bpf: bpf_devices_cgroup_supported() should check if bpf() is available

bpf_devices_cgroup_supported() tries to load a simple BPF program to
test if BPF works. This is problematic because the function used to load
the program - bpf_program_load_kernel() - emits an error to the log if
BPF is not enabled in the kernel although device controller is not
requested in the configuration. Users could interpret that as a problem.

Make bpf_devices_cgroup_supported() check if the BPF syscall is available
before calling bpf_program_load_kernel(). We can do it by passing a NULL
pointer instead of the syscall argument as the kernel returns either
ENOSYS, when the syscall is not implemented or EFAULT, when it is
implemented.

Signed-off-by: Petr Malat <oss@malat.biz>

diff --git a/src/lxc/cgroups/cgroup2_devices.c b/src/lxc/cgroups/cgroup2_devices.c
index 678e27ed6726e1718f5b606aa3125da193ef9ea9..e4a526fd0500b3dbd4fd96c2cf0cf31b4d3fe7b7 100644 (file)
--- a/src/lxc/cgroups/cgroup2_devices.c
+++ b/src/lxc/cgroups/cgroup2_devices.c
@@ -538,6 +538,10 @@ bool bpf_devices_cgroup_supported(void)
                return log_trace(false,
                                 "The bpf device cgroup requires real root");
 
+       ret = bpf(BPF_PROG_LOAD, NULL, sizeof(union bpf_attr));
+       if (ret < 0 && errno == ENOSYS)
+               return log_trace(false, "The bpf syscall is not available");
+
        prog = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE);
        if (!prog)
                return log_trace(false, "Failed to allocate new bpf device cgroup program");