core: define a helper function for basic bpf checks

(cherry picked from commit bb0b01ed20)
2025-01-05 09:17:44 +03:00 · 2022-06-01 23:56:25 +02:00 · 2022-06-01 23:56:25 +02:00 · 1b4511849b
commit 1b4511849b
parent eceaa72f87
6 changed files with 57 additions and 40 deletions
--- a/src/core/bpf-lsm.c
+++ b/src/core/bpf-lsm.c
@ -26,6 +26,7 @@
 /* libbpf, clang and llc compile time dependencies are satisfied */
 #include "bpf-dlopen.h"
 #include "bpf-link.h"
+#include "bpf-util.h"
 #include "bpf/restrict_fs/restrict-fs-skel.h"

 #define CGROUP_HASH_SIZE_MAX 2048
@ -135,23 +136,8 @@ bool lsm_bpf_supported(bool initialize) {
        if (!initialize)
                return false;

-        r = dlopen_bpf();
-        if (r < 0) {
-                log_info_errno(r, "Failed to open libbpf, LSM BPF is not supported: %m");
+        if (!cgroup_bpf_supported())
                return (supported = false);
-        }
-
-        r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
-        if (r < 0) {
-                log_warning_errno(r, "Can't determine whether the unified hierarchy is used: %m");
-                return (supported = false);
-        }
-
-        if (r == 0) {
-                log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
-                               "Not running with unified cgroup hierarchy, LSM BPF is not supported");
-                return (supported = false);
-        }

        r = mac_bpf_use();
        if (r < 0) {
--- a/src/core/bpf-socket-bind.c
+++ b/src/core/bpf-socket-bind.c
@ -11,8 +11,9 @@
 /* libbpf, clang, llvm and bpftool compile time dependencies are satisfied */
 #include "bpf-dlopen.h"
 #include "bpf-link.h"
-#include "bpf/socket_bind/socket-bind-skel.h"
+#include "bpf-util.h"
 #include "bpf/socket_bind/socket-bind-api.bpf.h"
+#include "bpf/socket_bind/socket-bind-skel.h"

 static struct socket_bind_bpf *socket_bind_bpf_free(struct socket_bind_bpf *obj) {
        /* socket_bind_bpf__destroy handles object == NULL case */
@ -116,15 +117,7 @@ int bpf_socket_bind_supported(void) {
        _cleanup_(socket_bind_bpf_freep) struct socket_bind_bpf *obj = NULL;
        int r;

-        r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
-        if (r < 0)
-                return log_debug_errno(r, "Can't determine whether the unified hierarchy is used: %m");
-        if (r == 0) {
-                log_debug("Not running with unified cgroup hierarchy, BPF is not supported");
-                return false;
-        }
-
-        if (dlopen_bpf() < 0)
+        if (!cgroup_bpf_supported())
                return false;

        if (!sym_bpf_probe_prog_type(BPF_PROG_TYPE_CGROUP_SOCK_ADDR, /*ifindex=*/0)) {
--- a/src/core/bpf-util.c
+++ b/src/core/bpf-util.c
@ -0,0 +1,34 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "bpf-dlopen.h"
+#include "bpf-util.h"
+#include "cgroup-util.h"
+#include "log.h"
+
+bool cgroup_bpf_supported(void) {
+        static int supported = -1;
+        int r;
+
+        if (supported >= 0)
+                return supported;
+
+        r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
+        if (r < 0) {
+                log_warning_errno(r, "Can't determine whether the unified hierarchy is used: %m");
+                return (supported = false);
+        }
+
+        if (r == 0) {
+                log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+                               "Not running with unified cgroup hierarchy, disabling cgroup BPF features.");
+                return (supported = false);
+        }
+
+        r = dlopen_bpf();
+        if (r < 0) {
+                log_info_errno(r, "Failed to open libbpf, cgroup BPF features disabled: %m");
+                return (supported = false);
+        }
+
+        return (supported = true);
+}
--- a/src/core/bpf-util.h
+++ b/src/core/bpf-util.h
@ -0,0 +1,5 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <stdbool.h>
+
+bool cgroup_bpf_supported(void);
--- a/src/core/meson.build
+++ b/src/core/meson.build
@ -135,6 +135,13 @@ libcore_sources = '''
        unit.h
 '''.split()

+if conf.get('BPF_FRAMEWORK') == 1
+        libcore_sources += files(
+                'bpf-util.c',
+                'bpf-util.h',
+        )
+endif
+
 subdir('bpf')

 subdir('bpf/socket_bind')
--- a/src/core/restrict-ifaces.c
+++ b/src/core/restrict-ifaces.c
@ -9,7 +9,7 @@

 #include "bpf-dlopen.h"
 #include "bpf-link.h"
-
+#include "bpf-util.h"
 #include "bpf/restrict_ifaces/restrict-ifaces-skel.h"

 static struct restrict_ifaces_bpf *restrict_ifaces_bpf_free(struct restrict_ifaces_bpf *obj) {
@ -78,29 +78,21 @@ int restrict_network_interfaces_supported(void) {
        if (supported >= 0)
                return supported;

-        r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
-        if (r < 0)
-                return log_error_errno(r, "Can't determine whether the unified hierarchy is used: %m");
-        if (r == 0) {
-                log_debug("Not running with unified cgroup hierarchy, BPF is not supported");
-                return supported = 0;
-        }
-
-        if (dlopen_bpf() < 0)
-                return false;
+        if (!cgroup_bpf_supported())
+                return (supported = false);

        if (!sym_bpf_probe_prog_type(BPF_PROG_TYPE_CGROUP_SKB, /*ifindex=*/0)) {
                log_debug("BPF program type cgroup_skb is not supported");
-                return supported = 0;
+                return (supported = false);
        }

        r = prepare_restrict_ifaces_bpf(NULL, true, NULL, &obj);
        if (r < 0) {
                log_debug_errno(r, "Failed to load BPF object: %m");
-                return supported = 0;
+                return (supported = false);
        }

-        return supported = bpf_can_link_program(obj->progs.sd_restrictif_i);
+        return (supported = bpf_can_link_program(obj->progs.sd_restrictif_i));
 }

 static int restrict_network_interfaces_install_impl(Unit *u) {