core: rename restrict-ifaces.[ch] → bpf-restrict-ifaces.[ch]
authorLennart Poettering <lennart@poettering.net>
Thu, 25 Jan 2024 13:02:24 +0000 (14:02 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 25 Jan 2024 15:11:33 +0000 (16:11 +0100)
Let's also clean up the naming of the "restrict-ifaces" BPF code. Let's name
the userspace glue analogous to the actual bpf code in src/core/bpf.

src/core/bpf-restrict-ifaces.c [moved from src/core/restrict-ifaces.c with 91% similarity]
src/core/bpf-restrict-ifaces.h [moved from src/core/restrict-ifaces.h with 52% similarity]
src/core/cgroup.c
src/core/meson.build
src/core/unit-serialize.c

similarity index 91%
rename from src/core/restrict-ifaces.c
rename to src/core/bpf-restrict-ifaces.c
index 4dd8656718961e35054113c41cca9b35ee53ef7b..9cfe49a31802c392c2cb519298061127839cd9a0 100644 (file)
@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include "fd-util.h"
-#include "restrict-ifaces.h"
+#include "bpf-restrict-ifaces.h"
 #include "netlink-util.h"
 
 #if BPF_FRAMEWORK
@@ -72,7 +72,7 @@ static int prepare_restrict_ifaces_bpf(
         return 0;
 }
 
-int restrict_network_interfaces_supported(void) {
+int bpf_restrict_ifaces_supported(void) {
         _cleanup_(restrict_ifaces_bpf_freep) struct restrict_ifaces_bpf *obj = NULL;
         static int supported = -1;
         int r;
@@ -97,7 +97,7 @@ int restrict_network_interfaces_supported(void) {
         return (supported = bpf_can_link_program(obj->progs.sd_restrictif_i));
 }
 
-static int restrict_network_interfaces_install_impl(Unit *u) {
+static int restrict_ifaces_install_impl(Unit *u) {
         _cleanup_(bpf_link_freep) struct bpf_link *egress_link = NULL, *ingress_link = NULL;
         _cleanup_(restrict_ifaces_bpf_freep) struct restrict_ifaces_bpf *obj = NULL;
         _cleanup_free_ char *cgroup_path = NULL;
@@ -143,13 +143,15 @@ static int restrict_network_interfaces_install_impl(Unit *u) {
         return 0;
 }
 
-int restrict_network_interfaces_install(Unit *u) {
-        int r = restrict_network_interfaces_install_impl(u);
+int bpf_restrict_ifaces_install(Unit *u) {
+        int r;
+
+        r = restrict_ifaces_install_impl(u);
         fdset_close(u->initial_restric_ifaces_link_fds);
         return r;
 }
 
-int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds) {
+int bpf_restrict_ifaces_serialize(Unit *u, FILE *f, FDSet *fds) {
         int r;
 
         assert(u);
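Review bot: `bpf_restrict_ifaces_install()` dereferences `u` in `fdset_close(u->initial_restric_ifaces_link_fds)` without an `assert(u);` of its own, while `bpf_restrict_ifaces_serialize()` just below starts with one. Adding `assert(u);` after `int r;` would keep the public entry points consistent. The field name also still carries the `restric` misspelling; since this commit is a naming cleanup, renaming it to `initial_restrict_ifaces_link_fds` in a follow-up would fit. The body of `bpf_restrict_ifaces_serialize()` continues outside this hunk.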
@@ -161,7 +163,7 @@ int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds) {
         return bpf_serialize_link(f, fds, "restrict-ifaces-bpf-fd", u->restrict_ifaces_egress_bpf_link);
 }
 
-int restrict_network_interfaces_add_initial_link_fd(Unit *u, int fd) {
+int bpf_restrict_ifaces_add_initial_link_fd(Unit *u, int fd) {
         int r;
 
         assert(u);
@@ -181,20 +183,20 @@ int restrict_network_interfaces_add_initial_link_fd(Unit *u, int fd) {
 }
 
 #else /* ! BPF_FRAMEWORK */
-int restrict_network_interfaces_supported(void) {
+int bpf_restrict_ifaces_supported(void) {
         return 0;
 }
 
-int restrict_network_interfaces_install(Unit *u) {
+int bpf_restrict_ifaces_install(Unit *u) {
         return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
                         "restrict-interfaces: Failed to install; BPF programs built from source code are not supported: %m");
 }
 
-int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds) {
+int bpf_restrict_ifaces_serialize(Unit *u, FILE *f, FDSet *fds) {
         return 0;
 }
 
-int restrict_network_interfaces_add_initial_link_fd(Unit *u, int fd) {
+int bpf_restrict_ifaces_add_initial_link_fd(Unit *u, int fd) {
         return 0;
 }
 #endif
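Review bot: The `!BPF_FRAMEWORK` stub of `bpf_restrict_ifaces_add_initial_link_fd()` returns 0 without storing or closing `fd`. Its caller in unit_deserialize_state() passes a descriptor obtained from `deserialize_fd()` and casts the result to void, so if that call hands ownership to the callee (not visible in this diff) the descriptor would stay open in the manager after a re-exec into a build without BPF support. If the callee is meant to own the fd, the stub should release it, e.g. `safe_close(fd);` before `return 0;`. Otherwise the header comment should state who closes it.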
similarity index 52%
rename from src/core/restrict-ifaces.h
rename to src/core/bpf-restrict-ifaces.h
index 6e7a824364163ae11d5ab5fcfae2107728f6e2b0..28f74279f519a3409b11e0f247b307b656cda82d 100644 (file)
@@ -6,11 +6,11 @@
 
 typedef struct Unit Unit;
 
-int restrict_network_interfaces_supported(void);
-int restrict_network_interfaces_install(Unit *u);
+int bpf_restrict_ifaces_supported(void);
+int bpf_restrict_ifaces_install(Unit *u);
 
-int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds);
+int bpf_restrict_ifaces_serialize(Unit *u, FILE *f, FDSet *fds);
 
 /* Add BPF link fd created before daemon-reload or daemon-reexec.
  * FDs will be closed at the end of restrict_network_interfaces_install. */
-int restrict_network_interfaces_add_initial_link_fd(Unit *u, int fd);
+int bpf_restrict_ifaces_add_initial_link_fd(Unit *u, int fd);
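Review bot: The comment above `bpf_restrict_ifaces_add_initial_link_fd()` still says the FDs are closed at the end of `restrict_network_interfaces_install`, a name this commit removes. It should read `* FDs will be closed at the end of bpf_restrict_ifaces_install. */` so that a search for the function named in the comment still finds it.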
index 7f360de496c7dfb35cd90a72a718d2718182c989..bc820b7d14457dbada31507d4042bca403724448 100644 (file)
@@ -10,6 +10,7 @@
 #include "bpf-devices.h"
 #include "bpf-firewall.h"
 #include "bpf-foreign.h"
+#include "bpf-restrict-ifaces.h"
 #include "bpf-socket-bind.h"
 #include "btrfs-util.h"
 #include "bus-error.h"
@@ -32,7 +33,6 @@
 #include "percent-util.h"
 #include "process-util.h"
 #include "procfs-util.h"
-#include "restrict-ifaces.h"
 #include "set.h"
 #include "special.h"
 #include "stdio-util.h"
@@ -1849,7 +1849,7 @@ static void cgroup_apply_socket_bind(Unit *u) {
 static void cgroup_apply_restrict_network_interfaces(Unit *u) {
         assert(u);
 
-        (void) restrict_network_interfaces_install(u);
+        (void) bpf_restrict_ifaces_install(u);
 }
 
 static int cgroup_apply_devices(Unit *u) {
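Review bot: `cgroup_apply_restrict_network_interfaces()` discards the result of `bpf_restrict_ifaces_install(u)`, so a failed attach leaves the unit's cgroup without the interface filter and nothing in this caller records that. If best effort is intended, a comment saying so would help, e.g. `/* Best effort: on failure the unit runs without interface restriction; the callee logs the error. */`. Whether every failure path in the callee logs above debug level is not visible in this diff, and the `!BPF_FRAMEWORK` stub logs only at debug level. `cgroup_apply_devices()` begins on the last line of this hunk and continues outside it.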
@@ -3987,7 +3987,7 @@ static int cg_bpf_mask_supported(CGroupMask *ret) {
                 mask |= CGROUP_MASK_BPF_SOCKET_BIND;
 
         /* BPF-based cgroup_skb/{egress|ingress} hooks */
-        r = restrict_network_interfaces_supported();
+        r = bpf_restrict_ifaces_supported();
         if (r < 0)
                 return r;
         if (r > 0)
index a32f0739ce97f332e3d08c0aacbff72c9e545fc7..bda4a3450ebe550250fb977100f83f5f0f83a3c8 100644 (file)
@@ -8,6 +8,7 @@ libcore_sources = files(
         'bpf-firewall.c',
         'bpf-foreign.c',
         'bpf-restrict-fs.c',
+        'bpf-restrict-ifaces.c',
         'bpf-socket-bind.c',
         'cgroup.c',
         'core-varlink.c',
@@ -51,7 +52,6 @@ libcore_sources = files(
         'mount.c',
         'namespace.c',
         'path.c',
-        'restrict-ifaces.c',
         'scope.c',
         'selinux-access.c',
         'selinux-setup.c',
index 40cdb615be4d960a58144dd99efa3127550766ee..7f07bc8e312595a16be165c16035eafc2416ab5d 100644 (file)
@@ -1,5 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
+#include "bpf-restrict-ifaces.h"
 #include "bpf-socket-bind.h"
 #include "bus-util.h"
 #include "dbus.h"
@@ -7,7 +8,6 @@
 #include "fileio.h"
 #include "format-util.h"
 #include "parse-util.h"
-#include "restrict-ifaces.h"
 #include "serialize.h"
 #include "string-table.h"
 #include "unit-serialize.h"
@@ -199,7 +199,7 @@ int unit_serialize_state(Unit *u, FILE *f, FDSet *fds, bool switching_root) {
         (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-ingress-installed", u->ip_bpf_custom_ingress_installed);
         (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-egress-installed", u->ip_bpf_custom_egress_installed);
 
-        (void) serialize_restrict_network_interfaces(u, f, fds);
+        (void) bpf_restrict_ifaces_serialize(u, f, fds);
 
         if (uid_is_valid(u->ref_uid))
                 (void) serialize_item_format(f, "ref-uid", UID_FMT, u->ref_uid);
@@ -445,7 +445,7 @@ int unit_deserialize_state(Unit *u, FILE *f, FDSet *fds) {
 
                         fd = deserialize_fd(fds, v);
                         if (fd >= 0)
-                                (void) restrict_network_interfaces_add_initial_link_fd(u, fd);
+                                (void) bpf_restrict_ifaces_add_initial_link_fd(u, fd);
 
                         continue;