From: Lennart Poettering Date: Thu, 25 Jan 2024 13:02:24 +0000 (+0100) Subject: core: rename restrict-ifaces.[ch] → bpf-restrict-ifaces.[ch] X-Git-Tag: v256-rc1~1037^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=62e22490205428fa557230bf72dc46516a07ee03;p=thirdparty%2Fsystemd.git core: rename restrict-ifaces.[ch] → bpf-restrict-ifaces.[ch] Let's also clean-up naming of the "restrict-ifaces" BPF code. Let's name the userspace glue analogous to the actual bpf code in src/core/bpf. --- diff --git a/src/core/restrict-ifaces.c b/src/core/bpf-restrict-ifaces.c similarity index 91% rename from src/core/restrict-ifaces.c rename to src/core/bpf-restrict-ifaces.c index 4dd86567189..9cfe49a3180 100644 --- a/src/core/restrict-ifaces.c +++ b/src/core/bpf-restrict-ifaces.c @@ -1,7 +1,7 @@ /* SPDX-License-Identifier: LGPL-2.1-or-later */ #include "fd-util.h" -#include "restrict-ifaces.h" +#include "bpf-restrict-ifaces.h" #include "netlink-util.h" #if BPF_FRAMEWORK @@ -72,7 +72,7 @@ static int prepare_restrict_ifaces_bpf( return 0; } -int restrict_network_interfaces_supported(void) { +int bpf_restrict_ifaces_supported(void) { _cleanup_(restrict_ifaces_bpf_freep) struct restrict_ifaces_bpf *obj = NULL; static int supported = -1; int r; @@ -97,7 +97,7 @@ int restrict_network_interfaces_supported(void) { return (supported = bpf_can_link_program(obj->progs.sd_restrictif_i)); } -static int restrict_network_interfaces_install_impl(Unit *u) { +static int restrict_ifaces_install_impl(Unit *u) { _cleanup_(bpf_link_freep) struct bpf_link *egress_link = NULL, *ingress_link = NULL; _cleanup_(restrict_ifaces_bpf_freep) struct restrict_ifaces_bpf *obj = NULL; _cleanup_free_ char *cgroup_path = NULL; 
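Review bot: In the `@@ -1,7 +1,7 @@` hunk of src/core/bpf-restrict-ifaces.c the renamed include stays between `fd-util.h` and `netlink-util.h`, so the include list is no longer alphabetically sorted. The same commit moves the include to its sorted position in cgroup.c and unit-serialize.c. Putting `#include "bpf-restrict-ifaces.h"` ahead of `#include "fd-util.h"` would keep this file consistent with those two.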
@@ -143,13 +143,15 @@ static int restrict_network_interfaces_install_impl(Unit *u) { return 0; } -int restrict_network_interfaces_install(Unit *u) { - int r = restrict_network_interfaces_install_impl(u); +int bpf_restrict_ifaces_install(Unit *u) { + int r; + + r = restrict_ifaces_install_impl(u); fdset_close(u->initial_restric_ifaces_link_fds); return r; } -int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds) { +int bpf_restrict_ifaces_serialize(Unit *u, FILE *f, FDSet *fds) { int r; assert(u); @@ -161,7 +163,7 @@ int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds) { return bpf_serialize_link(f, fds, "restrict-ifaces-bpf-fd", u->restrict_ifaces_egress_bpf_link); } -int restrict_network_interfaces_add_initial_link_fd(Unit *u, int fd) { +int bpf_restrict_ifaces_add_initial_link_fd(Unit *u, int fd) { int r; assert(u); @@ -181,20 +183,20 @@ int restrict_network_interfaces_add_initial_link_fd(Unit *u, int fd) { } #else /* ! BPF_FRAMEWORK */ -int restrict_network_interfaces_supported(void) { +int bpf_restrict_ifaces_supported(void) { return 0; } -int restrict_network_interfaces_install(Unit *u) { +int bpf_restrict_ifaces_install(Unit *u) { return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "restrict-interfaces: Failed to install; BPF programs built from source code are not supported: %m"); } -int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds) { +int bpf_restrict_ifaces_serialize(Unit *u, FILE *f, FDSet *fds) { return 0; } -int restrict_network_interfaces_add_initial_link_fd(Unit *u, int fd) { +int bpf_restrict_ifaces_add_initial_link_fd(Unit *u, int fd) { return 0; } #endif diff --git a/src/core/restrict-ifaces.h b/src/core/bpf-restrict-ifaces.h similarity index 52% rename from src/core/restrict-ifaces.h rename to src/core/bpf-restrict-ifaces.h index 6e7a8243641..28f74279f51 100644 --- a/src/core/restrict-ifaces.h +++ b/src/core/bpf-restrict-ifaces.h 
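Review bot: The `!BPF_FRAMEWORK` stub of `bpf_restrict_ifaces_add_initial_link_fd()` in the `@@ -181,20 +183,20 @@` hunk returns 0 without storing or closing `fd`. The only caller visible in this commit, `unit_deserialize_state()` in unit-serialize.c, discards the return value and does not close the descriptor either. If a serialized `restrict-ifaces-bpf-fd` entry can reach a build without BPF support, for example across a daemon-reexec into a differently built binary, the link fd would apparently stay open in the manager. The header comment should say who owns `fd` on success and on failure, and the stub could release it with `safe_close(fd); return 0;`, provided that matches the ownership rule of the BPF-enabled implementation, whose body lies outside the hunk.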
@@ -6,11 +6,11 @@ typedef struct Unit Unit; -int restrict_network_interfaces_supported(void); -int restrict_network_interfaces_install(Unit *u); +int bpf_restrict_ifaces_supported(void); +int bpf_restrict_ifaces_install(Unit *u); -int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds); +int bpf_restrict_ifaces_serialize(Unit *u, FILE *f, FDSet *fds); /* Add BPF link fd created before daemon-reload or daemon-reexec. * FDs will be closed at the end of restrict_network_interfaces_install. */ -int restrict_network_interfaces_add_initial_link_fd(Unit *u, int fd); +int bpf_restrict_ifaces_add_initial_link_fd(Unit *u, int fd); diff --git a/src/core/cgroup.c b/src/core/cgroup.c index 7f360de496c..bc820b7d144 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -10,6 +10,7 @@ #include "bpf-devices.h" #include "bpf-firewall.h" #include "bpf-foreign.h" +#include "bpf-restrict-ifaces.h" #include "bpf-socket-bind.h" #include "btrfs-util.h" #include "bus-error.h" @@ -32,7 +33,6 @@ #include "percent-util.h" #include "process-util.h" #include "procfs-util.h" -#include "restrict-ifaces.h" #include "set.h" #include "special.h" #include "stdio-util.h" @@ -1849,7 +1849,7 @@ static void cgroup_apply_socket_bind(Unit *u) { static void cgroup_apply_restrict_network_interfaces(Unit *u) { assert(u); - (void) restrict_network_interfaces_install(u); + (void) bpf_restrict_ifaces_install(u); } static int cgroup_apply_devices(Unit *u) { @@ -3987,7 +3987,7 @@ static int cg_bpf_mask_supported(CGroupMask *ret) { mask |= CGROUP_MASK_BPF_SOCKET_BIND; /* BPF-based cgroup_skb/{egress|ingress} hooks */ - r = restrict_network_interfaces_supported(); + r = bpf_restrict_ifaces_supported(); if (r < 0) return r; if (r > 0) diff --git a/src/core/meson.build b/src/core/meson.build index a32f0739ce9..bda4a3450eb 100644 --- a/src/core/meson.build +++ b/src/core/meson.build 
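Review bot: The comment above `bpf_restrict_ifaces_add_initial_link_fd()` in bpf-restrict-ifaces.h still names the old function, `restrict_network_interfaces_install`, which no longer exists after this rename. It should read `* FDs will be closed at the end of bpf_restrict_ifaces_install(). */` so that the fd lifetime it documents can still be traced to the function that closes the set.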
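Review bot: `cgroup_apply_restrict_network_interfaces()` in the `@@ -1849,7 +1849,7 @@` hunk of cgroup.c casts the result of `bpf_restrict_ifaces_install(u)` to void. A failed install therefore apparently leaves the unit running without the interface filter it was configured with, and in the stub build the only trace is a debug-level message. If this fail-open behaviour is intended, a comment such as `/* Best effort: on failure the unit runs without interface restrictions; the callee logs the reason */` would make the decision explicit. Otherwise the return value should at least be logged at warning level here. How the BPF-enabled implementation reports failures is not visible in this diff.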
@@ -8,6 +8,7 @@ libcore_sources = files( 'bpf-firewall.c', 'bpf-foreign.c', 'bpf-restrict-fs.c', + 'bpf-restrict-ifaces.c', 'bpf-socket-bind.c', 'cgroup.c', 'core-varlink.c', @@ -51,7 +52,6 @@ libcore_sources = files( 'mount.c', 'namespace.c', 'path.c', - 'restrict-ifaces.c', 'scope.c', 'selinux-access.c', 'selinux-setup.c', diff --git a/src/core/unit-serialize.c b/src/core/unit-serialize.c index 40cdb615be4..7f07bc8e312 100644 --- a/src/core/unit-serialize.c +++ b/src/core/unit-serialize.c @@ -1,5 +1,6 @@ /* SPDX-License-Identifier: LGPL-2.1-or-later */ +#include "bpf-restrict-ifaces.h" #include "bpf-socket-bind.h" #include "bus-util.h" #include "dbus.h" @@ -7,7 +8,6 @@ #include "fileio.h" #include "format-util.h" #include "parse-util.h" -#include "restrict-ifaces.h" #include "serialize.h" #include "string-table.h" #include "unit-serialize.h" @@ -199,7 +199,7 @@ int unit_serialize_state(Unit *u, FILE *f, FDSet *fds, bool switching_root) { (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-ingress-installed", u->ip_bpf_custom_ingress_installed); (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-egress-installed", u->ip_bpf_custom_egress_installed); - (void) serialize_restrict_network_interfaces(u, f, fds); + (void) bpf_restrict_ifaces_serialize(u, f, fds); if (uid_is_valid(u->ref_uid)) (void) serialize_item_format(f, "ref-uid", UID_FMT, u->ref_uid); @@ -445,7 +445,7 @@ int unit_deserialize_state(Unit *u, FILE *f, FDSet *fds) { fd = deserialize_fd(fds, v); if (fd >= 0) - (void) restrict_network_interfaces_add_initial_link_fd(u, fd); + (void) bpf_restrict_ifaces_add_initial_link_fd(u, fd); continue;