mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-06 13:17:44 +03:00

core: define a helper function for basic bpf checks

(cherry picked from commit bb0b01ed20)
Zbigniew Jędrzejewski-Szmek 2022-06-01 23:56:25 +02:00
parent eceaa72f87
commit 1b4511849b
6 changed files with 57 additions and 40 deletions


@ -26,6 +26,7 @@
/* libbpf, clang and llc compile time dependencies are satisfied */ /* libbpf, clang and llc compile time dependencies are satisfied */
#include "bpf-dlopen.h" #include "bpf-dlopen.h"
#include "bpf-link.h" #include "bpf-link.h"
#include "bpf-util.h"
#include "bpf/restrict_fs/restrict-fs-skel.h" #include "bpf/restrict_fs/restrict-fs-skel.h"
#define CGROUP_HASH_SIZE_MAX 2048 #define CGROUP_HASH_SIZE_MAX 2048
@ -135,23 +136,8 @@ bool lsm_bpf_supported(bool initialize) {
if (!initialize) if (!initialize)
return false; return false;
r = dlopen_bpf(); if (!cgroup_bpf_supported())
if (r < 0) {
log_info_errno(r, "Failed to open libbpf, LSM BPF is not supported: %m");
return (supported = false); return (supported = false);
}
r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
if (r < 0) {
log_warning_errno(r, "Can't determine whether the unified hierarchy is used: %m");
return (supported = false);
}
if (r == 0) {
log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"Not running with unified cgroup hierarchy, LSM BPF is not supported");
return (supported = false);
}
r = mac_bpf_use(); r = mac_bpf_use();
if (r < 0) { if (r < 0) {


@ -11,8 +11,9 @@
/* libbpf, clang, llvm and bpftool compile time dependencies are satisfied */ /* libbpf, clang, llvm and bpftool compile time dependencies are satisfied */
#include "bpf-dlopen.h" #include "bpf-dlopen.h"
#include "bpf-link.h" #include "bpf-link.h"
#include "bpf/socket_bind/socket-bind-skel.h" #include "bpf-util.h"
#include "bpf/socket_bind/socket-bind-api.bpf.h" #include "bpf/socket_bind/socket-bind-api.bpf.h"
#include "bpf/socket_bind/socket-bind-skel.h"
static struct socket_bind_bpf *socket_bind_bpf_free(struct socket_bind_bpf *obj) { static struct socket_bind_bpf *socket_bind_bpf_free(struct socket_bind_bpf *obj) {
/* socket_bind_bpf__destroy handles object == NULL case */ /* socket_bind_bpf__destroy handles object == NULL case */
@ -116,15 +117,7 @@ int bpf_socket_bind_supported(void) {
_cleanup_(socket_bind_bpf_freep) struct socket_bind_bpf *obj = NULL; _cleanup_(socket_bind_bpf_freep) struct socket_bind_bpf *obj = NULL;
int r; int r;
r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER); if (!cgroup_bpf_supported())
if (r < 0)
return log_debug_errno(r, "Can't determine whether the unified hierarchy is used: %m");
if (r == 0) {
log_debug("Not running with unified cgroup hierarchy, BPF is not supported");
return false;
}
if (dlopen_bpf() < 0)
return false; return false;
if (!sym_bpf_probe_prog_type(BPF_PROG_TYPE_CGROUP_SOCK_ADDR, /*ifindex=*/0)) { if (!sym_bpf_probe_prog_type(BPF_PROG_TYPE_CGROUP_SOCK_ADDR, /*ifindex=*/0)) {
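Review bot: `bpf_socket_bind_supported()` no longer reports a failed cgroup-hierarchy check to its caller: the removed path returned the negative errno from `cg_unified_controller()`, while the new `if (!cgroup_bpf_supported()) return false;` folds that error into a plain "unsupported". The same applies to `restrict_network_interfaces_supported()` in the restrict-ifaces section, which used to `return log_error_errno(r, …)` without touching its cache. Both functions still return `int`, so a caller that tests for `< 0` would now take the unsupported branch without noticing; if these probes gate bind or interface restrictions, as their names suggest, that difference should be written down. I would state the new contract above each function, e.g. `/* Returns true/false; a cgroup detection failure is logged by cgroup_bpf_supported() and reported as false, not as an error. */`. The body of `bpf_socket_bind_supported()` continues outside the hunk.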

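--- a/src/core/bpf-util.c
+++ b/src/core/bpf-util.c
@@ -0,0 +1,34 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#include "bpf-dlopen.h"
+#include "bpf-util.h"
+#include "cgroup-util.h"
+#include "log.h"
+bool cgroup_bpf_supported(void) {
+static int supported = -1;
+int r;
+if (supported >= 0)
+return supported;
+r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
+if (r < 0) {
+log_warning_errno(r, "Can't determine whether the unified hierarchy is used: %m");
+return (supported = false);
+}
+if (r == 0) {
+log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+"Not running with unified cgroup hierarchy, disabling cgroup BPF features.");
+return (supported = false);
+}
+r = dlopen_bpf();
+if (r < 0) {
+log_info_errno(r, "Failed to open libbpf, cgroup BPF features disabled: %m");
+return (supported = false);
+}
+return (supported = true);
+}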
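Review bot: A failed `cg_unified_controller()` call is cached for the life of the process, because the `r < 0` branch ends in `return (supported = false);` just like the two definitive "unsupported" branches. An error there means the answer is unknown rather than no, and with the cache every later caller sees cgroup BPF as unavailable with no retry and no second log line. I would leave the cache untouched on that branch, `return false;`, so a later call can probe again, and keep `return (supported = false);` for the `r == 0` and `dlopen_bpf()` cases. A short comment above the function saying that the result is memoised, and that each message is therefore logged at most once, would also help the three callers' maintainers.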

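--- a/src/core/bpf-util.h
+++ b/src/core/bpf-util.h
@@ -0,0 +1,5 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#include <stdbool.h>
+bool cgroup_bpf_supported(void);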
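Review bot: The new header has no include guard; the hunk header counts five lines, and the three visible ones are the SPDX tag, `#include <stdbool.h>` and the prototype. A second inclusion is harmless while the file holds only a declaration, but it will stop compiling as soon as a type or macro definition is added here. Add `#pragma once` directly after the SPDX line.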


@ -135,6 +135,13 @@ libcore_sources = '''
unit.h unit.h
'''.split() '''.split()
if conf.get('BPF_FRAMEWORK') == 1
libcore_sources += files(
'bpf-util.c',
'bpf-util.h',
)
endif
subdir('bpf') subdir('bpf')
subdir('bpf/socket_bind') subdir('bpf/socket_bind')


@ -9,7 +9,7 @@
#include "bpf-dlopen.h" #include "bpf-dlopen.h"
#include "bpf-link.h" #include "bpf-link.h"
#include "bpf-util.h"
#include "bpf/restrict_ifaces/restrict-ifaces-skel.h" #include "bpf/restrict_ifaces/restrict-ifaces-skel.h"
static struct restrict_ifaces_bpf *restrict_ifaces_bpf_free(struct restrict_ifaces_bpf *obj) { static struct restrict_ifaces_bpf *restrict_ifaces_bpf_free(struct restrict_ifaces_bpf *obj) {
@ -78,29 +78,21 @@ int restrict_network_interfaces_supported(void) {
if (supported >= 0) if (supported >= 0)
return supported; return supported;
r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER); if (!cgroup_bpf_supported())
if (r < 0) return (supported = false);
return log_error_errno(r, "Can't determine whether the unified hierarchy is used: %m");
if (r == 0) {
log_debug("Not running with unified cgroup hierarchy, BPF is not supported");
return supported = 0;
}
if (dlopen_bpf() < 0)
return false;
if (!sym_bpf_probe_prog_type(BPF_PROG_TYPE_CGROUP_SKB, /*ifindex=*/0)) { if (!sym_bpf_probe_prog_type(BPF_PROG_TYPE_CGROUP_SKB, /*ifindex=*/0)) {
log_debug("BPF program type cgroup_skb is not supported"); log_debug("BPF program type cgroup_skb is not supported");
return supported = 0; return (supported = false);
} }
r = prepare_restrict_ifaces_bpf(NULL, true, NULL, &obj); r = prepare_restrict_ifaces_bpf(NULL, true, NULL, &obj);
if (r < 0) { if (r < 0) {
log_debug_errno(r, "Failed to load BPF object: %m"); log_debug_errno(r, "Failed to load BPF object: %m");
return supported = 0; return (supported = false);
} }
return supported = bpf_can_link_program(obj->progs.sd_restrictif_i); return (supported = bpf_can_link_program(obj->progs.sd_restrictif_i));
} }
static int restrict_network_interfaces_install_impl(Unit *u) { static int restrict_network_interfaces_install_impl(Unit *u) {