1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-30 06:25:37 +03:00

bpf: name unnamed bpf programs

bpf-firewall and bpf-devices do not have names. This complicates
debugging with bpftool(8).

Assign names starting with 'sd_' prefix:
* firewall program names are 'sd_fw_ingress' for ingress attach
point and 'sd_fw_egress' for egress.
* 'sd_devices' for devices prog

'sd_' prefix is already used in source-compiled programs, e.g.
sd_restrictif_i, sd_restrictif_e, sd_bind6.

The name must not be longer than 15 characters or BPF_OBJ_NAME_LEN - 1.

Assign names only to programs loaded to kernel by systemd since
programs pinned to bpffs are already loaded.
This commit is contained in:
Julia Kartseva 2022-01-21 18:50:26 -08:00 committed by Yu Watanabe
parent df4ec48f45
commit 8fe9dbb926
6 changed files with 25 additions and 9 deletions

View File

@ -192,7 +192,7 @@ int bpf_devices_cgroup_init(
if (policy == CGROUP_DEVICE_POLICY_AUTO && !allow_list)
return 0;
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, &prog);
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, "sd_devices", &prog);
if (r < 0)
return log_error_errno(r, "Loading device control BPF program failed: %m");
@ -306,7 +306,7 @@ int bpf_devices_supported(void) {
return supported = 0;
}
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, &program);
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, NULL, &program);
if (r < 0) {
log_debug_errno(r, "Can't allocate CGROUP DEVICE BPF program, BPF device control is not supported: %m");
return supported = 0;

View File

@ -193,6 +193,7 @@ static int bpf_firewall_compile_bpf(
};
_cleanup_(bpf_program_freep) BPFProgram *p = NULL;
const char *prog_name = is_ingress ? "sd_fw_ingress" : "sd_fw_egress";
int accounting_map_fd, r;
bool access_enabled;
@ -216,7 +217,7 @@ static int bpf_firewall_compile_bpf(
return 0;
}
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &p);
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, prog_name, &p);
if (r < 0)
return r;
@ -604,7 +605,7 @@ static int load_bpf_progs_from_fs_to_set(Unit *u, char **filter_paths, Set **set
_cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
int r;
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &prog);
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, NULL, &prog);
if (r < 0)
return log_unit_error_errno(u, r, "Can't allocate CGROUP SKB BPF program: %m");
@ -825,7 +826,7 @@ int bpf_firewall_supported(void) {
return supported = BPF_FIREWALL_UNSUPPORTED;
}
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &program);
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, NULL, &program);
if (r < 0) {
bpf_firewall_unsupported_reason =
log_debug_errno(r, "Can't allocate CGROUP SKB BPF program, BPF firewalling is not supported: %m");

View File

@ -55,6 +55,7 @@ BPFProgram *bpf_program_free(BPFProgram *p) {
(void) bpf_program_cgroup_detach(p);
safe_close(p->kernel_fd);
free(p->prog_name);
free(p->instructions);
free(p->attached_path);
@ -78,8 +79,18 @@ static int bpf_program_get_info_by_fd(int prog_fd, struct bpf_prog_info *info, u
return RET_NERRNO(bpf(BPF_OBJ_GET_INFO_BY_FD, &attr, sizeof(attr)));
}
int bpf_program_new(uint32_t prog_type, BPFProgram **ret) {
int bpf_program_new(uint32_t prog_type, const char *prog_name, BPFProgram **ret) {
_cleanup_(bpf_program_freep) BPFProgram *p = NULL;
_cleanup_free_ char *name = NULL;
if (prog_name) {
if (strlen(prog_name) >= BPF_OBJ_NAME_LEN)
return -ENAMETOOLONG;
name = strdup(prog_name);
if (!name)
return -ENOMEM;
}
p = new(BPFProgram, 1);
if (!p)
@ -88,6 +99,7 @@ int bpf_program_new(uint32_t prog_type, BPFProgram **ret) {
*p = (BPFProgram) {
.prog_type = prog_type,
.kernel_fd = -1,
.prog_name = TAKE_PTR(name),
};
*ret = TAKE_PTR(p);
@ -165,6 +177,8 @@ int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size) {
attr.log_buf = PTR_TO_UINT64(log_buf);
attr.log_level = !!log_buf;
attr.log_size = log_size;
if (p->prog_name)
strncpy(attr.prog_name, p->prog_name, BPF_OBJ_NAME_LEN - 1);
p->kernel_fd = bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
if (p->kernel_fd < 0)

View File

@ -20,6 +20,7 @@ struct BPFProgram {
/* The loaded BPF program, if loaded */
int kernel_fd;
uint32_t prog_type;
char *prog_name;
/* The code of it BPF program, if known */
size_t n_instructions;
@ -32,7 +33,7 @@ struct BPFProgram {
uint32_t attached_flags;
};
int bpf_program_new(uint32_t prog_type, BPFProgram **ret);
int bpf_program_new(uint32_t prog_type, const char *prog_name, BPFProgram **ret);
int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret);
BPFProgram *bpf_program_free(BPFProgram *p);

View File

@ -55,7 +55,7 @@ int main(int argc, char *argv[]) {
assert_se(set_unit_path(unit_dir) >= 0);
assert_se(runtime_dir = setup_fake_runtime_dir());
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &p);
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, "sd_trivial", &p);
assert_se(r == 0);
r = bpf_program_add_instructions(p, exit_insn, ELEMENTSOF(exit_insn));

View File

@ -162,7 +162,7 @@ static int pin_programs(Unit *u, CGroupContext *cc, const Test *test_suite, size
if (r < 0)
return log_error_errno(r, "Failed to convert program to string");
r = bpf_program_new(test_suite[i].prog_type, &prog);
r = bpf_program_new(test_suite[i].prog_type, "sd_trivial", &prog);
if (r < 0)
return log_error_errno(r, "Failed to create program '%s'", str);