mirror of
https://github.com/systemd/systemd.git
synced 2024-10-30 06:25:37 +03:00
core: remove refcount for bpf program
Currently ref count of bpf-program is kept in user space. However, the kernel already implements its own ref count. Thus the ref count we keep for bpf-program is redundant. This PR removes ref count for bpf program as part of a task to simplify bpf-program and remove redundancies, which will make the switch to code-compiled BPF programs easier. Part of #19270
This commit is contained in:
parent
d92681a65e
commit
76dc17254f
@ -184,7 +184,7 @@ int bpf_devices_cgroup_init(
|
||||
offsetof(struct bpf_cgroup_dev_ctx, minor)),
|
||||
};
|
||||
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
|
||||
int r;
|
||||
|
||||
assert(ret);
|
||||
@ -208,7 +208,7 @@ int bpf_devices_cgroup_init(
|
||||
}
|
||||
|
||||
int bpf_devices_apply_policy(
|
||||
BPFProgram *prog,
|
||||
BPFProgram **prog,
|
||||
CGroupDevicePolicy policy,
|
||||
bool allow_list,
|
||||
const char *cgroup_path,
|
||||
@ -219,7 +219,8 @@ int bpf_devices_apply_policy(
|
||||
|
||||
/* This will assign *prog_installed if everything goes well. */
|
||||
|
||||
if (!prog)
|
||||
assert(prog);
|
||||
if (!*prog)
|
||||
goto finish;
|
||||
|
||||
const bool deny_everything = policy == CGROUP_DEVICE_POLICY_STRICT && !allow_list;
|
||||
@ -237,20 +238,20 @@ int bpf_devices_apply_policy(
|
||||
};
|
||||
|
||||
if (!deny_everything) {
|
||||
r = bpf_program_add_instructions(prog, post_insn, ELEMENTSOF(post_insn));
|
||||
r = bpf_program_add_instructions(*prog, post_insn, ELEMENTSOF(post_insn));
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Extending device control BPF program failed: %m");
|
||||
|
||||
/* Fixup PASS_JUMP_OFF jump offsets. */
|
||||
for (size_t off = 0; off < prog->n_instructions; off++) {
|
||||
struct bpf_insn *ins = &prog->instructions[off];
|
||||
for (size_t off = 0; off < (*prog)->n_instructions; off++) {
|
||||
struct bpf_insn *ins = &((*prog)->instructions[off]);
|
||||
|
||||
if (ins->code == (BPF_JMP | BPF_JA) && ins->off == PASS_JUMP_OFF)
|
||||
ins->off = prog->n_instructions - off - 1;
|
||||
ins->off = (*prog)->n_instructions - off - 1;
|
||||
}
|
||||
}
|
||||
|
||||
r = bpf_program_add_instructions(prog, exit_insn, ELEMENTSOF(exit_insn));
|
||||
r = bpf_program_add_instructions(*prog, exit_insn, ELEMENTSOF(exit_insn));
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Extending device control BPF program failed: %m");
|
||||
|
||||
@ -258,7 +259,7 @@ int bpf_devices_apply_policy(
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to determine cgroup path: %m");
|
||||
|
||||
r = bpf_program_cgroup_attach(prog, BPF_CGROUP_DEVICE, controller_path, BPF_F_ALLOW_MULTI);
|
||||
r = bpf_program_cgroup_attach(*prog, BPF_CGROUP_DEVICE, controller_path, BPF_F_ALLOW_MULTI);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Attaching device control BPF program to cgroup %s failed: %m",
|
||||
empty_to_root(cgroup_path));
|
||||
@ -266,8 +267,8 @@ int bpf_devices_apply_policy(
|
||||
finish:
|
||||
/* Unref the old BPF program (which will implicitly detach it) right before attaching the new program. */
|
||||
if (prog_installed) {
|
||||
bpf_program_unref(*prog_installed);
|
||||
*prog_installed = bpf_program_ref(prog);
|
||||
bpf_program_free(*prog_installed);
|
||||
*prog_installed = TAKE_PTR(*prog);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
@ -278,7 +279,7 @@ int bpf_devices_supported(void) {
|
||||
BPF_EXIT_INSN()
|
||||
};
|
||||
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *program = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *program = NULL;
|
||||
static int supported = -1;
|
||||
int r;
|
||||
|
||||
|
@ -9,7 +9,7 @@ typedef struct BPFProgram BPFProgram;
|
||||
|
||||
int bpf_devices_cgroup_init(BPFProgram **ret, CGroupDevicePolicy policy, bool allow_list);
|
||||
int bpf_devices_apply_policy(
|
||||
BPFProgram *prog,
|
||||
BPFProgram **prog,
|
||||
CGroupDevicePolicy policy,
|
||||
bool allow_list,
|
||||
const char *cgroup_path,
|
||||
|
@ -192,7 +192,7 @@ static int bpf_firewall_compile_bpf(
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
};
|
||||
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *p = NULL;
|
||||
int accounting_map_fd, r;
|
||||
bool access_enabled;
|
||||
|
||||
@ -555,8 +555,8 @@ int bpf_firewall_compile(Unit *u) {
|
||||
* but we reuse the accounting maps. That way the firewall in effect always maps to the actual
|
||||
* configuration, but we don't flush out the accounting unnecessarily */
|
||||
|
||||
u->ip_bpf_ingress = bpf_program_unref(u->ip_bpf_ingress);
|
||||
u->ip_bpf_egress = bpf_program_unref(u->ip_bpf_egress);
|
||||
u->ip_bpf_ingress = bpf_program_free(u->ip_bpf_ingress);
|
||||
u->ip_bpf_egress = bpf_program_free(u->ip_bpf_egress);
|
||||
|
||||
u->ipv4_allow_map_fd = safe_close(u->ipv4_allow_map_fd);
|
||||
u->ipv4_deny_map_fd = safe_close(u->ipv4_deny_map_fd);
|
||||
@ -601,7 +601,7 @@ static int load_bpf_progs_from_fs_to_set(Unit *u, char **filter_paths, Set **set
|
||||
set_clear(*set);
|
||||
|
||||
STRV_FOREACH(bpf_fs_path, filter_paths) {
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
|
||||
int r;
|
||||
|
||||
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &prog);
|
||||
@ -657,25 +657,18 @@ static int attach_custom_bpf_progs(Unit *u, const char *path, int attach_type, S
|
||||
assert(u);
|
||||
|
||||
set_clear(*set_installed);
|
||||
set_ensure_allocated(set_installed, &bpf_program_hash_ops);
|
||||
|
||||
SET_FOREACH(prog, *set) {
|
||||
SET_FOREACH_MOVE(prog, *set_installed, *set) {
|
||||
r = bpf_program_cgroup_attach(prog, attach_type, path, BPF_F_ALLOW_MULTI);
|
||||
if (r < 0)
|
||||
return log_unit_error_errno(u, r, "Attaching custom egress BPF program to cgroup %s failed: %m", path);
|
||||
|
||||
/* Remember that these BPF programs are installed now. */
|
||||
r = set_ensure_put(set_installed, &bpf_program_hash_ops, prog);
|
||||
if (r < 0)
|
||||
return log_unit_error_errno(u, r, "Can't add program to BPF program set: %m");
|
||||
|
||||
bpf_program_ref(prog);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int bpf_firewall_install(Unit *u) {
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *ip_bpf_ingress_uninstall = NULL, *ip_bpf_egress_uninstall = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *ip_bpf_ingress_uninstall = NULL, *ip_bpf_egress_uninstall = NULL;
|
||||
_cleanup_free_ char *path = NULL;
|
||||
CGroupContext *cc;
|
||||
int r, supported;
|
||||
@ -719,8 +712,8 @@ int bpf_firewall_install(Unit *u) {
|
||||
/* If we don't have BPF_F_ALLOW_MULTI then unref the old BPF programs (which will implicitly
|
||||
* detach them) right before attaching the new program, to minimize the time window when we
|
||||
* don't account for IP traffic. */
|
||||
u->ip_bpf_egress_installed = bpf_program_unref(u->ip_bpf_egress_installed);
|
||||
u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed);
|
||||
u->ip_bpf_egress_installed = bpf_program_free(u->ip_bpf_egress_installed);
|
||||
u->ip_bpf_ingress_installed = bpf_program_free(u->ip_bpf_ingress_installed);
|
||||
}
|
||||
|
||||
if (u->ip_bpf_egress) {
|
||||
@ -729,7 +722,7 @@ int bpf_firewall_install(Unit *u) {
|
||||
return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path);
|
||||
|
||||
/* Remember that this BPF program is installed now. */
|
||||
u->ip_bpf_egress_installed = bpf_program_ref(u->ip_bpf_egress);
|
||||
u->ip_bpf_egress_installed = TAKE_PTR(u->ip_bpf_egress);
|
||||
}
|
||||
|
||||
if (u->ip_bpf_ingress) {
|
||||
@ -737,12 +730,12 @@ int bpf_firewall_install(Unit *u) {
|
||||
if (r < 0)
|
||||
return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path);
|
||||
|
||||
u->ip_bpf_ingress_installed = bpf_program_ref(u->ip_bpf_ingress);
|
||||
u->ip_bpf_ingress_installed = TAKE_PTR(u->ip_bpf_ingress);
|
||||
}
|
||||
|
||||
/* And now, definitely get rid of the old programs, and detach them */
|
||||
ip_bpf_egress_uninstall = bpf_program_unref(ip_bpf_egress_uninstall);
|
||||
ip_bpf_ingress_uninstall = bpf_program_unref(ip_bpf_ingress_uninstall);
|
||||
ip_bpf_egress_uninstall = bpf_program_free(ip_bpf_egress_uninstall);
|
||||
ip_bpf_ingress_uninstall = bpf_program_free(ip_bpf_ingress_uninstall);
|
||||
|
||||
r = attach_custom_bpf_progs(u, path, BPF_CGROUP_INET_EGRESS, &u->ip_bpf_custom_egress, &u->ip_bpf_custom_egress_installed);
|
||||
if (r < 0)
|
||||
@ -806,7 +799,7 @@ int bpf_firewall_supported(void) {
|
||||
BPF_EXIT_INSN()
|
||||
};
|
||||
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *program = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *program = NULL;
|
||||
static int supported = -1;
|
||||
union bpf_attr attr;
|
||||
int r;
|
||||
@ -936,10 +929,10 @@ void bpf_firewall_close(Unit *u) {
|
||||
u->ipv4_deny_map_fd = safe_close(u->ipv4_deny_map_fd);
|
||||
u->ipv6_deny_map_fd = safe_close(u->ipv6_deny_map_fd);
|
||||
|
||||
u->ip_bpf_ingress = bpf_program_unref(u->ip_bpf_ingress);
|
||||
u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed);
|
||||
u->ip_bpf_egress = bpf_program_unref(u->ip_bpf_egress);
|
||||
u->ip_bpf_egress_installed = bpf_program_unref(u->ip_bpf_egress_installed);
|
||||
u->ip_bpf_ingress = bpf_program_free(u->ip_bpf_ingress);
|
||||
u->ip_bpf_ingress_installed = bpf_program_free(u->ip_bpf_ingress_installed);
|
||||
u->ip_bpf_egress = bpf_program_free(u->ip_bpf_egress);
|
||||
u->ip_bpf_egress_installed = bpf_program_free(u->ip_bpf_egress_installed);
|
||||
|
||||
u->ip_bpf_custom_ingress = set_free(u->ip_bpf_custom_ingress);
|
||||
u->ip_bpf_custom_egress = set_free(u->ip_bpf_custom_egress);
|
||||
|
@ -49,7 +49,7 @@ static void bpf_foreign_key_hash_func(const BPFForeignKey *p, struct siphash *h)
|
||||
|
||||
DEFINE_PRIVATE_HASH_OPS_FULL(bpf_foreign_by_key_hash_ops,
|
||||
BPFForeignKey, bpf_foreign_key_hash_func, bpf_foreign_key_compare_func, free,
|
||||
BPFProgram, bpf_program_unref);
|
||||
BPFProgram, bpf_program_free);
|
||||
|
||||
static int attach_programs(Unit *u, const char *path, Hashmap* foreign_by_key, uint32_t attach_flags) {
|
||||
const BPFForeignKey *key;
|
||||
@ -76,7 +76,7 @@ static int bpf_foreign_prepare(
|
||||
Unit *u,
|
||||
enum bpf_attach_type attach_type,
|
||||
const char *bpffs_path) {
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
|
||||
_cleanup_free_ BPFForeignKey *key = NULL;
|
||||
uint32_t prog_id;
|
||||
int r;
|
||||
|
@ -1170,7 +1170,7 @@ static void cgroup_apply_restrict_network_interfaces(Unit *u) {
|
||||
}
|
||||
|
||||
static int cgroup_apply_devices(Unit *u) {
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
|
||||
const char *path;
|
||||
CGroupContext *c;
|
||||
CGroupDeviceAllow *a;
|
||||
@ -1244,7 +1244,7 @@ static int cgroup_apply_devices(Unit *u) {
|
||||
policy = CGROUP_DEVICE_POLICY_STRICT;
|
||||
}
|
||||
|
||||
r = bpf_devices_apply_policy(prog, policy, any, path, &u->bpf_device_control_installed);
|
||||
r = bpf_devices_apply_policy(&prog, policy, any, path, &u->bpf_device_control_installed);
|
||||
if (r < 0) {
|
||||
static bool warned = false;
|
||||
|
||||
@ -2767,7 +2767,7 @@ void unit_prune_cgroup(Unit *u) {
|
||||
u->cgroup_realized_mask = 0;
|
||||
u->cgroup_enabled_mask = 0;
|
||||
|
||||
u->bpf_device_control_installed = bpf_program_unref(u->bpf_device_control_installed);
|
||||
u->bpf_device_control_installed = bpf_program_free(u->bpf_device_control_installed);
|
||||
}
|
||||
|
||||
int unit_search_main_pid(Unit *u, pid_t *ret) {
|
||||
|
@ -770,7 +770,7 @@ Unit* unit_free(Unit *u) {
|
||||
|
||||
hashmap_free(u->bpf_foreign_by_key);
|
||||
|
||||
bpf_program_unref(u->bpf_device_control_installed);
|
||||
bpf_program_free(u->bpf_device_control_installed);
|
||||
|
||||
#if BPF_FRAMEWORK
|
||||
bpf_link_free(u->restrict_ifaces_ingress_bpf_link);
|
||||
|
@ -38,7 +38,27 @@ static const char *const bpf_cgroup_attach_type_table[__MAX_BPF_ATTACH_TYPE] = {
|
||||
|
||||
DEFINE_STRING_TABLE_LOOKUP(bpf_cgroup_attach_type, int);
|
||||
|
||||
DEFINE_HASH_OPS_WITH_KEY_DESTRUCTOR(bpf_program_hash_ops, void, trivial_hash_func, trivial_compare_func, bpf_program_unref);
|
||||
DEFINE_HASH_OPS_WITH_KEY_DESTRUCTOR(bpf_program_hash_ops, void, trivial_hash_func, trivial_compare_func, bpf_program_free);
|
||||
|
||||
BPFProgram *bpf_program_free(BPFProgram *p) {
|
||||
if (!p)
|
||||
return NULL;
|
||||
/* Unfortunately, the kernel currently doesn't implicitly detach BPF programs from their cgroups when the last
|
||||
* fd to the BPF program is closed. This has nasty side-effects since this means that abnormally terminated
|
||||
* programs that attached one of their BPF programs to a cgroup will leave this program pinned for good with
|
||||
* zero chance of recovery, until the cgroup is removed. This is particularly problematic if the cgroup in
|
||||
* question is the root cgroup (or any other cgroup belonging to a service that cannot be restarted during
|
||||
* operation, such as dbus), as the memory for the BPF program can only be reclaimed through a reboot. To
|
||||
* counter this, we track closely to which cgroup a program was attached to and will detach it on our own
|
||||
* whenever we close the BPF fd. */
|
||||
(void) bpf_program_cgroup_detach(p);
|
||||
|
||||
safe_close(p->kernel_fd);
|
||||
free(p->instructions);
|
||||
free(p->attached_path);
|
||||
|
||||
return mfree(p);
|
||||
}
|
||||
|
||||
/* struct bpf_prog_info info must be initialized since its value is both input and output
|
||||
* for BPF_OBJ_GET_INFO_BY_FD syscall. */
|
||||
@ -61,14 +81,13 @@ static int bpf_program_get_info_by_fd(int prog_fd, struct bpf_prog_info *info, u
|
||||
}
|
||||
|
||||
int bpf_program_new(uint32_t prog_type, BPFProgram **ret) {
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *p = NULL;
|
||||
|
||||
p = new(BPFProgram, 1);
|
||||
if (!p)
|
||||
return -ENOMEM;
|
||||
|
||||
*p = (BPFProgram) {
|
||||
.n_ref = 1,
|
||||
.prog_type = prog_type,
|
||||
.kernel_fd = -1,
|
||||
};
|
||||
@ -79,7 +98,7 @@ int bpf_program_new(uint32_t prog_type, BPFProgram **ret) {
|
||||
}
|
||||
|
||||
int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret) {
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *p = NULL;
|
||||
struct bpf_prog_info info = {};
|
||||
int r;
|
||||
|
||||
@ -92,7 +111,6 @@ int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret) {
|
||||
|
||||
*p = (BPFProgram) {
|
||||
.prog_type = BPF_PROG_TYPE_UNSPEC,
|
||||
.n_ref = 1,
|
||||
.kernel_fd = -1,
|
||||
};
|
||||
|
||||
@ -110,27 +128,6 @@ int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static BPFProgram *bpf_program_free(BPFProgram *p) {
|
||||
assert(p);
|
||||
|
||||
/* Unfortunately, the kernel currently doesn't implicitly detach BPF programs from their cgroups when the last
|
||||
* fd to the BPF program is closed. This has nasty side-effects since this means that abnormally terminated
|
||||
* programs that attached one of their BPF programs to a cgroup will leave this programs pinned for good with
|
||||
* zero chance of recovery, until the cgroup is removed. This is particularly problematic if the cgroup in
|
||||
* question is the root cgroup (or any other cgroup belonging to a service that cannot be restarted during
|
||||
* operation, such as dbus), as the memory for the BPF program can only be reclaimed through a reboot. To
|
||||
* counter this, we track closely to which cgroup a program was attached to and will detach it on our own
|
||||
* whenever we close the BPF fd. */
|
||||
(void) bpf_program_cgroup_detach(p);
|
||||
|
||||
safe_close(p->kernel_fd);
|
||||
free(p->instructions);
|
||||
free(p->attached_path);
|
||||
|
||||
return mfree(p);
|
||||
}
|
||||
|
||||
DEFINE_TRIVIAL_REF_UNREF_FUNC(BPFProgram, bpf_program, bpf_program_free);
|
||||
|
||||
int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *instructions, size_t count) {
|
||||
|
||||
@ -424,7 +421,7 @@ int bpf_program_serialize_attachment_set(FILE *f, FDSet *fds, const char *key, S
|
||||
|
||||
int bpf_program_deserialize_attachment(const char *v, FDSet *fds, BPFProgram **bpfp) {
|
||||
_cleanup_free_ char *sfd = NULL, *sat = NULL, *unescaped = NULL;
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *p = NULL;
|
||||
_cleanup_close_ int fd = -1;
|
||||
ssize_t l;
|
||||
int ifd, at, r;
|
||||
@ -470,7 +467,6 @@ int bpf_program_deserialize_attachment(const char *v, FDSet *fds, BPFProgram **b
|
||||
return -ENOMEM;
|
||||
|
||||
*p = (BPFProgram) {
|
||||
.n_ref = 1,
|
||||
.kernel_fd = TAKE_FD(fd),
|
||||
.prog_type = BPF_PROG_TYPE_UNSPEC,
|
||||
.attached_path = TAKE_PTR(unescaped),
|
||||
@ -478,7 +474,7 @@ int bpf_program_deserialize_attachment(const char *v, FDSet *fds, BPFProgram **b
|
||||
};
|
||||
|
||||
if (*bpfp)
|
||||
bpf_program_unref(*bpfp);
|
||||
bpf_program_free(*bpfp);
|
||||
|
||||
*bpfp = TAKE_PTR(p);
|
||||
return 0;
|
||||
|
@ -17,8 +17,6 @@ typedef struct BPFProgram BPFProgram;
|
||||
* we attach it, but it might happen that we operate with programs that aren't loaded or aren't attached, or
|
||||
* where we don't have the code. */
|
||||
struct BPFProgram {
|
||||
unsigned n_ref;
|
||||
|
||||
/* The loaded BPF program, if loaded */
|
||||
int kernel_fd;
|
||||
uint32_t prog_type;
|
||||
@ -36,8 +34,7 @@ struct BPFProgram {
|
||||
|
||||
int bpf_program_new(uint32_t prog_type, BPFProgram **ret);
|
||||
int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret);
|
||||
BPFProgram *bpf_program_ref(BPFProgram *p);
|
||||
BPFProgram *bpf_program_unref(BPFProgram *p);
|
||||
BPFProgram *bpf_program_free(BPFProgram *p);
|
||||
|
||||
int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, size_t count);
|
||||
int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size);
|
||||
@ -63,4 +60,4 @@ int bpf_map_lookup_element(int fd, const void *key, void *value);
|
||||
int bpf_cgroup_attach_type_from_string(const char *str) _pure_;
|
||||
const char *bpf_cgroup_attach_type_to_string(int attach_type) _const_;
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(BPFProgram*, bpf_program_unref);
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(BPFProgram*, bpf_program_free);
|
||||
|
@ -15,7 +15,7 @@
|
||||
#include "tests.h"
|
||||
|
||||
static void test_policy_closed(const char *cgroup_path, BPFProgram **installed_prog) {
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
|
||||
unsigned wrong = 0;
|
||||
int r;
|
||||
|
||||
@ -27,7 +27,7 @@ static void test_policy_closed(const char *cgroup_path, BPFProgram **installed_p
|
||||
r = bpf_devices_allow_list_static(prog, cgroup_path);
|
||||
assert_se(r >= 0);
|
||||
|
||||
r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_CLOSED, true, cgroup_path, installed_prog);
|
||||
r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_CLOSED, true, cgroup_path, installed_prog);
|
||||
assert_se(r >= 0);
|
||||
|
||||
const char *s;
|
||||
@ -53,7 +53,7 @@ static void test_policy_closed(const char *cgroup_path, BPFProgram **installed_p
|
||||
}
|
||||
|
||||
static void test_policy_strict(const char *cgroup_path, BPFProgram **installed_prog) {
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
|
||||
unsigned wrong = 0;
|
||||
int r;
|
||||
|
||||
@ -71,7 +71,7 @@ static void test_policy_strict(const char *cgroup_path, BPFProgram **installed_p
|
||||
r = bpf_devices_allow_list_device(prog, cgroup_path, "/dev/zero", "w");
|
||||
assert_se(r >= 0);
|
||||
|
||||
r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog);
|
||||
r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog);
|
||||
assert_se(r >= 0);
|
||||
|
||||
{
|
||||
@ -130,7 +130,7 @@ static void test_policy_strict(const char *cgroup_path, BPFProgram **installed_p
|
||||
}
|
||||
|
||||
static void test_policy_allow_list_major(const char *pattern, const char *cgroup_path, BPFProgram **installed_prog) {
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
|
||||
unsigned wrong = 0;
|
||||
int r;
|
||||
|
||||
@ -142,7 +142,7 @@ static void test_policy_allow_list_major(const char *pattern, const char *cgroup
|
||||
r = bpf_devices_allow_list_major(prog, cgroup_path, pattern, 'c', "rw");
|
||||
assert_se(r >= 0);
|
||||
|
||||
r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog);
|
||||
r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog);
|
||||
assert_se(r >= 0);
|
||||
|
||||
/* /dev/null, /dev/full have major==1, /dev/tty has major==5 */
|
||||
@ -189,7 +189,7 @@ static void test_policy_allow_list_major(const char *pattern, const char *cgroup
|
||||
}
|
||||
|
||||
static void test_policy_allow_list_major_star(char type, const char *cgroup_path, BPFProgram **installed_prog) {
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
|
||||
unsigned wrong = 0;
|
||||
int r;
|
||||
|
||||
@ -201,7 +201,7 @@ static void test_policy_allow_list_major_star(char type, const char *cgroup_path
|
||||
r = bpf_devices_allow_list_major(prog, cgroup_path, "*", type, "rw");
|
||||
assert_se(r >= 0);
|
||||
|
||||
r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog);
|
||||
r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog);
|
||||
assert_se(r >= 0);
|
||||
|
||||
{
|
||||
@ -220,7 +220,7 @@ static void test_policy_allow_list_major_star(char type, const char *cgroup_path
|
||||
}
|
||||
|
||||
static void test_policy_empty(bool add_mismatched, const char *cgroup_path, BPFProgram **installed_prog) {
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
|
||||
unsigned wrong = 0;
|
||||
int r;
|
||||
|
||||
@ -234,7 +234,7 @@ static void test_policy_empty(bool add_mismatched, const char *cgroup_path, BPFP
|
||||
assert_se(r < 0);
|
||||
}
|
||||
|
||||
r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_STRICT, false, cgroup_path, installed_prog);
|
||||
r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_STRICT, false, cgroup_path, installed_prog);
|
||||
assert_se(r >= 0);
|
||||
|
||||
{
|
||||
@ -282,7 +282,7 @@ int main(int argc, char *argv[]) {
|
||||
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, cgroup, NULL, &controller_path);
|
||||
assert_se(r >= 0);
|
||||
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
|
||||
|
||||
test_policy_closed(cgroup, &prog);
|
||||
test_policy_strict(cgroup, &prog);
|
||||
|
@ -24,7 +24,7 @@ int main(int argc, char *argv[]) {
|
||||
|
||||
_cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
|
||||
CGroupContext *cc = NULL;
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *p = NULL;
|
||||
_cleanup_(manager_freep) Manager *m = NULL;
|
||||
Unit *u;
|
||||
char log_buf[65535];
|
||||
@ -93,7 +93,7 @@ int main(int argc, char *argv[]) {
|
||||
}
|
||||
}
|
||||
|
||||
p = bpf_program_unref(p);
|
||||
p = bpf_program_free(p);
|
||||
|
||||
/* The simple tests succeeded. Now let's try full unit-based use-case. */
|
||||
|
||||
|
@ -155,7 +155,7 @@ static int pin_programs(Unit *u, CGroupContext *cc, const Test *test_suite, size
|
||||
assert_se(paths_ret);
|
||||
|
||||
for (size_t i = 0; i < test_suite_size; i++) {
|
||||
_cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
|
||||
_cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
|
||||
_cleanup_free_ char *str = NULL;
|
||||
|
||||
r = bpf_foreign_test_to_string(test_suite[i].attach_type, test_suite[i].bpffs_path, &str);
|
||||
|
Loading…
Reference in New Issue
Block a user