offsetof(struct bpf_cgroup_dev_ctx, minor)),
};
- _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
int r;
assert(ret);
}
int bpf_devices_apply_policy(
- BPFProgram *prog,
+ BPFProgram **prog,
CGroupDevicePolicy policy,
bool allow_list,
const char *cgroup_path,
/* This will assign *prog_installed if everything goes well. */
- if (!prog)
+ assert(prog);
+ if (!*prog)
goto finish;
const bool deny_everything = policy == CGROUP_DEVICE_POLICY_STRICT && !allow_list;
};
if (!deny_everything) {
- r = bpf_program_add_instructions(prog, post_insn, ELEMENTSOF(post_insn));
+ r = bpf_program_add_instructions(*prog, post_insn, ELEMENTSOF(post_insn));
if (r < 0)
return log_error_errno(r, "Extending device control BPF program failed: %m");
/* Fixup PASS_JUMP_OFF jump offsets. */
- for (size_t off = 0; off < prog->n_instructions; off++) {
- struct bpf_insn *ins = &prog->instructions[off];
+ for (size_t off = 0; off < (*prog)->n_instructions; off++) {
+ struct bpf_insn *ins = &((*prog)->instructions[off]);
if (ins->code == (BPF_JMP | BPF_JA) && ins->off == PASS_JUMP_OFF)
- ins->off = prog->n_instructions - off - 1;
+ ins->off = (*prog)->n_instructions - off - 1;
}
}
- r = bpf_program_add_instructions(prog, exit_insn, ELEMENTSOF(exit_insn));
+ r = bpf_program_add_instructions(*prog, exit_insn, ELEMENTSOF(exit_insn));
if (r < 0)
return log_error_errno(r, "Extending device control BPF program failed: %m");
if (r < 0)
return log_error_errno(r, "Failed to determine cgroup path: %m");
- r = bpf_program_cgroup_attach(prog, BPF_CGROUP_DEVICE, controller_path, BPF_F_ALLOW_MULTI);
+ r = bpf_program_cgroup_attach(*prog, BPF_CGROUP_DEVICE, controller_path, BPF_F_ALLOW_MULTI);
if (r < 0)
return log_error_errno(r, "Attaching device control BPF program to cgroup %s failed: %m",
empty_to_root(cgroup_path));
finish:
/* Unref the old BPF program (which will implicitly detach it) right before attaching the new program. */
if (prog_installed) {
- bpf_program_unref(*prog_installed);
- *prog_installed = bpf_program_ref(prog);
+ bpf_program_free(*prog_installed);
+ *prog_installed = TAKE_PTR(*prog);
}
return 0;
}
BPF_EXIT_INSN()
};
- _cleanup_(bpf_program_unrefp) BPFProgram *program = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *program = NULL;
static int supported = -1;
int r;
int bpf_devices_cgroup_init(BPFProgram **ret, CGroupDevicePolicy policy, bool allow_list);
int bpf_devices_apply_policy(
- BPFProgram *prog,
+ BPFProgram **prog,
CGroupDevicePolicy policy,
bool allow_list,
const char *cgroup_path,
BPF_MOV64_IMM(BPF_REG_0, 0),
};
- _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *p = NULL;
int accounting_map_fd, r;
bool access_enabled;
* but we reuse the accounting maps. That way the firewall in effect always maps to the actual
* configuration, but we don't flush out the accounting unnecessarily */
- u->ip_bpf_ingress = bpf_program_unref(u->ip_bpf_ingress);
- u->ip_bpf_egress = bpf_program_unref(u->ip_bpf_egress);
+ u->ip_bpf_ingress = bpf_program_free(u->ip_bpf_ingress);
+ u->ip_bpf_egress = bpf_program_free(u->ip_bpf_egress);
u->ipv4_allow_map_fd = safe_close(u->ipv4_allow_map_fd);
u->ipv4_deny_map_fd = safe_close(u->ipv4_deny_map_fd);
set_clear(*set);
STRV_FOREACH(bpf_fs_path, filter_paths) {
- _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
int r;
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &prog);
assert(u);
set_clear(*set_installed);
+ set_ensure_allocated(set_installed, &bpf_program_hash_ops);
- SET_FOREACH(prog, *set) {
+ SET_FOREACH_MOVE(prog, *set_installed, *set) {
r = bpf_program_cgroup_attach(prog, attach_type, path, BPF_F_ALLOW_MULTI);
if (r < 0)
return log_unit_error_errno(u, r, "Attaching custom egress BPF program to cgroup %s failed: %m", path);
-
- /* Remember that these BPF programs are installed now. */
- r = set_ensure_put(set_installed, &bpf_program_hash_ops, prog);
- if (r < 0)
- return log_unit_error_errno(u, r, "Can't add program to BPF program set: %m");
-
- bpf_program_ref(prog);
}
-
return 0;
}
int bpf_firewall_install(Unit *u) {
- _cleanup_(bpf_program_unrefp) BPFProgram *ip_bpf_ingress_uninstall = NULL, *ip_bpf_egress_uninstall = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *ip_bpf_ingress_uninstall = NULL, *ip_bpf_egress_uninstall = NULL;
_cleanup_free_ char *path = NULL;
CGroupContext *cc;
int r, supported;
/* If we don't have BPF_F_ALLOW_MULTI then unref the old BPF programs (which will implicitly
* detach them) right before attaching the new program, to minimize the time window when we
* don't account for IP traffic. */
- u->ip_bpf_egress_installed = bpf_program_unref(u->ip_bpf_egress_installed);
- u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed);
+ u->ip_bpf_egress_installed = bpf_program_free(u->ip_bpf_egress_installed);
+ u->ip_bpf_ingress_installed = bpf_program_free(u->ip_bpf_ingress_installed);
}
if (u->ip_bpf_egress) {
return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path);
/* Remember that this BPF program is installed now. */
- u->ip_bpf_egress_installed = bpf_program_ref(u->ip_bpf_egress);
+ u->ip_bpf_egress_installed = TAKE_PTR(u->ip_bpf_egress);
}
if (u->ip_bpf_ingress) {
if (r < 0)
return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path);
- u->ip_bpf_ingress_installed = bpf_program_ref(u->ip_bpf_ingress);
+ u->ip_bpf_ingress_installed = TAKE_PTR(u->ip_bpf_ingress);
}
/* And now, definitely get rid of the old programs, and detach them */
- ip_bpf_egress_uninstall = bpf_program_unref(ip_bpf_egress_uninstall);
- ip_bpf_ingress_uninstall = bpf_program_unref(ip_bpf_ingress_uninstall);
+ ip_bpf_egress_uninstall = bpf_program_free(ip_bpf_egress_uninstall);
+ ip_bpf_ingress_uninstall = bpf_program_free(ip_bpf_ingress_uninstall);
r = attach_custom_bpf_progs(u, path, BPF_CGROUP_INET_EGRESS, &u->ip_bpf_custom_egress, &u->ip_bpf_custom_egress_installed);
if (r < 0)
BPF_EXIT_INSN()
};
- _cleanup_(bpf_program_unrefp) BPFProgram *program = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *program = NULL;
static int supported = -1;
union bpf_attr attr;
int r;
u->ipv4_deny_map_fd = safe_close(u->ipv4_deny_map_fd);
u->ipv6_deny_map_fd = safe_close(u->ipv6_deny_map_fd);
- u->ip_bpf_ingress = bpf_program_unref(u->ip_bpf_ingress);
- u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed);
- u->ip_bpf_egress = bpf_program_unref(u->ip_bpf_egress);
- u->ip_bpf_egress_installed = bpf_program_unref(u->ip_bpf_egress_installed);
+ u->ip_bpf_ingress = bpf_program_free(u->ip_bpf_ingress);
+ u->ip_bpf_ingress_installed = bpf_program_free(u->ip_bpf_ingress_installed);
+ u->ip_bpf_egress = bpf_program_free(u->ip_bpf_egress);
+ u->ip_bpf_egress_installed = bpf_program_free(u->ip_bpf_egress_installed);
u->ip_bpf_custom_ingress = set_free(u->ip_bpf_custom_ingress);
u->ip_bpf_custom_egress = set_free(u->ip_bpf_custom_egress);
DEFINE_PRIVATE_HASH_OPS_FULL(bpf_foreign_by_key_hash_ops,
BPFForeignKey, bpf_foreign_key_hash_func, bpf_foreign_key_compare_func, free,
- BPFProgram, bpf_program_unref);
+ BPFProgram, bpf_program_free);
static int attach_programs(Unit *u, const char *path, Hashmap* foreign_by_key, uint32_t attach_flags) {
const BPFForeignKey *key;
Unit *u,
enum bpf_attach_type attach_type,
const char *bpffs_path) {
- _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
_cleanup_free_ BPFForeignKey *key = NULL;
uint32_t prog_id;
int r;
}
static int cgroup_apply_devices(Unit *u) {
- _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
const char *path;
CGroupContext *c;
CGroupDeviceAllow *a;
policy = CGROUP_DEVICE_POLICY_STRICT;
}
- r = bpf_devices_apply_policy(prog, policy, any, path, &u->bpf_device_control_installed);
+ r = bpf_devices_apply_policy(&prog, policy, any, path, &u->bpf_device_control_installed);
if (r < 0) {
static bool warned = false;
u->cgroup_realized_mask = 0;
u->cgroup_enabled_mask = 0;
- u->bpf_device_control_installed = bpf_program_unref(u->bpf_device_control_installed);
+ u->bpf_device_control_installed = bpf_program_free(u->bpf_device_control_installed);
}
int unit_search_main_pid(Unit *u, pid_t *ret) {
hashmap_free(u->bpf_foreign_by_key);
- bpf_program_unref(u->bpf_device_control_installed);
+ bpf_program_free(u->bpf_device_control_installed);
#if BPF_FRAMEWORK
bpf_link_free(u->restrict_ifaces_ingress_bpf_link);
DEFINE_STRING_TABLE_LOOKUP(bpf_cgroup_attach_type, int);
-DEFINE_HASH_OPS_WITH_KEY_DESTRUCTOR(bpf_program_hash_ops, void, trivial_hash_func, trivial_compare_func, bpf_program_unref);
+DEFINE_HASH_OPS_WITH_KEY_DESTRUCTOR(bpf_program_hash_ops, void, trivial_hash_func, trivial_compare_func, bpf_program_free);
+
+BPFProgram *bpf_program_free(BPFProgram *p) {
+ if (!p)
+ return NULL;
+ /* Unfortunately, the kernel currently doesn't implicitly detach BPF programs from their cgroups when the last
+ * fd to the BPF program is closed. This has nasty side-effects since this means that abnormally terminated
+ * programs that attached one of their BPF programs to a cgroup will leave this program pinned for good with
+ * zero chance of recovery, until the cgroup is removed. This is particularly problematic if the cgroup in
+ * question is the root cgroup (or any other cgroup belonging to a service that cannot be restarted during
+ * operation, such as dbus), as the memory for the BPF program can only be reclaimed through a reboot. To
+ * counter this, we track closely to which cgroup a program was attached to and will detach it on our own
+ * whenever we close the BPF fd. */
+ (void) bpf_program_cgroup_detach(p);
+
+ safe_close(p->kernel_fd);
+ free(p->instructions);
+ free(p->attached_path);
+
+ return mfree(p);
+}
/* struct bpf_prog_info info must be initialized since its value is both input and output
* for BPF_OBJ_GET_INFO_BY_FD syscall. */
}
int bpf_program_new(uint32_t prog_type, BPFProgram **ret) {
- _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *p = NULL;
p = new(BPFProgram, 1);
if (!p)
return -ENOMEM;
*p = (BPFProgram) {
- .n_ref = 1,
.prog_type = prog_type,
.kernel_fd = -1,
};
}
int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret) {
- _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *p = NULL;
struct bpf_prog_info info = {};
int r;
*p = (BPFProgram) {
.prog_type = BPF_PROG_TYPE_UNSPEC,
- .n_ref = 1,
.kernel_fd = -1,
};
return 0;
}
-static BPFProgram *bpf_program_free(BPFProgram *p) {
- assert(p);
-
- /* Unfortunately, the kernel currently doesn't implicitly detach BPF programs from their cgroups when the last
- * fd to the BPF program is closed. This has nasty side-effects since this means that abnormally terminated
- * programs that attached one of their BPF programs to a cgroup will leave this programs pinned for good with
- * zero chance of recovery, until the cgroup is removed. This is particularly problematic if the cgroup in
- * question is the root cgroup (or any other cgroup belonging to a service that cannot be restarted during
- * operation, such as dbus), as the memory for the BPF program can only be reclaimed through a reboot. To
- * counter this, we track closely to which cgroup a program was attached to and will detach it on our own
- * whenever we close the BPF fd. */
- (void) bpf_program_cgroup_detach(p);
-
- safe_close(p->kernel_fd);
- free(p->instructions);
- free(p->attached_path);
-
- return mfree(p);
-}
-
-DEFINE_TRIVIAL_REF_UNREF_FUNC(BPFProgram, bpf_program, bpf_program_free);
int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *instructions, size_t count) {
int bpf_program_deserialize_attachment(const char *v, FDSet *fds, BPFProgram **bpfp) {
_cleanup_free_ char *sfd = NULL, *sat = NULL, *unescaped = NULL;
- _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *p = NULL;
_cleanup_close_ int fd = -1;
ssize_t l;
int ifd, at, r;
return -ENOMEM;
*p = (BPFProgram) {
- .n_ref = 1,
.kernel_fd = TAKE_FD(fd),
.prog_type = BPF_PROG_TYPE_UNSPEC,
.attached_path = TAKE_PTR(unescaped),
};
if (*bpfp)
- bpf_program_unref(*bpfp);
+ bpf_program_free(*bpfp);
*bpfp = TAKE_PTR(p);
return 0;
* we attach it, but it might happen that we operate with programs that aren't loaded or aren't attached, or
* where we don't have the code. */
struct BPFProgram {
- unsigned n_ref;
-
/* The loaded BPF program, if loaded */
int kernel_fd;
uint32_t prog_type;
int bpf_program_new(uint32_t prog_type, BPFProgram **ret);
int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret);
-BPFProgram *bpf_program_ref(BPFProgram *p);
-BPFProgram *bpf_program_unref(BPFProgram *p);
+BPFProgram *bpf_program_free(BPFProgram *p);
int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, size_t count);
int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size);
int bpf_cgroup_attach_type_from_string(const char *str) _pure_;
const char *bpf_cgroup_attach_type_to_string(int attach_type) _const_;
-DEFINE_TRIVIAL_CLEANUP_FUNC(BPFProgram*, bpf_program_unref);
+DEFINE_TRIVIAL_CLEANUP_FUNC(BPFProgram*, bpf_program_free);
#include "tests.h"
static void test_policy_closed(const char *cgroup_path, BPFProgram **installed_prog) {
- _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
unsigned wrong = 0;
int r;
r = bpf_devices_allow_list_static(prog, cgroup_path);
assert_se(r >= 0);
- r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_CLOSED, true, cgroup_path, installed_prog);
+ r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_CLOSED, true, cgroup_path, installed_prog);
assert_se(r >= 0);
const char *s;
}
static void test_policy_strict(const char *cgroup_path, BPFProgram **installed_prog) {
- _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
unsigned wrong = 0;
int r;
r = bpf_devices_allow_list_device(prog, cgroup_path, "/dev/zero", "w");
assert_se(r >= 0);
- r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog);
+ r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog);
assert_se(r >= 0);
{
}
static void test_policy_allow_list_major(const char *pattern, const char *cgroup_path, BPFProgram **installed_prog) {
- _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
unsigned wrong = 0;
int r;
r = bpf_devices_allow_list_major(prog, cgroup_path, pattern, 'c', "rw");
assert_se(r >= 0);
- r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog);
+ r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog);
assert_se(r >= 0);
/* /dev/null, /dev/full have major==1, /dev/tty has major==5 */
}
static void test_policy_allow_list_major_star(char type, const char *cgroup_path, BPFProgram **installed_prog) {
- _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
unsigned wrong = 0;
int r;
r = bpf_devices_allow_list_major(prog, cgroup_path, "*", type, "rw");
assert_se(r >= 0);
- r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog);
+ r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_STRICT, true, cgroup_path, installed_prog);
assert_se(r >= 0);
{
}
static void test_policy_empty(bool add_mismatched, const char *cgroup_path, BPFProgram **installed_prog) {
- _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
unsigned wrong = 0;
int r;
assert_se(r < 0);
}
- r = bpf_devices_apply_policy(prog, CGROUP_DEVICE_POLICY_STRICT, false, cgroup_path, installed_prog);
+ r = bpf_devices_apply_policy(&prog, CGROUP_DEVICE_POLICY_STRICT, false, cgroup_path, installed_prog);
assert_se(r >= 0);
{
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, cgroup, NULL, &controller_path);
assert_se(r >= 0);
- _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
test_policy_closed(cgroup, &prog);
test_policy_strict(cgroup, &prog);
_cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
CGroupContext *cc = NULL;
- _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *p = NULL;
_cleanup_(manager_freep) Manager *m = NULL;
Unit *u;
char log_buf[65535];
}
}
- p = bpf_program_unref(p);
+ p = bpf_program_free(p);
/* The simple tests succeeded. Now let's try full unit-based use-case. */
assert_se(paths_ret);
for (size_t i = 0; i < test_suite_size; i++) {
- _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
+ _cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
_cleanup_free_ char *str = NULL;
r = bpf_foreign_test_to_string(test_suite[i].attach_type, test_suite[i].bpffs_path, &str);
projects / thirdparty / systemd.git / commitdiff
