author | Julia Kartseva <hex@fb.com> | 2022-01-22 03:50:26 +0100 |
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-01-22 08:48:42 +0100 |
commit | 8fe9dbb9266988235a0590f76a4e77428540f900 (patch) | |
tree | f276616e4d75f7144ba78f4c0a55ecebc4026ba1 /src | |
parent | Fix journald audit logging with fields > N_IOVEC_AUDIT_FIELDS. (diff) | |
bpf: name unnamed bpf programs
bpf-firewall and bpf-devices do not have names. This complicates
debugging with bpftool(8).
Assign names starting with 'sd_' prefix:
* firewall program names are 'sd_fw_ingress' for ingress attach
point and 'sd_fw_egress' for egress.
* 'sd_devices' for devices prog
The 'sd_' prefix is already used by the source-compiled programs, e.g.
sd_restrictif_i, sd_restrictif_e, sd_bind6.
The name must not be longer than 15 characters or BPF_OBJ_NAME_LEN - 1.
Assign names only to programs loaded to kernel by systemd since
programs pinned to bpffs are already loaded.
Diffstat (limited to 'src')
-rw-r--r-- | src/core/bpf-devices.c | 4 | ||||
-rw-r--r-- | src/core/bpf-firewall.c | 7 | ||||
-rw-r--r-- | src/shared/bpf-program.c | 16 | ||||
-rw-r--r-- | src/shared/bpf-program.h | 3 | ||||
-rw-r--r-- | src/test/test-bpf-firewall.c | 2 | ||||
-rw-r--r-- | src/test/test-bpf-foreign-programs.c | 2 |
6 files changed, 25 insertions, 9 deletions
diff --git a/src/core/bpf-devices.c b/src/core/bpf-devices.c
index 4d86e8665f..e3100b862b 100644
--- a/src/core/bpf-devices.c
+++ b/src/core/bpf-devices.c
@@ -192,7 +192,7 @@ int bpf_devices_cgroup_init(
 if (policy == CGROUP_DEVICE_POLICY_AUTO && !allow_list)
 return 0;
 
- r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, &prog);
+ r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, "sd_devices", &prog);
 if (r < 0)
 return log_error_errno(r, "Loading device control BPF program failed: %m");
 
@@ -306,7 +306,7 @@ int bpf_devices_supported(void) {
 return supported = 0;
 }
 
- r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, &program);
+ r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, NULL, &program);
 if (r < 0) {
 log_debug_errno(r, "Can't allocate CGROUP DEVICE BPF program, BPF device control is not supported: %m");
 return supported = 0;
diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
index 3c1c02e444..8158fafc8e 100644
--- a/src/core/bpf-firewall.c
+++ b/src/core/bpf-firewall.c
@@ -193,6 +193,7 @@ static int bpf_firewall_compile_bpf(
 };
 
 _cleanup_(bpf_program_freep) BPFProgram *p = NULL;
+ const char *prog_name = is_ingress ? "sd_fw_ingress" : "sd_fw_egress";
 int accounting_map_fd, r;
 bool access_enabled;
 
@@ -216,7 +217,7 @@ static int bpf_firewall_compile_bpf(
 return 0;
 }
 
- r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &p);
+ r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, prog_name, &p);
 if (r < 0)
 return r;
 
@@ -604,7 +605,7 @@ static int load_bpf_progs_from_fs_to_set(Unit *u, char **filter_paths, Set **set
 _cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
 int r;
 
- r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &prog);
+ r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, NULL, &prog);
 if (r < 0)
 return log_unit_error_errno(u, r, "Can't allocate CGROUP SKB BPF program: %m");
 
@@ -825,7 +826,7 @@ int bpf_firewall_supported(void) {
 return supported = BPF_FIREWALL_UNSUPPORTED;
 }
 
- r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &program);
+ r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, NULL, &program);
 if (r < 0) {
 bpf_firewall_unsupported_reason =
 log_debug_errno(r, "Can't allocate CGROUP SKB BPF program, BPF firewalling is not supported: %m");
diff --git a/src/shared/bpf-program.c b/src/shared/bpf-program.c
index b8ca32a1f0..31fa4448b0 100644
--- a/src/shared/bpf-program.c
+++ b/src/shared/bpf-program.c
@@ -55,6 +55,7 @@ BPFProgram *bpf_program_free(BPFProgram *p) {
 (void) bpf_program_cgroup_detach(p);
 
 safe_close(p->kernel_fd);
+ free(p->prog_name);
 free(p->instructions);
 free(p->attached_path);
 
@@ -78,8 +79,18 @@ static int bpf_program_get_info_by_fd(int prog_fd, struct bpf_prog_info *info, u
 return RET_NERRNO(bpf(BPF_OBJ_GET_INFO_BY_FD, &attr, sizeof(attr)));
 }
 
-int bpf_program_new(uint32_t prog_type, BPFProgram **ret) {
+int bpf_program_new(uint32_t prog_type, const char *prog_name, BPFProgram **ret) {
 _cleanup_(bpf_program_freep) BPFProgram *p = NULL;
+ _cleanup_free_ char *name = NULL;
+
+ if (prog_name) {
+ if (strlen(prog_name) >= BPF_OBJ_NAME_LEN)
+ return -ENAMETOOLONG;
+ name = strdup(prog_name);
+ if (!name)
+ return -ENOMEM;
+ }
 
 p = new(BPFProgram, 1);
 if (!p)
@@ -88,6 +99,7 @@ int bpf_program_new(uint32_t prog_type, BPFProgram **ret) {
 *p = (BPFProgram) {
 .prog_type = prog_type,
 .kernel_fd = -1,
+ .prog_name = TAKE_PTR(name),
 };
 
 *ret = TAKE_PTR(p);
@@ -165,6 +177,8 @@ int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size) {
 attr.log_buf = PTR_TO_UINT64(log_buf);
 attr.log_level = !!log_buf;
 attr.log_size = log_size;
+ if (p->prog_name)
+ strncpy(attr.prog_name, p->prog_name, BPF_OBJ_NAME_LEN - 1);
 
 p->kernel_fd = bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
 if (p->kernel_fd < 0)
diff --git a/src/shared/bpf-program.h b/src/shared/bpf-program.h
index e54900fa2f..b640fb9d9f 100644
--- a/src/shared/bpf-program.h
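Review bot: bpf_program_new in the @@ -78 hunk validates only the length of prog_name, but the kernel also restricts BPF object names to alphanumerics, '_' and '.' and rejects anything else at BPF_PROG_LOAD time with EINVAL, so a caller that passes a name with other characters gets a load failure far from where the name was chosen. Checking the character set next to the length check keeps both constraints in one place: `if (!in_charset(prog_name, ALPHANUMERICAL "_."))` followed by `return -EINVAL;`. The strncpy added in the @@ -165 hunk copies at most BPF_OBJ_NAME_LEN - 1 bytes and therefore relies on attr.prog_name having been zero-filled when attr was initialised earlier in bpf_program_load_kernel; that initialisation is outside the hunk, so a one-line comment such as `/* attr is zero-initialised, so the last byte of prog_name stays NUL */` would make the termination argument visible where the copy happens. Both enclosing functions extend beyond their hunks.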
+++ b/src/shared/bpf-program.h
@@ -20,6 +20,7 @@ struct BPFProgram {
 /* The loaded BPF program, if loaded */
 int kernel_fd;
 uint32_t prog_type;
+ char *prog_name;
 
 /* The code of it BPF program, if known */
 size_t n_instructions;
@@ -32,7 +33,7 @@ struct BPFProgram {
 uint32_t attached_flags;
 };
 
-int bpf_program_new(uint32_t prog_type, BPFProgram **ret);
+int bpf_program_new(uint32_t prog_type, const char *prog_name, BPFProgram **ret);
 int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret);
 BPFProgram *bpf_program_free(BPFProgram *p);
 
diff --git a/src/test/test-bpf-firewall.c b/src/test/test-bpf-firewall.c
index 2e19db600e..cbcb525f52 100644
--- a/src/test/test-bpf-firewall.c
+++ b/src/test/test-bpf-firewall.c
@@ -55,7 +55,7 @@ int main(int argc, char *argv[]) {
 assert_se(set_unit_path(unit_dir) >= 0);
 assert_se(runtime_dir = setup_fake_runtime_dir());
 
- r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &p);
+ r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, "sd_trivial", &p);
 assert_se(r == 0);
 
 r = bpf_program_add_instructions(p, exit_insn, ELEMENTSOF(exit_insn));
diff --git a/src/test/test-bpf-foreign-programs.c b/src/test/test-bpf-foreign-programs.c
index 8c3f76e9ec..d73f487ff6 100644
--- a/src/test/test-bpf-foreign-programs.c
+++ b/src/test/test-bpf-foreign-programs.c
@@ -162,7 +162,7 @@ static int pin_programs(Unit *u, CGroupContext *cc, const Test *test_suite, size
 if (r < 0)
 return log_error_errno(r, "Failed to convert program to string");
 
- r = bpf_program_new(test_suite[i].prog_type, &prog);
+ r = bpf_program_new(test_suite[i].prog_type, "sd_trivial", &prog);
 if (r < 0)
 return log_error_errno(r, "Failed to create program '%s'", str);
 
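Review bot: The new `prog_name` member in the @@ -20 hunk of bpf-program.h and the new parameter of bpf_program_new in the @@ -32 hunk carry constraints that only the implementation and the commit message state: the name may be NULL, and a non-NULL name longer than BPF_OBJ_NAME_LEN - 1 characters makes bpf_program_new fail with -ENAMETOOLONG. Since this header is the contract callers read, the member deserves a comment in the style of the neighbouring ones, e.g. `/* Name handed to the kernel at load time, or NULL; at most BPF_OBJ_NAME_LEN - 1 characters */`. The prototype line could carry a matching one-line note so a caller does not have to open bpf-program.c to learn that an over-long name is rejected at construction rather than at load.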