From 9f2e6892a2e70ea3ee84d232f5f4ef3bf217ce4f Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 21 Sep 2017 20:38:07 +0200 Subject: [PATCH] bpf: set BPF_F_ALLOW_OVERRIDE when attaching a cgroup program if Delegate=yes is set Let's permit installing BPF programs in cgroup subtrees if Delegeate=yes. Let's not document this precise behaviour for now though, as most likely the logic here should become recursive, but that's only going to happen if the kernel starts supporting that. Until then, support this in a non-recursive fashion. --- src/basic/bpf-program.c | 3 ++- src/basic/bpf-program.h | 2 +- src/core/bpf-firewall.c | 12 ++++++++++-- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/src/basic/bpf-program.c b/src/basic/bpf-program.c index 9326176743..ce6f9e4409 100644 --- a/src/basic/bpf-program.c +++ b/src/basic/bpf-program.c @@ -91,7 +91,7 @@ int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size) { return 0; } -int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path) { +int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path, uint32_t flags) { _cleanup_close_ int fd = -1; union bpf_attr attr; @@ -107,6 +107,7 @@ int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path) { .attach_type = type, .target_fd = fd, .attach_bpf_fd = p->kernel_fd, + .attach_flags = flags, }; if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0) diff --git a/src/basic/bpf-program.h b/src/basic/bpf-program.h index 0dd150b60a..35a41ffc44 100644 --- a/src/basic/bpf-program.h +++ b/src/basic/bpf-program.h @@ -45,7 +45,7 @@ BPFProgram *bpf_program_unref(BPFProgram *p); int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, size_t count); int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size); -int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path); +int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path, uint32_t flags); int bpf_program_cgroup_detach(int type, const char *path); int bpf_map_new(enum bpf_map_type type, size_t key_size, size_t value_size, size_t max_entries, uint32_t flags); diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c index 732c36fc1a..909c1c8253 100644 --- a/src/core/bpf-firewall.c +++ b/src/core/bpf-firewall.c @@ -539,10 +539,18 @@ int bpf_firewall_compile(Unit *u) { int bpf_firewall_install(Unit *u) { _cleanup_free_ char *path = NULL; + CGroupContext *cc; int r; assert(u); + if (!u->cgroup_path) + return -EINVAL; + + cc = unit_get_cgroup_context(u); + if (!cc) + return -EINVAL; + r = bpf_firewall_supported(); if (r < 0) return r; @@ -560,7 +568,7 @@ int bpf_firewall_install(Unit *u) { if (r < 0) return log_error_errno(r, "Kernel upload of egress BPF program failed: %m"); - r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path); + r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, cc->delegate ? BPF_F_ALLOW_OVERRIDE : 0); if (r < 0) return log_error_errno(r, "Attaching egress BPF program to cgroup %s failed: %m", path); } else { @@ -575,7 +583,7 @@ int bpf_firewall_install(Unit *u) { if (r < 0) return log_error_errno(r, "Kernel upload of ingress BPF program failed: %m"); - r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path); + r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, cc->delegate ? BPF_F_ALLOW_OVERRIDE : 0); if (r < 0) return log_error_errno(r, "Attaching ingress BPF program to cgroup %s failed: %m", path); } else {