ebpf: replace the existing program on update

giuseppe · giuseppe · commit 84949c9b6af7 · 2020-05-10T22:08:13.000+02:00
on a container update, make sure the existing eBPF program is
completely replaced.

Signed-off-by: Giuseppe Scrivano &lt;gscrivan@redhat.com&gt;
diff --git a/src/libcrun/ebpf.c b/src/libcrun/ebpf.c
@@ -293,15 +293,90 @@ bpf_program_complete_dev (struct bpf_program *program, libcrun_error_t *err arg_
   return program;
 }
 
+static int
+ebpf_attach_program (int fd, int dirfd, libcrun_error_t *err)
+{
+  const int MAX_ATTEMPTS = 20;
+  int attempt;
+
+  for (attempt = 0;; attempt++)
+    {
+      cleanup_close int replacefd = -1;
+      union bpf_attr attr;
+      uint32_t progs[2];
+      int ret;
+
+      memset (&attr, 0, sizeof (attr));
+      attr.query.target_fd = dirfd;
+      attr.query.attach_type = BPF_CGROUP_DEVICE;
+      attr.query.prog_cnt = sizeof (progs) / sizeof (progs[0]);
+      attr.query.prog_ids = (uint64_t) &progs;
+
+      ret = bpf (BPF_PROG_QUERY, &attr, sizeof (attr));
+      if (UNLIKELY (ret < 0))
+        return crun_make_error (err, errno, "bpf query");
+
+      if (attr.query.prog_cnt > 1)
+        return crun_make_error (err, 0, "invalid device cgroup state, more than one program installed");
+
+      if (attr.query.prog_cnt == 1)
+        {
+#ifdef BPF_F_REPLACE
+          memset (&attr, 0, sizeof (attr));
+          attr.prog_id = progs[0];
+          replacefd = bpf (BPF_PROG_GET_FD_BY_ID, &attr, sizeof (attr));
+          if (UNLIKELY (replacefd < 0))
+            {
+              if (errno == ENOENT && attempt < MAX_ATTEMPTS)
+                {
+                  /* Another update might have raced and updated, try again.  */
+                  continue;
+                }
+              return crun_make_error (err, errno, "cannot open existing eBPF program");
+            }
+#else
+          return crun_make_error (err, 0, "eBPF program already configured");
+#endif
+        }
+
+      memset (&attr, 0, sizeof (attr));
+      attr.attach_type = BPF_CGROUP_DEVICE;
+      attr.target_fd = dirfd;
+      attr.attach_bpf_fd = fd;
+#ifdef BPF_F_REPLACE
+      attr.attach_flags = BPF_F_ALLOW_MULTI | ((replacefd >= 0) ? BPF_F_REPLACE : 0);
+      attr.replace_bpf_fd = replacefd;
+#else
+      attr.attach_flags = BPF_F_ALLOW_MULTI;
+#endif
+
+      ret = bpf (BPF_PROG_ATTACH, &attr, sizeof (attr));
+      if (UNLIKELY (ret < 0))
+        {
+          if (errno == ENOENT && replacefd >= 0 && attempt < MAX_ATTEMPTS)
+            {
+              /* Another update might have already updated the cgroup, try again.  */
+              continue;
+            }
+          if (errno == EINVAL && replacefd >= 0)
+            return crun_make_error (err, errno, "bpf attach.  The kernel might not support BPF_F_REPLACE");
+          return crun_make_error (err, errno, "bpf attach");
+        }
+
+      return 0;
+    }
+}
+
 int
 libcrun_ebpf_load (struct bpf_program *program, int dirfd, const char *pin, libcrun_error_t *err)
 {
 #ifndef HAVE_EBPF
   return crun_make_error (err, 0, "eBPF not supported");
 #else
-  int fd, ret;
+  cleanup_close int fd = -1;
   union bpf_attr attr;
   struct rlimit limit;
+  int ret;
 
   limit.rlim_cur = RLIM_INFINITY;
   limit.rlim_max = RLIM_INFINITY;
@@ -329,30 +404,26 @@ libcrun_ebpf_load (struct bpf_program *program, int dirfd, const char *pin, libc
 
       fd = bpf (BPF_PROG_LOAD, &attr, sizeof (attr));
       if (fd < 0)
-        return crun_make_error (err, errno, "bpf create %s", log);
+        return crun_make_error (err, errno, "bpf create `%s`", log);
     }
 
-  memset (&attr, 0, sizeof (attr));
-  attr.attach_type = BPF_CGROUP_DEVICE;
-  attr.target_fd = dirfd;
-  attr.attach_bpf_fd = fd;
-  attr.attach_flags = BPF_F_ALLOW_MULTI;
-
-  ret = bpf (BPF_PROG_ATTACH, &attr, sizeof (attr));
-  if (ret < 0)
-    return crun_make_error (err, errno, "bpf attach");
+  ret = ebpf_attach_program (fd, dirfd, err);
+  if (UNLIKELY (ret < 0))
+    return ret;
 
   /* Optionally pin the program to the specified path.  */
   if (pin)
     {
+      unlink (pin);
+
       memset (&attr, 0, sizeof (attr));
       attr.pathname = (uint64_t) pin;
       attr.bpf_fd = fd;
       ret = bpf (BPF_OBJ_PIN, &attr, sizeof (attr));
       if (ret < 0)
-        return crun_make_error (err, errno, "bpf pin to %s", pin);
+        return crun_make_error (err, errno, "bpf pin to `%s`", pin);
     }
 
-  return fd;
+  return 0;
 #endif
 }
