From: Petr Malat
Date: Mon, 19 Jul 2021 10:28:45 +0000 (+0200)
Subject: bpf: bpf_devices_cgroup_supported() should check if bpf() is available
X-Git-Tag: lxc-5.0.0~134^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7bf85dd20e986133324ef9d7232a2e70742d9d72;p=thirdparty%2Flxc.git

bpf: bpf_devices_cgroup_supported() should check if bpf() is available

bpf_devices_cgroup_supported() tries to load a simple BPF program to test if BPF works. This is problematic because the function used to load the program - bpf_program_load_kernel() - emits an error to the log if BPF is not enabled in the kernel although device controller is not requested in the configuration. Users could interpret that as a problem.

Make bpf_devices_cgroup_supported() check if the BPF syscall is available before calling bpf_program_load_kernel(). We can do it by passing a NULL pointer instead of the syscall argument as the kernel returns either ENOSYS, when the syscall is not implemented or EFAULT, when it is implemented.

Signed-off-by: Petr Malat
---
diff --git a/src/lxc/cgroups/cgroup2_devices.c b/src/lxc/cgroups/cgroup2_devices.c index 678e27ed6..e4a526fd0 100644 --- a/src/lxc/cgroups/cgroup2_devices.c +++ b/src/lxc/cgroups/cgroup2_devices.c @@ -538,6 +538,10 @@ bool bpf_devices_cgroup_supported(void) return log_trace(false, "The bpf device cgroup requires real root"); + ret = bpf(BPF_PROG_LOAD, NULL, sizeof(union bpf_attr)); + if (ret < 0 && errno == ENOSYS) + return log_trace(false, "The bpf syscall is not available"); + prog = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE); if (!prog) return log_trace(false, "Failed to allocate new bpf device cgroup program");
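
Review bot: The new check `if (ret < 0 && errno == ENOSYS)` treats only ENOSYS as "bpf() unavailable", so any other failure of the NULL probe that is not the expected EFAULT (for example EPERM where a seccomp filter denies the syscall) falls through to bpf_program_load_kernel(), which per the commit message logs an error, the outcome this change is meant to avoid. Consider returning false for every errno other than EFAULT, e.g. `if (ret < 0 && errno != EFAULT)`, and including the errno in the trace message. The NULL argument in the `bpf(BPF_PROG_LOAD, NULL, ...)` call also deserves a short code comment stating that EFAULT is the expected result on a kernel that implements the syscall, since that reasoning currently lives only in the commit message.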