morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 08:25:20 +09:00
Code Issues Packages Projects Releases Wiki Activity

core/bpf-devices: drop cgroup v1 support

Browse Source
This commit is contained in:
Yu Watanabe
2025-04-07 04:43:36 +09:00
parent 4ee64e4365
commit ff7f99db30
2 changed files with 12 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
src/core/bpf-devices.c
View File

@@ -261,11 +261,10 @@ int bpf_devices_supported(void) {
static int supported = -1;
int r;
/* Checks whether BPF device controller is supported. For this, we check five things:
/* Checks whether BPF device controller is supported. For this, we check two things:
*
* a) whether we are privileged
* b) whether the unified hierarchy is being used
* c) the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_DEVICE programs, which we require
* b) the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_DEVICE programs, which we require
*/
if (supported >= 0)
@@ -276,14 +275,6 @@ int bpf_devices_supported(void) {
return supported = 0;
}
r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
if (r < 0)
return log_error_errno(r, "Can't determine whether the unified hierarchy is used: %m");
if (r == 0) {
log_debug("Not running with unified cgroups, BPF device control is not supported.");
return supported = 0;
}
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, "sd_devices", &program);
if (r < 0) {
log_debug_errno(r, "Can't allocate CGROUP DEVICE BPF program, BPF device control is not supported: %m");
@@ -315,38 +306,15 @@ static int allow_list_device_pattern(
assert(IN_SET(type, 'b', 'c'));
if (cg_all_unified() > 0) {
if (!prog)
return 0;
if (!prog)
return 0;
if (major != UINT_MAX && minor != UINT_MAX)
return bpf_prog_allow_list_device(prog, type, major, minor, p);
else if (major != UINT_MAX)
return bpf_prog_allow_list_major(prog, type, major, p);
else
return bpf_prog_allow_list_class(prog, type, p);
if (major != UINT_MAX && minor != UINT_MAX)
return bpf_prog_allow_list_device(prog, type, major, minor, p);
if (major != UINT_MAX)
return bpf_prog_allow_list_major(prog, type, major, p);
} else {
char buf[2+DECIMAL_STR_MAX(unsigned)*2+2+4];
int r;
if (major != UINT_MAX && minor != UINT_MAX)
xsprintf(buf, "%c %u:%u %s", type, major, minor, cgroup_device_permissions_to_string(p));
else if (major != UINT_MAX)
xsprintf(buf, "%c %u:* %s", type, major, cgroup_device_permissions_to_string(p));
else
xsprintf(buf, "%c *:* %s", type, cgroup_device_permissions_to_string(p));
/* Changing the devices list of a populated cgroup might result in EINVAL, hence ignore
* EINVAL here. */
r = cg_set_attribute("devices", path, "devices.allow", buf);
if (r < 0)
log_full_errno(IN_SET(r, -ENOENT, -EROFS, -EINVAL, -EACCES, -EPERM) ? LOG_DEBUG : LOG_WARNING,
r, "Failed to set devices.allow on %s: %m", path);
return r;
}
return bpf_prog_allow_list_class(prog, type, p);
}
int bpf_devices_allow_list_device(

20
src/core/cgroup.c
View File

@@ -1645,23 +1645,9 @@ static int cgroup_apply_devices(Unit *u) {
policy = c->device_policy;
if (cg_all_unified() > 0) {
r = bpf_devices_cgroup_init(&prog, policy, c->device_allow);
if (r < 0)
return log_unit_warning_errno(u, r, "Failed to initialize device control bpf program: %m");
} else {
/* Changing the devices list of a populated cgroup might result in EINVAL, hence ignore
* EINVAL here. */
if (c->device_allow || policy != CGROUP_DEVICE_POLICY_AUTO)
r = cg_set_attribute("devices", crt->cgroup_path, "devices.deny", "a");
else
r = cg_set_attribute("devices", crt->cgroup_path, "devices.allow", "a");
if (r < 0)
log_unit_full_errno(u, IN_SET(r, -ENOENT, -EROFS, -EINVAL, -EACCES, -EPERM) ? LOG_DEBUG : LOG_WARNING, r,
"Failed to reset devices.allow/devices.deny: %m");
}
r = bpf_devices_cgroup_init(&prog, policy, c->device_allow);
if (r < 0)
return log_unit_warning_errno(u, r, "Failed to initialize device control bpf program: %m");
bool allow_list_static = policy == CGROUP_DEVICE_POLICY_CLOSED ||
(policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow);