From: Lennart Poettering
Date: Mon, 13 Nov 2017 09:56:43 +0000 (+0100)
Subject: bpf-firewall: properly handle kernels where BPF cgroup is disabled but TRIE maps...
X-Git-Tag: v236~229
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93e93da5cc0499563710e3b77dcae3c342ed46b0;p=thirdparty%2Fsystemd.git

bpf-firewall: properly handle kernels where BPF cgroup is disabled but TRIE maps are enabled (#7298)

So far, we assumed that kernels where TRIE was on also supported BPF/cgroup stuff. That's not a correct assumption to make, hence check for both features separately.

Fixes: #7054
---
diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
index 909c1c8253f..09c5bd3ddda 100644
--- a/src/core/bpf-firewall.c
+++ b/src/core/bpf-firewall.c
@@ -641,6 +641,12 @@ int bpf_firewall_reset_accounting(int map_fd) {
 int bpf_firewall_supported(void) {
+ struct bpf_insn trivial[] = {
+ BPF_MOV64_IMM(BPF_REG_0, 1),
+ BPF_EXIT_INSN()
+ };
+
+ _cleanup_(bpf_program_unrefp) BPFProgram *program = NULL;
 static int supported = -1;
 int fd, r;
@@ -655,8 +661,10 @@ int bpf_firewall_supported(void) {
 if (supported >= 0)
 return supported;
- if (geteuid() != 0)
+ if (geteuid() != 0) {
+ log_debug("Not enough privileges, BPF firewalling is not supported.");
 return supported = false;
+ }
 r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
 if (r < 0)
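Review bot: The purpose of the new `trivial` array in the first hunk is not stated where it is declared; a reader only learns from the last hunk that this program is never used for filtering and exists solely to probe whether the kernel accepts a CGROUP_SKB program at all. Suggest a comment above the declaration, e.g. `/* Smallest valid CGROUP_SKB program (returns 1 = accept); loaded only to probe whether the kernel supports this program type, never attached. */`. If `bpf_program_add_instructions()` takes a const pointer, `static const struct bpf_insn trivial[]` would also document that the instruction table is immutable and keep it out of the stack frame; its prototype is outside this hunk, so that needs checking. The body of `bpf_firewall_supported()` continues past the end of this hunk.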
@@ -676,5 +684,22 @@ int bpf_firewall_supported(void) {
 safe_close(fd);
+ if (bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &program) < 0) {
+ log_debug_errno(r, "Can't allocate CGROUP SKB BPF program, BPF firewalling is not supported: %m");
+ return supported = false;
+ }
+
+ r = bpf_program_add_instructions(program, trivial, ELEMENTSOF(trivial));
+ if (r < 0) {
+ log_debug_errno(r, "Can't add trivial instructions to CGROUP SKB BPF program, BPF firewalling is not supported: %m");
+ return supported = false;
+ }
+
+ r = bpf_program_load_kernel(program, NULL, 0);
+ if (r < 0) {
+ log_debug_errno(r, "Can't load kernel CGROUP SKB BPF program, BPF firewalling is not supported: %m");
+ return supported = false;
+ }
+
 return supported = true;
 }
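Review bot: The first new failure branch logs the wrong error: `log_debug_errno(r, "Can't allocate CGROUP SKB BPF program, ...: %m")` runs when `bpf_program_new()` returns negative, but that return value is discarded and `r` still holds the result of the preceding call (outside this hunk), so both the logged code and `%m` describe some other, already-completed operation. Capture the result the way the following two branches do: `r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &program);` then `if (r < 0) {`. Separately, every negative return here caches `supported = false` for the lifetime of the process, so a probe failure for a reason other than missing kernel support (a resource shortage during the trial load, for instance) would silently disable BPF firewalling until restart; a comment recording that this is accepted, or not caching such errors, would make the intent explicit. The function starts before this hunk.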