return supported;
if (supported == BPF_FIREWALL_UNSUPPORTED)
return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
- "BPF firewalling not supported on this manager, proceeding without.");
+ "bpf-firewall: BPF firewalling not supported, proceeding without.");
if (supported != BPF_FIREWALL_SUPPORTED_WITH_MULTI && u->type == UNIT_SLICE)
/* If BPF_F_ALLOW_MULTI is not supported we don't support any BPF magic on inner nodes (i.e. on slice
* units), since that would mean leaf nodes couldn't do any BPF anymore at all. Under the assumption
* consistent with old systemd behaviour from before v238, where BPF wasn't supported in inner nodes at
* all, either. */
return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
- "BPF_F_ALLOW_MULTI is not supported on this manager, not doing BPF firewall on slice units.");
+ "bpf-firewall: BPF_F_ALLOW_MULTI is not supported, not doing BPF firewall on slice units.");
/* If BPF_F_ALLOW_MULTI flag is supported program name is also supported (both were added to v4.15
* kernel). */
r = bpf_firewall_prepare_access_maps(u, ACCESS_ALLOWED, &u->ipv4_allow_map_fd, &u->ipv6_allow_map_fd, &ip_allow_any);
if (r < 0)
- return log_unit_error_errno(u, r, "Preparation of eBPF allow maps failed: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Preparation of BPF allow maps failed: %m");
r = bpf_firewall_prepare_access_maps(u, ACCESS_DENIED, &u->ipv4_deny_map_fd, &u->ipv6_deny_map_fd, &ip_deny_any);
if (r < 0)
- return log_unit_error_errno(u, r, "Preparation of eBPF deny maps failed: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Preparation of BPF deny maps failed: %m");
}
r = bpf_firewall_prepare_accounting_maps(u, cc->ip_accounting, &u->ip_accounting_ingress_map_fd, &u->ip_accounting_egress_map_fd);
if (r < 0)
- return log_unit_error_errno(u, r, "Preparation of eBPF accounting maps failed: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Preparation of BPF accounting maps failed: %m");
r = bpf_firewall_compile_bpf(u, ingress_name, true, &u->ip_bpf_ingress, ip_allow_any, ip_deny_any);
if (r < 0)
- return log_unit_error_errno(u, r, "Compilation for ingress BPF program failed: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Compilation of ingress BPF program failed: %m");
r = bpf_firewall_compile_bpf(u, egress_name, false, &u->ip_bpf_egress, ip_allow_any, ip_deny_any);
if (r < 0)
- return log_unit_error_errno(u, r, "Compilation for egress BPF program failed: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Compilation of egress BPF program failed: %m");
return 0;
}
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, NULL, &prog);
if (r < 0)
- return log_unit_error_errno(u, r, "Can't allocate CGROUP SKB BPF program: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Allocation of SKB BPF program failed: %m");
r = bpf_program_load_from_bpf_fs(prog, *bpf_fs_path);
if (r < 0)
- return log_unit_error_errno(u, r, "Loading of ingress BPF program %s failed: %m", *bpf_fs_path);
+ return log_unit_error_errno(u, r, "bpf-firewall: Loading of ingress BPF program %s failed: %m", *bpf_fs_path);
r = set_ensure_consume(set, &bpf_program_hash_ops, TAKE_PTR(prog));
if (r < 0)
- return log_unit_error_errno(u, r, "Can't add program to BPF program set: %m");
+ return log_oom();
}
return 0;
return supported;
if (supported != BPF_FIREWALL_SUPPORTED_WITH_MULTI)
- return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "BPF_F_ALLOW_MULTI not supported on this manager, cannot attach custom BPF programs.");
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "bpf-firewall: BPF_F_ALLOW_MULTI not supported, cannot attach custom BPF programs.");
r = load_bpf_progs_from_fs_to_set(u, cc->ip_filters_ingress, &u->ip_bpf_custom_ingress);
if (r < 0)
SET_FOREACH_MOVE(prog, *set_installed, *set) {
r = bpf_program_cgroup_attach(prog, attach_type, path, BPF_F_ALLOW_MULTI);
if (r < 0)
- return log_unit_error_errno(u, r, "Attaching custom egress BPF program to cgroup %s failed: %m", path);
+ return log_unit_error_errno(u, r, "bpf-firewall: Attaching custom egress BPF program to cgroup %s failed: %m", path);
}
return 0;
}
if (supported < 0)
return supported;
if (supported == BPF_FIREWALL_UNSUPPORTED)
- return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "BPF firewalling not supported on this manager, proceeding without.");
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "bpf-firewall: BPF firewalling not supported, proceeding without.");
if (supported != BPF_FIREWALL_SUPPORTED_WITH_MULTI && u->type == UNIT_SLICE)
- return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "BPF_F_ALLOW_MULTI is not supported on this manager, not doing BPF firewall on slice units.");
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "bpf-firewall: BPF_F_ALLOW_MULTI not supported, not doing BPF firewall on slice units.");
if (supported != BPF_FIREWALL_SUPPORTED_WITH_MULTI &&
(!set_isempty(u->ip_bpf_custom_ingress) || !set_isempty(u->ip_bpf_custom_egress)))
- return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "BPF_F_ALLOW_MULTI not supported on this manager, cannot attach custom BPF programs.");
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "bpf-firewall: BPF_F_ALLOW_MULTI not supported, cannot attach custom BPF programs.");
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, NULL, &path);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to determine cgroup path: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Failed to determine cgroup path: %m");
flags = supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI ? BPF_F_ALLOW_MULTI : 0;
if (u->ip_bpf_egress) {
r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, flags);
if (r < 0)
- return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path);
+ return log_unit_error_errno(u, r,
+ "bpf-firewall: Attaching egress BPF program to cgroup %s failed: %m", path);
/* Remember that this BPF program is installed now. */
u->ip_bpf_egress_installed = TAKE_PTR(u->ip_bpf_egress);
if (u->ip_bpf_ingress) {
r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, flags);
if (r < 0)
- return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path);
+ return log_unit_error_errno(u, r,
+ "bpf-firewall: Attaching ingress BPF program to cgroup %s failed: %m", path);
u->ip_bpf_ingress_installed = TAKE_PTR(u->ip_bpf_ingress);
}
r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
if (r < 0)
- return log_error_errno(r, "Can't determine whether the unified hierarchy is used: %m");
+ return log_error_errno(r, "bpf-firewall: Can't determine whether the unified hierarchy is used: %m");
if (r == 0) {
bpf_firewall_unsupported_reason =
log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
- "Not running with unified cgroups, BPF firewalling is not supported.");
+ "bpf-firewall: Not running with unified cgroup hierarchy, BPF firewalling is not supported.");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, NULL, &program);
if (r < 0) {
bpf_firewall_unsupported_reason =
- log_debug_errno(r, "Can't allocate CGROUP SKB BPF program, BPF firewalling is not supported: %m");
+ log_debug_errno(r, "bpf-firewall: Can't allocate CGROUP SKB BPF program, BPF firewalling is not supported: %m");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
r = bpf_program_add_instructions(program, trivial, ELEMENTSOF(trivial));
if (r < 0) {
bpf_firewall_unsupported_reason =
- log_debug_errno(r, "Can't add trivial instructions to CGROUP SKB BPF program, BPF firewalling is not supported: %m");
+ log_debug_errno(r, "bpf-firewall: Can't add trivial instructions to CGROUP SKB BPF program, BPF firewalling is not supported: %m");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
r = bpf_program_load_kernel(program, NULL, 0);
if (r < 0) {
bpf_firewall_unsupported_reason =
- log_debug_errno(r, "Can't load kernel CGROUP SKB BPF program, BPF firewalling is not supported: %m");
+ log_debug_errno(r, "bpf-firewall: Can't load kernel CGROUP SKB BPF program, BPF firewalling is not supported: %m");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
if (bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0) {
if (errno != EBADF) {
bpf_firewall_unsupported_reason =
- log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_DETACH, BPF firewalling is not supported: %m");
+ log_debug_errno(errno, "bpf-firewall: Didn't get EBADF from BPF_PROG_DETACH, BPF firewalling is not supported: %m");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
} else {
bpf_firewall_unsupported_reason =
log_debug_errno(SYNTHETIC_ERRNO(EBADE),
- "Wut? Kernel accepted our invalid BPF_PROG_DETACH call? "
+ "bpf-firewall: Wut? Kernel accepted our invalid BPF_PROG_DETACH call? "
"Something is weird, assuming BPF firewalling is broken and hence not supported.");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0) {
if (errno == EBADF) {
- log_debug_errno(errno, "Got EBADF when using BPF_F_ALLOW_MULTI, which indicates it is supported. Yay!");
+ log_debug_errno(errno, "bpf-firewall: Got EBADF when using BPF_F_ALLOW_MULTI, which indicates it is supported. Yay!");
return supported = BPF_FIREWALL_SUPPORTED_WITH_MULTI;
}
if (errno == EINVAL)
- log_debug_errno(errno, "Got EINVAL error when using BPF_F_ALLOW_MULTI, which indicates it's not supported.");
+ log_debug_errno(errno, "bpf-firewall: Got EINVAL error when using BPF_F_ALLOW_MULTI, which indicates it's not supported.");
else
- log_debug_errno(errno, "Got unexpected error when using BPF_F_ALLOW_MULTI, assuming it's not supported: %m");
+ log_debug_errno(errno, "bpf-firewall: Got unexpected error when using BPF_F_ALLOW_MULTI, assuming it's not supported: %m");
return supported = BPF_FIREWALL_SUPPORTED;
} else {
bpf_firewall_unsupported_reason =
log_debug_errno(SYNTHETIC_ERRNO(EBADE),
- "Wut? Kernel accepted our invalid BPF_PROG_ATTACH+BPF_F_ALLOW_MULTI call? "
+ "bpf-firewall: Wut? Kernel accepted our invalid BPF_PROG_ATTACH+BPF_F_ALLOW_MULTI call? "
"Something is weird, assuming BPF firewalling is broken and hence not supported.");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
HASHMAP_FOREACH_KEY(prog, key, foreign_by_key) {
r = bpf_program_cgroup_attach(prog, key->attach_type, path, attach_flags);
if (r < 0)
- return log_unit_error_errno(u, r, "Attaching foreign BPF program to cgroup %s failed: %m", path);
+ return log_unit_error_errno(u, r, "bpf-foreign: Attaching foreign BPF program to cgroup %s failed: %m", path);
}
return 0;
r = path_is_fs_type(bpffs_path, BPF_FS_MAGIC);
if (r < 0)
return log_unit_error_errno(u, r,
- "Failed to determine filesystem type of %s: %m", bpffs_path);
+ "bpf-foreign: Failed to determine filesystem type of %s: %m", bpffs_path);
if (r == 0)
return log_unit_error_errno(u, SYNTHETIC_ERRNO(EINVAL),
- "Path in BPF filesystem is expected.");
+ "bpf-foreign: Path in BPF filesystem is expected.");
r = bpf_program_new_from_bpffs_path(bpffs_path, &prog);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to create foreign BPFProgram: %m");
+ return log_unit_error_errno(u, r, "bpf-foreign: Failed to create foreign BPF program: %m");
r = bpf_program_get_id_by_fd(prog->kernel_fd, &prog_id);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to get BPF program id by fd: %m");
+ return log_unit_error_errno(u, r, "bpf-foreign: Failed to get BPF program id from fd: %m");
r = bpf_foreign_key_new(prog_id, attach_type, &key);
if (r < 0)
return log_unit_error_errno(u, r,
- "Failed to create foreign BPF program key from path '%s': %m", bpffs_path);
+ "bpf-foreign: Failed to create foreign BPF program key from path '%s': %m", bpffs_path);
r = hashmap_ensure_put(&u->bpf_foreign_by_key, &bpf_foreign_by_key_hash_ops, key, prog);
if (r == -EEXIST) {
- log_unit_warning_errno(u, r, "Foreign BPF program already exists, ignoring: %m");
+ log_unit_warning_errno(u, r, "bpf-foreign: Foreign BPF program already exists, ignoring: %m");
return 0;
}
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to put foreign BPFProgram into map: %m");
+ return log_unit_error_errno(u, r, "bpf-foreign: Failed to put foreign BPF program into map: %m");
TAKE_PTR(key);
TAKE_PTR(prog);
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, NULL, &cgroup_path);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to get cgroup path: %m");
+ return log_unit_error_errno(u, r, "bpf-foreign: Failed to get cgroup path: %m");
LIST_FOREACH(programs, p, cc->bpf_foreign_programs) {
r = bpf_foreign_prepare(u, p->attach_type, p->bpffs_path);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to prepare foreign BPF hashmap: %m");
+ return log_unit_error_errno(u, r, "bpf-foreign: Failed to prepare foreign BPF hashmap: %m");
}
r = attach_programs(u, cgroup_path, u->bpf_foreign_by_key, BPF_F_ALLOW_MULTI);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to install foreign BPF programs: %m");
+ return log_unit_error_errno(u, r, "bpf-foreign: Failed to install foreign BPF programs: %m");
return 0;
}
obj = restrict_fs_bpf__open();
if (!obj)
- return log_error_errno(errno, "Failed to open BPF object: %m");
+ return log_error_errno(errno, "bpf-lsm: Failed to open BPF object: %m");
/* TODO Maybe choose a number based on runtime information? */
r = sym_bpf_map__resize(obj->maps.cgroup_hash, CGROUP_HASH_SIZE_MAX);
assert(r <= 0);
if (r < 0)
- return log_error_errno(r, "Failed to resize BPF map '%s': %m",
+ return log_error_errno(r, "bpf-lsm: Failed to resize BPF map '%s': %m",
sym_bpf_map__name(obj->maps.cgroup_hash));
/* Dummy map to satisfy the verifier */
inner_map_fd = sym_bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(uint32_t), 128, 0);
if (inner_map_fd < 0)
- return log_error_errno(errno, "Failed to create BPF map: %m");
+ return log_error_errno(errno, "bpf-lsm: Failed to create BPF map: %m");
r = sym_bpf_map__set_inner_map_fd(obj->maps.cgroup_hash, inner_map_fd);
assert(r <= 0);
if (r < 0)
- return log_error_errno(r, "Failed to set inner map fd: %m");
+ return log_error_errno(r, "bpf-lsm: Failed to set inner map fd: %m");
r = restrict_fs_bpf__load(obj);
assert(r <= 0);
if (r < 0)
- return log_error_errno(r, "Failed to load BPF object: %m");
+ return log_error_errno(r, "bpf-lsm: Failed to load BPF object: %m");
*ret_obj = TAKE_PTR(obj);
r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list);
if (r < 0) {
if (r != -ENOENT)
- log_notice_errno(r, "Failed to read /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
+ log_notice_errno(r, "bpf-lsm: Failed to read /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
return 0;
}
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
- log_notice_errno(r, "Failed to parse /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
+ log_notice_errno(r, "bpf-lsm: Failed to parse /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
return 0;
}
r = mac_bpf_use();
if (r < 0) {
- log_warning_errno(r, "Can't determine whether the BPF LSM module is used: %m");
+ log_warning_errno(r, "bpf-lsm: Can't determine whether the BPF LSM module is used: %m");
return (supported = false);
}
if (r == 0) {
log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "BPF LSM hook not enabled in the kernel, LSM BPF not supported");
+ "bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported");
return (supported = false);
}
if (!bpf_can_link_lsm_program(obj->progs.restrict_filesystems)) {
log_warning_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "Failed to link BPF program. Assuming BPF is not available");
+ "bpf-lsm: Failed to link program; assuming BPF LSM is not available");
return (supported = false);
}
link = sym_bpf_program__attach_lsm(obj->progs.restrict_filesystems);
r = sym_libbpf_get_error(link);
if (r != 0)
- return log_error_errno(r, "Failed to link '%s' LSM BPF program: %m",
+ return log_error_errno(r, "bpf-lsm: Failed to link '%s' LSM BPF program: %m",
sym_bpf_program__name(obj->progs.restrict_filesystems));
- log_info("LSM BPF program attached");
+ log_info("bpf-lsm: LSM BPF program attached");
obj->links.restrict_filesystems = TAKE_PTR(link);
m->restrict_fs = TAKE_PTR(obj);
if (!u->manager->restrict_fs)
return log_unit_error_errno(u, SYNTHETIC_ERRNO(EINVAL),
- "Restrict filesystems BPF object is not set, BPF LSM setup has failed?");
+ "bpf-lsm: BPF LSM object is not installed, has setup failed?");
int inner_map_fd = sym_bpf_create_map(
BPF_MAP_TYPE_HASH,
128, /* Should be enough for all filesystem types */
0);
if (inner_map_fd < 0)
- return log_unit_error_errno(u, errno, "Failed to create inner LSM map: %m");
+ return log_unit_error_errno(u, errno, "bpf-lsm: Failed to create inner BPF map: %m");
int outer_map_fd = sym_bpf_map__fd(u->manager->restrict_fs->maps.cgroup_hash);
if (outer_map_fd < 0)
- return log_unit_error_errno(u, errno, "Failed to get BPF map fd: %m");
+ return log_unit_error_errno(u, errno, "bpf-lsm: Failed to get BPF map fd: %m");
if (sym_bpf_map_update_elem(outer_map_fd, &u->cgroup_id, &inner_map_fd, BPF_ANY) != 0)
- return log_unit_error_errno(u, errno, "Error populating LSM BPF map: %m");
+ return log_unit_error_errno(u, errno, "bpf-lsm: Error populating BPF map: %m");
uint32_t allow = allow_list;
/* Use key 0 to store whether this is an allow list or a deny list */
if (sym_bpf_map_update_elem(inner_map_fd, &zero, &allow, BPF_ANY) != 0)
- return log_unit_error_errno(u, errno, "Error initializing BPF map: %m");
+ return log_unit_error_errno(u, errno, "bpf-lsm: Error initializing map: %m");
SET_FOREACH(fs, filesystems) {
r = fs_type_from_string(fs, &magic);
if (r < 0) {
- log_unit_warning(u, "Invalid filesystem name '%s', ignoring.", fs);
+ log_unit_warning(u, "bpf-lsm: Invalid filesystem name '%s', ignoring.", fs);
continue;
}
- log_unit_debug(u, "Restricting filesystem access to '%s'", fs);
+ log_unit_debug(u, "bpf-lsm: Restricting filesystem access to '%s'", fs);
for (int i = 0; i < FILESYSTEM_MAGIC_MAX; i++) {
if (magic[i] == 0)
break;
if (sym_bpf_map_update_elem(inner_map_fd, &magic[i], &dummy_value, BPF_ANY) != 0) {
- r = log_unit_error_errno(u, errno, "Failed to update BPF map: %m");
+ r = log_unit_error_errno(u, errno, "bpf-lsm: Failed to update BPF map: %m");
if (sym_bpf_map_delete_elem(outer_map_fd, &u->cgroup_id) != 0)
- log_unit_debug_errno(u, errno, "Failed to delete cgroup entry from LSM BPF map: %m");
+ log_unit_debug_errno(u, errno, "bpf-lsm: Failed to delete cgroup entry from BPF map: %m");
return r;
}
int fd = sym_bpf_map__fd(u->manager->restrict_fs->maps.cgroup_hash);
if (fd < 0)
- return log_unit_error_errno(u, errno, "Failed to get BPF map fd: %m");
+ return log_unit_error_errno(u, errno, "bpf-lsm: Failed to get BPF map fd: %m");
if (sym_bpf_map_delete_elem(fd, &u->cgroup_id) != 0)
- return log_unit_debug_errno(u, errno, "Failed to delete cgroup entry from LSM BPF map: %m");
+ return log_unit_debug_errno(u, errno, "bpf-lsm: Failed to delete cgroup entry from LSM BPF map: %m");
return 0;
}
}
int lsm_bpf_setup(Manager *m) {
- return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Failed to set up LSM BPF: %m");
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm: Failed to set up LSM BPF: %m");
}
int lsm_bpf_unit_restrict_filesystems(Unit *u, const Set *filesystems, const bool allow_list) {
- return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "Failed to restrict filesystems using LSM BPF: %m");
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm: Failed to restrict filesystems using LSM BPF: %m");
}
int lsm_bpf_cleanup(const Unit *u) {
set = filesystem_set_find(name);
if (!set) {
log_syntax(unit, flags & FILESYSTEM_PARSE_LOG ? LOG_WARNING : LOG_DEBUG, filename, line, 0,
- "Unknown filesystem group, ignoring: %s", name);
+ "bpf-lsm: Unknown filesystem group, ignoring: %s", name);
return 0;
}
if (allow_count > SOCKET_BIND_MAX_RULES)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, SYNTHETIC_ERRNO(EINVAL),
- "Maximum number of socket bind rules=%u is exceeded", SOCKET_BIND_MAX_RULES);
+ "bpf-socket-bind: Maximum number of socket bind rules=%u is exceeded", SOCKET_BIND_MAX_RULES);
if (deny_count > SOCKET_BIND_MAX_RULES)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, SYNTHETIC_ERRNO(EINVAL),
- "Maximum number of socket bind rules=%u is exceeded", SOCKET_BIND_MAX_RULES);
+ "bpf-socket-bind: Maximum number of socket bind rules=%u is exceeded", SOCKET_BIND_MAX_RULES);
obj = socket_bind_bpf__open();
if (!obj)
- return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, errno, "Failed to open BPF object: %m");
+ return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, errno, "bpf-socket-bind: Failed to open BPF object: %m");
if (sym_bpf_map__resize(obj->maps.sd_bind_allow, MAX(allow_count, 1u)) != 0)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, errno,
- "Failed to resize BPF map '%s': %m", sym_bpf_map__name(obj->maps.sd_bind_allow));
+ "bpf-socket-bind: Failed to resize BPF map '%s': %m", sym_bpf_map__name(obj->maps.sd_bind_allow));
if (sym_bpf_map__resize(obj->maps.sd_bind_deny, MAX(deny_count, 1u)) != 0)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, errno,
- "Failed to resize BPF map '%s': %m", sym_bpf_map__name(obj->maps.sd_bind_deny));
+ "bpf-socket-bind: Failed to resize BPF map '%s': %m", sym_bpf_map__name(obj->maps.sd_bind_deny));
if (socket_bind_bpf__load(obj) != 0)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, errno,
- "Failed to load BPF object: %m");
+ "bpf-socket-bind: Failed to load BPF object: %m");
allow_map_fd = sym_bpf_map__fd(obj->maps.sd_bind_allow);
assert(allow_map_fd >= 0);
r = update_rules_map(allow_map_fd, allow);
if (r < 0)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, r,
- "Failed to put socket bind allow rules into BPF map '%s'",
+ "bpf-socket-bind: Failed to put socket bind allow rules into BPF map '%s'",
sym_bpf_map__name(obj->maps.sd_bind_allow));
deny_map_fd = sym_bpf_map__fd(obj->maps.sd_bind_deny);
r = update_rules_map(deny_map_fd, deny);
if (r < 0)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, r,
- "Failed to put socket bind deny rules into BPF map '%s'",
+ "bpf-socket-bind: Failed to put socket bind deny rules into BPF map '%s'",
sym_bpf_map__name(obj->maps.sd_bind_deny));
*ret_obj = TAKE_PTR(obj);
return false;
if (!sym_bpf_probe_prog_type(BPF_PROG_TYPE_CGROUP_SOCK_ADDR, /*ifindex=*/0)) {
- log_debug("BPF program type cgroup_sock_addr is not supported");
+ log_debug("bpf-socket-bind: BPF program type cgroup_sock_addr is not supported");
return false;
}
r = prepare_socket_bind_bpf(/*unit=*/NULL, /*allow_rules=*/NULL, /*deny_rules=*/NULL, &obj);
if (r < 0) {
- log_debug_errno(r, "BPF based socket_bind is not supported: %m");
+ log_debug_errno(r, "bpf-socket-bind: socket bind filtering is not supported: %m");
return false;
}
r = fdset_put(u->initial_socket_bind_link_fds, fd);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to put socket-bind BPF link fd %d to initial fdset", fd);
+ return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to put BPF fd %d to initial fdset", fd);
return 0;
}
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, NULL, &cgroup_path);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to get cgroup path: %m");
+ return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to get cgroup path: %m");
if (!cc->socket_bind_allow && !cc->socket_bind_deny)
return 0;
r = prepare_socket_bind_bpf(u, cc->socket_bind_allow, cc->socket_bind_deny, &obj);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to load BPF object: %m");
+ return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to load BPF object: %m");
cgroup_fd = open(cgroup_path, O_RDONLY | O_CLOEXEC, 0);
if (cgroup_fd < 0)
- return log_unit_error_errno(u, errno, "Failed to open cgroup=%s for reading: %m", cgroup_path);
+ return log_unit_error_errno(u, errno, "bpf-socket-bind: Failed to open cgroup %s for reading: %m", cgroup_path);
ipv4 = sym_bpf_program__attach_cgroup(obj->progs.sd_bind4, cgroup_fd);
r = sym_libbpf_get_error(ipv4);
if (r != 0)
- return log_unit_error_errno(u, r, "Failed to link '%s' cgroup-bpf program: %m",
+ return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to link '%s' cgroup-bpf program: %m",
sym_bpf_program__name(obj->progs.sd_bind4));
ipv6 = sym_bpf_program__attach_cgroup(obj->progs.sd_bind6, cgroup_fd);
r = sym_libbpf_get_error(ipv6);
if (r != 0)
- return log_unit_error_errno(u, r, "Failed to link '%s' cgroup-bpf program: %m",
+ return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to link '%s' cgroup-bpf program: %m",
sym_bpf_program__name(obj->progs.sd_bind6));
u->ipv4_socket_bind_link = TAKE_PTR(ipv4);
}
int bpf_socket_bind_install(Unit *u) {
- return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "Failed to install socket bind: BPF framework is not supported");
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "bpf-socket-bind: Failed to install; BPF framework is not supported");
}
int bpf_serialize_socket_bind(Unit *u, FILE *f, FDSet *fds) {
obj = restrict_ifaces_bpf__open();
if (!obj)
- return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, errno, "Failed to open BPF object: %m");
+ return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, errno, "restrict-interfaces: Failed to open BPF object: %m");
r = sym_bpf_map__resize(obj->maps.sd_restrictif, MAX(set_size(restrict_network_interfaces), 1u));
if (r != 0)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, r,
- "Failed to resize BPF map '%s': %m",
+ "restrict-interfaces: Failed to resize BPF map '%s': %m",
sym_bpf_map__name(obj->maps.sd_restrictif));
obj->rodata->is_allow_list = is_allow_list;
r = restrict_ifaces_bpf__load(obj);
if (r != 0)
- return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, r, "Failed to load BPF object: %m");
+ return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, r, "restrict-interfaces: Failed to load BPF object: %m");
map_fd = sym_bpf_map__fd(obj->maps.sd_restrictif);
ifindex = rtnl_resolve_interface(&rtnl, iface);
if (ifindex < 0) {
- log_unit_warning_errno(u, ifindex, "Couldn't find index of network interface '%s', ignoring: %m", iface);
+ log_unit_warning_errno(u, ifindex,
+ "restrict-interfaces: Couldn't find index of network interface '%s', ignoring: %m",
+ iface);
continue;
}
if (sym_bpf_map_update_elem(map_fd, &ifindex, &dummy, BPF_ANY))
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, errno,
- "Failed to update BPF map '%s' fd: %m",
+ "restrict-interfaces: Failed to update BPF map '%s' fd: %m",
sym_bpf_map__name(obj->maps.sd_restrictif));
}
return (supported = false);
if (!sym_bpf_probe_prog_type(BPF_PROG_TYPE_CGROUP_SKB, /*ifindex=*/0)) {
- log_debug("BPF program type cgroup_skb is not supported");
+ log_debug("restrict-interfaces: BPF program type cgroup_skb is not supported");
return (supported = false);
}
r = prepare_restrict_ifaces_bpf(NULL, true, NULL, &obj);
if (r < 0) {
- log_debug_errno(r, "Failed to load BPF object: %m");
+ log_debug_errno(r, "restrict-interfaces: Failed to load BPF object: %m");
return (supported = false);
}
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, NULL, &cgroup_path);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to get cgroup path: %m");
+ return log_unit_error_errno(u, r, "restrict-interfaces: Failed to get cgroup path: %m");
if (!cc->restrict_network_interfaces)
return 0;
ingress_link = sym_bpf_program__attach_cgroup(obj->progs.sd_restrictif_i, cgroup_fd);
r = sym_libbpf_get_error(ingress_link);
if (r != 0)
- return log_unit_error_errno(u, r, "Failed to create ingress cgroup link: %m");
+ return log_unit_error_errno(u, r, "restrict-interfaces: Failed to create ingress cgroup link: %m");
egress_link = sym_bpf_program__attach_cgroup(obj->progs.sd_restrictif_e, cgroup_fd);
r = sym_libbpf_get_error(egress_link);
if (r != 0)
- return log_unit_error_errno(u, r, "Failed to create egress cgroup link: %m");
+ return log_unit_error_errno(u, r, "restrict-interfaces: Failed to create egress cgroup link: %m");
u->restrict_ifaces_ingress_bpf_link = TAKE_PTR(ingress_link);
u->restrict_ifaces_egress_bpf_link = TAKE_PTR(egress_link);
r = fdset_put(u->initial_restric_ifaces_link_fds, fd);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to put restrict-ifaces-bpf-fd %d to restored fdset: %m", fd);
+ return log_unit_error_errno(u, r,
+ "restrict-interfaces: Failed to put restrict-ifaces-bpf-fd %d to restored fdset: %m", fd);
return 0;
}
int restrict_network_interfaces_install(Unit *u) {
return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
- "Failed to install RestrictInterfaces: BPF programs built from source code are not supported: %m");
+ "restrict-interfaces: Failed to install; BPF programs built from source code are not supported: %m");
}
int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds) {
projects / thirdparty / systemd.git / commitdiff
