From 0848715cab537f83f51a51f32c9ce2507d23928c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Fri, 8 Nov 2019 20:33:10 +0100
Subject: [PATCH] bpf: make bpf_devices_apply_policy() independent of any unit code

---
 src/core/bpf-devices.c | 26 +++++++++++++++-----------
 src/core/bpf-devices.h | 11 ++++++++---
 src/core/cgroup.c | 2 +-
 3 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/src/core/bpf-devices.c b/src/core/bpf-devices.c
index dd38a61..49c8456 100644
--- a/src/core/bpf-devices.c
+++ b/src/core/bpf-devices.c
@@ -159,13 +159,18 @@ int bpf_devices_cgroup_init(BPFProgram **ret, CGroupDevicePolicy policy, bool wh
 return 0;
 }
 
-int bpf_devices_apply_policy(Unit *u, BPFProgram *prog, CGroupDevicePolicy policy, bool whitelist) {
-_cleanup_free_ char *path = NULL;
+int bpf_devices_apply_policy(
+BPFProgram *prog,
+CGroupDevicePolicy policy,
+bool whitelist,
+const char *cgroup_path,
+BPFProgram **prog_installed) {
 int r;
 
+/* This will assign *keep_program if everything goes well. */
 if (!prog) {
 /* Remove existing program. */
-u->bpf_device_control_installed = bpf_program_unref(u->bpf_device_control_installed);
+*prog_installed = bpf_program_unref(*prog_installed);
 return 0;
 }
 
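Review bot: The comment added above `if (!prog)` refers to `*keep_program`, a name that does not exist in the new signature, whose out-parameter is `prog_installed`; it should read `/* On success *prog_installed is replaced by a reference to the installed program. */`. The same hunk dereferences `*prog_installed` on the removal path (and the next hunk does so again before the final assignment) with no guard on `prog_installed` itself, so an `assert(prog_installed);` next to `int r;` would make the new contract explicit, assuming the file uses entry assertions as the rest of the tree appears to. The function body continues in the next hunk.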
@@ -201,20 +206,19 @@ int bpf_devices_apply_policy(Unit *u, BPFProgram *prog, CGroupDevicePolicy polic
 if (r < 0)
 return log_error_errno(r, "Extending device control BPF program failed: %m");
 
-r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, NULL, &path);
+_cleanup_free_ char *controller_path = NULL;
+r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, NULL, &controller_path);
 if (r < 0)
 return log_error_errno(r, "Failed to determine cgroup path: %m");
 
-r = bpf_program_cgroup_attach(prog, BPF_CGROUP_DEVICE, path, BPF_F_ALLOW_MULTI);
+r = bpf_program_cgroup_attach(prog, BPF_CGROUP_DEVICE, controller_path, BPF_F_ALLOW_MULTI);
 if (r < 0)
-return log_error_errno(r, "Attaching device control BPF program to cgroup %s failed: %m", path);
+return log_error_errno(r, "Attaching device control BPF program to cgroup %s failed: %m",
+cgroup_path);
 
 /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program. */
-u->bpf_device_control_installed = bpf_program_unref(u->bpf_device_control_installed);
-
-/* Remember that this BPF program is installed now. */
-u->bpf_device_control_installed = bpf_program_ref(prog);
-
+bpf_program_unref(*prog_installed);
+*prog_installed = bpf_program_ref(prog);
 return 0;
 }
 
diff --git a/src/core/bpf-devices.h b/src/core/bpf-devices.h
index cd5f074..4a5f4b1 100644
--- a/src/core/bpf-devices.h
+++ b/src/core/bpf-devices.h
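Review bot: The attach-failure log on the new side prints `cgroup_path`, while the `bpf_program_cgroup_attach()` call two lines above was given `controller_path`, so on failure the message no longer names the path that was actually handed to the attach call; either log `controller_path` there or include both, e.g. `"Attaching device control BPF program to cgroup %s (%s) failed: %m", cgroup_path, controller_path`. The unchanged comment above the rewritten `bpf_program_unref(*prog_installed);` still says the old program is dropped "right before attaching the new program", but on the new side, as on the old, the unref runs after the attach has already succeeded; since both lines under it were rewritten, rewording it to `/* Unref the old BPF program (which will implicitly detach it) now that the new one is attached. */` would keep it accurate. The function begins in the previous hunk.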
@@ -3,12 +3,17 @@
 
 #include
 
-#include "unit.h"
+#include "cgroup.h"
 
-struct BPFProgram;
+typedef struct BPFProgram BPFProgram;
 
 int bpf_devices_cgroup_init(BPFProgram **ret, CGroupDevicePolicy policy, bool whitelist);
-int bpf_devices_apply_policy(Unit *u, BPFProgram *prog, CGroupDevicePolicy policy, bool whitelist);
+int bpf_devices_apply_policy(
+BPFProgram *prog,
+CGroupDevicePolicy policy,
+bool whitelist,
+const char *cgroup_path,
+BPFProgram **prog_installed);
 
 int bpf_devices_supported(void);
 int bpf_devices_whitelist_device(BPFProgram *prog, const char *path, const char *node, const char *acc);
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 10273b4..5f9a6b6 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -1013,7 +1013,7 @@ static int cgroup_apply_devices(Unit *u) {
 log_unit_debug(u, "Ignoring device '%s' while writing cgroup attribute.", a->path);
 }
 
-r = bpf_devices_apply_policy(u, prog, c->device_policy, c->device_allow);
+r = bpf_devices_apply_policy(prog, c->device_policy, c->device_allow, path, &u->bpf_device_control_installed);
 if (r < 0) {
 static bool warned = false;
 
-- 
2.7.4
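Review bot: The new prototype of `bpf_devices_apply_policy()` in bpf-devices.h carries no documentation of its ownership contract, which is now only discoverable from the .c file: the function takes its own reference to `prog`, drops whatever `*prog_installed` previously held, and with `prog == NULL` performs only that drop. A short comment above the declaration stating those three points, and that `cgroup_path` is resolved through `cg_get_path()` before attaching, would let callers use it without reading the implementation. Replacing `#include "unit.h"` with `#include "cgroup.h"` presumably supplies `CGroupDevicePolicy`; worth confirming cgroup.h does not itself include unit.h, which would undo the decoupling the commit is after.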
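Review bot: The rewritten call in cgroup_apply_devices() packs five arguments onto one long line while the commit itself lays out the matching prototype one parameter per line; wrapping it as `r = bpf_devices_apply_policy(prog, c->device_policy, c->device_allow,` / `path, &u->bpf_device_control_installed);` would keep the two consistent. `path` is defined outside the hunk, so whether it holds the unit's cgroup path cannot be confirmed here; the enclosing function starts before the hunk and its error handling continues after it.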