mirror of
https://github.com/systemd/systemd
synced 2026-03-19 19:44:48 +01:00
Compare commits
No commits in common. "f76f0f99354b0485e3e13c2608bc26f969312687" and "f3c67f7e16e23d385113461033f06e76789df1cd" have entirely different histories.
f76f0f9935
...
f3c67f7e16
@ -49,18 +49,25 @@ int bpf_bind_network_interface_supported(void) {
|
||||
return (supported = bpf_can_link_program(obj->progs.sd_bind_interface));
|
||||
}
|
||||
|
||||
static int bind_network_interface_install_impl(Unit *u, CGroupRuntime *crt) {
|
||||
int bpf_bind_network_interface_install(Unit *u) {
|
||||
_cleanup_(bpf_link_freep) struct bpf_link *link = NULL;
|
||||
_cleanup_(bind_iface_bpf_freep) struct bind_iface_bpf *obj = NULL;
|
||||
_cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
|
||||
_cleanup_free_ char *cgroup_path = NULL;
|
||||
_cleanup_close_ int cgroup_fd = -EBADF;
|
||||
CGroupContext *cc;
|
||||
CGroupRuntime *crt;
|
||||
int r, ifindex;
|
||||
|
||||
assert(u);
|
||||
assert(crt);
|
||||
|
||||
CGroupContext *cc = ASSERT_PTR(unit_get_cgroup_context(u));
|
||||
cc = unit_get_cgroup_context(u);
|
||||
if (!cc)
|
||||
return 0;
|
||||
|
||||
crt = unit_get_cgroup_runtime(u);
|
||||
if (!crt)
|
||||
return 0;
|
||||
|
||||
if (isempty(cc->bind_network_interface))
|
||||
return 0;
|
||||
@ -111,21 +118,6 @@ static int bind_network_interface_install_impl(Unit *u, CGroupRuntime *crt) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int bpf_bind_network_interface_install(Unit *u) {
|
||||
CGroupRuntime *crt;
|
||||
int r;
|
||||
|
||||
assert(u);
|
||||
|
||||
crt = unit_get_cgroup_runtime(u);
|
||||
if (!crt)
|
||||
return 0;
|
||||
|
||||
r = bind_network_interface_install_impl(u, crt);
|
||||
crt->initial_bind_network_interface_link_fd = safe_close(crt->initial_bind_network_interface_link_fd);
|
||||
return r;
|
||||
}
|
||||
|
||||
int bpf_bind_network_interface_serialize(Unit *u, FILE *f, FDSet *fds) {
|
||||
CGroupRuntime *crt;
|
||||
|
||||
@ -135,7 +127,7 @@ int bpf_bind_network_interface_serialize(Unit *u, FILE *f, FDSet *fds) {
|
||||
if (!crt)
|
||||
return 0;
|
||||
|
||||
return bpf_serialize_link(f, fds, "bind-iface-bpf-fd", crt->bpf_bind_network_interface_link);
|
||||
return bpf_serialize_link(f, fds, "bind-interface-fd", crt->bpf_bind_network_interface_link);
|
||||
}
|
||||
|
||||
#else /* ! BPF_FRAMEWORK */
|
||||
|
||||
@ -98,17 +98,22 @@ int bpf_restrict_ifaces_supported(void) {
|
||||
return (supported = bpf_can_link_program(obj->progs.sd_restrictif_i));
|
||||
}
|
||||
|
||||
static int restrict_ifaces_install_impl(Unit *u, CGroupRuntime *crt) {
|
||||
static int restrict_ifaces_install_impl(Unit *u) {
|
||||
_cleanup_(bpf_link_freep) struct bpf_link *egress_link = NULL, *ingress_link = NULL;
|
||||
_cleanup_(restrict_ifaces_bpf_freep) struct restrict_ifaces_bpf *obj = NULL;
|
||||
_cleanup_free_ char *cgroup_path = NULL;
|
||||
_cleanup_close_ int cgroup_fd = -EBADF;
|
||||
CGroupContext *cc;
|
||||
CGroupRuntime *crt;
|
||||
int r;
|
||||
|
||||
assert(u);
|
||||
assert(crt);
|
||||
cc = unit_get_cgroup_context(u);
|
||||
if (!cc)
|
||||
return 0;
|
||||
|
||||
CGroupContext *cc = ASSERT_PTR(unit_get_cgroup_context(u));
|
||||
crt = unit_get_cgroup_runtime(u);
|
||||
if (!crt)
|
||||
return 0;
|
||||
|
||||
r = cg_get_path(crt->cgroup_path, /* suffix= */ NULL, &cgroup_path);
|
||||
if (r < 0)
|
||||
@ -154,7 +159,7 @@ int bpf_restrict_ifaces_install(Unit *u) {
|
||||
if (!crt)
|
||||
return 0;
|
||||
|
||||
r = restrict_ifaces_install_impl(u, crt);
|
||||
r = restrict_ifaces_install_impl(u);
|
||||
fdset_close(crt->initial_restrict_ifaces_link_fds, /* async= */ false);
|
||||
return r;
|
||||
}
|
||||
|
||||
@ -571,7 +571,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) {
|
||||
fprintf(f, "%sDelegateSubgroup: %s\n",
|
||||
prefix, c->delegate_subgroup);
|
||||
|
||||
if (c->bind_network_interface)
|
||||
if (!isempty(c->bind_network_interface))
|
||||
fprintf(f, "%sBindNetworkInterface: %s\n",
|
||||
prefix, c->bind_network_interface);
|
||||
|
||||
@ -1698,7 +1698,7 @@ static bool unit_get_needs_bind_network_interface(Unit *u) {
|
||||
if (!c)
|
||||
return false;
|
||||
|
||||
return c->bind_network_interface;
|
||||
return !isempty(c->bind_network_interface);
|
||||
}
|
||||
|
||||
static CGroupMask unit_get_cgroup_mask(Unit *u) {
|
||||
@ -3050,7 +3050,9 @@ int unit_check_oom(Unit *u) {
|
||||
if (!crt || !crt->cgroup_path)
|
||||
return 0;
|
||||
|
||||
CGroupContext *ctx = ASSERT_PTR(unit_get_cgroup_context(u));
|
||||
CGroupContext *ctx = unit_get_cgroup_context(u);
|
||||
if (!ctx)
|
||||
return 0;
|
||||
|
||||
/* If memory.oom.group=1, then look up the oom_group_kill field, which reports how many times the
|
||||
* kernel killed every process recursively in this cgroup and its descendants, similar to
|
||||
@ -4199,8 +4201,6 @@ CGroupRuntime* cgroup_runtime_new(void) {
|
||||
.ipv4_deny_map_fd = -EBADF,
|
||||
.ipv6_deny_map_fd = -EBADF,
|
||||
|
||||
.initial_bind_network_interface_link_fd = -EBADF,
|
||||
|
||||
.cgroup_invalidated_mask = _CGROUP_MASK_ALL,
|
||||
|
||||
.deserialized_cgroup_realized = -1,
|
||||
@ -4235,7 +4235,6 @@ CGroupRuntime* cgroup_runtime_free(CGroupRuntime *crt) {
|
||||
#endif
|
||||
|
||||
fdset_free(crt->initial_restrict_ifaces_link_fds);
|
||||
safe_close(crt->initial_bind_network_interface_link_fd);
|
||||
|
||||
bpf_firewall_close(crt);
|
||||
|
||||
@ -4462,24 +4461,34 @@ int cgroup_runtime_deserialize_one(Unit *u, const char *key, const char *value,
|
||||
if (MATCH_DESERIALIZE_IMMEDIATE(u, "cgroup-invalidated-mask", key, value, cg_mask_from_string, cgroup_invalidated_mask))
|
||||
return 1;
|
||||
|
||||
if (STR_IN_SET(key, "ipv4-socket-bind-bpf-link-fd", "ipv6-socket-bind-bpf-link-fd")) {
|
||||
int fd;
|
||||
|
||||
fd = deserialize_fd(fds, value);
|
||||
if (fd >= 0)
|
||||
(void) bpf_socket_bind_add_initial_link_fd(u, fd);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (STR_IN_SET(key,
|
||||
"bpf-device-control-installed",
|
||||
"ip-bpf-ingress-installed", "ip-bpf-egress-installed",
|
||||
"bpf-device-control-installed",
|
||||
"ip-bpf-custom-ingress-installed", "ip-bpf-custom-egress-installed")) {
|
||||
|
||||
CGroupRuntime *crt = unit_setup_cgroup_runtime(u);
|
||||
if (!crt)
|
||||
log_oom_debug();
|
||||
else {
|
||||
if (streq(key, "bpf-device-control-installed"))
|
||||
(void) bpf_program_deserialize_attachment(value, fds, &crt->bpf_device_control_installed);
|
||||
|
||||
if (streq(key, "ip-bpf-ingress-installed"))
|
||||
(void) bpf_program_deserialize_attachment(value, fds, &crt->ip_bpf_ingress_installed);
|
||||
|
||||
if (streq(key, "ip-bpf-egress-installed"))
|
||||
(void) bpf_program_deserialize_attachment(value, fds, &crt->ip_bpf_egress_installed);
|
||||
|
||||
if (streq(key, "bpf-device-control-installed"))
|
||||
(void) bpf_program_deserialize_attachment(value, fds, &crt->bpf_device_control_installed);
|
||||
|
||||
if (streq(key, "ip-bpf-custom-ingress-installed"))
|
||||
(void) bpf_program_deserialize_attachment_set(value, fds, &crt->ip_bpf_custom_ingress_installed);
|
||||
|
||||
@ -4490,47 +4499,12 @@ int cgroup_runtime_deserialize_one(Unit *u, const char *key, const char *value,
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* We keep the previous bpf link fds stashed until we reattach anew, to close the window where
|
||||
* the cgroup restrictions would otherwise be lifted. */
|
||||
|
||||
if (STR_IN_SET(key, "ipv4-socket-bind-bpf-link-fd", "ipv6-socket-bind-bpf-link-fd")) {
|
||||
_cleanup_close_ int fd = -EBADF;
|
||||
|
||||
fd = deserialize_fd(fds, value);
|
||||
if (fd >= 0) {
|
||||
r = bpf_socket_bind_add_initial_link_fd(u, fd);
|
||||
if (r >= 0)
|
||||
TAKE_FD(fd);
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (streq(key, "restrict-ifaces-bpf-fd")) {
|
||||
_cleanup_close_ int fd = -EBADF;
|
||||
int fd;
|
||||
|
||||
fd = deserialize_fd(fds, value);
|
||||
if (fd >= 0) {
|
||||
r = bpf_restrict_ifaces_add_initial_link_fd(u, fd);
|
||||
if (r >= 0)
|
||||
TAKE_FD(fd);
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (streq(key, "bind-iface-bpf-fd")) {
|
||||
_cleanup_close_ int fd = -EBADF;
|
||||
|
||||
fd = deserialize_fd(fds, value);
|
||||
if (fd >= 0) {
|
||||
CGroupRuntime *crt = unit_setup_cgroup_runtime(u);
|
||||
if (!crt)
|
||||
log_oom_debug();
|
||||
else
|
||||
close_and_replace(crt->initial_bind_network_interface_link_fd, fd);
|
||||
}
|
||||
|
||||
if (fd >= 0)
|
||||
(void) bpf_restrict_ifaces_add_initial_link_fd(u, fd);
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
@ -325,13 +325,6 @@ typedef struct CGroupRuntime {
|
||||
struct bpf_link *restrict_ifaces_egress_bpf_link;
|
||||
#endif
|
||||
|
||||
#if BPF_FRAMEWORK
|
||||
/* BPF link to BPF programs attached to cgroup/sock_create hooks and
|
||||
* responsible for binding created sockets to a given VRF interface. */
|
||||
struct bpf_link *bpf_bind_network_interface_link;
|
||||
#endif
|
||||
int initial_bind_network_interface_link_fd;
|
||||
|
||||
bool cgroup_members_mask_valid:1;
|
||||
|
||||
/* Reset cgroup accounting next time we fork something off */
|
||||
@ -341,6 +334,12 @@ typedef struct CGroupRuntime {
|
||||
bool warned_clamping_cpu_quota_period:1;
|
||||
|
||||
int deserialized_cgroup_realized; /* tristate, for backwards compat */
|
||||
|
||||
#if BPF_FRAMEWORK
|
||||
/* BPF link to BPF programs attached to cgroup/sock_create hooks and
|
||||
* responsible for binding created sockets to a given VRF interface. */
|
||||
struct bpf_link *bpf_bind_network_interface_link;
|
||||
#endif
|
||||
} CGroupRuntime;
|
||||
|
||||
uint64_t cgroup_context_cpu_weight(CGroupContext *c, ManagerState state);
|
||||
|
||||
@ -1893,7 +1893,6 @@ int bus_cgroup_set_property(
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (streq(name, "RestrictNetworkInterfaces")) {
|
||||
int is_allow_list;
|
||||
_cleanup_strv_free_ char **l = NULL;
|
||||
@ -1959,15 +1958,19 @@ int bus_cgroup_set_property(
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (!isempty(s) && !ifname_valid_full(s, IFNAME_VALID_ALTERNATIVE))
|
||||
if (!ifname_valid_full(s, IFNAME_VALID_ALTERNATIVE))
|
||||
return sd_bus_error_setf(reterr_error, SD_BUS_ERROR_INVALID_ARGS, "Invalid interface name: %s", s);
|
||||
|
||||
if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
|
||||
r = free_and_strdup_warn(&c->bind_network_interface, empty_to_null(s));
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r > 0)
|
||||
unit_write_settingf(u, flags, name, "BindNetworkInterface=%s", s);
|
||||
if (isempty(s))
|
||||
c->bind_network_interface = mfree(c->bind_network_interface);
|
||||
else {
|
||||
r = free_and_strdup_warn(&c->bind_network_interface, s);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
unit_write_settingf(u, flags, name, "BindNetworkInterface=%s", strempty(s));
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
||||
@ -5141,11 +5141,12 @@ int unit_setup_exec_runtime(Unit *u) {
|
||||
return r;
|
||||
}
|
||||
|
||||
CGroupRuntime* unit_setup_cgroup_runtime(Unit *u) {
|
||||
assert(u);
|
||||
assert(UNIT_HAS_CGROUP_CONTEXT(u));
|
||||
CGroupRuntime *unit_setup_cgroup_runtime(Unit *u) {
|
||||
size_t offset;
|
||||
|
||||
size_t offset = UNIT_VTABLE(u)->cgroup_runtime_offset;
|
||||
assert(u);
|
||||
|
||||
offset = UNIT_VTABLE(u)->cgroup_runtime_offset;
|
||||
assert(offset > 0);
|
||||
|
||||
CGroupRuntime **rt = (CGroupRuntime**) ((uint8_t*) u + offset);
|
||||
|
||||
@ -2370,7 +2370,6 @@ static const BusProperty cgroup_properties[] = {
|
||||
{ "SocketBindDeny", bus_append_socket_filter },
|
||||
{ "MemoryPressureThresholdSec", bus_append_parse_sec_rename },
|
||||
{ "NFTSet", bus_append_nft_set },
|
||||
{ "BindNetworkInterface", bus_append_string },
|
||||
|
||||
/* While infinity is disallowed in unit file, infinity is allowed in D-Bus API which
|
||||
* means use the default memory pressure duration from oomd.conf. */
|
||||
@ -2552,6 +2551,7 @@ static const BusProperty execute_properties[] = {
|
||||
{ "StateDirectoryAccounting", bus_append_parse_boolean },
|
||||
{ "CacheDirectoryAccounting", bus_append_parse_boolean },
|
||||
{ "LogsDirectoryAccounting", bus_append_parse_boolean },
|
||||
{ "BindNetworkInterface", bus_append_string },
|
||||
|
||||
{ NULL, bus_try_append_resource_limit, dump_resource_limits },
|
||||
{}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user