author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-06-14 15:06:27 +0900 |
---|---|---|
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-06-22 22:23:58 +0900 |
commit | b48ed70c79c6482e1f39b77d16e62043ff5042a5 (patch) | |
tree | 58245c4075beb60a8558020b647dc67134beb68e /src/core/cgroup.c | |
parent | 127b26f3d8b589907ed75a34d34ab330995778f9 (diff) | |
download | systemd-b48ed70c79c6482e1f39b77d16e62043ff5042a5.tar.gz |
Revert NFTSet feature
This reverts PR #22587 and its follow-up commit. More specifically,
2299b1cae32c1fb8911da0ce26efced68032f4f8 (partially),
e176f855278d5098d3fecc5aa24ba702147d42e0,
ceb46a31a01b3d3d1d6095d857e29ea214a2776b, and
51bb9076ab8c050bebb64db5035852385accda35.
The PR was merged without final approval, and has several issues:
- OSS fuzz reported issues in the conf parser,
- It makes a synchronous netlink call, which it should not, especially in PID1,
- The importance of NFTSet for CGroup and DynamicUser may be
questionable, at least, there was no justification PID1 should support
it.
- For networkd, it should be implemented with Request object,
- There is no test for the feature.
Fixes #23711.
Fixes #23717.
Fixes #23719.
Fixes #23720.
Fixes #23721.
Fixes #23759.
Diffstat (limited to 'src/core/cgroup.c')
-rw-r--r-- | src/core/cgroup.c | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index a3fb44fcb8..25707fce64 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -19,7 +19,6 @@
 #include "devnum-util.h"
 #include "fd-util.h"
 #include "fileio.h"
-#include "firewall-util.h"
 #include "in-addr-prefix-util.h"
 #include "inotify-util.h"
 #include "io-util.h"
@@ -280,8 +279,6 @@ void cgroup_context_done(CGroupContext *c) {
 cpu_set_reset(&c->startup_cpuset_cpus);
 cpu_set_reset(&c->cpuset_mems);
 cpu_set_reset(&c->startup_cpuset_mems);
-
- c->nft_set_context = nft_set_context_free_many(c->nft_set_context, &c->n_nft_set_contexts);
 }
 
 static int unit_get_kernel_memory_limit(Unit *u, const char *file, uint64_t *ret) {
@@ -612,11 +609,6 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) {
 SET_FOREACH(iface, c->restrict_network_interfaces)
 fprintf(f, "%sRestrictNetworkInterfaces: %s\n", prefix, iface);
 }
-
- for (size_t i = 0; i < c->n_nft_set_contexts; i++)
- fprintf(f, "%sControlGroupNFTSet: %s:%s:%s\n", prefix,
- nfproto_to_string(c->nft_set_context[i].nfproto),
- c->nft_set_context[i].table, c->nft_set_context[i].set);
 }
 
 void cgroup_context_dump_socket_bind_item(const CGroupSocketBindItem *item, FILE *f) {
@@ -1226,46 +1218,6 @@ static void cgroup_apply_firewall(Unit *u) {
 (void) bpf_firewall_install(u);
 }
 
-static void cgroup_apply_nft_set(Unit *u) {
- int r;
- CGroupContext *c;
-
- assert(u);
-
- assert_se(c = unit_get_cgroup_context(u));
-
- for (size_t i = 0; i < c->n_nft_set_contexts; i++) {
- NFTSetContext *s = &c->nft_set_context[i];
- r = nft_set_element_add_uint64(s, u->cgroup_id);
- if (r < 0)
- log_warning_errno(r, "Adding NFT family %s table %s set %s cgroup %" PRIu64 " failed, ignoring: %m",
- nfproto_to_string(s->nfproto),
- s->table,
- s->set,
- u->cgroup_id);
- }
-}
-
-static void cgroup_delete_nft_set(Unit *u) {
- int r;
- CGroupContext *c;
-
- assert(u);
-
- assert_se(c = unit_get_cgroup_context(u));
-
- for (size_t i = 0; i < c->n_nft_set_contexts; i++) {
- NFTSetContext *s = &c->nft_set_context[i];
- r = nft_set_element_del_uint64(s, u->cgroup_id);
- if (r < 0)
- log_warning_errno(r, "Deleting NFT family %s table %s set %s cgroup %" PRIu64 " failed, ignoring: %m",
- nfproto_to_string(s->nfproto),
- s->table,
- s->set,
- u->cgroup_id);
- }
-}
-
 static void cgroup_apply_socket_bind(Unit *u) {
 assert(u);
 
@@ -1698,8 +1650,6 @@ static void cgroup_context_apply(
 
 if (apply_mask & CGROUP_MASK_BPF_RESTRICT_NETWORK_INTERFACES)
 cgroup_apply_restrict_network_interfaces(u);
-
- cgroup_apply_nft_set(u);
 }
 
 static bool unit_get_needs_bpf_firewall(Unit *u) {
@@ -2849,8 +2799,6 @@ void unit_prune_cgroup(Unit *u) {
 (void) lsm_bpf_cleanup(u); /* Remove cgroup from the global LSM BPF map */
 #endif
 
- cgroup_delete_nft_set(u);
-
 is_root_slice = unit_has_name(u, SPECIAL_ROOT_SLICE);
 r = cg_trim_everywhere(u->manager->cgroup_supported, u->cgroup_path, !is_root_slice);