]>
Commit | Line | Data |
---|---|---|
948def4a | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
91ce91c7 JK |
2 | |
3 | #if BPF_FRAMEWORK | |
4 | #include <bpf/bpf.h> | |
5 | #endif | |
6 | ||
7 | #include "fd-util.h" | |
cd09a5f3 | 8 | #include "bpf-socket-bind.h" |
91ce91c7 JK |
9 | |
10 | #if BPF_FRAMEWORK | |
11 | /* libbpf, clang, llvm and bpftool compile time dependencies are satisfied */ | |
c5fd89ad | 12 | #include "bpf-dlopen.h" |
91ce91c7 | 13 | #include "bpf-link.h" |
bb0b01ed | 14 | #include "bpf-util.h" |
91ce91c7 | 15 | #include "bpf/socket_bind/socket-bind-api.bpf.h" |
bb0b01ed | 16 | #include "bpf/socket_bind/socket-bind-skel.h" |
91ce91c7 JK |
17 | |
18 | static struct socket_bind_bpf *socket_bind_bpf_free(struct socket_bind_bpf *obj) { | |
19 | /* socket_bind_bpf__destroy handles object == NULL case */ | |
20 | (void) socket_bind_bpf__destroy(obj); | |
21 | ||
22 | return NULL; | |
23 | } | |
24 | ||
25 | DEFINE_TRIVIAL_CLEANUP_FUNC(struct socket_bind_bpf *, socket_bind_bpf_free); | |
26 | ||
27 | static int update_rules_map( | |
0b051424 LP |
28 | int map_fd, |
29 | CGroupSocketBindItem *head) { | |
30 | ||
91ce91c7 JK |
31 | uint32_t i = 0; |
32 | ||
33 | assert(map_fd >= 0); | |
34 | ||
35 | LIST_FOREACH(socket_bind_items, item, head) { | |
91ce91c7 JK |
36 | struct socket_bind_rule val = { |
37 | .address_family = (uint32_t) item->address_family, | |
560d7624 | 38 | .protocol = item->ip_protocol, |
91ce91c7 JK |
39 | .nr_ports = item->nr_ports, |
40 | .port_min = item->port_min, | |
41 | }; | |
42 | ||
0b051424 LP |
43 | uint32_t key = i++; |
44 | ||
c5fd89ad | 45 | if (sym_bpf_map_update_elem(map_fd, &key, &val, BPF_ANY) != 0) |
91ce91c7 JK |
46 | return -errno; |
47 | } | |
48 | ||
49 | return 0; | |
50 | } | |
51 | ||
52 | static int prepare_socket_bind_bpf( | |
0b051424 LP |
53 | Unit *u, |
54 | CGroupSocketBindItem *allow, | |
55 | CGroupSocketBindItem *deny, | |
56 | struct socket_bind_bpf **ret_obj) { | |
57 | ||
58 | _cleanup_(socket_bind_bpf_freep) struct socket_bind_bpf *obj = NULL; | |
59 | size_t allow_count = 0, deny_count = 0; | |
91ce91c7 | 60 | int allow_map_fd, deny_map_fd, r; |
91ce91c7 JK |
61 | |
62 | assert(ret_obj); | |
63 | ||
0b051424 | 64 | LIST_FOREACH(socket_bind_items, item, allow) |
91ce91c7 JK |
65 | allow_count++; |
66 | ||
67 | LIST_FOREACH(socket_bind_items, item, deny) | |
68 | deny_count++; | |
69 | ||
70 | if (allow_count > SOCKET_BIND_MAX_RULES) | |
1a9e33ae | 71 | return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, SYNTHETIC_ERRNO(EINVAL), |
c0f86d66 | 72 | "bpf-socket-bind: Maximum number of socket bind rules=%i is exceeded", SOCKET_BIND_MAX_RULES); |
91ce91c7 JK |
73 | |
74 | if (deny_count > SOCKET_BIND_MAX_RULES) | |
1a9e33ae | 75 | return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, SYNTHETIC_ERRNO(EINVAL), |
c0f86d66 | 76 | "bpf-socket-bind: Maximum number of socket bind rules=%i is exceeded", SOCKET_BIND_MAX_RULES); |
91ce91c7 JK |
77 | |
78 | obj = socket_bind_bpf__open(); | |
79 | if (!obj) | |
b1acbc08 | 80 | return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, errno, "bpf-socket-bind: Failed to open BPF object: %m"); |
91ce91c7 | 81 | |
6b8085db | 82 | if (sym_bpf_map__set_max_entries(obj->maps.sd_bind_allow, MAX(allow_count, 1u)) != 0) |
1a9e33ae | 83 | return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, errno, |
b1acbc08 | 84 | "bpf-socket-bind: Failed to resize BPF map '%s': %m", sym_bpf_map__name(obj->maps.sd_bind_allow)); |
91ce91c7 | 85 | |
6b8085db | 86 | if (sym_bpf_map__set_max_entries(obj->maps.sd_bind_deny, MAX(deny_count, 1u)) != 0) |
1a9e33ae | 87 | return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, errno, |
b1acbc08 | 88 | "bpf-socket-bind: Failed to resize BPF map '%s': %m", sym_bpf_map__name(obj->maps.sd_bind_deny)); |
91ce91c7 JK |
89 | |
90 | if (socket_bind_bpf__load(obj) != 0) | |
1a9e33ae | 91 | return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, errno, |
b1acbc08 | 92 | "bpf-socket-bind: Failed to load BPF object: %m"); |
91ce91c7 | 93 | |
c5fd89ad | 94 | allow_map_fd = sym_bpf_map__fd(obj->maps.sd_bind_allow); |
91ce91c7 JK |
95 | assert(allow_map_fd >= 0); |
96 | ||
97 | r = update_rules_map(allow_map_fd, allow); | |
98 | if (r < 0) | |
1a9e33ae | 99 | return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, r, |
b1acbc08 | 100 | "bpf-socket-bind: Failed to put socket bind allow rules into BPF map '%s'", |
1a9e33ae | 101 | sym_bpf_map__name(obj->maps.sd_bind_allow)); |
91ce91c7 | 102 | |
c5fd89ad | 103 | deny_map_fd = sym_bpf_map__fd(obj->maps.sd_bind_deny); |
91ce91c7 JK |
104 | assert(deny_map_fd >= 0); |
105 | ||
106 | r = update_rules_map(deny_map_fd, deny); | |
107 | if (r < 0) | |
1a9e33ae | 108 | return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, r, |
b1acbc08 | 109 | "bpf-socket-bind: Failed to put socket bind deny rules into BPF map '%s'", |
1a9e33ae | 110 | sym_bpf_map__name(obj->maps.sd_bind_deny)); |
91ce91c7 JK |
111 | |
112 | *ret_obj = TAKE_PTR(obj); | |
113 | return 0; | |
114 | } | |
115 | ||
cd09a5f3 | 116 | int bpf_socket_bind_supported(void) { |
91ce91c7 | 117 | _cleanup_(socket_bind_bpf_freep) struct socket_bind_bpf *obj = NULL; |
0b051424 | 118 | int r; |
91ce91c7 | 119 | |
bb0b01ed | 120 | if (!cgroup_bpf_supported()) |
0b051424 | 121 | return false; |
c5fd89ad | 122 | |
87e462f7 | 123 | if (!compat_libbpf_probe_bpf_prog_type(BPF_PROG_TYPE_CGROUP_SOCK_ADDR, /*opts=*/NULL)) { |
b1acbc08 | 124 | log_debug("bpf-socket-bind: BPF program type cgroup_sock_addr is not supported"); |
0b051424 | 125 | return false; |
91ce91c7 JK |
126 | } |
127 | ||
128 | r = prepare_socket_bind_bpf(/*unit=*/NULL, /*allow_rules=*/NULL, /*deny_rules=*/NULL, &obj); | |
129 | if (r < 0) { | |
b1acbc08 | 130 | log_debug_errno(r, "bpf-socket-bind: socket bind filtering is not supported: %m"); |
0b051424 | 131 | return false; |
91ce91c7 JK |
132 | } |
133 | ||
d63a3d35 | 134 | return bpf_can_link_program(obj->progs.sd_bind4); |
91ce91c7 JK |
135 | } |
136 | ||
cd09a5f3 | 137 | int bpf_socket_bind_add_initial_link_fd(Unit *u, int fd) { |
3d027d4d JK |
138 | int r; |
139 | ||
140 | assert(u); | |
141 | ||
142 | if (!u->initial_socket_bind_link_fds) { | |
143 | u->initial_socket_bind_link_fds = fdset_new(); | |
144 | if (!u->initial_socket_bind_link_fds) | |
145 | return log_oom(); | |
146 | } | |
147 | ||
148 | r = fdset_put(u->initial_socket_bind_link_fds, fd); | |
149 | if (r < 0) | |
b1acbc08 | 150 | return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to put BPF fd %d to initial fdset", fd); |
3d027d4d JK |
151 | |
152 | return 0; | |
153 | } | |
154 | ||
155 | static int socket_bind_install_impl(Unit *u) { | |
91ce91c7 JK |
156 | _cleanup_(bpf_link_freep) struct bpf_link *ipv4 = NULL, *ipv6 = NULL; |
157 | _cleanup_(socket_bind_bpf_freep) struct socket_bind_bpf *obj = NULL; | |
158 | _cleanup_free_ char *cgroup_path = NULL; | |
254d1313 | 159 | _cleanup_close_ int cgroup_fd = -EBADF; |
91ce91c7 JK |
160 | CGroupContext *cc; |
161 | int r; | |
162 | ||
0b051424 LP |
163 | assert(u); |
164 | ||
91ce91c7 JK |
165 | cc = unit_get_cgroup_context(u); |
166 | if (!cc) | |
167 | return 0; | |
168 | ||
169 | r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, NULL, &cgroup_path); | |
170 | if (r < 0) | |
b1acbc08 | 171 | return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to get cgroup path: %m"); |
91ce91c7 JK |
172 | |
173 | if (!cc->socket_bind_allow && !cc->socket_bind_deny) | |
174 | return 0; | |
175 | ||
176 | r = prepare_socket_bind_bpf(u, cc->socket_bind_allow, cc->socket_bind_deny, &obj); | |
177 | if (r < 0) | |
b1acbc08 | 178 | return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to load BPF object: %m"); |
91ce91c7 JK |
179 | |
180 | cgroup_fd = open(cgroup_path, O_RDONLY | O_CLOEXEC, 0); | |
181 | if (cgroup_fd < 0) | |
b1acbc08 | 182 | return log_unit_error_errno(u, errno, "bpf-socket-bind: Failed to open cgroup %s for reading: %m", cgroup_path); |
91ce91c7 | 183 | |
c5fd89ad LB |
184 | ipv4 = sym_bpf_program__attach_cgroup(obj->progs.sd_bind4, cgroup_fd); |
185 | r = sym_libbpf_get_error(ipv4); | |
91ce91c7 | 186 | if (r != 0) |
b1acbc08 | 187 | return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to link '%s' cgroup-bpf program: %m", |
0b051424 | 188 | sym_bpf_program__name(obj->progs.sd_bind4)); |
91ce91c7 | 189 | |
c5fd89ad LB |
190 | ipv6 = sym_bpf_program__attach_cgroup(obj->progs.sd_bind6, cgroup_fd); |
191 | r = sym_libbpf_get_error(ipv6); | |
91ce91c7 | 192 | if (r != 0) |
b1acbc08 | 193 | return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to link '%s' cgroup-bpf program: %m", |
0b051424 | 194 | sym_bpf_program__name(obj->progs.sd_bind6)); |
91ce91c7 JK |
195 | |
196 | u->ipv4_socket_bind_link = TAKE_PTR(ipv4); | |
197 | u->ipv6_socket_bind_link = TAKE_PTR(ipv6); | |
198 | ||
199 | return 0; | |
200 | } | |
3d027d4d | 201 | |
cd09a5f3 | 202 | int bpf_socket_bind_install(Unit *u) { |
0b051424 LP |
203 | int r; |
204 | ||
205 | assert(u); | |
206 | ||
207 | r = socket_bind_install_impl(u); | |
3d027d4d JK |
208 | if (r == -ENOMEM) |
209 | return r; | |
210 | ||
211 | fdset_close(u->initial_socket_bind_link_fds); | |
3d027d4d JK |
212 | return r; |
213 | } | |
214 | ||
cd09a5f3 | 215 | int bpf_serialize_socket_bind(Unit *u, FILE *f, FDSet *fds) { |
3d027d4d JK |
216 | int r; |
217 | ||
218 | assert(u); | |
219 | ||
d63a3d35 | 220 | r = bpf_serialize_link(f, fds, "ipv4-socket-bind-bpf-link", u->ipv4_socket_bind_link); |
3d027d4d JK |
221 | if (r < 0) |
222 | return r; | |
223 | ||
d63a3d35 | 224 | return bpf_serialize_link(f, fds, "ipv6-socket-bind-bpf-link", u->ipv6_socket_bind_link); |
3d027d4d JK |
225 | } |
226 | ||
91ce91c7 | 227 | #else /* ! BPF_FRAMEWORK */ |
cd09a5f3 | 228 | int bpf_socket_bind_supported(void) { |
0b051424 | 229 | return false; |
91ce91c7 JK |
230 | } |
231 | ||
cd09a5f3 | 232 | int bpf_socket_bind_add_initial_link_fd(Unit *u, int fd) { |
3d027d4d JK |
233 | return 0; |
234 | } | |
235 | ||
cd09a5f3 | 236 | int bpf_socket_bind_install(Unit *u) { |
b1acbc08 ZJS |
237 | return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), |
238 | "bpf-socket-bind: Failed to install; BPF framework is not supported"); | |
91ce91c7 JK |
239 | } |
240 | ||
cd09a5f3 | 241 | int bpf_serialize_socket_bind(Unit *u, FILE *f, FDSet *fds) { |
3d027d4d JK |
242 | return 0; |
243 | } | |
91ce91c7 | 244 | #endif |