bpf-program: optionally take fd of program to detach

This is useful for BPF_F_ALLOW_MULTI programs, where the kernel requires
us to specify the fd.
Lennart Poettering 2018-02-16 14:58:12 +01:00
parent 2ae7ee58fa
commit 9b3c189786
3 changed files with 9 additions and 4 deletions


@ -117,12 +117,16 @@ int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path, uint32_
return 0;
}
int bpf_program_cgroup_detach(int type, const char *path) {
int bpf_program_cgroup_detach(BPFProgram *p, int type, const char *path) {
_cleanup_close_ int fd = -1;
union bpf_attr attr;
assert(type >= 0);
assert(path);
/* Note that 'p' may be NULL, in which case any program is detached. However, note that if BPF_F_ALLOW_MULTI is
* used 'p' is not optional. */
fd = open(path, O_DIRECTORY|O_RDONLY|O_CLOEXEC);
if (fd < 0)
return -errno;
@ -130,6 +134,7 @@ int bpf_program_cgroup_detach(int type, const char *path) {
attr = (union bpf_attr) {
.attach_type = type,
.target_fd = fd,
.attach_bpf_fd = p ? p->kernel_fd : -1,
};
if (bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0)
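Review bot: The initializer `.attach_bpf_fd = p ? p->kernel_fd : -1` makes a non-NULL `p` that has not been loaded into the kernel indistinguishable from `p == NULL`, assuming `kernel_fd` stays negative until load (its initial value is not visible in this hunk). The request would then presumably take the "any program is detached" path described in the new comment instead of failing, which on a cgroup firewall hook can remove a filter other than the one the caller meant. A guard before the `open()` such as `if (p && p->kernel_fd < 0) return -EINVAL;` would turn that caller mistake into an explicit error. The new comment could also say how a caller knows whether BPF_F_ALLOW_MULTI was used at attach time, since both call sites in bpf_firewall_install() still pass NULL. The body of bpf_program_cgroup_detach() continues past the end of the hunk.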


@ -47,7 +47,7 @@ int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, siz
int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size);
int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path, uint32_t flags);
int bpf_program_cgroup_detach(int type, const char *path);
int bpf_program_cgroup_detach(BPFProgram *p, int type, const char *path);
int bpf_map_new(enum bpf_map_type type, size_t key_size, size_t value_size, size_t max_entries, uint32_t flags);
int bpf_map_update_element(int fd, const void *key, void *value);


@ -573,7 +573,7 @@ int bpf_firewall_install(Unit *u) {
if (r < 0)
return log_error_errno(r, "Attaching egress BPF program to cgroup %s failed: %m", path);
} else {
r = bpf_program_cgroup_detach(BPF_CGROUP_INET_EGRESS, path);
r = bpf_program_cgroup_detach(NULL, BPF_CGROUP_INET_EGRESS, path);
if (r < 0)
return log_full_errno(r == -ENOENT ? LOG_DEBUG : LOG_ERR, r,
"Detaching egress BPF program from cgroup failed: %m");
@ -588,7 +588,7 @@ int bpf_firewall_install(Unit *u) {
if (r < 0)
return log_error_errno(r, "Attaching ingress BPF program to cgroup %s failed: %m", path);
} else {
r = bpf_program_cgroup_detach(BPF_CGROUP_INET_INGRESS, path);
r = bpf_program_cgroup_detach(NULL, BPF_CGROUP_INET_INGRESS, path);
if (r < 0)
return log_full_errno(r == -ENOENT ? LOG_DEBUG : LOG_ERR, r,
"Detaching ingress BPF program from cgroup failed: %m");