projects / systemd / .git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 58a56b6)
bpf-firewall: attach with BPF_F_ALLOW_MULTI if kernel supports
authorJulia Kartseva <hex@fb.com>
Thu, 4 Feb 2021 06:15:27 +0000 (22:15 -0800)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Sat, 15 May 2021 17:31:29 +0000 (19:31 +0200)
Reduced version of [0].
Use BPF_F_ALLOW_MULTI attach flag for bpf-firewall if kernel supports
it.

Aside from addressing security issue in [0] attaching with 'multi'
allows further attaching of cgroup egress, ingress hooks specified by
BPFProgram=.

[0] https://github.com/systemd/systemd/pull/17495/commits/4e42210d40f96e185a55d43041dd6b962ea830dd

(cherry picked from commit a442ccb4ebdbc3a9ff9d4504eb9724092149fd42)
(cherry picked from commit 0af3810d4b1c8bb4f0683758f47e042e8cb76972)

src/core/bpf-firewall.c patch | blob | history

diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
index 99783aca22a015d1343e4e39b31ff16db1b7ad73..b015e54c08acec5bf756a0961b48e30b1b0e59f8 100644 (file)
--- a/src/core/bpf-firewall.c
+++ b/src/core/bpf-firewall.c
@@ -702,8 +702,7 @@ int bpf_firewall_install(Unit *u) {
         if (r < 0)
                 return log_unit_error_errno(u, r, "Failed to determine cgroup path: %m");
 
-        flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI &&
-                 (u->type == UNIT_SLICE || unit_cgroup_delegate(u))) ? BPF_F_ALLOW_MULTI : 0;
+        flags = supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI ? BPF_F_ALLOW_MULTI : 0;
 
         /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program, to
          * minimize the time window when we don't account for IP traffic. */
@@ -711,8 +710,7 @@ int bpf_firewall_install(Unit *u) {
         u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed);
 
         if (u->ip_bpf_egress) {
-                r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path,
-                                              flags | (set_isempty(u->ip_bpf_custom_egress) ? 0 : BPF_F_ALLOW_MULTI));
+                r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, flags);
                 if (r < 0)
                         return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path);
 
@@ -721,8 +719,7 @@ int bpf_firewall_install(Unit *u) {
         }
 
         if (u->ip_bpf_ingress) {
-                r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path,
-                                              flags | (set_isempty(u->ip_bpf_custom_ingress) ? 0 : BPF_F_ALLOW_MULTI));
+                r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, flags);
                 if (r < 0)
                         return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path);
 
https://github.com/systemd/systemd.git