core: fix the check if CONFIG_CGROUP_BPF is on
Since the commit torvalds/linux@fdb5c4531c the syscall BPF_PROG_ATTACH return EBADF when CONFIG_CGROUP_BPF is turned off and as result the bpf_firewall_supported() returns the incorrect value. This commmit replaces the syscall BPF_PROG_ATTACH with BPF_PROG_DETACH which is still work as expected. Resolves openbmc/linux#159 See also systemd/systemd#7054 Signed-off-by: Alexander Filippov <a.filippov@yadro.com>
This commit is contained in:
parent
eda7ed3363
commit
047de7e1b1
|
@ -660,7 +660,7 @@ int bpf_firewall_supported(void) {
|
|||
* b) whether the unified hierarchy is being used
|
||||
* c) the BPF implementation in the kernel supports BPF LPM TRIE maps, which we require
|
||||
* d) the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_SKB programs, which we require
|
||||
* e) the BPF implementation in the kernel supports the BPF_PROG_ATTACH call, which we require
|
||||
* e) the BPF implementation in the kernel supports the BPF_PROG_DETACH call, which we require
|
||||
*/
|
||||
|
||||
if (supported >= 0)
|
||||
|
@ -713,7 +713,7 @@ int bpf_firewall_supported(void) {
|
|||
* is turned off at kernel compilation time. This sucks of course: why does it allow us to create a cgroup BPF
|
||||
* program if we can't do a thing with it later?
|
||||
*
|
||||
* We detect this case by issuing the BPF_PROG_ATTACH bpf() call with invalid file descriptors: if
|
||||
* We detect this case by issuing the BPF_PROG_DETACH bpf() call with invalid file descriptors: if
|
||||
* CONFIG_CGROUP_BPF is turned off, then the call will fail early with EINVAL. If it is turned on the
|
||||
* parameters are validated however, and that'll fail with EBADF then. */
|
||||
|
||||
|
@ -723,22 +723,22 @@ int bpf_firewall_supported(void) {
|
|||
.attach_bpf_fd = -1,
|
||||
};
|
||||
|
||||
if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0) {
|
||||
if (bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0) {
|
||||
if (errno != EBADF) {
|
||||
log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_ATTACH, BPF firewalling is not supported: %m");
|
||||
log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_DETACH, BPF firewalling is not supported: %m");
|
||||
return supported = BPF_FIREWALL_UNSUPPORTED;
|
||||
}
|
||||
|
||||
/* YAY! */
|
||||
} else {
|
||||
log_debug("Wut? Kernel accepted our invalid BPF_PROG_ATTACH call? Something is weird, assuming BPF firewalling is broken and hence not supported.");
|
||||
log_debug("Wut? Kernel accepted our invalid BPF_PROG_DETACH call? Something is weird, assuming BPF firewalling is broken and hence not supported.");
|
||||
return supported = BPF_FIREWALL_UNSUPPORTED;
|
||||
}
|
||||
|
||||
/* So now we know that the BPF program is generally available, let's see if BPF_F_ALLOW_MULTI is also supported
|
||||
* (which was added in kernel 4.15). We use a similar logic as before, but this time we use
|
||||
* BPF_F_ALLOW_MULTI. Since the flags are checked early in the system call we'll get EINVAL if it's not
|
||||
* supported, and EBADF as before if it is available. */
|
||||
* (which was added in kernel 4.15). We use a similar logic as before, but this time we use the BPF_PROG_ATTACH
|
||||
* bpf() call and the BPF_F_ALLOW_MULTI flags value. Since the flags are checked early in the system call we'll
|
||||
* get EINVAL if it's not supported, and EBADF as before if it is available. */
|
||||
|
||||
attr = (union bpf_attr) {
|
||||
.attach_type = BPF_CGROUP_INET_EGRESS,
|
||||
|
|
Loading…
Reference in a new issue