version to 0.16")
Signed-off-by: Aleksa Sarai
---
libcontainer/cgroups/devices/ebpf_linux.go | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/libcontainer/cgroups/devices/ebpf_linux.go b/libcontainer/cgroups/devices/ebpf_linux.go
index 1d3999e664d..0e808e29b32 100644
--- a/libcontainer/cgroups/devices/ebpf_linux.go
+++ b/libcontainer/cgroups/devices/ebpf_linux.go
@@ -123,12 +123,15 @@ func haveBpfProgReplace() bool {
 // BPF_CGROUP_DEVICE programs. If passing BPF_F_REPLACE gives us EINVAL
 // we know that the feature isn't present.
 err = link.RawAttachProgram(link.RawAttachProgramOptions{
- // We rely on this fd being checked after attachFlags.
+ // We rely on this fd being checked after attachFlags in the kernel.
 Target: int(devnull.Fd()),
- // Attempt to "replace" bad fds with this program.
+ // Attempt to "replace" our BPF program with itself. This will
+ // always fail, but we should get -EINVAL if BPF_F_REPLACE is not
+ // supported.
+ Anchor: link.ReplaceProgram(prog),
 Program: prog,
 Attach: ebpf.AttachCGroupDevice,
- Flags: unix.BPF_F_ALLOW_MULTI | unix.BPF_F_REPLACE,
+ Flags: unix.BPF_F_ALLOW_MULTI,
 })
 if errors.Is(err, unix.EINVAL) {
 // not supported
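Review bot: The probe still fails open, because the only outcome that means "not supported" is the `errors.Is(err, unix.EINVAL)` match at the end of the hunk, and per the commit description any other error is read as BPF_F_REPLACE being available. That is the same shape that let the earlier library upgrade regress silently, and a future library-side rejection of `Anchor: link.ReplaceProgram(prog)` before the syscall would do so again. Consider treating support as proven only when the error is the errno expected from the /dev/null target (presumably EBADF; confirm against the code after the hunk) and falling back to the non-replace path for anything else. The unexpected-error message would be easier to notice at warning level than at debug level, since this check decides how the device filter program is attached. The body of haveBpfProgReplace continues outside the hunk, so the handling after the EINVAL branch is inferred from the commit description.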