Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 1 | From 4ea79c18f1e2081d59eaa0f1df479dbc7700779e Mon Sep 17 00:00:00 2001 |
| 2 | From: Ed Tanous <ed.tanous@intel.com> |
| 3 | Date: Sun, 16 Dec 2018 18:27:06 -0800 |
Alexander Filippov | 2525cde | 2018-09-17 12:09:30 +0300 | [diff] [blame] | 4 | Subject: [PATCH] core: fix the check if CONFIG_CGROUP_BPF is on |
| 5 | |
| 6 | Since the commit torvalds/linux@fdb5c4531c1e0e50e609df83f736b6f3a02896e2 |
| 7 | the syscall BPF_PROG_ATTACH return EBADF when CONFIG_CGROUP_BPF is |
| 8 | turned off and as result the bpf_firewall_supported() returns the |
| 9 | incorrect value. |
| 10 | |
| 11 | This commit replaces the syscall BPF_PROG_ATTACH with BPF_PROG_DETACH |
| 12 | which still works as expected. |
| 13 | |
| 14 | Resolves openbmc/linux#159 |
| 15 | See also systemd/systemd#7054 |
| 16 | |
Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 17 | Originally written by: |
| 18 | Alexander Filippov <a.filippov@yadro.com> |
| 19 | |
| 20 | Signed-off-by: Ed Tanous <ed.tanous@intel.com> |
Alexander Filippov | 2525cde | 2018-09-17 12:09:30 +0300 | [diff] [blame] | 21 | --- |
Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 22 | src/core/bpf-firewall.c | 14 +++++++------- |
| 23 | 1 file changed, 7 insertions(+), 7 deletions(-) |
Alexander Filippov | 2525cde | 2018-09-17 12:09:30 +0300 | [diff] [blame] | 24 | |
| 25 | diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c |
Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 26 | index 8b66ef73d..e68b70d0c 100644 |
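--- a/src/core/bpf-firewall.c
+++ b/src/core/bpf-firewall.c
@@ -660,7 +660,7 @@ int bpf_firewall_supported(void) {
 * b) whether the unified hierarchy is being used
 * c) the BPF implementation in the kernel supports BPF LPM TRIE maps, which we require
 * d) the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_SKB programs, which we require
- * e) the BPF implementation in the kernel supports the BPF_PROG_ATTACH call, which we require
+ * e) the BPF implementation in the kernel supports the BPF_PROG_DETACH call, which we require
 *
 */
 
@@ -714,7 +714,7 @@ int bpf_firewall_supported(void) {
 * is turned off at kernel compilation time. This sucks of course: why does it allow us to create a cgroup BPF
 * program if we can't do a thing with it later?
 *
- * We detect this case by issuing the BPF_PROG_ATTACH bpf() call with invalid file descriptors: if
+ * We detect this case by issuing the BPF_PROG_DETACH bpf() call with invalid file descriptors: if
 * CONFIG_CGROUP_BPF is turned off, then the call will fail early with EINVAL. If it is turned on the
 * parameters are validated however, and that'll fail with EBADF then. */
 
@@ -724,15 +724,15 @@ int bpf_firewall_supported(void) {
 .attach_bpf_fd = -1,
 };
 
- if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0) {
+ if (bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0) {
 if (errno != EBADF) {
- log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_ATTACH, BPF firewalling is not supported: %m");
+ log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_DETACH, BPF firewalling is not supported: %m");
 return supported = BPF_FIREWALL_UNSUPPORTED;
 }
 
 /* YAY! */
 } else {
- log_debug("Wut? Kernel accepted our invalid BPF_PROG_ATTACH call? Something is weird, assuming BPF firewalling is broken and hence not supported.");
+ log_debug("Wut? Kernel accepted our invalid BPF_PROG_DETACH call? Something is weird, assuming BPF firewalling is broken and hence not supported.");
 return supported = BPF_FIREWALL_UNSUPPORTED;
 }
 
@@ -748,7 +748,7 @@ int bpf_firewall_supported(void) {
 .attach_flags = BPF_F_ALLOW_MULTI,
 };
 
- if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0) {
+ if (bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0) {
 if (errno == EBADF) {
 log_debug_errno(errno, "Got EBADF when using BPF_F_ALLOW_MULTI, which indicates it is supported. Yay!");
 return supported = BPF_FIREWALL_SUPPORTED_WITH_MULTI;
@@ -761,7 +761,7 @@ int bpf_firewall_supported(void) {
 
 return supported = BPF_FIREWALL_SUPPORTED;
 } else {
- log_debug("Wut? Kernel accepted our invalid BPF_PROG_ATTACH+BPF_F_ALLOW_MULTI call? Something is weird, assuming BPF firewalling is broken and hence not supported.");
+ log_debug("Wut? Kernel accepted our invalid BPF_PROG_DETACH+BPF_F_ALLOW_MULTI call? Something is weird, assuming BPF firewalling is broken and hence not supported.");
 return supported = BPF_FIREWALL_UNSUPPORTED;
 }
 }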
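Review bot: The second probe (the hunk at -748, with its log string in the hunk at -761) is switched to BPF_PROG_DETACH as well, but that probe only works if the kernel inspects `attach_flags`: it expects EINVAL when BPF_F_ALLOW_MULTI is unknown and EBADF when it is known. The commit message motivates the change only for the CONFIG_CGROUP_BPF check, and a detach request is likely to be rejected for carrying a non-zero `attach_flags` before any descriptor is looked at, in which case BPF_FIREWALL_SUPPORTED_WITH_MULTI is never returned and the result silently degrades to BPF_FIREWALL_SUPPORTED. I would keep `if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0) {` and the original log text for the multi probe, and confirm on a kernel that supports BPF_F_ALLOW_MULTI which value the function returns. Both probes sit in bpf_firewall_supported(), whose body starts outside the hunks shown.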
| 84 | -- |
Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 85 | 2.17.1 |
Alexander Filippov | 2525cde | 2018-09-17 12:09:30 +0300 | [diff] [blame] | 86 | |