core: rename restrict-ifaces.[ch] → bpf-restrict-ifaces.[ch]
Let's also clean up the naming of the "restrict-ifaces" BPF code. Let's name the userspace glue analogously to the actual BPF code in src/core/bpf.
@@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include "fd-util.h"
|
||||
#include "restrict-ifaces.h"
|
||||
#include "bpf-restrict-ifaces.h"
|
||||
#include "netlink-util.h"
|
||||
|
||||
#if BPF_FRAMEWORK
|
||||
@@ -72,7 +72,7 @@ static int prepare_restrict_ifaces_bpf(
|
||||
return 0;
|
||||
}
|
||||
|
||||
int restrict_network_interfaces_supported(void) {
|
||||
int bpf_restrict_ifaces_supported(void) {
|
||||
_cleanup_(restrict_ifaces_bpf_freep) struct restrict_ifaces_bpf *obj = NULL;
|
||||
static int supported = -1;
|
||||
int r;
|
||||
@@ -97,7 +97,7 @@ int restrict_network_interfaces_supported(void) {
|
||||
return (supported = bpf_can_link_program(obj->progs.sd_restrictif_i));
|
||||
}
|
||||
|
||||
static int restrict_network_interfaces_install_impl(Unit *u) {
|
||||
static int restrict_ifaces_install_impl(Unit *u) {
|
||||
_cleanup_(bpf_link_freep) struct bpf_link *egress_link = NULL, *ingress_link = NULL;
|
||||
_cleanup_(restrict_ifaces_bpf_freep) struct restrict_ifaces_bpf *obj = NULL;
|
||||
_cleanup_free_ char *cgroup_path = NULL;
|
||||
@@ -143,13 +143,15 @@ static int restrict_network_interfaces_install_impl(Unit *u) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int restrict_network_interfaces_install(Unit *u) {
|
||||
int r = restrict_network_interfaces_install_impl(u);
|
||||
int bpf_restrict_ifaces_install(Unit *u) {
|
||||
int r;
|
||||
|
||||
r = restrict_ifaces_install_impl(u);
|
||||
fdset_close(u->initial_restric_ifaces_link_fds);
|
||||
return r;
|
||||
}
|
||||
|
||||
int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds) {
|
||||
int bpf_restrict_ifaces_serialize(Unit *u, FILE *f, FDSet *fds) {
|
||||
int r;
|
||||
|
||||
assert(u);
|
||||
@@ -161,7 +163,7 @@ int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds) {
|
||||
return bpf_serialize_link(f, fds, "restrict-ifaces-bpf-fd", u->restrict_ifaces_egress_bpf_link);
|
||||
}
|
||||
|
||||
int restrict_network_interfaces_add_initial_link_fd(Unit *u, int fd) {
|
||||
int bpf_restrict_ifaces_add_initial_link_fd(Unit *u, int fd) {
|
||||
int r;
|
||||
|
||||
assert(u);
|
||||
@@ -181,20 +183,20 @@ int restrict_network_interfaces_add_initial_link_fd(Unit *u, int fd) {
|
||||
}
|
||||
|
||||
#else /* ! BPF_FRAMEWORK */
|
||||
int restrict_network_interfaces_supported(void) {
|
||||
int bpf_restrict_ifaces_supported(void) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int restrict_network_interfaces_install(Unit *u) {
|
||||
int bpf_restrict_ifaces_install(Unit *u) {
|
||||
return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||
"restrict-interfaces: Failed to install; BPF programs built from source code are not supported: %m");
|
||||
}
|
||||
|
||||
int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds) {
|
||||
int bpf_restrict_ifaces_serialize(Unit *u, FILE *f, FDSet *fds) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int restrict_network_interfaces_add_initial_link_fd(Unit *u, int fd) {
|
||||
int bpf_restrict_ifaces_add_initial_link_fd(Unit *u, int fd) {
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
@@ -6,11 +6,11 @@
|
||||
|
||||
typedef struct Unit Unit;
|
||||
|
||||
int restrict_network_interfaces_supported(void);
|
||||
int restrict_network_interfaces_install(Unit *u);
|
||||
int bpf_restrict_ifaces_supported(void);
|
||||
int bpf_restrict_ifaces_install(Unit *u);
|
||||
|
||||
int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds);
|
||||
int bpf_restrict_ifaces_serialize(Unit *u, FILE *f, FDSet *fds);
|
||||
|
||||
/* Add BPF link fd created before daemon-reload or daemon-reexec.
|
||||
* FDs will be closed at the end of restrict_network_interfaces_install. */
|
||||
int restrict_network_interfaces_add_initial_link_fd(Unit *u, int fd);
|
||||
int bpf_restrict_ifaces_add_initial_link_fd(Unit *u, int fd);
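Review bot: The comment above `bpf_restrict_ifaces_add_initial_link_fd()` still names the old function: it says the FDs are closed at the end of `restrict_network_interfaces_install`, which this commit renames to `bpf_restrict_ifaces_install`. That comment is the only statement on this page of who closes the link fds carried across daemon-reload or daemon-reexec, so it should point to a symbol that still exists: `* FDs will be closed at the end of bpf_restrict_ifaces_install(). */`. The renamed wrapper also closes `u->initial_restric_ifaces_link_fds`, whose name is missing a "t"; a naming clean-up is a reasonable place to fix that, though the field's declaration is not shown here.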
|
||||
@@ -10,6 +10,7 @@
|
||||
#include "bpf-devices.h"
|
||||
#include "bpf-firewall.h"
|
||||
#include "bpf-foreign.h"
|
||||
#include "bpf-restrict-ifaces.h"
|
||||
#include "bpf-socket-bind.h"
|
||||
#include "btrfs-util.h"
|
||||
#include "bus-error.h"
|
||||
@@ -32,7 +33,6 @@
|
||||
#include "percent-util.h"
|
||||
#include "process-util.h"
|
||||
#include "procfs-util.h"
|
||||
#include "restrict-ifaces.h"
|
||||
#include "set.h"
|
||||
#include "special.h"
|
||||
#include "stdio-util.h"
|
||||
@@ -1849,7 +1849,7 @@ static void cgroup_apply_socket_bind(Unit *u) {
|
||||
static void cgroup_apply_restrict_network_interfaces(Unit *u) {
|
||||
assert(u);
|
||||
|
||||
(void) restrict_network_interfaces_install(u);
|
||||
(void) bpf_restrict_ifaces_install(u);
|
||||
}
|
||||
|
||||
static int cgroup_apply_devices(Unit *u) {
|
||||
@@ -3987,7 +3987,7 @@ static int cg_bpf_mask_supported(CGroupMask *ret) {
|
||||
mask |= CGROUP_MASK_BPF_SOCKET_BIND;
|
||||
|
||||
/* BPF-based cgroup_skb/{egress|ingress} hooks */
|
||||
r = restrict_network_interfaces_supported();
|
||||
r = bpf_restrict_ifaces_supported();
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r > 0)
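Review bot: In `cgroup_apply_restrict_network_interfaces()` the result of `bpf_restrict_ifaces_install(u)` is cast to `(void)`, so when attaching the interface filter fails the unit keeps running without the restriction it was configured with. In the `!BPF_FRAMEWORK` stub shown earlier in this commit the failure is reported only through `log_unit_debug_errno()`, which is easy to miss at default log levels; whether the real implementation or the configuration parser warns more loudly is not visible on this page. If best-effort is the intent, state it at the call site, e.g. `/* Best-effort: on failure the unit runs without interface restriction; the callee logs the reason */`, and consider a warning-level message when the unit actually has interfaces configured.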
|
||||
|
||||
@@ -8,6 +8,7 @@ libcore_sources = files(
|
||||
'bpf-firewall.c',
|
||||
'bpf-foreign.c',
|
||||
'bpf-restrict-fs.c',
|
||||
'bpf-restrict-ifaces.c',
|
||||
'bpf-socket-bind.c',
|
||||
'cgroup.c',
|
||||
'core-varlink.c',
|
||||
@@ -51,7 +52,6 @@ libcore_sources = files(
|
||||
'mount.c',
|
||||
'namespace.c',
|
||||
'path.c',
|
||||
'restrict-ifaces.c',
|
||||
'scope.c',
|
||||
'selinux-access.c',
|
||||
'selinux-setup.c',
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include "bpf-restrict-ifaces.h"
|
||||
#include "bpf-socket-bind.h"
|
||||
#include "bus-util.h"
|
||||
#include "dbus.h"
|
||||
@@ -7,7 +8,6 @@
|
||||
#include "fileio.h"
|
||||
#include "format-util.h"
|
||||
#include "parse-util.h"
|
||||
#include "restrict-ifaces.h"
|
||||
#include "serialize.h"
|
||||
#include "string-table.h"
|
||||
#include "unit-serialize.h"
|
||||
@@ -199,7 +199,7 @@ int unit_serialize_state(Unit *u, FILE *f, FDSet *fds, bool switching_root) {
|
||||
(void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-ingress-installed", u->ip_bpf_custom_ingress_installed);
|
||||
(void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-egress-installed", u->ip_bpf_custom_egress_installed);
|
||||
|
||||
(void) serialize_restrict_network_interfaces(u, f, fds);
|
||||
(void) bpf_restrict_ifaces_serialize(u, f, fds);
|
||||
|
||||
if (uid_is_valid(u->ref_uid))
|
||||
(void) serialize_item_format(f, "ref-uid", UID_FMT, u->ref_uid);
|
||||
@@ -445,7 +445,7 @@ int unit_deserialize_state(Unit *u, FILE *f, FDSet *fds) {
|
||||
|
||||
fd = deserialize_fd(fds, v);
|
||||
if (fd >= 0)
|
||||
(void) restrict_network_interfaces_add_initial_link_fd(u, fd);
|
||||
(void) bpf_restrict_ifaces_add_initial_link_fd(u, fd);
|
||||
|
||||
continue;
|
||||
|
||||
|
||||