authorJulia Kartseva <hex@fb.com>2021-02-03 22:15:27 -0800
committerJulia Kartseva <hex@fb.com>2021-04-09 20:28:47 -0700
commita442ccb4ebdbc3a9ff9d4504eb9724092149fd42 (patch)
tree7e16686e823e3f548d7cb6790befe10c747419d6 /src/core/bpf-firewall.c
parente2e40e9a9e4074eaca7984b70a5d1cd7a7f0cbe0 (diff)
bpf-firewall: attach with BPF_F_ALLOW_MULTI if kernel supports
Reduced version of [0]. Use the BPF_F_ALLOW_MULTI attach flag for bpf-firewall if the kernel supports it. Aside from addressing the security issue in [0], attaching with 'multi' also allows the cgroup egress and ingress hooks specified by BPFProgram= to be attached alongside. [0] https://github.com/systemd/systemd/pull/17495/commits/4e42210d40f96e185a55d43041dd6b962ea830dd
Diffstat (limited to 'src/core/bpf-firewall.c')
-rw-r--r--src/core/bpf-firewall.c9
1 files changed, 3 insertions, 6 deletions
diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
index 0f588b6ca5..02e33399c3 100644
--- a/src/core/bpf-firewall.c
+++ b/src/core/bpf-firewall.c
@@ -698,8 +698,7 @@ int bpf_firewall_install(Unit *u) {
if (r < 0)
return log_unit_error_errno(u, r, "Failed to determine cgroup path: %m");
- flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI &&
- (u->type == UNIT_SLICE || unit_cgroup_delegate(u))) ? BPF_F_ALLOW_MULTI : 0;
+ flags = supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI ? BPF_F_ALLOW_MULTI : 0;
/* Unref the old BPF program (which will implicitly detach it) right before attaching the new program, to
* minimize the time window when we don't account for IP traffic. */
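Review bot: The new one-line assignment of `flags` drops the rationale the removed condition carried (slices and delegated cgroups), and nothing in the code now says why BPF_F_ALLOW_MULTI is requested whenever the kernel supports it. A comment above the assignment would keep that reason next to the code, e.g. `/* Attach in multi mode whenever the kernel supports it: the program is then not displaced by another attach on this cgroup, and the BPFProgram= hooks can be attached alongside it. */` — the "not displaced" part is my reading of the referenced PR and should be confirmed before it is written down. When `supported` is anything else, `flags` becomes 0, which presumably only attaches cleanly if nothing else is attached to the cgroup; the `supported` check that decides this sits earlier in bpf_firewall_install, outside this hunk, as does the rest of the function.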
@@ -707,8 +706,7 @@ int bpf_firewall_install(Unit *u) {
u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed);
if (u->ip_bpf_egress) {
- r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path,
- flags | (set_isempty(u->ip_bpf_custom_egress) ? 0 : BPF_F_ALLOW_MULTI));
+ r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, flags);
if (r < 0)
return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path);
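Review bot: The egress attach on the `+` line now passes `flags` unchanged even when `u->ip_bpf_custom_egress` is non-empty, so on a kernel where `supported` is not BPF_FIREWALL_SUPPORTED_WITH_MULTI the custom programs and this one are presumably attached in non-multi mode, and the error message on the following line does not show which mode was used when the attach fails. Including the flags in the log line makes that failure diagnosable without a kernel trace: `return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s (flags=0x%x) failed: %m", path, (unsigned) flags);`. The same applies to the ingress attach in the next hunk. The declaration of `flags` is outside this hunk; if it is wider than `unsigned`, adjust the cast and specifier accordingly.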
@@ -717,8 +715,7 @@ int bpf_firewall_install(Unit *u) {
}
if (u->ip_bpf_ingress) {
- r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path,
- flags | (set_isempty(u->ip_bpf_custom_ingress) ? 0 : BPF_F_ALLOW_MULTI));
+ r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, flags);
if (r < 0)
return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path);