Lsm cgroup api #1135
Lsm cgroup api #1135
Conversation
✅ Deploy Preview for aya-rs-docs ready!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
Please avoid opening a new PR each time. There are comments I left in #1131 that remain unaddressed. |
altugbozkurt07
force-pushed
the
lsm_cgroup_api
branch
from
92a61ab to
6a0721a
Compare
|
@tamird sorry, since we have changed the way we implemented api, i thought it deserved a new pr. For the comments that remain unaddressed; Am i missing something other than what is stated in your comments? |
altugbozkurt07
force-pushed
the
lsm_cgroup_api
branch
from
6a0721a to
91ff050
Compare
Cargo.toml
Outdated
| @@ -78,7 +78,7 @@ indoc = { version = "2.0", default-features = false } | |||
| libc = { version = "0.2.105", default-features = false } | |||
| log = { version = "0.4", default-features = false } | |||
| netns-rs = { version = "0.1", default-features = false } | |||
| nix = { version = "0.29.0", default-features = false } | |||
| nix = { version = "0.29.0", default-features = true } | |||
There was a problem hiding this comment.
Per comment in the previous review this should be:
nix = { version = "0.29.0", default-features = false }
| @@ -28,6 +28,7 @@ test-case = { workspace = true } | |||
| test-log = { workspace = true, features = ["log"] } | |||
| tokio = { workspace = true, features = ["macros", "rt-multi-thread", "time"] } | |||
| xdpilone = { workspace = true } | |||
| nix = { workspace = true, features = ["process"] } | |||
There was a problem hiding this comment.
You would add any other features that were required from nix here.
I assume you needed something from the default featureset given the change in the main Cargo.toml.
aya-ebpf-macros/src/lsm.rs
Outdated
| @@ -19,6 +19,7 @@ impl Lsm { | |||
| let hook = pop_string_arg(&mut args, "hook"); | |||
| let sleepable = pop_bool_arg(&mut args, "sleepable"); | |||
| err_on_unknown_args(&args)?; | |||
|
|
|||
aya-ebpf-macros/src/lsm.rs
Outdated
| @@ -39,15 +40,15 @@ impl Lsm { | |||
| block: _, | |||
| } = item; | |||
| let section_prefix = if *sleepable { "lsm.s" } else { "lsm" }; | |||
| let section_name: Cow<'_, _> = if let Some(hook) = hook { | |||
| format!("{}/{}", section_prefix, hook).into() | |||
| let section_name: Cow<'_, _> = if let Some(name) = hook { | |||
There was a problem hiding this comment.
There's no need to rename these variables.
| } else { | ||
| section_prefix.into() | ||
| }; | ||
| let fn_name = &sig.ident; |
There was a problem hiding this comment.
Also no need to move this line.
There was a problem hiding this comment.
sorry but i didnt understand the problem on this one, can you elobarate on this ?
aya/src/programs/lsm.rs
Outdated
| /// [1]: https://elixir.bootlin.com/linux/latest/source/include/linux/lsm_hook_defs.h | ||
| #[derive(Debug)] | ||
| #[doc(alias = "BPF_PROG_TYPE_LSM")] | ||
| pub struct Lsm { | ||
| pub(crate) data: ProgramData<LsmLink>, | ||
| pub(crate) attach_type: LsmAttachType, |
aya/src/programs/lsm.rs
Outdated
| @@ -60,7 +62,7 @@ impl Lsm { | |||
| /// * `lsm_hook_name` - full name of the LSM hook that the program should | |||
| /// be attached to | |||
| pub fn load(&mut self, lsm_hook_name: &str, btf: &Btf) -> Result<(), ProgramError> { | |||
| self.data.expected_attach_type = Some(BPF_LSM_MAC); | |||
| self.data.expected_attach_type = Some(self.attach_type.into()); | |||
aya/src/programs/lsm_cgroup.rs
Outdated
| /// The minimum kernel version required to use this feature is 6.0. | ||
| /// | ||
| /// # Examples | ||
| /// ## LSM with cgroup attachment type |
There was a problem hiding this comment.
if i remove this subheading, should i also remove it from lsm.rs ?
| /// program.load("security_bprm_exec", &btf)?; | ||
| /// program.attach(file)?; | ||
| /// # Ok::<(), LsmError>(()) | ||
| /// ``` |
There was a problem hiding this comment.
I think you might need a newline after the end of the code block.
| let prog_fd = self.fd()?; | ||
| let prog_fd = prog_fd.as_fd(); | ||
| let cgroup_fd = cgroup.as_fd(); | ||
| let attach_type = self.data.expected_attach_type.unwrap(); |
There was a problem hiding this comment.
| let attach_type = self.data.expected_attach_type.unwrap(); | |
| let attach_type = Some(BPF_LSM_CGROUP); |
|
Please let us know when the tests are passing, or if you need help understanding the failures. |
altugbozkurt07
force-pushed
the
lsm_cgroup_api
branch
from
91ff050 to
f2493ab
Compare
|
@dave-tucker thanks for your detailed feedback, i have updated the commit accordingly. Let me know if things are good to go for this one. |
| @@ -649,14 +651,17 @@ impl<'a> EbpfLoader<'a> { | |||
| ProgramSection::RawTracePoint => Program::RawTracePoint(RawTracePoint { | |||
| data: ProgramData::new(prog_name, obj, btf_fd, *verifier_log_level), | |||
| }), | |||
| ProgramSection::Lsm { sleepable } => { | |||
| ProgramSection::Lsm { sleepable , .. } => { | |||
| @@ -1,7 +1,6 @@ | |||
| //! LSM probes. | |||
| use crate::{ | |||
| @@ -967,7 +979,6 @@ impl_from_pin!( | |||
| CgroupSysctl, | |||
| LircMode2, | |||
| PerfEvent, | |||
| Lsm, | |||
Hi @vadorovsky, @dave-tucker,
This is the refactored work based on the discussion we have had on discord.
Let me know if i missed anything.
Best
This change is