On Mon, Mar 30, 2020 at 5:57 PM David Ahern <dsahern@xxxxxxxxx> wrote:
>
> On 3/30/20 6:32 PM, Alexei Starovoitov wrote:
> >>
> >> This is not a large feature, and there is no reason for CREATE/UPDATE -
> >> a mere 4 patch set - to go in without something as essential as the
> >> QUERY for observability.
> >
> > As I said 'bpftool cgroup' covers it. Observability is not reduced in any way.
>
> You want a feature where a process can prevent another from installing a
> program on a cgroup. How do I learn which process is holding the
> bpf_link reference and preventing me from installing a program? Unless I
> have missed some recent change that is not currently covered by bpftool
> cgroup, and there is no way reading kernel code will tell me.
>
> ###
> To quote Lorenz from an earlier response:
>
> "However, this behaviour concerns me. It's like Windows not
> letting you delete a file while an application has it opened, which just
> leads to randomly killing programs until you find the right one. It's
> frustrating and counterproductive.
>
> You're taking power away from the operator. In your deployment scenario
> this might make sense, but I think it's a really bad model in general.
> If I am privileged I need to be able to exercise that privilege."
> ###
>
> That is my point. You are restricting what root can do and people will
> not want to resort to killing random processes trying to find the one
> holding a reference. This is an essential missing piece and should go in
> at the same time as this set.

No need to kill random processes, you can kill only those that hold a bpf_link FD.
You can find them using the drgn tool with a script like [0]. It will give you
quite a lot of information already, but it should also find pinned bpf_links;
I haven't added that yet.

Found total 11 bpf_links.
-------------------------------------------------
type: tracing
prog: 'test1' id:223 type:BPF_PROG_TYPE_TRACING
pids: 449027
-------------------------------------------------
type: tracing
prog: 'test2' id:224 type:BPF_PROG_TYPE_TRACING
pids: 449027
-------------------------------------------------
type: tracing
prog: 'test3' id:225 type:BPF_PROG_TYPE_TRACING
pids: 449027
-------------------------------------------------
type: tracing
prog: 'test4' id:226 type:BPF_PROG_TYPE_TRACING
pids: 449027
-------------------------------------------------
type: tracing
prog: 'test5' id:227 type:BPF_PROG_TYPE_TRACING
pids: 449027
-------------------------------------------------
type: tracing
prog: 'test6' id:228 type:BPF_PROG_TYPE_TRACING
pids: 449027
-------------------------------------------------
type: raw_tp
prog: '' id:237 type:BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE
tp: bpf_test_finish
pids: 449462
-------------------------------------------------
type: cgroup
prog: 'egress' id:242 type:BPF_PROG_TYPE_CGROUP_SKB
attach: BPF_CGROUP_INET_EGRESS
cgroup: /cgroup-test-work-dir/cg1
pids: 449881
-------------------------------------------------
type: cgroup
prog: 'egress' id:242 type:BPF_PROG_TYPE_CGROUP_SKB
attach: BPF_CGROUP_INET_EGRESS
cgroup: /cgroup-test-work-dir/cg1/cg2
pids: 449881
-------------------------------------------------
type: cgroup
prog: 'egress' id:242 type:BPF_PROG_TYPE_CGROUP_SKB
attach: BPF_CGROUP_INET_EGRESS
cgroup: /cgroup-test-work-dir/cg1/cg2/cg3
pids: 449881
-------------------------------------------------
type: cgroup
prog: 'egress' id:242 type:BPF_PROG_TYPE_CGROUP_SKB
attach: BPF_CGROUP_INET_EGRESS
cgroup: /cgroup-test-work-dir/cg1/cg2/cg3/cg4
pids: 449881
-------------------------------------------------

[0] https://gist.github.com/anakryiko/562dff8e39c619a5ee247bb55aa057c7
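The lookup the drgn script in [0] performs (which process holds a bpf_link FD) can also be done without kernel debug info by walking /proc. This is an added example, not the script from the thread nor kernel code; it assumes a kernel that exposes bpf_link FDs as `anon_inode:bpf-link` and prints `link_type:`/`prog_tag:`/`prog_id:` lines in `/proc/<pid>/fdinfo/<fd>`, and it must run as root to see other users' processes.

```python
import os
from collections import defaultdict

# fdinfo keys a bpf_link-aware kernel prints (link_id only on newer kernels)
LINK_KEYS = ("link_type", "prog_tag", "prog_id", "link_id")

def parse_fdinfo(text):
    """Parse 'key:<tab>value' fdinfo lines, keeping only the bpf_link keys."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in LINK_KEYS:
            info[key] = value.strip()
    return info

def find_bpf_links(proc="/proc"):
    """Map pid -> [(fd, fdinfo dict)] for every FD whose anon inode is bpf-link."""
    holders = defaultdict(list)
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # process gone, or not ours and we are not root
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) != "anon_inode:bpf-link":
                    continue
                with open(os.path.join(proc, pid, "fdinfo", fd)) as f:
                    info = parse_fdinfo(f.read())
            except OSError:      # FD closed between listdir and readlink
                continue
            holders[int(pid)].append((int(fd), info))
    return dict(holders)

def report(holders):
    """One line per bpf_link FD, roughly in the shape of the drgn output above."""
    out = []
    for pid in sorted(holders):
        for fd, info in sorted(holders[pid]):
            out.append("pid:%d fd:%d type:%s prog_id:%s" % (
                pid, fd, info.get("link_type", "?"), info.get("prog_id", "?")))
    return out

if __name__ == "__main__":
    print("\n".join(report(find_bpf_links())) or "no bpf_link FDs found")
```

Like the drgn script, this only sees links held open through an FD; a link pinned in bpffs with no process holding it will not appear here.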