
Compatibility of bpf_get_ns_current_pid_tgid helper function across different eBPF program types


I'm currently working on a use case where I'm running an eBPF program inside a Docker container. I want to filter requests based on the process ID (PID), but I've encountered an issue with the PIDs obtained from my hooks (refer). Specifically, I've put a hook on cgroup/connect4, but when I try to load the program, I receive the error message unknown func bpf_get_ns_current_pid_tgid#120.

However, when I use the bpf_get_ns_current_pid_tgid function within a kprobe method, it works fine. I suspect that bpf_get_ns_current_pid_tgid might not be supported in every eBPF program type.

Could anyone provide information on which eBPF program types support the bpf_get_ns_current_pid_tgid helper function? I would greatly appreciate any insights or references to documentation that can help clarify this compatibility issue.

Thank you in advance for your assistance!


Solution

  • You are correct, not all helper functions are available in all contexts. The bpf_get_ns_current_pid_tgid function is only available in the following program types:

    However, if it's the PID of the calling process, you can use the bpf_get_current_pid_tgid helper, which is available in the following program types:


    For other helper functions, you can run the bpftool feature command to figure this out for any helper function on your local system.

    Alternatively, you can find the struct bpf_verifier_ops for the program type you are interested in. Then look at the *_func_proto function indicated by the .get_func_proto field. sock_addr_func_proto in this case, which reveals what helper calls are allowed. The advantage of going to the sources is that they also show additional requirements such as kconfig settings, attachment types and runtime mode restrictions not detailed in the bpftool output.


    EDIT (Nov 22, 2024):

    As of kernel v6.10, all program types can make use of both the bpf_get_current_pid_tgid and bpf_get_ns_current_pid_tgid. See the commit and patch set.
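
The bpftool check mentioned in the answer can be scripted as below. This is an added example, not part of the original answer: the function names and the sample text are constructed here, and the parser assumes the plain-text "eBPF helpers supported for program type ..." sections printed by `bpftool feature probe`.

```shell
#!/bin/sh
# Constructed sample shaped like the helper section of `bpftool feature probe`
# on a pre-6.10 kernel; it was not captured from a real system.
sample_probe_output() {
cat <<'EOF'
Scanning eBPF helper functions...
eBPF helpers supported for program type kprobe:
	- bpf_map_lookup_elem
	- bpf_get_current_pid_tgid
	- bpf_get_ns_current_pid_tgid
eBPF helpers supported for program type cgroup_sock_addr:
	- bpf_map_lookup_elem
	- bpf_get_current_pid_tgid
	- bpf_get_socket_cookie
EOF
}

# helper_supported PROG_TYPE HELPER   (probe output is read from stdin)
# Exit status: 0 = helper listed for the type,
#              1 = type was probed but the helper is not listed,
#              2 = no section for that program type in the output.
helper_supported() {
    awk -v type="$1" -v helper="$2" '
        /^eBPF helpers supported for program type / {
            name = $NF; sub(/:$/, "", name)      # "kprobe:" -> "kprobe"
            in_section = (name == type)
            if (in_section) seen = 1
            next
        }
        in_section && $1 == "-" && $2 == helper { found = 1 }
        END { if (found) exit 0; exit (seen ? 1 : 2) }
    '
}

# Print a one-line verdict for a (program type, helper) pair from the sample.
report() {
    if sample_probe_output | helper_supported "$1" "$2"; then
        echo "$2: available in $1"
    else
        echo "$2: not listed for $1"
    fi
}

report kprobe bpf_get_ns_current_pid_tgid
report cgroup_sock_addr bpf_get_ns_current_pid_tgid
report cgroup_sock_addr bpf_get_current_pid_tgid
```

On a live host, pipe the real probe into the same function: `bpftool feature probe | helper_supported cgroup_sock_addr bpf_get_ns_current_pid_tgid`.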