diff options
| author | alexlzhu <alexlzhu@fb.com> | 2021-08-19 01:01:05 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2021-10-12 12:48:23 +0200 |
| commit | 76dc17254f7c78eae2dec2b9b1cfb60657a7b6e7 (patch) | |
| tree | eaf61330174b3b5b5647cd11ec6951f5d1609220 /src | |
| parent | network: dhcp6-pd: also assign addresses in IA_PD prefixes on uplink interface (diff) | |
| download | systemd-76dc17254f7c78eae2dec2b9b1cfb60657a7b6e7.tar.xz systemd-76dc17254f7c78eae2dec2b9b1cfb60657a7b6e7.zip | |
core: remove refcount for bpf program
Currently ref count of bpf-program is kept in user space. However, the
kernel already implements its own ref count. Thus the ref count we keep for
bpf-program is redundant.
This PR removes ref count for bpf program as part of a task to simplify
bpf-program and remove redundancies, which will make the switch to
code-compiled BPF programs easier.
Part of #19270
Diffstat (limited to '')
| -rw-r--r-- | src/core/bpf-devices.c | 25 | ||||
| -rw-r--r-- | src/core/bpf-devices.h | 2 | ||||
| -rw-r--r-- | src/core/bpf-firewall.c | 43 | ||||
| -rw-r--r-- | src/core/bpf-foreign.c | 4 | ||||
| -rw-r--r-- | src/core/cgroup.c | 6 | ||||
| -rw-r--r-- | src/core/unit.c | 2 | ||||
| -rw-r--r-- | src/shared/bpf-program.c | 54 | ||||
| -rw-r--r-- | src/shared/bpf-program.h | 7 | ||||
| -rw-r--r-- | src/test/test-bpf-devices.c | 22 | ||||
| -rw-r--r-- | src/test/test-bpf-firewall.c | 4 | ||||
| -rw-r--r-- | src/test/test-bpf-foreign-programs.c | 2 |
11 files changed, 79 insertions, 92 deletions
diff --git a/src/core/bpf-devices.c b/src/core/bpf-devices.c index 4daa7f76b0..4d86e8665f 100644 --- a/src/core/bpf-devices.c +++ b/src/core/bpf-devices.c @@ -184,7 +184,7 @@ int bpf_devices_cgroup_init( offsetof(struct bpf_cgroup_dev_ctx, minor)), }; - _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; + _cleanup_(bpf_program_freep) BPFProgram *prog = NULL; int r; assert(ret); @@ -208,7 +208,7 @@ int bpf_devices_cgroup_init( } int bpf_devices_apply_policy( - BPFProgram *prog, + BPFProgram **prog, CGroupDevicePolicy policy, bool allow_list, const char *cgroup_path, @@ -219,7 +219,8 @@ int bpf_devices_apply_policy( /* This will assign *prog_installed if everything goes well. */ - if (!prog) + assert(prog); + if (!*prog) goto finish; const bool deny_everything = policy == CGROUP_DEVICE_POLICY_STRICT && !allow_list; @@ -237,20 +238,20 @@ int bpf_devices_apply_policy( }; if (!deny_everything) { - r = bpf_program_add_instructions(prog, post_insn, ELEMENTSOF(post_insn)); + r = bpf_program_add_instructions(*prog, post_insn, ELEMENTSOF(post_insn)); if (r < 0) return log_error_errno(r, "Extending device control BPF program failed: %m"); /* Fixup PASS_JUMP_OFF jump offsets. */ - for (size_t off = 0; off < prog->n_instructions; off++) { - struct bpf_insn *ins = &prog->instructions[off]; + for (size_t off = 0; off < (*prog)->n_instructions; off++) { + struct bpf_insn *ins = &((*prog)->instructions[off]); if (ins->code == (BPF_JMP | BPF_JA) && ins->off == PASS_JUMP_OFF) - ins->off = prog->n_instructions - off - 1; + ins->off = (*prog)->n_instructions - off - 1; } } - r = bpf_program_add_instructions(prog, exit_insn, ELEMENTSOF(exit_insn)); + r = bpf_program_add_instructions(*prog, exit_insn, ELEMENTSOF(exit_insn)); if (r < 0) return log_error_errno(r, "Extending device control BPF program failed: %m"); @@ -258,7 +259,7 @@ int bpf_devices_apply_policy( if (r < 0) return log_error_errno(r, "Failed to determine cgroup path: %m"); - r = bpf_program_cgroup_attach(prog, BPF_CGROUP_DEVICE, controller_path, BPF_F_ALLOW_MULTI); + r = bpf_program_cgroup_attach(*prog, BPF_CGROUP_DEVICE, controller_path, BPF_F_ALLOW_MULTI); if (r < 0) return log_error_errno(r, "Attaching device control BPF program to cgroup %s failed: %m", empty_to_root(cgroup_path)); @@ -266,8 +267,8 @@ int bpf_devices_apply_policy( finish: /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program. */ if (prog_installed) { - bpf_program_unref(*prog_installed); - *prog_installed = bpf_program_ref(prog); + bpf_program_free(*prog_installed); + *prog_installed = TAKE_PTR(*prog); } return 0; } @@ -278,7 +279,7 @@ int bpf_devices_supported(void) { BPF_EXIT_INSN() }; - _cleanup_(bpf_program_unrefp) BPFProgram *program = NULL; + _cleanup_(bpf_program_freep) BPFProgram *program = NULL; static int supported = -1; int r; diff --git a/src/core/bpf-devices.h b/src/core/bpf-devices.h index 19b4d392cc..51063640a8 100644 --- a/src/core/bpf-devices.h +++ b/src/core/bpf-devices.h @@ -9,7 +9,7 @@ typedef struct BPFProgram BPFProgram; int bpf_devices_cgroup_init(BPFProgram **ret, CGroupDevicePolicy policy, bool allow_list); int bpf_devices_apply_policy( - BPFProgram *prog, + BPFProgram **prog, CGroupDevicePolicy policy, bool allow_list, const char *cgroup_path, diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c index d23b43bcb2..7067a0dfcc 100644 --- a/src/core/bpf-firewall.c +++ b/src/core/bpf-firewall.c @@ -192,7 +192,7 @@ static int bpf_firewall_compile_bpf( BPF_MOV64_IMM(BPF_REG_0, 0), }; - _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL; + _cleanup_(bpf_program_freep) BPFProgram *p = NULL; int accounting_map_fd, r; bool access_enabled; @@ -555,8 +555,8 @@ int bpf_firewall_compile(Unit *u) { * but we reuse the accounting maps. That way the firewall in effect always maps to the actual * configuration, but we don't flush out the accounting unnecessarily */ - u->ip_bpf_ingress = bpf_program_unref(u->ip_bpf_ingress); - u->ip_bpf_egress = bpf_program_unref(u->ip_bpf_egress); + u->ip_bpf_ingress = bpf_program_free(u->ip_bpf_ingress); + u->ip_bpf_egress = bpf_program_free(u->ip_bpf_egress); u->ipv4_allow_map_fd = safe_close(u->ipv4_allow_map_fd); u->ipv4_deny_map_fd = safe_close(u->ipv4_deny_map_fd); @@ -601,7 +601,7 @@ static int load_bpf_progs_from_fs_to_set(Unit *u, char **filter_paths, Set **set set_clear(*set); STRV_FOREACH(bpf_fs_path, filter_paths) { - _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; + _cleanup_(bpf_program_freep) BPFProgram *prog = NULL; int r; r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &prog); @@ -657,25 +657,18 @@ static int attach_custom_bpf_progs(Unit *u, const char *path, int attach_type, S assert(u); set_clear(*set_installed); + set_ensure_allocated(set_installed, &bpf_program_hash_ops); - SET_FOREACH(prog, *set) { + SET_FOREACH_MOVE(prog, *set_installed, *set) { r = bpf_program_cgroup_attach(prog, attach_type, path, BPF_F_ALLOW_MULTI); if (r < 0) return log_unit_error_errno(u, r, "Attaching custom egress BPF program to cgroup %s failed: %m", path); - - /* Remember that these BPF programs are installed now. */ - r = set_ensure_put(set_installed, &bpf_program_hash_ops, prog); - if (r < 0) - return log_unit_error_errno(u, r, "Can't add program to BPF program set: %m"); - - bpf_program_ref(prog); } - return 0; } int bpf_firewall_install(Unit *u) { - _cleanup_(bpf_program_unrefp) BPFProgram *ip_bpf_ingress_uninstall = NULL, *ip_bpf_egress_uninstall = NULL; + _cleanup_(bpf_program_freep) BPFProgram *ip_bpf_ingress_uninstall = NULL, *ip_bpf_egress_uninstall = NULL; _cleanup_free_ char *path = NULL; CGroupContext *cc; int r, supported; @@ -719,8 +712,8 @@ int bpf_firewall_install(Unit *u) { /* If we don't have BPF_F_ALLOW_MULTI then unref the old BPF programs (which will implicitly * detach them) right before attaching the new program, to minimize the time window when we * don't account for IP traffic. */ - u->ip_bpf_egress_installed = bpf_program_unref(u->ip_bpf_egress_installed); - u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed); + u->ip_bpf_egress_installed = bpf_program_free(u->ip_bpf_egress_installed); + u->ip_bpf_ingress_installed = bpf_program_free(u->ip_bpf_ingress_installed); } if (u->ip_bpf_egress) { @@ -729,7 +722,7 @@ int bpf_firewall_install(Unit *u) { return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path); /* Remember that this BPF program is installed now. */ - u->ip_bpf_egress_installed = bpf_program_ref(u->ip_bpf_egress); + u->ip_bpf_egress_installed = TAKE_PTR(u->ip_bpf_egress); } if (u->ip_bpf_ingress) { @@ -737,12 +730,12 @@ int bpf_firewall_install(Unit *u) { if (r < 0) return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path); - u->ip_bpf_ingress_installed = bpf_program_ref(u->ip_bpf_ingress); + u->ip_bpf_ingress_installed = TAKE_PTR(u->ip_bpf_ingress); } /* And now, definitely get rid of the old programs, and detach them */ - ip_bpf_egress_uninstall = bpf_program_unref(ip_bpf_egress_uninstall); - ip_bpf_ingress_uninstall = bpf_program_unref(ip_bpf_ingress_uninstall); + ip_bpf_egress_uninstall = bpf_program_free(ip_bpf_egress_uninstall); + ip_bpf_ingress_uninstall = bpf_program_free(ip_bpf_ingress_uninstall); r = attach_custom_bpf_progs(u, path, BPF_CGROUP_INET_EGRESS, &u->ip_bpf_custom_egress, &u->ip_bpf_custom_egress_installed); if (r < 0) @@ -806,7 +799,7 @@ int bpf_firewall_supported(void) { BPF_EXIT_INSN() }; - _cleanup_(bpf_program_unrefp) BPFProgram *program = NULL; + _cleanup_(bpf_program_freep) BPFProgram *program = NULL; static int supported = -1; union bpf_attr attr; int r; @@ -936,10 +929,10 @@ void bpf_firewall_close(Unit *u) { u->ipv4_deny_map_fd = safe_close(u->ipv4_deny_map_fd); u->ipv6_deny_map_fd = safe_close(u->ipv6_deny_map_fd); - u->ip_bpf_ingress = bpf_program_unref(u->ip_bpf_ingress); - u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed); - u->ip_bpf_egress = bpf_program_unref(u->ip_bpf_egress); - u->ip_bpf_egress_installed = bpf_program_unref(u->ip_bpf_egress_installed); + u->ip_bpf_ingress = bpf_program_free(u->ip_bpf_ingress); + u->ip_bpf_ingress_installed = bpf_program_free(u->ip_bpf_ingress_installed); + u->ip_bpf_egress = bpf_program_free(u->ip_bpf_egress); + u->ip_bpf_egress_installed = bpf_program_free(u->ip_bpf_egress_installed); u->ip_bpf_custom_ingress = set_free(u->ip_bpf_custom_ingress); u->ip_bpf_custom_egress = set_free(u->ip_bpf_custom_egress); diff --git a/src/core/bpf-foreign.c b/src/core/bpf-foreign.c index 27e5517519..6b93b9785f 100644 --- a/src/core/bpf-foreign.c +++ b/src/core/bpf-foreign.c @@ -49,7 +49,7 @@ static void bpf_foreign_key_hash_func(const BPFForeignKey *p, struct siphash *h) DEFINE_PRIVATE_HASH_OPS_FULL(bpf_foreign_by_key_hash_ops, BPFForeignKey, bpf_foreign_key_hash_func, bpf_foreign_key_compare_func, free, - BPFProgram, bpf_program_unref); + BPFProgram, bpf_program_free); static int attach_programs(Unit *u, const char *path, Hashmap* foreign_by_key, uint32_t attach_flags) { const BPFForeignKey *key; @@ -76,7 +76,7 @@ static int bpf_foreign_prepare( Unit *u, enum bpf_attach_type attach_type, const char *bpffs_path) { - _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; + _cleanup_(bpf_program_freep) BPFProgram *prog = NULL; _cleanup_free_ BPFForeignKey *key = NULL; uint32_t prog_id; int r; diff --git a/src/core/cgroup.c b/src/core/cgroup.c index 2b15310191..13e69e27b3 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -1170,7 +1170,7 @@ static void cgroup_apply_restrict_network_interfaces(Unit *u) { } static int cgroup_apply_devices(Unit *u) { - _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; + _cleanup_(bpf_program_freep) BPFProgram *prog = NULL; const char *path; CGroupContext *c; CGroupDeviceAllow *a; @@ -1244,7 +1244,7 @@ static int cgroup_apply_devices(Unit *u) { policy = CGROUP_DEVICE_POLICY_STRICT; } - r = bpf_devices_apply_policy(prog, policy, any, path, &u->bpf_device_control_installed); + r = bpf_devices_apply_policy(&prog, policy, any, path, &u->bpf_device_control_installed); if (r < 0) { static bool warned = false; @@ -2767,7 +2767,7 @@ void unit_prune_cgroup(Unit *u) { u->cgroup_realized_mask = 0; u->cgroup_enabled_mask = 0; - u->bpf_device_control_installed = bpf_program_unref(u->bpf_device_control_installed); + u->bpf_device_control_installed = bpf_program_free(u->bpf_device_control_installed); } int unit_search_main_pid(Unit *u, pid_t *ret) { diff --git a/src/core/unit.c b/src/core/unit.c index 05341a64f5..d8b4179239 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -770,7 +770,7 @@ Unit* unit_free(Unit *u) { hashmap_free(u->bpf_foreign_by_key); - bpf_program_unref(u->bpf_device_control_installed); + bpf_program_free(u->bpf_device_control_installed); #if BPF_FRAMEWORK bpf_link_free(u->restrict_ifaces_ingress_bpf_link); diff --git a/src/shared/bpf-program.c b/src/shared/bpf-program.c index 4575bb4e2f..a73e1e995b 100644 --- a/src/shared/bpf-program.c +++ b/src/shared/bpf-program.c @@ -38,7 +38,27 @@ static const char *const bpf_cgroup_attach_type_table[__MAX_BPF_ATTACH_TYPE] = { DEFINE_STRING_TABLE_LOOKUP(bpf_cgroup_attach_type, int); -DEFINE_HASH_OPS_WITH_KEY_DESTRUCTOR(bpf_program_hash_ops, void, trivial_hash_func, trivial_compare_func, bpf_program_unref); +DEFINE_HASH_OPS_WITH_KEY_DESTRUCTOR(bpf_program_hash_ops, void, trivial_hash_func, trivial_compare_func, bpf_program_free); + +BPFProgram *bpf_program_free(BPFProgram *p) { + if (!p) + return NULL; + /* Unfortunately, the kernel currently doesn't implicitly detach BPF programs from their cgroups when the last + * fd to the BPF program is closed. This has nasty side-effects since this means that abnormally terminated + * programs that attached one of their BPF programs to a cgroup will leave this program pinned for good with + * zero chance of recovery, until the cgroup is removed. This is particularly problematic if the cgroup in + * question is the root cgroup (or any other cgroup belonging to a service that cannot be restarted during + * operation, such as dbus), as the memory for the BPF program can only be reclaimed through a reboot. To + * counter this, we track closely to which cgroup a program was attached to and will detach it on our own + * whenever we close the BPF fd. */ + (void) bpf_program_cgroup_detach(p); + + safe_close(p->kernel_fd); + free(p->instructions); + free(p->attached_path); + + return mfree(p); +} /* struct bpf_prog_info info must be initialized since its value is both input and output * for BPF_OBJ_GET_INFO_BY_FD syscall. */ @@ -61,14 +81,13 @@ static int bpf_program_get_info_by_fd(int prog_fd, struct bpf_prog_info *info, u } int bpf_program_new(uint32_t prog_type, BPFProgram **ret) { - _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL; + _cleanup_(bpf_program_freep) BPFProgram *p = NULL; p = new(BPFProgram, 1); if (!p) return -ENOMEM; *p = (BPFProgram) { - .n_ref = 1, .prog_type = prog_type, .kernel_fd = -1, }; @@ -79,7 +98,7 @@ int bpf_program_new(uint32_t prog_type, BPFProgram **ret) { } int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret) { - _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL; + _cleanup_(bpf_program_freep) BPFProgram *p = NULL; struct bpf_prog_info info = {}; int r; @@ -92,7 +111,6 @@ int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret) { *p = (BPFProgram) { .prog_type = BPF_PROG_TYPE_UNSPEC, - .n_ref = 1, .kernel_fd = -1, }; @@ -110,27 +128,6 @@ int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret) { return 0; } -static BPFProgram *bpf_program_free(BPFProgram *p) { - assert(p); - - /* Unfortunately, the kernel currently doesn't implicitly detach BPF programs from their cgroups when the last - * fd to the BPF program is closed. This has nasty side-effects since this means that abnormally terminated - * programs that attached one of their BPF programs to a cgroup will leave this programs pinned for good with - * zero chance of recovery, until the cgroup is removed. This is particularly problematic if the cgroup in - * question is the root cgroup (or any other cgroup belonging to a service that cannot be restarted during - * operation, such as dbus), as the memory for the BPF program can only be reclaimed through a reboot. To - * counter this, we track closely to which cgroup a program was attached to and will detach it on our own - * whenever we close the BPF fd. */ - (void) bpf_program_cgroup_detach(p); - - safe_close(p->kernel_fd); - free(p->instructions); - free(p->attached_path); - - return mfree(p); -} - -DEFINE_TRIVIAL_REF_UNREF_FUNC(BPFProgram, bpf_program, bpf_program_free); int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *instructions, size_t count) { @@ -424,7 +421,7 @@ int bpf_program_serialize_attachment_set(FILE *f, FDSet *fds, const char *key, S int bpf_program_deserialize_attachment(const char *v, FDSet *fds, BPFProgram **bpfp) { _cleanup_free_ char *sfd = NULL, *sat = NULL, *unescaped = NULL; - _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL; + _cleanup_(bpf_program_freep) BPFProgram *p = NULL; _cleanup_close_ int fd = -1; ssize_t l; int ifd, at, r; @@ -470,7 +467,6 @@ int bpf_program_deserialize_attachment(const char *v, FDSet *fds, BPFProgram **b return -ENOMEM; *p = (BPFProgram) { - .n_ref = 1, .kernel_fd = TAKE_FD(fd), .prog_type = BPF_PROG_TYPE_UNSPEC, .attached_path = TAKE_PTR(unescaped), @@ -478,7 +474,7 @@ int bpf_program_deserialize_attachment(const char *v, FDSet *fds, BPFProgram **b }; if (*bpfp) - bpf_program_unref(*bpfp); + bpf_program_free(*bpfp); *bpfp = TAKE_PTR(p); return 0; diff --git a/src/shared/bpf-program.h b/src/shared/bpf-program.h index 908af1a1b2..e54900fa2f 100644 --- a/src/shared/bpf-program.h +++ b/src/shared/bpf-program.h @@ -17,8 +17,6 @@ typedef struct BPFProgram BPFProgram; * we attach it, but it might happen that we operate with programs that aren't loaded or aren't attached, or * where we don't have the code. */ struct BPFProgram { - unsigned n_ref; - /* The loaded BPF program, if loaded */ int kernel_fd; uint32_t prog_type; @@ -36,8 +34,7 @@ struct BPFProgram { int bpf_program_new(uint32_t prog_type, BPFProgram **ret); int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret); -BPFProgram *bpf_program_ref(BPFProgram *p); -BPFProgram *bpf_program_unref(BPFProgram *p); +BPFProgram *bpf_program_free(BPFProgram *p); int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, size_t count); int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size); @@ -63,4 +60,4 @@ int bpf_map_lookup_element(int fd, const void *key, void *value); int bpf_cgroup_attach_type_from_string(const char *str) _pure_; const char *bpf_cgroup_attach_type_to_string(int attach_type) _const_; -DEFINE_TRIVIAL_CLEANUP_FUNC(BPFProgram*, bpf_program_unref); +DEFINE_TRIVIAL_CLEANUP_FUNC(BPFProgram*, bpf_program_free); diff --git a/src/test/test-bpf-devices.c b/src/test/test-bpf-devices.c index 2c5eb7313b..bbaa7b3605 100644 --- a/src/test/test-bpf-devices.c +++ b/src/test/test-bpf-devices.c @@ -15,7 +15,7 @@ #include "tests.h" static void test_policy_closed(const char *cgroup_path, BPFProgram **installed_prog) { - _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; + _cleanup_(bpf_program_freep) BPFProgram *prog = NULL; unsigned wrong = 0; int r; @@ -27,7 +27,7 @@ static void test_policy_closed(const char *cgroup_path, BPFProgram **installed_p r = bpf_devices_allow_list_static(prog, cgroup_path); assert_se(r >= 0); - r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_CLOSED, true, cgroup_path, installed_prog); + r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_CLOSED, true, cgroup_path, installed_prog); assert_se(r >= 0); const char *s; @@ -53,7 +53,7 @@ static void test_policy_closed(const char *cgroup_path, BPFProgram **installed_p } static void test_policy_strict(const char *cgroup_path, BPFProgram **installed_prog) { - _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; + _cleanup_(bpf_program_freep) BPFProgram *prog = NULL; unsigned wrong = 0; int r; @@ -71,7 +71,7 @@ static void test_policy_strict(const char *cgroup_path, BPFProgram **installed_p r = bpf_devices_allow_list_device(prog, cgroup_path, "/dev/zero", "w"); assert_se(r >= 0); - r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog); + r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog); assert_se(r >= 0); { @@ -130,7 +130,7 @@ static void test_policy_strict(const char *cgroup_path, BPFProgram **installed_p } static void test_policy_allow_list_major(const char *pattern, const char *cgroup_path, BPFProgram **installed_prog) { - _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; + _cleanup_(bpf_program_freep) BPFProgram *prog = NULL; unsigned wrong = 0; int r; @@ -142,7 +142,7 @@ static void test_policy_allow_list_major(const char *pattern, const char *cgroup r = bpf_devices_allow_list_major(prog, cgroup_path, pattern, 'c', "rw"); assert_se(r >= 0); - r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog); + r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog); assert_se(r >= 0); /* /dev/null, /dev/full have major==1, /dev/tty has major==5 */ @@ -189,7 +189,7 @@ static void test_policy_allow_list_major(const char *pattern, const char *cgroup } static void test_policy_allow_list_major_star(char type, const char *cgroup_path, BPFProgram **installed_prog) { - _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; + _cleanup_(bpf_program_freep) BPFProgram *prog = NULL; unsigned wrong = 0; int r; @@ -201,7 +201,7 @@ static void test_policy_allow_list_major_star(char type, const char *cgroup_path r = bpf_devices_allow_list_major(prog, cgroup_path, "*", type, "rw"); assert_se(r >= 0); - r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog); + r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog); assert_se(r >= 0); { @@ -220,7 +220,7 @@ static void test_policy_allow_list_major_star(char type, const char *cgroup_path } static void test_policy_empty(bool add_mismatched, const char *cgroup_path, BPFProgram **installed_prog) { - _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; + _cleanup_(bpf_program_freep) BPFProgram *prog = NULL; unsigned wrong = 0; int r; @@ -234,7 +234,7 @@ static void test_policy_empty(bool add_mismatched, const char *cgroup_path, BPFP assert_se(r < 0); } - r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_STRICT, false, cgroup_path, installed_prog); + r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_STRICT, false, cgroup_path, installed_prog); assert_se(r >= 0); { @@ -282,7 +282,7 @@ int main(int argc, char *argv[]) { r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, cgroup, NULL, &controller_path); assert_se(r >= 0); - _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; + _cleanup_(bpf_program_freep) BPFProgram *prog = NULL; test_policy_closed(cgroup, &prog); test_policy_strict(cgroup, &prog); diff --git a/src/test/test-bpf-firewall.c b/src/test/test-bpf-firewall.c index 732350fae4..2e19db600e 100644 --- a/src/test/test-bpf-firewall.c +++ b/src/test/test-bpf-firewall.c @@ -24,7 +24,7 @@ int main(int argc, char *argv[]) { _cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL; CGroupContext *cc = NULL; - _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL; + _cleanup_(bpf_program_freep) BPFProgram *p = NULL; _cleanup_(manager_freep) Manager *m = NULL; Unit *u; char log_buf[65535]; @@ -93,7 +93,7 @@ int main(int argc, char *argv[]) { } } - p = bpf_program_unref(p); + p = bpf_program_free(p); /* The simple tests succeeded. Now let's try full unit-based use-case. */ diff --git a/src/test/test-bpf-foreign-programs.c b/src/test/test-bpf-foreign-programs.c index 86e05e23ab..1765dc7a9b 100644 --- a/src/test/test-bpf-foreign-programs.c +++ b/src/test/test-bpf-foreign-programs.c @@ -155,7 +155,7 @@ static int pin_programs(Unit *u, CGroupContext *cc, const Test *test_suite, size assert_se(paths_ret); for (size_t i = 0; i < test_suite_size; i++) { - _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; + _cleanup_(bpf_program_freep) BPFProgram *prog = NULL; _cleanup_free_ char *str = NULL; r = bpf_foreign_test_to_string(test_suite[i].attach_type, test_suite[i].bpffs_path, &str); |