mirror of
https://github.com/systemd/systemd.git
synced 2024-10-30 06:25:37 +03:00
bpf: name unnamed bpf programs
bpf-firewall and bpf-devices programs do not have names, which complicates debugging with bpftool(8). Assign names starting with the 'sd_' prefix:
* firewall program names are 'sd_fw_ingress' for the ingress attach point and 'sd_fw_egress' for egress.
* 'sd_devices' for the devices program.

The 'sd_' prefix is already used in source-compiled programs, e.g. sd_restrictif_i, sd_restrictif_e, sd_bind6. The name must not be longer than 15 characters (BPF_OBJ_NAME_LEN - 1). Assign names only to programs loaded into the kernel by systemd, since programs pinned to bpffs are already loaded.
parent
df4ec48f45
commit
8fe9dbb926
@ -192,7 +192,7 @@ int bpf_devices_cgroup_init(
|
||||
if (policy == CGROUP_DEVICE_POLICY_AUTO && !allow_list)
|
||||
return 0;
|
||||
|
||||
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, &prog);
|
||||
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, "sd_devices", &prog);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Loading device control BPF program failed: %m");
|
||||
|
||||
@ -306,7 +306,7 @@ int bpf_devices_supported(void) {
|
||||
return supported = 0;
|
||||
}
|
||||
|
||||
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, &program);
|
||||
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, NULL, &program);
|
||||
if (r < 0) {
|
||||
log_debug_errno(r, "Can't allocate CGROUP DEVICE BPF program, BPF device control is not supported: %m");
|
||||
return supported = 0;
|
||||
|
@ -193,6 +193,7 @@ static int bpf_firewall_compile_bpf(
|
||||
};
|
||||
|
||||
_cleanup_(bpf_program_freep) BPFProgram *p = NULL;
|
||||
const char *prog_name = is_ingress ? "sd_fw_ingress" : "sd_fw_egress";
|
||||
int accounting_map_fd, r;
|
||||
bool access_enabled;
|
||||
|
||||
@ -216,7 +217,7 @@ static int bpf_firewall_compile_bpf(
|
||||
return 0;
|
||||
}
|
||||
|
||||
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &p);
|
||||
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, prog_name, &p);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -604,7 +605,7 @@ static int load_bpf_progs_from_fs_to_set(Unit *u, char **filter_paths, Set **set
|
||||
_cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
|
||||
int r;
|
||||
|
||||
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &prog);
|
||||
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, NULL, &prog);
|
||||
if (r < 0)
|
||||
return log_unit_error_errno(u, r, "Can't allocate CGROUP SKB BPF program: %m");
|
||||
|
||||
@ -825,7 +826,7 @@ int bpf_firewall_supported(void) {
|
||||
return supported = BPF_FIREWALL_UNSUPPORTED;
|
||||
}
|
||||
|
||||
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &program);
|
||||
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, NULL, &program);
|
||||
if (r < 0) {
|
||||
bpf_firewall_unsupported_reason =
|
||||
log_debug_errno(r, "Can't allocate CGROUP SKB BPF program, BPF firewalling is not supported: %m");
|
||||
|
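Review bot: The support probe in bpf_firewall_supported() (last hunk of this section) still allocates its program with a NULL name, while bpf_firewall_compile_bpf() now always requests "sd_fw_ingress" or "sd_fw_egress". If the probe goes on to load that program (the rest of the function is outside the hunk), it no longer exercises the same bpf_attr as the real load. A kernel that accepts BPF_PROG_TYPE_CGROUP_SKB but predates the prog_name field would presumably pass the probe and then refuse the named load, so the failure would only show up when a unit's filter is compiled. Either probe with a name, e.g. `r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, "sd_trivial", &program);`, or record the assumption next to the NULL, e.g. `/* unnamed on purpose: only checks that CGROUP_SKB programs can be loaded at all */`.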
@ -55,6 +55,7 @@ BPFProgram *bpf_program_free(BPFProgram *p) {
|
||||
(void) bpf_program_cgroup_detach(p);
|
||||
|
||||
safe_close(p->kernel_fd);
|
||||
free(p->prog_name);
|
||||
free(p->instructions);
|
||||
free(p->attached_path);
|
||||
|
||||
@ -78,8 +79,18 @@ static int bpf_program_get_info_by_fd(int prog_fd, struct bpf_prog_info *info, u
|
||||
return RET_NERRNO(bpf(BPF_OBJ_GET_INFO_BY_FD, &attr, sizeof(attr)));
|
||||
}
|
||||
|
||||
int bpf_program_new(uint32_t prog_type, BPFProgram **ret) {
|
||||
int bpf_program_new(uint32_t prog_type, const char *prog_name, BPFProgram **ret) {
|
||||
_cleanup_(bpf_program_freep) BPFProgram *p = NULL;
|
||||
_cleanup_free_ char *name = NULL;
|
||||
|
||||
if (prog_name) {
|
||||
if (strlen(prog_name) >= BPF_OBJ_NAME_LEN)
|
||||
return -ENAMETOOLONG;
|
||||
|
||||
name = strdup(prog_name);
|
||||
if (!name)
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
p = new(BPFProgram, 1);
|
||||
if (!p)
|
||||
@ -88,6 +99,7 @@ int bpf_program_new(uint32_t prog_type, BPFProgram **ret) {
|
||||
*p = (BPFProgram) {
|
||||
.prog_type = prog_type,
|
||||
.kernel_fd = -1,
|
||||
.prog_name = TAKE_PTR(name),
|
||||
};
|
||||
|
||||
*ret = TAKE_PTR(p);
|
||||
@ -165,6 +177,8 @@ int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size) {
|
||||
attr.log_buf = PTR_TO_UINT64(log_buf);
|
||||
attr.log_level = !!log_buf;
|
||||
attr.log_size = log_size;
|
||||
if (p->prog_name)
|
||||
strncpy(attr.prog_name, p->prog_name, BPF_OBJ_NAME_LEN - 1);
|
||||
|
||||
p->kernel_fd = bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
|
||||
if (p->kernel_fd < 0)
|
||||
|
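Review bot: The `strncpy()` added in bpf_program_load_kernel() never writes a terminator itself. attr.prog_name ends up NUL-terminated only because its last byte is left untouched and attr is presumably zeroed earlier in the function, which is outside the hunk. The length is already checked in bpf_program_new(), so stating that invariant at the copy would keep a later change from breaking it silently: `assert(strlen(p->prog_name) < BPF_OBJ_NAME_LEN);` ahead of the `strncpy()`, or a comment such as `/* length validated in bpf_program_new(); attr is zero-initialized, so the result stays NUL-terminated */`. bpf_program_new() validates only the length; as far as I know the kernel also restricts object names to alphanumerics, '_' and '.', so a name outside that set would be reported only as a failed BPF_PROG_LOAD.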
@ -20,6 +20,7 @@ struct BPFProgram {
|
||||
/* The loaded BPF program, if loaded */
|
||||
int kernel_fd;
|
||||
uint32_t prog_type;
|
||||
char *prog_name;
|
||||
|
||||
/* The code of it BPF program, if known */
|
||||
size_t n_instructions;
|
||||
@ -32,7 +33,7 @@ struct BPFProgram {
|
||||
uint32_t attached_flags;
|
||||
};
|
||||
|
||||
int bpf_program_new(uint32_t prog_type, BPFProgram **ret);
|
||||
int bpf_program_new(uint32_t prog_type, const char *prog_name, BPFProgram **ret);
|
||||
int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret);
|
||||
BPFProgram *bpf_program_free(BPFProgram *p);
|
||||
|
||||
|
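Review bot: The new `prog_name` parameter and struct field are undocumented. The prototype does not say that NULL is accepted (the program is then loaded without a name) or that a name of BPF_OBJ_NAME_LEN or more characters is rejected with -ENAMETOOLONG, both of which the implementation in this commit does. The field also sits under the "The loaded BPF program, if loaded" comment although it is set when the object is allocated. I would add `/* Name passed to the kernel at load time, NULL for unnamed programs; always shorter than BPF_OBJ_NAME_LEN */` above `char *prog_name;`. The struct definition starts and ends outside these hunks.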
@ -55,7 +55,7 @@ int main(int argc, char *argv[]) {
|
||||
assert_se(set_unit_path(unit_dir) >= 0);
|
||||
assert_se(runtime_dir = setup_fake_runtime_dir());
|
||||
|
||||
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &p);
|
||||
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, "sd_trivial", &p);
|
||||
assert_se(r == 0);
|
||||
|
||||
r = bpf_program_add_instructions(p, exit_insn, ELEMENTSOF(exit_insn));
|
||||
|
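Review bot: Nothing in this test exercises the two new outcomes of bpf_program_new(), the NULL-name path and the -ENAMETOOLONG rejection; only a valid name, "sd_trivial", is passed. A one-line negative check would pin the length limit, e.g. `assert_se(bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, "sd_name_that_is_too_long", &p) == -ENAMETOOLONG);` (constructed name, 24 characters). It should go before the existing call, since the rejection returns before `*ret` is written. main() continues outside the hunk.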
@ -162,7 +162,7 @@ static int pin_programs(Unit *u, CGroupContext *cc, const Test *test_suite, size
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to convert program to string");
|
||||
|
||||
r = bpf_program_new(test_suite[i].prog_type, &prog);
|
||||
r = bpf_program_new(test_suite[i].prog_type, "sd_trivial", &prog);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to create program '%s'", str);
|
||||
|
||||
|