1 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) 2 // Copyright (C) 2017 Facebook 3 // Author: Roman Gushchin <guro@fb.com> 4 5 #define _XOPEN_SOURCE 500 6 #include <errno.h> 7 #include <fcntl.h> 8 #include <ftw.h> 9 #include <mntent.h> 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <string.h> 13 #include <sys/stat.h> 14 #include <sys/types.h> 15 #include <unistd.h> 16 17 #include <bpf.h> 18 19 #include "main.h" 20 21 #define HELP_SPEC_ATTACH_FLAGS \ 22 "ATTACH_FLAGS := { multi | override }" 23 24 #define HELP_SPEC_ATTACH_TYPES \ 25 " ATTACH_TYPE := { ingress | egress | sock_create |\n" \ 26 " sock_ops | device | bind4 | bind6 |\n" \ 27 " post_bind4 | post_bind6 | connect4 |\n" \ 28 " connect6 | sendmsg4 | sendmsg6 |\n" \ 29 " recvmsg4 | recvmsg6 | sysctl |\n" \ 30 " getsockopt | setsockopt }" 31 32 static unsigned int query_flags; 33 34 static const char * const attach_type_strings[] = { 35 [BPF_CGROUP_INET_INGRESS] = "ingress", 36 [BPF_CGROUP_INET_EGRESS] = "egress", 37 [BPF_CGROUP_INET_SOCK_CREATE] = "sock_create", 38 [BPF_CGROUP_SOCK_OPS] = "sock_ops", 39 [BPF_CGROUP_DEVICE] = "device", 40 [BPF_CGROUP_INET4_BIND] = "bind4", 41 [BPF_CGROUP_INET6_BIND] = "bind6", 42 [BPF_CGROUP_INET4_CONNECT] = "connect4", 43 [BPF_CGROUP_INET6_CONNECT] = "connect6", 44 [BPF_CGROUP_INET4_POST_BIND] = "post_bind4", 45 [BPF_CGROUP_INET6_POST_BIND] = "post_bind6", 46 [BPF_CGROUP_UDP4_SENDMSG] = "sendmsg4", 47 [BPF_CGROUP_UDP6_SENDMSG] = "sendmsg6", 48 [BPF_CGROUP_SYSCTL] = "sysctl", 49 [BPF_CGROUP_UDP4_RECVMSG] = "recvmsg4", 50 [BPF_CGROUP_UDP6_RECVMSG] = "recvmsg6", 51 [BPF_CGROUP_GETSOCKOPT] = "getsockopt", 52 [BPF_CGROUP_SETSOCKOPT] = "setsockopt", 53 [__MAX_BPF_ATTACH_TYPE] = NULL, 54 }; 55 56 static enum bpf_attach_type parse_attach_type(const char *str) 57 { 58 enum bpf_attach_type type; 59 60 for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) { 61 if (attach_type_strings[type] && 62 is_prefix(str, attach_type_strings[type])) 63 return type; 64 } 65 66 return __MAX_BPF_ATTACH_TYPE; 67 } 68 69 static int show_bpf_prog(int id, const char *attach_type_str, 70 const char *attach_flags_str, 71 int level) 72 { 73 struct bpf_prog_info info = {}; 74 __u32 info_len = sizeof(info); 75 int prog_fd; 76 77 prog_fd = bpf_prog_get_fd_by_id(id); 78 if (prog_fd < 0) 79 return -1; 80 81 if (bpf_obj_get_info_by_fd(prog_fd, &info, &info_len)) { 82 close(prog_fd); 83 return -1; 84 } 85 86 if (json_output) { 87 jsonw_start_object(json_wtr); 88 jsonw_uint_field(json_wtr, "id", info.id); 89 jsonw_string_field(json_wtr, "attach_type", 90 attach_type_str); 91 jsonw_string_field(json_wtr, "attach_flags", 92 attach_flags_str); 93 jsonw_string_field(json_wtr, "name", info.name); 94 jsonw_end_object(json_wtr); 95 } else { 96 printf("%s%-8u %-15s %-15s %-15s\n", level ? " " : "", 97 info.id, 98 attach_type_str, 99 attach_flags_str, 100 info.name); 101 } 102 103 close(prog_fd); 104 return 0; 105 } 106 107 static int count_attached_bpf_progs(int cgroup_fd, enum bpf_attach_type type) 108 { 109 __u32 prog_cnt = 0; 110 int ret; 111 112 ret = bpf_prog_query(cgroup_fd, type, query_flags, NULL, 113 NULL, &prog_cnt); 114 if (ret) 115 return -1; 116 117 return prog_cnt; 118 } 119 120 static int cgroup_has_attached_progs(int cgroup_fd) 121 { 122 enum bpf_attach_type type; 123 bool no_prog = true; 124 125 for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) { 126 int count = count_attached_bpf_progs(cgroup_fd, type); 127 128 if (count < 0 && errno != EINVAL) 129 return -1; 130 131 if (count > 0) { 132 no_prog = false; 133 break; 134 } 135 } 136 137 return no_prog ? 0 : 1; 138 } 139 static int show_attached_bpf_progs(int cgroup_fd, enum bpf_attach_type type, 140 int level) 141 { 142 const char *attach_flags_str; 143 __u32 prog_ids[1024] = {0}; 144 __u32 prog_cnt, iter; 145 __u32 attach_flags; 146 char buf[32]; 147 int ret; 148 149 prog_cnt = ARRAY_SIZE(prog_ids); 150 ret = bpf_prog_query(cgroup_fd, type, query_flags, &attach_flags, 151 prog_ids, &prog_cnt); 152 if (ret) 153 return ret; 154 155 if (prog_cnt == 0) 156 return 0; 157 158 switch (attach_flags) { 159 case BPF_F_ALLOW_MULTI: 160 attach_flags_str = "multi"; 161 break; 162 case BPF_F_ALLOW_OVERRIDE: 163 attach_flags_str = "override"; 164 break; 165 case 0: 166 attach_flags_str = ""; 167 break; 168 default: 169 snprintf(buf, sizeof(buf), "unknown(%x)", attach_flags); 170 attach_flags_str = buf; 171 } 172 173 for (iter = 0; iter < prog_cnt; iter++) 174 show_bpf_prog(prog_ids[iter], attach_type_strings[type], 175 attach_flags_str, level); 176 177 return 0; 178 } 179 180 static int do_show(int argc, char **argv) 181 { 182 enum bpf_attach_type type; 183 int has_attached_progs; 184 const char *path; 185 int cgroup_fd; 186 int ret = -1; 187 188 query_flags = 0; 189 190 if (!REQ_ARGS(1)) 191 return -1; 192 path = GET_ARG(); 193 194 while (argc) { 195 if (is_prefix(*argv, "effective")) { 196 if (query_flags & BPF_F_QUERY_EFFECTIVE) { 197 p_err("duplicated argument: %s", *argv); 198 return -1; 199 } 200 query_flags |= BPF_F_QUERY_EFFECTIVE; 201 NEXT_ARG(); 202 } else { 203 p_err("expected no more arguments, 'effective', got: '%s'?", 204 *argv); 205 return -1; 206 } 207 } 208 209 cgroup_fd = open(path, O_RDONLY); 210 if (cgroup_fd < 0) { 211 p_err("can't open cgroup %s", path); 212 goto exit; 213 } 214 215 has_attached_progs = cgroup_has_attached_progs(cgroup_fd); 216 if (has_attached_progs < 0) { 217 p_err("can't query bpf programs attached to %s: %s", 218 path, strerror(errno)); 219 goto exit_cgroup; 220 } else if (!has_attached_progs) { 221 ret = 0; 222 goto exit_cgroup; 223 } 224 225 if (json_output) 226 jsonw_start_array(json_wtr); 227 else 228 printf("%-8s %-15s %-15s %-15s\n", "ID", "AttachType", 229 "AttachFlags", "Name"); 230 231 for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) { 232 /* 233 * Not all attach types may be supported, so it's expected, 234 * that some requests will fail. 235 * If we were able to get the show for at least one 236 * attach type, let's return 0. 237 */ 238 if (show_attached_bpf_progs(cgroup_fd, type, 0) == 0) 239 ret = 0; 240 } 241 242 if (json_output) 243 jsonw_end_array(json_wtr); 244 245 exit_cgroup: 246 close(cgroup_fd); 247 exit: 248 return ret; 249 } 250 251 /* 252 * To distinguish nftw() errors and do_show_tree_fn() errors 253 * and avoid duplicating error messages, let's return -2 254 * from do_show_tree_fn() in case of error. 255 */ 256 #define NFTW_ERR -1 257 #define SHOW_TREE_FN_ERR -2 258 static int do_show_tree_fn(const char *fpath, const struct stat *sb, 259 int typeflag, struct FTW *ftw) 260 { 261 enum bpf_attach_type type; 262 int has_attached_progs; 263 int cgroup_fd; 264 265 if (typeflag != FTW_D) 266 return 0; 267 268 cgroup_fd = open(fpath, O_RDONLY); 269 if (cgroup_fd < 0) { 270 p_err("can't open cgroup %s: %s", fpath, strerror(errno)); 271 return SHOW_TREE_FN_ERR; 272 } 273 274 has_attached_progs = cgroup_has_attached_progs(cgroup_fd); 275 if (has_attached_progs < 0) { 276 p_err("can't query bpf programs attached to %s: %s", 277 fpath, strerror(errno)); 278 close(cgroup_fd); 279 return SHOW_TREE_FN_ERR; 280 } else if (!has_attached_progs) { 281 close(cgroup_fd); 282 return 0; 283 } 284 285 if (json_output) { 286 jsonw_start_object(json_wtr); 287 jsonw_string_field(json_wtr, "cgroup", fpath); 288 jsonw_name(json_wtr, "programs"); 289 jsonw_start_array(json_wtr); 290 } else { 291 printf("%s\n", fpath); 292 } 293 294 for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) 295 show_attached_bpf_progs(cgroup_fd, type, ftw->level); 296 297 if (errno == EINVAL) 298 /* Last attach type does not support query. 299 * Do not report an error for this, especially because batch 300 * mode would stop processing commands. 301 */ 302 errno = 0; 303 304 if (json_output) { 305 jsonw_end_array(json_wtr); 306 jsonw_end_object(json_wtr); 307 } 308 309 close(cgroup_fd); 310 311 return 0; 312 } 313 314 static char *find_cgroup_root(void) 315 { 316 struct mntent *mnt; 317 FILE *f; 318 319 f = fopen("/proc/mounts", "r"); 320 if (f == NULL) 321 return NULL; 322 323 while ((mnt = getmntent(f))) { 324 if (strcmp(mnt->mnt_type, "cgroup2") == 0) { 325 fclose(f); 326 return strdup(mnt->mnt_dir); 327 } 328 } 329 330 fclose(f); 331 return NULL; 332 } 333 334 static int do_show_tree(int argc, char **argv) 335 { 336 char *cgroup_root, *cgroup_alloced = NULL; 337 int ret; 338 339 query_flags = 0; 340 341 if (!argc) { 342 cgroup_alloced = find_cgroup_root(); 343 if (!cgroup_alloced) { 344 p_err("cgroup v2 isn't mounted"); 345 return -1; 346 } 347 cgroup_root = cgroup_alloced; 348 } else { 349 cgroup_root = GET_ARG(); 350 351 while (argc) { 352 if (is_prefix(*argv, "effective")) { 353 if (query_flags & BPF_F_QUERY_EFFECTIVE) { 354 p_err("duplicated argument: %s", *argv); 355 return -1; 356 } 357 query_flags |= BPF_F_QUERY_EFFECTIVE; 358 NEXT_ARG(); 359 } else { 360 p_err("expected no more arguments, 'effective', got: '%s'?", 361 *argv); 362 return -1; 363 } 364 } 365 } 366 367 if (json_output) 368 jsonw_start_array(json_wtr); 369 else 370 printf("%s\n" 371 "%-8s %-15s %-15s %-15s\n", 372 "CgroupPath", 373 "ID", "AttachType", "AttachFlags", "Name"); 374 375 switch (nftw(cgroup_root, do_show_tree_fn, 1024, FTW_MOUNT)) { 376 case NFTW_ERR: 377 p_err("can't iterate over %s: %s", cgroup_root, 378 strerror(errno)); 379 ret = -1; 380 break; 381 case SHOW_TREE_FN_ERR: 382 ret = -1; 383 break; 384 default: 385 ret = 0; 386 } 387 388 if (json_output) 389 jsonw_end_array(json_wtr); 390 391 free(cgroup_alloced); 392 393 return ret; 394 } 395 396 static int do_attach(int argc, char **argv) 397 { 398 enum bpf_attach_type attach_type; 399 int cgroup_fd, prog_fd; 400 int attach_flags = 0; 401 int ret = -1; 402 int i; 403 404 if (argc < 4) { 405 p_err("too few parameters for cgroup attach"); 406 goto exit; 407 } 408 409 cgroup_fd = open(argv[0], O_RDONLY); 410 if (cgroup_fd < 0) { 411 p_err("can't open cgroup %s", argv[0]); 412 goto exit; 413 } 414 415 attach_type = parse_attach_type(argv[1]); 416 if (attach_type == __MAX_BPF_ATTACH_TYPE) { 417 p_err("invalid attach type"); 418 goto exit_cgroup; 419 } 420 421 argc -= 2; 422 argv = &argv[2]; 423 prog_fd = prog_parse_fd(&argc, &argv); 424 if (prog_fd < 0) 425 goto exit_cgroup; 426 427 for (i = 0; i < argc; i++) { 428 if (is_prefix(argv[i], "multi")) { 429 attach_flags |= BPF_F_ALLOW_MULTI; 430 } else if (is_prefix(argv[i], "override")) { 431 attach_flags |= BPF_F_ALLOW_OVERRIDE; 432 } else { 433 p_err("unknown option: %s", argv[i]); 434 goto exit_cgroup; 435 } 436 } 437 438 if (bpf_prog_attach(prog_fd, cgroup_fd, attach_type, attach_flags)) { 439 p_err("failed to attach program"); 440 goto exit_prog; 441 } 442 443 if (json_output) 444 jsonw_null(json_wtr); 445 446 ret = 0; 447 448 exit_prog: 449 close(prog_fd); 450 exit_cgroup: 451 close(cgroup_fd); 452 exit: 453 return ret; 454 } 455 456 static int do_detach(int argc, char **argv) 457 { 458 enum bpf_attach_type attach_type; 459 int prog_fd, cgroup_fd; 460 int ret = -1; 461 462 if (argc < 4) { 463 p_err("too few parameters for cgroup detach"); 464 goto exit; 465 } 466 467 cgroup_fd = open(argv[0], O_RDONLY); 468 if (cgroup_fd < 0) { 469 p_err("can't open cgroup %s", argv[0]); 470 goto exit; 471 } 472 473 attach_type = parse_attach_type(argv[1]); 474 if (attach_type == __MAX_BPF_ATTACH_TYPE) { 475 p_err("invalid attach type"); 476 goto exit_cgroup; 477 } 478 479 argc -= 2; 480 argv = &argv[2]; 481 prog_fd = prog_parse_fd(&argc, &argv); 482 if (prog_fd < 0) 483 goto exit_cgroup; 484 485 if (bpf_prog_detach2(prog_fd, cgroup_fd, attach_type)) { 486 p_err("failed to detach program"); 487 goto exit_prog; 488 } 489 490 if (json_output) 491 jsonw_null(json_wtr); 492 493 ret = 0; 494 495 exit_prog: 496 close(prog_fd); 497 exit_cgroup: 498 close(cgroup_fd); 499 exit: 500 return ret; 501 } 502 503 static int do_help(int argc, char **argv) 504 { 505 if (json_output) { 506 jsonw_null(json_wtr); 507 return 0; 508 } 509 510 fprintf(stderr, 511 "Usage: %s %s { show | list } CGROUP [**effective**]\n" 512 " %s %s tree [CGROUP_ROOT] [**effective**]\n" 513 " %s %s attach CGROUP ATTACH_TYPE PROG [ATTACH_FLAGS]\n" 514 " %s %s detach CGROUP ATTACH_TYPE PROG\n" 515 " %s %s help\n" 516 "\n" 517 HELP_SPEC_ATTACH_TYPES "\n" 518 " " HELP_SPEC_ATTACH_FLAGS "\n" 519 " " HELP_SPEC_PROGRAM "\n" 520 " " HELP_SPEC_OPTIONS "\n" 521 "", 522 bin_name, argv[-2], 523 bin_name, argv[-2], bin_name, argv[-2], 524 bin_name, argv[-2], bin_name, argv[-2]); 525 526 return 0; 527 } 528 529 static const struct cmd cmds[] = { 530 { "show", do_show }, 531 { "list", do_show }, 532 { "tree", do_show_tree }, 533 { "attach", do_attach }, 534 { "detach", do_detach }, 535 { "help", do_help }, 536 { 0 } 537 }; 538 539 int do_cgroup(int argc, char **argv) 540 { 541 return cmd_select(cmds, argc, argv, do_help); 542 } 543