core/cgroup: foreign bpf programs needs to pass bpf_program_supported()

As CONFIG_CGROUP_BPF may be disabled on the kernel or we are running on
sanitizers. See comments in bpf_program_supported().

Follow-up for 3fcb98cbff0a5be8bf7c5deda6c1f7e8a31699bd.

diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 2a74380a283d59693ea1362304271323949b8bf6..d58820df838c94f71254daddffd016c7e4e14f98 100644 (file)
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -3273,8 +3273,9 @@ static int cg_bpf_mask_supported(CGroupMask *ret) {
         if (r > 0)
                 mask |= CGROUP_MASK_BPF_DEVICES;
 
-        /* BPF pinned prog (always supported by cgroup v2) */
-        mask |= CGROUP_MASK_BPF_FOREIGN;
+        /* BPF pinned prog */
+        if (bpf_program_supported() > 0)
+                mask |= CGROUP_MASK_BPF_FOREIGN;
 
         /* BPF-based bind{4|6} hooks */
         r = bpf_socket_bind_supported();

diff --git a/src/test/test-bpf-foreign-programs.c b/src/test/test-bpf-foreign-programs.c
index 658746afa06313d6a15342d209944f1209ef8dcc..3128b26b8eb54454bb4b263d9bfd74add3702f4e 100644 (file)
--- a/src/test/test-bpf-foreign-programs.c
+++ b/src/test/test-bpf-foreign-programs.c
@@ -279,8 +279,9 @@ int main(int argc, char *argv[]) {
         if (detect_container() > 0)
                 return log_tests_skipped("test-bpf fails inside LXC and Docker containers: https://github.com/systemd/systemd/issues/9666");
 
-        if (getuid() != 0)
-                return log_tests_skipped("not running as root");
+        r = bpf_program_supported();
+        if (r < 0)
+                return log_tests_skipped_errno(r, "not running as root");
 
         ASSERT_OK(getrlimit(RLIMIT_MEMLOCK, &rl));
         rl.rlim_cur = rl.rlim_max = MAX(rl.rlim_max, CAN_MEMLOCK_SIZE);