Use Aya in the userspace

This change replaces libbpf-rs with Aya as a loader of eBPF programs in
the userspace part in lockc.

eBPF programs still remain written in C and are going to be rewritten in
Rust in separate changes.

Signed-off-by: Michal Rostecki <[email protected]>

Author: vadorovsky

lockc/Cargo.toml

@@ -12,38 +12,32 @@ license = "Apache-2.0 AND GPL-2.0-or-later"
 [badges]
 maintenance = { status = "actively-developed" }
 
-[lib]
-name = "lockc"
-
 [dependencies]
 anyhow = "1.0"
+# TODO(vadorovsky): Switch to main branch as soon as the followinng PRs
+# are merged:
+# * https://github.com/aya-rs/aya/pull/177
+# * https://github.com/aya-rs/aya/pull/179
+aya = { git = "https://github.com/dave-tucker/aya", branch = "lockc", features=["async_tokio"] }
 bindgen = "0.59"
 byteorder = "1.4"
-chrono = { version = "0.4", default-features = false, features = ["clock"] }
 config = { version = "0.11", default-features = false, features = ["toml"] }
-ctrlc = "3.2"
 fanotify-rs = { git = "https://github.com/vadorovsky/fanotify-rs", branch = "fix-pid-type" }
 futures = "0.3"
-goblin = "0.4"
 kube = "0.66"
 k8s-openapi = { version = "0.13", default-features = false, features = ["v1_21"] }
 lazy_static = "1.4"
 libc = { version = "0.2", features = [ "extra_traits" ] }
-libbpf-rs = "0.14"
-lockc-uprobes = { path = "../lockc-uprobes" }
 log = "0.4"
 nix = "0.23"
-plain = "0.2"
 procfs = "0.12"
 regex = { version = "1.5", default-features = false, features = ["perf"] }
 scopeguard = "1.1"
 serde = "1.0"
 serde_json = "1.0"
 simplelog = "0.11"
-sysctl = "0.4"
 thiserror = "1.0"
 tokio = { version = "1.7", features = ["macros", "process", "rt-multi-thread"] }
-which = "4.2"
 
 [build-dependencies]
 anyhow = "1.0"

lockc/build.rs

@@ -63,8 +63,9 @@ fn extract_libbpf_headers<P: AsRef<Path>>(include_path: P) -> Result<()> {
 }
 
 /// Build eBPF programs with clang and libbpf headers.
-fn build_ebpf<P: AsRef<Path>>(out_path: P, include_path: P) -> Result<()> {
-    extract_libbpf_headers(include_path.as_ref().clone())?;
+fn build_ebpf<P: Clone + AsRef<Path>>(out_path: P, include_path: P) -> Result<()> {
+    // extract_libbpf_headers(include_path.as_ref().clone())?;
+    extract_libbpf_headers(include_path.clone())?;
 
     let bpf_dir = Path::new("src").join("bpf");
     let src = bpf_dir.join("lockc.bpf.c");
@@ -90,7 +91,7 @@ fn build_ebpf<P: AsRef<Path>>(out_path: P, include_path: P) -> Result<()> {
         .arg(format!("-D__TARGET_ARCH_{}", arch))
         .arg(src.as_os_str())
         .arg("-o")
-        .arg(out.clone());
+        .arg(out);
 
     let output = cmd.output().context("Failed to execute clang")?;
     if !output.status.success() {

lockc/src/bin/lockcd.rs

@@ -5,52 +5,12 @@
 #![allow(non_snake_case)]
 include!(concat!(env!("OUT_DIR"), "/bindings.rs"));
 
-use byteorder::{NativeEndian, WriteBytesExt};
-
 #[derive(thiserror::Error, Debug)]
 pub enum NewBpfstructError {
     #[error("FFI nul error")]
     NulError(#[from] std::ffi::NulError),
 }
 
-#[derive(thiserror::Error, Debug)]
-pub enum MapOperationError {
-    #[error("could not convert the key to a byte array")]
-    ByteWriteError(#[from] std::io::Error),
-
-    #[error("libbpf error")]
-    LibbpfError(#[from] libbpf_rs::Error),
-}
-
-/// Deletes an entry from the given map under the given key.
-pub fn map_delete(map: &mut libbpf_rs::Map, key: u32) -> Result<(), MapOperationError> {
-    let mut key_b = vec![];
-    key_b.write_u32::<NativeEndian>(key)?;
-
-    map.delete(&key_b)?;
-
-    Ok(())
-}
-
-pub trait BpfStruct {
-    /// Updates the given map with an entry under the given key and a value
-    /// with a binary representation of the struct.
-    fn map_update(&self, map: &mut libbpf_rs::Map, key: u32) -> Result<(), MapOperationError> {
-        let mut key_b = vec![];
-        key_b.write_u32::<NativeEndian>(key)?;
-
-        let val_b = unsafe { plain::as_bytes(self) };
-
-        map.update(&key_b, val_b, libbpf_rs::MapFlags::empty())?;
-
-        Ok(())
-    }
-}
-
-impl BpfStruct for container {}
-impl BpfStruct for process {}
-impl BpfStruct for accessed_path {}
-
 impl accessed_path {
     /// Creates a new accessed_path instance and converts the given Rust string
     /// into C fixed-size char array.
@@ -63,6 +23,10 @@ impl accessed_path {
     }
 }
 
+unsafe impl aya::Pod for accessed_path {}
+unsafe impl aya::Pod for container {}
+unsafe impl aya::Pod for process {}
+
 #[cfg(test)]
 mod tests {
     use super::*;

lockc/src/bpfstructs.rs

@@ -0,0 +1,24 @@
+use tokio::sync::oneshot;
+
+use crate::{bpfstructs::container_policy_level, maps::MapOperationError};
+
+/// Set of commands that the fanotify thread can send to the eBPF thread
+/// to request eBPF map operations.
+#[derive(Debug)]
+pub enum EbpfCommand {
+    AddContainer {
+        container_id: String,
+        pid: i32,
+        policy_level: container_policy_level,
+        responder_tx: oneshot::Sender<Result<(), MapOperationError>>,
+    },
+    DeleteContainer {
+        container_id: String,
+        responder_tx: oneshot::Sender<Result<(), MapOperationError>>,
+    },
+    AddProcess {
+        container_id: String,
+        pid: i32,
+        responder_tx: oneshot::Sender<Result<(), MapOperationError>>,
+    },
+}