From 0b82cd2502bd9df61cc7cd283409226035e3b77c Mon Sep 17 00:00:00 2001 From: Pavel Hrdina Date: Mon, 12 Nov 2018 10:52:05 +0100 Subject: [PATCH 1/2] bpf-devices: fix cgroup v2 devices detection If cgroup v2 bpf devices is supported we need to return 1, not -1. Signed-off-by: Pavel Hrdina --- src/core/bpf-devices.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/bpf-devices.c b/src/core/bpf-devices.c index 1a2153122a..ffa6b59a8a 100644 --- a/src/core/bpf-devices.c +++ b/src/core/bpf-devices.c @@ -243,5 +243,5 @@ int bpf_devices_supported(void) { return supported = 0; } - return supported; + return supported = 1; } From 2af3eed1aa4a4bcbb1f8eed3736c82dd9d731295 Mon Sep 17 00:00:00 2001 From: Pavel Hrdina Date: Mon, 12 Nov 2018 10:53:47 +0100 Subject: [PATCH 2/2] bpf-devices: fix order of removing and adding BPF programs The current code has multiple issues and it should never be done like that. If someone updates list of allowed devices we should attach new program before we remove the old one for two reasons: 1. It takes some time to attach new program so there is a period of time when all devices are allowed. 2. BPF programs have limit for number of instructions (4096) and if user adds a lot of devices we might hit the instruction limit and the new program will not be accepted which will result in allow all devices because the old program was already removed. In order to attach the new program before we remove the old one we need to use BPF_F_ALLOW_MULTI flag every time. Signed-off-by: Pavel Hrdina --- src/core/bpf-devices.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/src/core/bpf-devices.c b/src/core/bpf-devices.c index ffa6b59a8a..d8915244a7 100644 --- a/src/core/bpf-devices.c +++ b/src/core/bpf-devices.c @@ -142,7 +142,6 @@ int cgroup_apply_device_bpf(Unit *u, BPFProgram *prog, CGroupDevicePolicy policy }; _cleanup_free_ char *path = NULL; - uint32_t flags; int r; if (!prog) { @@ -177,15 +176,14 @@ int cgroup_apply_device_bpf(Unit *u, BPFProgram *prog, CGroupDevicePolicy policy if (r < 0) return log_error_errno(r, "Failed to determine cgroup path: %m"); - flags = (u->type == UNIT_SLICE || unit_cgroup_delegate(u)) ? BPF_F_ALLOW_MULTI : 0; + + r = bpf_program_cgroup_attach(prog, BPF_CGROUP_DEVICE, path, BPF_F_ALLOW_MULTI); + if (r < 0) + return log_error_errno(r, "Attaching device control BPF program to cgroup %s failed: %m", path); /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program. */ u->bpf_device_control_installed = bpf_program_unref(u->bpf_device_control_installed); - r = bpf_program_cgroup_attach(prog, BPF_CGROUP_DEVICE, path, flags); - if (r < 0) - return log_error_errno(r, "Attaching device control BPF program to cgroup %s failed: %m", path); - /* Remember that this BPF program is installed now. */ u->bpf_device_control_installed = bpf_program_ref(prog);