Systemd/src/shared/bpf-program.h

/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

#include <linux/bpf.h>
#include <stdint.h>
#include <sys/syscall.h>

#include "list.h"
#include "macro.h"

typedef struct BPFProgram BPFProgram;

struct BPFProgram {
        unsigned n_ref;

        int kernel_fd;
        uint32_t prog_type;

        size_t n_instructions;
        size_t allocated;
        struct bpf_insn *instructions;

        char *attached_path;
        int attached_type;
        uint32_t attached_flags;
};

int bpf_program_new(uint32_t prog_type, BPFProgram **ret);
BPFProgram *bpf_program_unref(BPFProgram *p);
BPFProgram *bpf_program_ref(BPFProgram *p);

int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, size_t count);
int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size);
int bpf_program_load_from_bpf_fs(BPFProgram *p, const char *path);

int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path, uint32_t flags);
int bpf_program_cgroup_detach(BPFProgram *p);

int bpf_map_new(enum bpf_map_type type, size_t key_size, size_t value_size, size_t max_entries, uint32_t flags);
int bpf_map_update_element(int fd, const void *key, void *value);
int bpf_map_lookup_element(int fd, const void *key, void *value);

DEFINE_TRIVIAL_CLEANUP_FUNC(BPFProgram*, bpf_program_unref);
license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 05:23:58 +01:00			`/* SPDX-License-Identifier: LGPL-2.1-or-later */`
Add abstraction model for BPF programs This object takes a number of bpf_insn members and wraps them together with the in-kernel reference id. Will be needed by the firewall code. 2016-10-18 17:57:10 +02:00			`#pragma once`

			`#include <linux/bpf.h>`
			`#include <stdint.h>`
			`#include <sys/syscall.h>`

			`#include "list.h"`
			`#include "macro.h"`

			`typedef struct BPFProgram BPFProgram;`

			`struct BPFProgram {`
bpf: rework how we keep track and attach cgroup bpf programs So, the kernel's management of cgroup/BPF programs is a bit misdesigned: if you attach a BPF program to a cgroup and close the fd for it it will stay pinned to the cgroup with no chance of ever removing it again (or otherwise getting ahold of it again), because the fd is used for selecting which BPF program to detach. The only way to get rid of the program again is to destroy the cgroup itself. This is particularly bad for root the cgroup (and in fact any other cgroup that we cannot realistically remove during runtime, such as /system.slice, /init.scope or /system.slice/dbus.service) as getting rid of the program only works by rebooting the system. To counter this let's closely keep track to which cgroup a BPF program is attached and let's implicitly detach the BPF program when we are about to close the BPF fd. This hence changes the bpf_program_cgroup_attach() function to track where we attached the program and changes bpf_program_cgroup_detach() to use this information. Moreover bpf_program_unref() will now implicitly call bpf_program_cgroup_detach(). In order to simplify things, bpf_program_cgroup_attach() will now implicitly invoke bpf_program_load_kernel() when necessary, simplifying the caller's side. Finally, this adds proper reference counting to BPF programs. This is useful for working with two BPF programs in parallel: the BPF program we are preparing for installation and the BPF program we so far installed, shortening the window when we detach the old one and reattach the new one. 2018-02-20 19:28:24 +01:00			`unsigned n_ref;`

Add abstraction model for BPF programs This object takes a number of bpf_insn members and wraps them together with the in-kernel reference id. Will be needed by the firewall code. 2016-10-18 17:57:10 +02:00			`int kernel_fd;`
			`uint32_t prog_type;`

			`size_t n_instructions;`
			`size_t allocated;`
			`struct bpf_insn *instructions;`
bpf: rework how we keep track and attach cgroup bpf programs So, the kernel's management of cgroup/BPF programs is a bit misdesigned: if you attach a BPF program to a cgroup and close the fd for it it will stay pinned to the cgroup with no chance of ever removing it again (or otherwise getting ahold of it again), because the fd is used for selecting which BPF program to detach. The only way to get rid of the program again is to destroy the cgroup itself. This is particularly bad for root the cgroup (and in fact any other cgroup that we cannot realistically remove during runtime, such as /system.slice, /init.scope or /system.slice/dbus.service) as getting rid of the program only works by rebooting the system. To counter this let's closely keep track to which cgroup a BPF program is attached and let's implicitly detach the BPF program when we are about to close the BPF fd. This hence changes the bpf_program_cgroup_attach() function to track where we attached the program and changes bpf_program_cgroup_detach() to use this information. Moreover bpf_program_unref() will now implicitly call bpf_program_cgroup_detach(). In order to simplify things, bpf_program_cgroup_attach() will now implicitly invoke bpf_program_load_kernel() when necessary, simplifying the caller's side. Finally, this adds proper reference counting to BPF programs. This is useful for working with two BPF programs in parallel: the BPF program we are preparing for installation and the BPF program we so far installed, shortening the window when we detach the old one and reattach the new one. 2018-02-20 19:28:24 +01:00
			`char *attached_path;`
			`int attached_type;`
			`uint32_t attached_flags;`
Add abstraction model for BPF programs This object takes a number of bpf_insn members and wraps them together with the in-kernel reference id. Will be needed by the firewall code. 2016-10-18 17:57:10 +02:00			`};`

			`int bpf_program_new(uint32_t prog_type, BPFProgram **ret);`
			`BPFProgram bpf_program_unref(BPFProgram p);`
bpf: rework how we keep track and attach cgroup bpf programs So, the kernel's management of cgroup/BPF programs is a bit misdesigned: if you attach a BPF program to a cgroup and close the fd for it it will stay pinned to the cgroup with no chance of ever removing it again (or otherwise getting ahold of it again), because the fd is used for selecting which BPF program to detach. The only way to get rid of the program again is to destroy the cgroup itself. This is particularly bad for root the cgroup (and in fact any other cgroup that we cannot realistically remove during runtime, such as /system.slice, /init.scope or /system.slice/dbus.service) as getting rid of the program only works by rebooting the system. To counter this let's closely keep track to which cgroup a BPF program is attached and let's implicitly detach the BPF program when we are about to close the BPF fd. This hence changes the bpf_program_cgroup_attach() function to track where we attached the program and changes bpf_program_cgroup_detach() to use this information. Moreover bpf_program_unref() will now implicitly call bpf_program_cgroup_detach(). In order to simplify things, bpf_program_cgroup_attach() will now implicitly invoke bpf_program_load_kernel() when necessary, simplifying the caller's side. Finally, this adds proper reference counting to BPF programs. This is useful for working with two BPF programs in parallel: the BPF program we are preparing for installation and the BPF program we so far installed, shortening the window when we detach the old one and reattach the new one. 2018-02-20 19:28:24 +01:00			`BPFProgram bpf_program_ref(BPFProgram p);`
Add abstraction model for BPF programs This object takes a number of bpf_insn members and wraps them together with the in-kernel reference id. Will be needed by the firewall code. 2016-10-18 17:57:10 +02:00
			`int bpf_program_add_instructions(BPFProgram p, const struct bpf_insn insn, size_t count);`
			`int bpf_program_load_kernel(BPFProgram p, char log_buf, size_t log_size);`
bpf-firewall: custom BPF programs through IP(Ingress\|Egress)FilterPath= Takes a single /sys/fs/bpf/pinned_prog string as argument, but may be specified multiple times. An empty assignment resets all previous filters. Closes https://github.com/systemd/systemd/issues/10227 2019-04-23 12:14:20 +02:00			`int bpf_program_load_from_bpf_fs(BPFProgram p, const char path);`
Add abstraction model for BPF programs This object takes a number of bpf_insn members and wraps them together with the in-kernel reference id. Will be needed by the firewall code. 2016-10-18 17:57:10 +02:00
bpf: set BPF_F_ALLOW_OVERRIDE when attaching a cgroup program if Delegate=yes is set Let's permit installing BPF programs in cgroup subtrees if Delegeate=yes. Let's not document this precise behaviour for now though, as most likely the logic here should become recursive, but that's only going to happen if the kernel starts supporting that. Until then, support this in a non-recursive fashion. 2017-09-21 20:38:07 +02:00			`int bpf_program_cgroup_attach(BPFProgram p, int type, const char path, uint32_t flags);`
bpf: rework how we keep track and attach cgroup bpf programs So, the kernel's management of cgroup/BPF programs is a bit misdesigned: if you attach a BPF program to a cgroup and close the fd for it it will stay pinned to the cgroup with no chance of ever removing it again (or otherwise getting ahold of it again), because the fd is used for selecting which BPF program to detach. The only way to get rid of the program again is to destroy the cgroup itself. This is particularly bad for root the cgroup (and in fact any other cgroup that we cannot realistically remove during runtime, such as /system.slice, /init.scope or /system.slice/dbus.service) as getting rid of the program only works by rebooting the system. To counter this let's closely keep track to which cgroup a BPF program is attached and let's implicitly detach the BPF program when we are about to close the BPF fd. This hence changes the bpf_program_cgroup_attach() function to track where we attached the program and changes bpf_program_cgroup_detach() to use this information. Moreover bpf_program_unref() will now implicitly call bpf_program_cgroup_detach(). In order to simplify things, bpf_program_cgroup_attach() will now implicitly invoke bpf_program_load_kernel() when necessary, simplifying the caller's side. Finally, this adds proper reference counting to BPF programs. This is useful for working with two BPF programs in parallel: the BPF program we are preparing for installation and the BPF program we so far installed, shortening the window when we detach the old one and reattach the new one. 2018-02-20 19:28:24 +01:00			`int bpf_program_cgroup_detach(BPFProgram *p);`
Add abstraction model for BPF programs This object takes a number of bpf_insn members and wraps them together with the in-kernel reference id. Will be needed by the firewall code. 2016-10-18 17:57:10 +02:00
			`int bpf_map_new(enum bpf_map_type type, size_t key_size, size_t value_size, size_t max_entries, uint32_t flags);`
			`int bpf_map_update_element(int fd, const void key, void value);`
			`int bpf_map_lookup_element(int fd, const void key, void value);`

			`DEFINE_TRIVIAL_CLEANUP_FUNC(BPFProgram*, bpf_program_unref);`