| From 4ea79c18f1e2081d59eaa0f1df479dbc7700779e Mon Sep 17 00:00:00 2001 |
| From: Ed Tanous <ed.tanous@intel.com> |
| Date: Sun, 16 Dec 2018 18:27:06 -0800 |
| Subject: [PATCH] core: fix the check if CONFIG_CGROUP_BPF is on |
| |
| Since the commit torvalds/linux@fdb5c4531c1e0e50e609df83f736b6f3a02896e2 |
| the syscall BPF_PROG_ATTACH return EBADF when CONFIG_CGROUP_BPF is |
| turned off and as result the bpf_firewall_supported() returns the |
| incorrect value. |
| |
| This commmit replaces the syscall BPF_PROG_ATTACH with BPF_PROG_DETACH |
| which is still work as expected. |
| |
| Resolves openbmc/linux#159 |
| See also systemd/systemd#7054 |
| |
| Originally written by: |
| Alexander Filippov <a.filippov@yadro.com> |
| |
| Signed-off-by: Ed Tanous <ed.tanous@intel.com> |
| --- |
| src/core/bpf-firewall.c | 14 +++++++------- |
| 1 file changed, 7 insertions(+), 7 deletions(-) |
| |
| diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c |
| index 8b66ef73d..e68b70d0c 100644 |
| --- a/src/core/bpf-firewall.c |
| +++ b/src/core/bpf-firewall.c |
| @@ -660,7 +660,7 @@ int bpf_firewall_supported(void) { |
| * b) whether the unified hierarchy is being used |
| * c) the BPF implementation in the kernel supports BPF LPM TRIE maps, which we require |
| * d) the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_SKB programs, which we require |
| - * e) the BPF implementation in the kernel supports the BPF_PROG_ATTACH call, which we require |
| + * e) the BPF implementation in the kernel supports the BPF_PROG_DETACH call, which we require |
| * |
| */ |
| |
| @@ -714,7 +714,7 @@ int bpf_firewall_supported(void) { |
| * is turned off at kernel compilation time. This sucks of course: why does it allow us to create a cgroup BPF |
| * program if we can't do a thing with it later? |
| * |
| - * We detect this case by issuing the BPF_PROG_ATTACH bpf() call with invalid file descriptors: if |
| + * We detect this case by issuing the BPF_PROG_DETACH bpf() call with invalid file descriptors: if |
| * CONFIG_CGROUP_BPF is turned off, then the call will fail early with EINVAL. If it is turned on the |
| * parameters are validated however, and that'll fail with EBADF then. */ |
| |
| @@ -724,15 +724,15 @@ int bpf_firewall_supported(void) { |
| .attach_bpf_fd = -1, |
| }; |
| |
| - if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0) { |
| + if (bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0) { |
| if (errno != EBADF) { |
| - log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_ATTACH, BPF firewalling is not supported: %m"); |
| + log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_DETACH, BPF firewalling is not supported: %m"); |
| return supported = BPF_FIREWALL_UNSUPPORTED; |
| } |
| |
| /* YAY! */ |
| } else { |
| - log_debug("Wut? Kernel accepted our invalid BPF_PROG_ATTACH call? Something is weird, assuming BPF firewalling is broken and hence not supported."); |
| + log_debug("Wut? Kernel accepted our invalid BPF_PROG_DETACH call? Something is weird, assuming BPF firewalling is broken and hence not supported."); |
| return supported = BPF_FIREWALL_UNSUPPORTED; |
| } |
| |
| @@ -748,7 +748,7 @@ int bpf_firewall_supported(void) { |
| .attach_flags = BPF_F_ALLOW_MULTI, |
| }; |
| |
| - if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0) { |
| + if (bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0) { |
| if (errno == EBADF) { |
| log_debug_errno(errno, "Got EBADF when using BPF_F_ALLOW_MULTI, which indicates it is supported. Yay!"); |
| return supported = BPF_FIREWALL_SUPPORTED_WITH_MULTI; |
| @@ -761,7 +761,7 @@ int bpf_firewall_supported(void) { |
| |
| return supported = BPF_FIREWALL_SUPPORTED; |
| } else { |
| - log_debug("Wut? Kernel accepted our invalid BPF_PROG_ATTACH+BPF_F_ALLOW_MULTI call? Something is weird, assuming BPF firewalling is broken and hence not supported."); |
| + log_debug("Wut? Kernel accepted our invalid BPF_PROG_DETACH+BPF_F_ALLOW_MULTI call? Something is weird, assuming BPF firewalling is broken and hence not supported."); |
| return supported = BPF_FIREWALL_UNSUPPORTED; |
| } |
| } |
| -- |
| 2.17.1 |
| |