From: Lennart Poettering
Date: Fri, 16 Feb 2018 13:58:12 +0000 (+0100)
Subject: bpf-program: optionally take fd of program to detach
X-Git-Tag: v238~68^2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b3c189786a637fbd3b402a1c09626cb831c0fd3;p=thirdparty%2Fsystemd.git
bpf-program: optionally take fd of program to detach
This is useful for BPF_F_ALLOW_MULTI programs, where the kernel requires us to specify the fd.
---
diff --git a/src/basic/bpf-program.c b/src/basic/bpf-program.c
index 3690f812ae8..4745950e644 100644
--- a/src/basic/bpf-program.c
+++ b/src/basic/bpf-program.c
@@ -117,12 +117,16 @@ int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path, uint32_
 return 0;
 }
-int bpf_program_cgroup_detach(int type, const char *path) {
+int bpf_program_cgroup_detach(BPFProgram *p, int type, const char *path) {
 _cleanup_close_ int fd = -1;
 union bpf_attr attr;
+ assert(type >= 0);
 assert(path);
+ /* Note that 'p' may be NULL, in which case any program is detached. However, note that if BPF_F_ALLOW_MULTI is
+ * used 'p' is not optional. */
+
 fd = open(path, O_DIRECTORY|O_RDONLY|O_CLOEXEC);
 if (fd < 0)
 return -errno;
@@ -130,6 +134,7 @@ int bpf_program_cgroup_detach(int type, const char *path) {
 attr = (union bpf_attr) {
 .attach_type = type,
 .target_fd = fd,
+ .attach_bpf_fd = p ? p->kernel_fd : -1,
 };
 if (bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0)
diff --git a/src/basic/bpf-program.h b/src/basic/bpf-program.h
index 146350d18e0..996c1c1ad15 100644
--- a/src/basic/bpf-program.h
+++ b/src/basic/bpf-program.h
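Review bot: In the second hunk of bpf-program.c, `.attach_bpf_fd = p ? p->kernel_fd : -1` gives the kernel the same -1 for a non-NULL `p` that was never loaded as for the documented NULL case, so a caller naming one specific program could silently get the "any program is detached" behaviour described by the comment in the first hunk. The BPFProgram struct is not visible here, so this assumes kernel_fd stays negative until bpf_program_load_kernel() has succeeded; if that holds, reject the case before the open() with `if (p && p->kernel_fd < 0) return -EBADF;`. The added comment could also state that with NULL the call removes whatever is attached at that hook, including a program this process did not attach. The function body continues past the end of the second hunk.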
@@ -47,7 +47,7 @@ int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, siz
 int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size);
 int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path, uint32_t flags);
-int bpf_program_cgroup_detach(int type, const char *path);
+int bpf_program_cgroup_detach(BPFProgram *p, int type, const char *path);
 int bpf_map_new(enum bpf_map_type type, size_t key_size, size_t value_size, size_t max_entries, uint32_t flags);
 int bpf_map_update_element(int fd, const void *key, void *value);
diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
index e717be2ce7c..bbc876ba39f 100644
--- a/src/core/bpf-firewall.c
+++ b/src/core/bpf-firewall.c
@@ -573,7 +573,7 @@ int bpf_firewall_install(Unit *u) {
 if (r < 0)
 return log_error_errno(r, "Attaching egress BPF program to cgroup %s failed: %m", path);
 } else {
- r = bpf_program_cgroup_detach(BPF_CGROUP_INET_EGRESS, path);
+ r = bpf_program_cgroup_detach(NULL, BPF_CGROUP_INET_EGRESS, path);
 if (r < 0)
 return log_full_errno(r == -ENOENT ? LOG_DEBUG : LOG_ERR, r, "Detaching egress BPF program from cgroup failed: %m");
@@ -588,7 +588,7 @@ int bpf_firewall_install(Unit *u) {
 if (r < 0)
 return log_error_errno(r, "Attaching ingress BPF program to cgroup %s failed: %m", path);
 } else {
- r = bpf_program_cgroup_detach(BPF_CGROUP_INET_INGRESS, path);
+ r = bpf_program_cgroup_detach(NULL, BPF_CGROUP_INET_INGRESS, path);
 if (r < 0)
 return log_full_errno(r == -ENOENT ? LOG_DEBUG : LOG_ERR, r, "Detaching ingress BPF program from cgroup failed: %m");
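Review bot: Both else branches in bpf-firewall.c (the egress hunk at -573 and the ingress hunk at -588) pass NULL, so they use the untargeted detach, which per the comment added in bpf-program.c cannot remove a program attached with BPF_F_ALLOW_MULTI. The flags used by the attach branches are not visible in these hunks, so whether that case can occur here is unclear; if it can, the detach would presumably fail with an errno other than ENOENT and the previously installed filter would stay attached, reported at LOG_ERR. A short comment at each call would record the limitation, e.g. `/* No program object in this branch: untargeted detach, fails for BPF_F_ALLOW_MULTI attachments */`. bpf_firewall_install() starts and ends outside both hunks.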