
Commit b57d752

bpf-program: serialize attached BPF programs across daemon reexec/reload
Alternative to systemd#17495
1 parent 7a7cf83 commit b57d752


3 files changed

+165
-3
lines changed


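--- a/src/core/unit-serialize.c
+++ b/src/core/unit-serialize.c
@@ -166,6 +166,11 @@ int unit_serialize(Unit *u, FILE *f, FDSet *fds, bool switching_root) {
 
 (void) bpf_serialize_socket_bind(u, f, fds);
 
+(void) bpf_program_serialize_attachment(f, fds, "ip-bpf-ingress-installed", u->ip_bpf_ingress_installed);
+(void) bpf_program_serialize_attachment(f, fds, "ip-bpf-egress-installed", u->ip_bpf_egress_installed);
+(void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-ingress-installed", u->ip_bpf_custom_ingress_installed);
+(void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-egress-installed", u->ip_bpf_custom_egress_installed);
+
 if (uid_is_valid(u->ref_uid))
 (void) serialize_item_format(f, "ref-uid", UID_FMT, u->ref_uid);
 if (gid_is_valid(u->ref_gid))
@@ -385,16 +390,28 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) {
 else {
 if (fdset_remove(fds, fd) < 0) {
 log_unit_debug(u, "Failed to remove %s value=%d from fdset", l, fd);
-
 continue;
 }
 
 (void) bpf_socket_bind_add_initial_link_fd(u, fd);
 }
 continue;
-}
 
-else if (streq(l, "ref-uid")) {
+} else if (streq(l, "ip-bpf-ingress-installed")) {
+(void) bpf_program_deserialize_attachment(v, fds, &u->ip_bpf_ingress_installed);
+continue;
+} else if (streq(l, "ip-bpf-egress-installed")) {
+(void) bpf_program_deserialize_attachment(v, fds, &u->ip_bpf_egress_installed);
+continue;
+
+} else if (streq(l, "ip-bpf-custom-ingress-installed")) {
+(void) bpf_program_deserialize_attachment_set(v, fds, &u->ip_bpf_custom_ingress_installed);
+continue;
+} else if (streq(l, "ip-bpf-custom-egress-installed")) {
+(void) bpf_program_deserialize_attachment_set(v, fds, &u->ip_bpf_custom_egress_installed);
+continue;
+
+} else if (streq(l, "ref-uid")) {
 uid_t uid;
 
 r = parse_uid(v, &uid);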
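Review bot: The return values of the four bpf_program_deserialize_attachment*() calls in the unit_deserialize hunk are discarded, so a malformed record or an fd that is no longer in the fdset is dropped without a trace, whereas the fdset_remove() failure a few lines above in the same function logs at debug level. The same treatment in each of the four branches would make a lost attachment after reexec visible, e.g. `r = bpf_program_deserialize_attachment(v, fds, &u->ip_bpf_ingress_installed);` followed by `if (r < 0) log_unit_debug_errno(u, r, "Failed to deserialize %s=%s, ignoring: %m", l, v);`; `r` is already in scope here, as the parse_uid() call right below shows. Both hunks sit inside functions whose bodies extend beyond what is shown.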

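--- a/src/shared/bpf-program.c
+++ b/src/shared/bpf-program.c
@@ -7,10 +7,12 @@
 
 #include "alloc-util.h"
 #include "bpf-program.h"
+#include "escape.h"
 #include "fd-util.h"
 #include "memory-util.h"
 #include "missing_syscall.h"
 #include "path-util.h"
+#include "serialize.h"
 #include "string-table.h"
 
 static const char *const bpf_cgroup_attach_type_table[__MAX_BPF_ATTACH_TYPE] = {
@@ -362,3 +364,139 @@ int bpf_program_get_id_by_fd(int prog_fd, uint32_t *ret_id) {
 
 return 0;
 };
+
+int bpf_program_serialize_attachment(
+FILE *f,
+FDSet *fds,
+const char *key,
+BPFProgram *p) {
+
+_cleanup_free_ char *escaped = NULL;
+int copy, r;
+
+if (!p || !p->attached_path)
+return 0;
+
+assert(p->kernel_fd >= 0);
+
+escaped = cescape(p->attached_path);
+if (!escaped)
+return -ENOMEM;
+
+copy = fdset_put_dup(fds, p->kernel_fd);
+if (copy < 0)
+return log_error_errno(copy, "Failed to add BPF kernel fd to serialize: %m");
+
+r = serialize_item_format(
+f,
+key,
+"%i %s %s",
+copy,
+bpf_cgroup_attach_type_to_string(p->attached_type),
+escaped);
+if (r < 0)
+return r;
+
+/* After serialization, let's forget the fact that this program is attached. The attachment — if you
+* so will — is now 'owned' by the serialization, and not us anymore. Why does that matter? Because
+* of BPF's less-than-ideal lifecycle handling: to detach a program from a cgroup we have to
+* explicitly do so, it's not done implicitly on close(). Now, since we are serializing here we don't
+* want the program to be detached while freeing things, so that the attachment can be retained after
+* deserializing again. bpf_program_free() implicitly detaches things, if attached_path is non-NULL,
+* hence we set it to NULL here. */
+
+p->attached_path = mfree(p->attached_path);
+return 0;
+}
+
+int bpf_program_serialize_attachment_set(FILE *f, FDSet *fds, const char *key, Set *set) {
+BPFProgram *p;
+int r;
+
+SET_FOREACH(p, set) {
+r = bpf_program_serialize_attachment(f, fds, key, p);
+if (r < 0)
+return r;
+}
+
+return 0;
+}
+
+int bpf_program_deserialize_attachment(const char *v, FDSet *fds, BPFProgram **bpfp) {
+_cleanup_free_ char *sfd = NULL, *sat = NULL, *unescaped = NULL;
+_cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
+_cleanup_close_ int fd = -1;
+int ifd, at, r;
+
+assert(v);
+assert(bpfp);
+
+/* Extract first word: the fd number */
+r = extract_first_word(&v, &sfd, NULL, 0);
+if (r < 0)
+return r;
+if (r == 0)
+return -EINVAL;
+
+r = safe_atoi(sfd, &ifd);
+if (r < 0)
+return r;
+if (ifd < 0)
+return -EBADF;
+
+/* Extract second word: the attach type */
+r = extract_first_word(&v, &sat, NULL, 0);
+if (r < 0)
+return r;
+if (r == 0)
+return -EINVAL;
+
+at = bpf_cgroup_attach_type_from_string(sat);
+if (at < 0)
+return at;
+
+/* The rest is the path */
+r = cunescape(v, 0, &unescaped);
+if (r < 0)
+return r;
+
+fd = fdset_remove(fds, ifd);
+if (fd < 0)
+return fd;
+
+p = new(BPFProgram, 1);
+if (!p)
+return -ENOMEM;
+
+*p = (BPFProgram) {
+.n_ref = 1,
+.kernel_fd = TAKE_FD(fd),
+.prog_type = BPF_PROG_TYPE_UNSPEC,
+.attached_path = TAKE_PTR(unescaped),
+.attached_type = at,
+};
+
+if (*bpfp)
+bpf_program_unref(*bpfp);
+
+*bpfp = TAKE_PTR(p);
+return 0;
+}
+
+int bpf_program_deserialize_attachment_set(const char *v, FDSet *fds, Set **bpfsetp) {
+BPFProgram *p = NULL;
+int r;
+
+assert(v);
+assert(bpfsetp);
+
+r = bpf_program_deserialize_attachment(v, fds, &p);
+if (r < 0)
+return r;
+
+r = set_ensure_consume(bpfsetp, &bpf_program_hash_ops, p);
+if (r < 0)
+return r;
+
+return 0;
+}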
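Review bot: bpf_program_deserialize_attachment() accepts whatever fd number fdset_remove() hands back and wraps it in a BPFProgram without confirming that it refers to a BPF program, so a stale or misnumbered record in the serialization would turn into an object whose later detach and close act on whatever that fd happens to be; bpf_program_get_id_by_fd() from the same file is a cheap check to run before the allocation, `uint32_t id; r = bpf_program_get_id_by_fd(fd, &id); if (r < 0) return r;`. The record also carries no prog_type, so the field is restored as BPF_PROG_TYPE_UNSPEC; if any later code path consults it on a deserialized program, the type would have to be serialized as well, which is not visible from here. Finally, bpf_program_serialize_attachment() clears p->attached_path as soon as the record is written, and bpf_program_serialize_attachment_set() may already have done so for several entries before returning an error, so a serialization that is subsequently abandoned leaves programs attached to their cgroup with nothing left in the manager that would detach them; whether the caller can recover from that case is not shown in this change.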

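--- a/src/shared/bpf-program.h
+++ b/src/shared/bpf-program.h
@@ -3,8 +3,10 @@
 
 #include <linux/bpf.h>
 #include <stdint.h>
+#include <stdio.h>
 #include <sys/syscall.h>
 
+#include "fdset.h"
 #include "list.h"
 #include "macro.h"
 
@@ -38,6 +40,11 @@ int bpf_program_cgroup_detach(BPFProgram *p);
 int bpf_program_pin(int prog_fd, const char *bpffs_path);
 int bpf_program_get_id_by_fd(int prog_fd, uint32_t *ret_id);
 
+int bpf_program_serialize_attachment(FILE *f, FDSet *fds, const char *key, BPFProgram *p);
+int bpf_program_serialize_attachment_set(FILE *f, FDSet *fds, const char *key, Set *set);
+int bpf_program_deserialize_attachment(const char *v, FDSet *fds, BPFProgram **bpfp);
+int bpf_program_deserialize_attachment_set(const char *v, FDSet *fds, Set **bpfsetp);
+
 extern const struct hash_ops bpf_program_hash_ops;
 
 int bpf_map_new(enum bpf_map_type type, size_t key_size, size_t value_size, size_t max_entries, uint32_t flags);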
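Review bot: The four new prototypes carry no comment on the one contract detail a caller has to know: bpf_program_serialize_attachment() hands ownership of the attachment over to the serialization and resets p->attached_path to NULL on success, so freeing the BPFProgram afterwards no longer detaches it from the cgroup, and bpf_program_serialize_attachment_set() does this for every entry of the set. A short comment above the declarations along the lines of `/* Serialize the attachment of p (kernel fd, attach type, cgroup path) to f; on success p->attached_path is cleared so that freeing p no longer detaches it. */` and `/* Deserialize one such record: the fd is removed from fds and the resulting program replaces *bpfp (or is added to *bpfsetp). */` would put this where callers look first.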
