
bpf-firewall: attach with BPF_F_ALLOW_MULTI if kernel supports

Reduced version of [0].
Use BPF_F_ALLOW_MULTI attach flag for bpf-firewall if kernel supports
it.

Aside from addressing the security issue in [0], attaching with 'multi'
allows further attaching of the cgroup egress and ingress hooks specified by
BPFProgram=.

[0] 4e42210d40

(cherry picked from commit a442ccb4ebdbc3a9ff9d4504eb9724092149fd42)
(cherry picked from commit 0af3810d4b1c8bb4f0683758f47e042e8cb76972)
(cherry picked from commit baff489b82bb33c1b13249993f940721fef7671e)
Julia Kartseva 2021-02-03 22:15:27 -08:00 committed by Zbigniew Jędrzejewski-Szmek
parent 3aafd07d39
commit 8e6acd9a8a


@ -703,8 +703,7 @@ int bpf_firewall_install(Unit *u) {
if (r < 0) if (r < 0)
return log_unit_error_errno(u, r, "Failed to determine cgroup path: %m"); return log_unit_error_errno(u, r, "Failed to determine cgroup path: %m");
flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI && flags = supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI ? BPF_F_ALLOW_MULTI : 0;
(u->type == UNIT_SLICE || unit_cgroup_delegate(u))) ? BPF_F_ALLOW_MULTI : 0;
/* Unref the old BPF program (which will implicitly detach it) right before attaching the new program, to /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program, to
* minimize the time window when we don't account for IP traffic. */ * minimize the time window when we don't account for IP traffic. */
@ -712,8 +711,7 @@ int bpf_firewall_install(Unit *u) {
u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed); u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed);
if (u->ip_bpf_egress) { if (u->ip_bpf_egress) {
r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, flags);
flags | (set_isempty(u->ip_bpf_custom_egress) ? 0 : BPF_F_ALLOW_MULTI));
if (r < 0) if (r < 0)
return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path); return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path);
@ -722,8 +720,7 @@ int bpf_firewall_install(Unit *u) {
} }
if (u->ip_bpf_ingress) { if (u->ip_bpf_ingress) {
r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, flags);
flags | (set_isempty(u->ip_bpf_custom_ingress) ? 0 : BPF_F_ALLOW_MULTI));
if (r < 0) if (r < 0)
return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path); return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path);