diff --git a/SOURCES/17495.patch b/SOURCES/17495.patch
index fc6302c..d71f54e 100644
--- a/SOURCES/17495.patch
+++ b/SOURCES/17495.patch
@@ -1,8 +1,7 @@
-From 5adb2f01405d7cb7ba3cf9d4ee035f57952f79a6 Mon Sep 17 00:00:00 2001
+From 4e42210d40f96e185a55d43041dd6b962ea830dd Mon Sep 17 00:00:00 2001
From: Chris Down <chris@chrisdown.name>
Date: Thu, 29 Oct 2020 12:03:52 +0000
-Subject: [PATCH 3/3] bpf: pid1: Pin reference to BPF programs for
- post-coldplug
+Subject: [PATCH] bpf: pid1: Pin reference to BPF programs for post-coldplug
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -75,47 +74,47 @@ approach with reference pinning is immediately tangible.
6 files changed, 189 insertions(+), 7 deletions(-)
diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
-index 99783aca22..c205ba1b19 100644
+index 0f588b6ca5f..6283f15737b 100644
--- a/src/core/bpf-firewall.c
+++ b/src/core/bpf-firewall.c
-@@ -702,8 +702,7 @@ int bpf_firewall_install(Unit *u) {
+@@ -698,8 +698,7 @@ int bpf_firewall_install(Unit *u) {
if (r < 0)
return log_unit_error_errno(u, r, "Failed to determine cgroup path: %m");
-
+
- flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI &&
- (u->type == UNIT_SLICE || unit_cgroup_delegate(u))) ? BPF_F_ALLOW_MULTI : 0;
+ flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI) ? BPF_F_ALLOW_MULTI : 0;
-
+
/* Unref the old BPF program (which will implicitly detach it) right before attaching the new program, to
* minimize the time window when we don't account for IP traffic. */
-@@ -711,8 +710,7 @@ int bpf_firewall_install(Unit *u) {
+@@ -707,8 +706,7 @@ int bpf_firewall_install(Unit *u) {
u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed);
-
+
if (u->ip_bpf_egress) {
- r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path,
- flags | (set_isempty(u->ip_bpf_custom_egress) ? 0 : BPF_F_ALLOW_MULTI));
+ r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, flags);
if (r < 0)
return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path);
-
-@@ -721,8 +719,7 @@ int bpf_firewall_install(Unit *u) {
+
+@@ -717,8 +715,7 @@ int bpf_firewall_install(Unit *u) {
}
-
+
if (u->ip_bpf_ingress) {
- r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path,
- flags | (set_isempty(u->ip_bpf_custom_ingress) ? 0 : BPF_F_ALLOW_MULTI));
+ r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, flags);
if (r < 0)
return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path);
-
+
diff --git a/src/core/main.c b/src/core/main.c
-index a280b756ff..2ace4cb89c 100644
+index eaa56aca2a4..0edf8c0abad 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1144,6 +1144,14 @@ static int prepare_reexecute(
if (!fds)
return log_oom();
-
+
+ /* We need existing BPF programs to survive reload, otherwise there will be a period where no BPF
+ * program is active during task execution within a cgroup. This would be bad since this may have
+ * security or reliability implications: devices we should filter won't be filtered, network activity
@@ -130,13 +129,13 @@ index a280b756ff..2ace4cb89c 100644
@@ -1159,6 +1167,7 @@ static int prepare_reexecute(
if (r < 0)
return log_error_errno(r, "Failed to disable O_CLOEXEC for serialization fds: %m");
-
+
+ TAKE_PTR(m_unpin);
*ret_f = TAKE_PTR(f);
*ret_fds = TAKE_PTR(fds);
-
+
diff --git a/src/core/manager.c b/src/core/manager.c
-index a1d6f7cc10..b373d27844 100644
+index 4b215a61766..c330a02bf79 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -65,6 +65,7 @@
@@ -147,10 +146,10 @@ index a1d6f7cc10..b373d27844 100644
#include "signal-util.h"
#include "socket-util.h"
#include "special.h"
-@@ -3217,6 +3218,79 @@ static void manager_serialize_gid_refs(Manager *m, FILE *f) {
+@@ -3213,6 +3214,79 @@ static void manager_serialize_gid_refs(Manager *m, FILE *f) {
manager_serialize_uid_refs_internal(m, f, &m->gid_refs, "destroy-ipc-gid");
}
-
+
+static int serialize_limbo_bpf_program(FILE *f, FDSet *fds, BPFProgram *p) {
+ int copy;
+ _cleanup_free_ char *ap = NULL;
@@ -227,40 +226,40 @@ index a1d6f7cc10..b373d27844 100644
int manager_serialize(
Manager *m,
FILE *f,
-@@ -3226,6 +3300,7 @@ int manager_serialize(
+@@ -3222,6 +3296,7 @@ int manager_serialize(
const char *t;
Unit *u;
int r;
+ BPFProgram *p;
-
+
assert(m);
assert(f);
-@@ -3270,6 +3345,9 @@ int manager_serialize(
+@@ -3266,6 +3341,9 @@ int manager_serialize(
(void) serialize_dual_timestamp(f, joined, m->timestamps + q);
}
-
+
+ SET_FOREACH(p, m->bpf_limbo_progs)
+ (void) serialize_limbo_bpf_program(f, fds, p);
+
if (!switching_root)
(void) serialize_strv(f, "env", m->client_environment);
-
-@@ -3588,7 +3666,10 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {
+
+@@ -3584,7 +3662,10 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {
else
m->n_failed_jobs += n;
-
+
- } else if ((val = startswith(l, "taint-usr="))) {
+ } else if ((val = startswith(l, "bpf-limbo=")))
+ deserialize_limbo_bpf_program(m, fds, val);
+
+ else if ((val = startswith(l, "taint-usr="))) {
int b;
-
+
b = parse_boolean(val);
-@@ -3764,6 +3845,65 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {
+@@ -3760,6 +3841,65 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {
return manager_deserialize_units(m, f, fds);
}
-
+
+Manager* manager_pin_all_cgroup_bpf_programs(Manager *m) {
+ int r;
+ Unit *u;
@@ -323,10 +322,10 @@ index a1d6f7cc10..b373d27844 100644
int manager_reload(Manager *m) {
_cleanup_(manager_reloading_stopp) Manager *reloading = NULL;
_cleanup_fdset_free_ FDSet *fds = NULL;
-@@ -3783,6 +3923,13 @@ int manager_reload(Manager *m) {
+@@ -3779,6 +3919,13 @@ int manager_reload(Manager *m) {
/* We are officially in reload mode from here on. */
reloading = manager_reloading_start(m);
-
+
+ /* We need existing BPF programs to survive reload, otherwise there will be a period where no BPF
+ * program is active during task execution within a cgroup. This would be bad since this may have
+ * security or reliability implications: devices we should filter won't be filtered, network activity
@@ -337,10 +336,10 @@ index a1d6f7cc10..b373d27844 100644
r = manager_serialize(m, f, fds, false);
if (r < 0)
return r;
-@@ -3807,6 +3954,12 @@ int manager_reload(Manager *m) {
+@@ -3803,6 +3950,12 @@ int manager_reload(Manager *m) {
m->uid_refs = hashmap_free(m->uid_refs);
m->gid_refs = hashmap_free(m->gid_refs);
-
+
+ /* The only canonical reference left to the dynamically allocated parts of these BPF programs is
+ * going to be on the other side of manager_deserialize, so the freeable parts can now be freed. The
+ * program itself will be detached as part of manager_vacuum. */
@@ -350,8 +349,8 @@ index a1d6f7cc10..b373d27844 100644
r = lookup_paths_init(&m->lookup_paths, m->unit_file_scope, 0, NULL);
if (r < 0)
log_warning_errno(r, "Failed to initialize path lookup table, ignoring: %m");
-@@ -4741,6 +4894,12 @@ static void manager_vacuum(Manager *m) {
-
+@@ -4737,6 +4890,12 @@ static void manager_vacuum(Manager *m) {
+
/* Release any runtimes no longer referenced */
exec_runtime_vacuum(m);
+
@@ -361,10 +360,10 @@ index a1d6f7cc10..b373d27844 100644
+ (void) manager_dispatch_cgroup_realize_queue(m);
+ manager_unpin_all_cgroup_bpf_programs(m);
}
-
+
int manager_dispatch_user_lookup_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
diff --git a/src/core/manager.h b/src/core/manager.h
-index 19df889dd8..2c4a2b6063 100644
+index 19df889dd89..2c4a2b60632 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -438,6 +438,8 @@ struct Manager {
@@ -374,12 +373,12 @@ index 19df889dd8..2c4a2b6063 100644
+
+ Set *bpf_limbo_progs;
};
-
+
static inline usec_t manager_default_timeout_abort_usec(Manager *m) {
@@ -479,6 +481,10 @@ int manager_add_job_by_name(Manager *m, JobType type, const char *name, JobMode
int manager_add_job_by_name_and_warn(Manager *m, JobType type, const char *name, JobMode mode, Set *affected_jobs, Job **ret);
int manager_propagate_reload(Manager *m, Unit *unit, JobMode mode, sd_bus_error *e);
-
+
+Manager* manager_pin_all_cgroup_bpf_programs(Manager *m);
+void manager_unpin_all_cgroup_bpf_programs(Manager *m);
+DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_unpin_all_cgroup_bpf_programs);
@@ -388,13 +387,13 @@ index 19df889dd8..2c4a2b6063 100644
void manager_dump_jobs(Manager *s, FILE *f, const char *prefix);
void manager_dump(Manager *s, FILE *f, const char *prefix);
diff --git a/src/shared/bpf-program.c b/src/shared/bpf-program.c
-index 10239142af..549490da6c 100644
+index 10239142af3..549490da6ce 100644
--- a/src/shared/bpf-program.c
+++ b/src/shared/bpf-program.c
@@ -209,6 +209,16 @@ int bpf_program_cgroup_detach(BPFProgram *p) {
return 0;
}
-
+
+void bpf_program_skeletonize(BPFProgram *p) {
+ assert(p);
+
@@ -409,7 +408,7 @@ index 10239142af..549490da6c 100644
union bpf_attr attr;
int fd;
diff --git a/src/shared/bpf-program.h b/src/shared/bpf-program.h
-index eef77f9d8e..5957a6ce30 100644
+index eef77f9d8e1..5957a6ce300 100644
--- a/src/shared/bpf-program.h
+++ b/src/shared/bpf-program.h
@@ -28,6 +28,7 @@ struct BPFProgram {
@@ -417,9 +416,6 @@ index eef77f9d8e..5957a6ce30 100644
BPFProgram *bpf_program_unref(BPFProgram *p);
BPFProgram *bpf_program_ref(BPFProgram *p);
+void bpf_program_skeletonize(BPFProgram *p);
-
+
int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, size_t count);
int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size);
---
-2.29.2
-
diff --git a/SOURCES/17872.patch b/SOURCES/17872.patch
index ffedc20..fd1ff35 100644
--- a/SOURCES/17872.patch
+++ b/SOURCES/17872.patch
@@ -1,8 +1,7 @@
-From 963a018bade094e38a71bf1b7e10d37b44225836 Mon Sep 17 00:00:00 2001
+From 5b98412c6f0cb9e63a7c8f795064d2043cc0baaa Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sun, 6 Dec 2020 22:29:43 +0900
-Subject: [PATCH 2/3] core/namespace: use existing /proc when not enough
- priviledge
+Subject: [PATCH] core/namespace: use existing /proc when not enough priviledge
Fixes #17860.
---
@@ -10,7 +9,7 @@ Fixes #17860.
1 file changed, 34 insertions(+), 27 deletions(-)
diff --git a/src/core/namespace.c b/src/core/namespace.c
-index cdf427a6ea..8560ad9a75 100644
+index cdf427a6ea9..8560ad9a754 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -859,25 +859,15 @@ static int mount_sysfs(const MountEntry *m) {
@@ -97,6 +96,3 @@ index cdf427a6ea..8560ad9a75 100644
return 1;
}
---
-2.29.2
-
diff --git a/SOURCES/18211.patch b/SOURCES/18211.patch
index 15a2d9b..922721d 100644
--- a/SOURCES/18211.patch
+++ b/SOURCES/18211.patch
@@ -1,7 +1,7 @@
-From 51f14e78a2ae0a971af1ce3cfcbbf8ca8250ca22 Mon Sep 17 00:00:00 2001
+From 1d225dbe60540867624da8f099852881f28f4293 Mon Sep 17 00:00:00 2001
From: Anita Zhang <the.anitazha@gmail.com>
Date: Mon, 11 Jan 2021 20:04:20 -0800
-Subject: [PATCH 1/3] core: update setings on the unit and job as the result of
+Subject: [PATCH] core: update setings on the unit and job as the result of
ExecCondition=
Update ExecCondition= to set Unit->condition_result and return JOB_DONE
@@ -17,7 +17,7 @@ Fixes: #18207
4 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/core/job.c b/src/core/job.c
-index f3c1a02831..7d5c288ea4 100644
+index f3c1a028316..7d5c288ea41 100644
--- a/src/core/job.c
+++ b/src/core/job.c
@@ -882,8 +882,7 @@ static void job_log_done_status_message(Unit *u, uint32_t job_id, JobType t, Job
@@ -31,10 +31,10 @@ index f3c1a02831..7d5c288ea4 100644
"MESSAGE=Condition check resulted in %s being skipped.", unit_status_string(u),
"JOB_ID=%" PRIu32, job_id,
diff --git a/src/core/service.c b/src/core/service.c
-index d7bdeb7cca..3b144153f4 100644
+index b1a4d0bf181..93cf711de42 100644
--- a/src/core/service.c
+++ b/src/core/service.c
-@@ -1129,8 +1129,7 @@ static void service_set_state(Service *s, ServiceState state) {
+@@ -1105,8 +1105,7 @@ static void service_set_state(Service *s, ServiceState state) {
unit_notify(UNIT(s), table[old_state], table[state],
(s->reload_result == SERVICE_SUCCESS ? 0 : UNIT_NOTIFY_RELOAD_FAILURE) |
@@ -44,7 +44,7 @@ index d7bdeb7cca..3b144153f4 100644
}
static usec_t service_coldplug_timeout(Service *s) {
-@@ -3546,10 +3545,6 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
+@@ -3521,10 +3520,6 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
} else if (s->control_pid == pid) {
s->control_pid = 0;
@@ -55,7 +55,7 @@ index d7bdeb7cca..3b144153f4 100644
if (s->control_command) {
exec_status_exit(&s->control_command->exec_status, &s->exec_context, pid, code, status);
-@@ -3557,6 +3552,15 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
+@@ -3532,6 +3527,15 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
f = SERVICE_SUCCESS;
}
@@ -71,7 +71,7 @@ index d7bdeb7cca..3b144153f4 100644
unit_log_process_exit(
u,
"Control process",
-@@ -4601,7 +4605,6 @@ const UnitVTable service_vtable = {
+@@ -4576,7 +4580,6 @@ const UnitVTable service_vtable = {
},
.finished_start_job = {
[JOB_FAILED] = "Failed to start %s.",
@@ -80,10 +80,10 @@ index d7bdeb7cca..3b144153f4 100644
.finished_stop_job = {
[JOB_DONE] = "Stopped %s.",
diff --git a/src/core/unit.c b/src/core/unit.c
-index 45a417a090..9614fb84aa 100644
+index e209efd4a66..53273b5984b 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
-@@ -2561,8 +2561,6 @@ static bool unit_process_job(Job *j, UnitActiveState ns, UnitNotifyFlags flags)
+@@ -2559,8 +2559,6 @@ static bool unit_process_job(Job *j, UnitActiveState ns, UnitNotifyFlags flags)
if (UNIT_IS_INACTIVE_OR_FAILED(ns)) {
if (ns == UNIT_FAILED)
result = JOB_FAILED;
@@ -93,7 +93,7 @@ index 45a417a090..9614fb84aa 100644
result = JOB_DONE;
diff --git a/src/core/unit.h b/src/core/unit.h
-index 02b2b24206..f040e9dfe6 100644
+index 02b2b24206f..f040e9dfe6f 100644
--- a/src/core/unit.h
+++ b/src/core/unit.h
@@ -738,7 +738,6 @@ int unit_kill_common(Unit *u, KillWho who, int signo, pid_t main_pid, pid_t cont
@@ -104,6 +104,3 @@ index 02b2b24206..f040e9dfe6 100644
} UnitNotifyFlags;
void unit_notify(Unit *u, UnitActiveState os, UnitActiveState ns, UnitNotifyFlags flags);
---
-2.29.2
-