author | Matteo Croce <teknoraver@meta.com> | 2024-07-01 21:58:30 +0200 |
---|---|---|
committer | Matteo Croce <teknoraver@meta.com> | 2024-09-11 23:07:00 +0200 |
commit | 6d9ef22acdeac4b429efb75164341233955484af (patch) | |
tree | 16e3452e31120d66a6da0f871cb6135e7198e1f4 /catalog | |
parent | store the sysctls set by networkd (diff) | |
emit a warning in networkd if managed sysctls are changed
Monitor the sysctl set by networkd for writes; if a sysctl is
overwritten with a different value than the one we set, emit a warning.
Writes are detected with an eBPF program attached as BPF_CGROUP_SYSCTL
which reports the sysctl writes only in net/.
The eBPF program only reports sysctl writes from a different cgroup than networkd.
To do this, it uses the `bpf_current_task_under_cgroup_proto()` helper,
which will be allowed in BPF_CGROUP_SYSCTL from kernel 6.12[1].
Loading a BPF_CGROUP_SYSCTL program requires the CAP_SYS_ADMIN capability,
so drop it just after the program load, whether it loads successfully or not.
Writes are logged but permitted; in future the functionality can be
extended to also deny writes to managed sysctls.
[1] https://lore.kernel.org/bpf/20240819162805.78235-3-technoboy85@gmail.com/
Diffstat (limited to 'catalog')
-rw-r--r-- | catalog/systemd.catalog.in | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in index 200c98eabe..0a12b7c3f7 100644 --- a/catalog/systemd.catalog.in +++ b/catalog/systemd.catalog.in @@ -794,3 +794,12 @@ the TPM. Automatic SRK enrollment on TPMs in such scenarios is not supported. In order to unset the PIN/password protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p <OLDPW> ""'. + +-- 9cf56b8baf9546cf9478783a8de42113 +Subject: A foreign process changed a sysctl we manage +Defined-By: systemd +Support: %SUPPORT_URL% + +A sysctl handle under /proc/sys/net, which is managed by systemd-networkd, has been changed by another process. +The event is raised only if the written value differs from the current one. +The program name, the written value, the previous value, and the value initially set by networkd have been logged. |
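Review bot: In the new catalog entry, "The event is raised only if the written value differs from the current one" does not match the commit message, which says the warning fires when a sysctl is "overwritten with a different value than the one we set". Please state which comparison the code actually makes, since the two differ once a sysctl has already drifted from networkd's value. The Subject and body also say "a foreign process" and "another process", while the commit message says writes are reported only when they come from a different cgroup than networkd, so wording such as "a process outside systemd-networkd's cgroup" would be more accurate. Finally, the body states that the program name and the values "have been logged" but never names the sysctl that changed. If the log call attaches these as structured journal fields, consider referencing them with @FIELD@ substitution so the catalog text is useful on its own. "sysctl handle" is also unusual wording for an entry under /proc/sys/net; "sysctl" or "sysctl setting" would read more clearly.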