diff --git a/SOURCES/17495.patch b/SOURCES/17495.patch index fc6302c..d71f54e 100644 --- a/SOURCES/17495.patch +++ b/SOURCES/17495.patch @@ -1,8 +1,7 @@ -From 5adb2f01405d7cb7ba3cf9d4ee035f57952f79a6 Mon Sep 17 00:00:00 2001 +From 4e42210d40f96e185a55d43041dd6b962ea830dd Mon Sep 17 00:00:00 2001 From: Chris Down Date: Thu, 29 Oct 2020 12:03:52 +0000 -Subject: [PATCH 3/3] bpf: pid1: Pin reference to BPF programs for - post-coldplug +Subject: [PATCH] bpf: pid1: Pin reference to BPF programs for post-coldplug MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -75,47 +74,47 @@ approach with reference pinning is immediately tangible. 6 files changed, 189 insertions(+), 7 deletions(-) diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c -index 99783aca22..c205ba1b19 100644 +index 0f588b6ca5f..6283f15737b 100644 --- a/src/core/bpf-firewall.c +++ b/src/core/bpf-firewall.c -@@ -702,8 +702,7 @@ int bpf_firewall_install(Unit *u) { +@@ -698,8 +698,7 @@ int bpf_firewall_install(Unit *u) { if (r < 0) return log_unit_error_errno(u, r, "Failed to determine cgroup path: %m"); - + - flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI && - (u->type == UNIT_SLICE || unit_cgroup_delegate(u))) ? BPF_F_ALLOW_MULTI : 0; + flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI) ? BPF_F_ALLOW_MULTI : 0; - + /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program, to * minimize the time window when we don't account for IP traffic. */ -@@ -711,8 +710,7 @@ int bpf_firewall_install(Unit *u) { +@@ -707,8 +706,7 @@ int bpf_firewall_install(Unit *u) { u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed); - + if (u->ip_bpf_egress) { - r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, - flags | (set_isempty(u->ip_bpf_custom_egress) ? 0 : BPF_F_ALLOW_MULTI)); + r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, flags); if (r < 0) return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path); - -@@ -721,8 +719,7 @@ int bpf_firewall_install(Unit *u) { + +@@ -717,8 +715,7 @@ int bpf_firewall_install(Unit *u) { } - + if (u->ip_bpf_ingress) { - r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, - flags | (set_isempty(u->ip_bpf_custom_ingress) ? 0 : BPF_F_ALLOW_MULTI)); + r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, flags); if (r < 0) return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path); - + diff --git a/src/core/main.c b/src/core/main.c -index a280b756ff..2ace4cb89c 100644 +index eaa56aca2a4..0edf8c0abad 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -1144,6 +1144,14 @@ static int prepare_reexecute( if (!fds) return log_oom(); - + + /* We need existing BPF programs to survive reload, otherwise there will be a period where no BPF + * program is active during task execution within a cgroup. This would be bad since this may have + * security or reliability implications: devices we should filter won't be filtered, network activity @@ -130,13 +129,13 @@ index a280b756ff..2ace4cb89c 100644 @@ -1159,6 +1167,7 @@ static int prepare_reexecute( if (r < 0) return log_error_errno(r, "Failed to disable O_CLOEXEC for serialization fds: %m"); - + + TAKE_PTR(m_unpin); *ret_f = TAKE_PTR(f); *ret_fds = TAKE_PTR(fds); - + diff --git a/src/core/manager.c b/src/core/manager.c -index a1d6f7cc10..b373d27844 100644 +index 4b215a61766..c330a02bf79 100644 --- a/src/core/manager.c +++ b/src/core/manager.c @@ -65,6 +65,7 @@ @@ -147,10 +146,10 @@ index a1d6f7cc10..b373d27844 100644 #include "signal-util.h" #include "socket-util.h" #include "special.h" -@@ -3217,6 +3218,79 @@ static void manager_serialize_gid_refs(Manager *m, FILE *f) { +@@ -3213,6 +3214,79 @@ static void manager_serialize_gid_refs(Manager *m, FILE *f) { manager_serialize_uid_refs_internal(m, f, &m->gid_refs, "destroy-ipc-gid"); } - + +static int serialize_limbo_bpf_program(FILE *f, FDSet *fds, BPFProgram *p) { + int copy; + _cleanup_free_ char *ap = NULL; @@ -227,40 +226,40 @@ index a1d6f7cc10..b373d27844 100644 int manager_serialize( Manager *m, FILE *f, -@@ -3226,6 +3300,7 @@ int manager_serialize( +@@ -3222,6 +3296,7 @@ int manager_serialize( const char *t; Unit *u; int r; + BPFProgram *p; - + assert(m); assert(f); -@@ -3270,6 +3345,9 @@ int manager_serialize( +@@ -3266,6 +3341,9 @@ int manager_serialize( (void) serialize_dual_timestamp(f, joined, m->timestamps + q); } - + + SET_FOREACH(p, m->bpf_limbo_progs) + (void) serialize_limbo_bpf_program(f, fds, p); + if (!switching_root) (void) serialize_strv(f, "env", m->client_environment); - -@@ -3588,7 +3666,10 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { + +@@ -3584,7 +3662,10 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { else m->n_failed_jobs += n; - + - } else if ((val = startswith(l, "taint-usr="))) { + } else if ((val = startswith(l, "bpf-limbo="))) + deserialize_limbo_bpf_program(m, fds, val); + + else if ((val = startswith(l, "taint-usr="))) { int b; - + b = parse_boolean(val); -@@ -3764,6 +3845,65 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { +@@ -3760,6 +3841,65 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { return manager_deserialize_units(m, f, fds); } - + +Manager* manager_pin_all_cgroup_bpf_programs(Manager *m) { + int r; + Unit *u; @@ -323,10 +322,10 @@ index a1d6f7cc10..b373d27844 100644 int manager_reload(Manager *m) { _cleanup_(manager_reloading_stopp) Manager *reloading = NULL; _cleanup_fdset_free_ FDSet *fds = NULL; -@@ -3783,6 +3923,13 @@ int manager_reload(Manager *m) { +@@ -3779,6 +3919,13 @@ int manager_reload(Manager *m) { /* We are officially in reload mode from here on. */ reloading = manager_reloading_start(m); - + + /* We need existing BPF programs to survive reload, otherwise there will be a period where no BPF + * program is active during task execution within a cgroup. This would be bad since this may have + * security or reliability implications: devices we should filter won't be filtered, network activity @@ -337,10 +336,10 @@ index a1d6f7cc10..b373d27844 100644 r = manager_serialize(m, f, fds, false); if (r < 0) return r; -@@ -3807,6 +3954,12 @@ int manager_reload(Manager *m) { +@@ -3803,6 +3950,12 @@ int manager_reload(Manager *m) { m->uid_refs = hashmap_free(m->uid_refs); m->gid_refs = hashmap_free(m->gid_refs); - + + /* The only canonical reference left to the dynamically allocated parts of these BPF programs is + * going to be on the other side of manager_deserialize, so the freeable parts can now be freed. The + * program itself will be detached as part of manager_vacuum. */ @@ -350,8 +349,8 @@ index a1d6f7cc10..b373d27844 100644 r = lookup_paths_init(&m->lookup_paths, m->unit_file_scope, 0, NULL); if (r < 0) log_warning_errno(r, "Failed to initialize path lookup table, ignoring: %m"); -@@ -4741,6 +4894,12 @@ static void manager_vacuum(Manager *m) { - +@@ -4737,6 +4890,12 @@ static void manager_vacuum(Manager *m) { + /* Release any runtimes no longer referenced */ exec_runtime_vacuum(m); + @@ -361,10 +360,10 @@ index a1d6f7cc10..b373d27844 100644 + (void) manager_dispatch_cgroup_realize_queue(m); + manager_unpin_all_cgroup_bpf_programs(m); } - + int manager_dispatch_user_lookup_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) { diff --git a/src/core/manager.h b/src/core/manager.h -index 19df889dd8..2c4a2b6063 100644 +index 19df889dd89..2c4a2b60632 100644 --- a/src/core/manager.h +++ b/src/core/manager.h @@ -438,6 +438,8 @@ struct Manager { @@ -374,12 +373,12 @@ index 19df889dd8..2c4a2b6063 100644 + + Set *bpf_limbo_progs; }; - + static inline usec_t manager_default_timeout_abort_usec(Manager *m) { @@ -479,6 +481,10 @@ int manager_add_job_by_name(Manager *m, JobType type, const char *name, JobMode int manager_add_job_by_name_and_warn(Manager *m, JobType type, const char *name, JobMode mode, Set *affected_jobs, Job **ret); int manager_propagate_reload(Manager *m, Unit *unit, JobMode mode, sd_bus_error *e); - + +Manager* manager_pin_all_cgroup_bpf_programs(Manager *m); +void manager_unpin_all_cgroup_bpf_programs(Manager *m); +DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_unpin_all_cgroup_bpf_programs); @@ -388,13 +387,13 @@ index 19df889dd8..2c4a2b6063 100644 void manager_dump_jobs(Manager *s, FILE *f, const char *prefix); void manager_dump(Manager *s, FILE *f, const char *prefix); diff --git a/src/shared/bpf-program.c b/src/shared/bpf-program.c -index 10239142af..549490da6c 100644 +index 10239142af3..549490da6ce 100644 --- a/src/shared/bpf-program.c +++ b/src/shared/bpf-program.c @@ -209,6 +209,16 @@ int bpf_program_cgroup_detach(BPFProgram *p) { return 0; } - + +void bpf_program_skeletonize(BPFProgram *p) { + assert(p); + @@ -409,7 +408,7 @@ index 10239142af..549490da6c 100644 union bpf_attr attr; int fd; diff --git a/src/shared/bpf-program.h b/src/shared/bpf-program.h -index eef77f9d8e..5957a6ce30 100644 +index eef77f9d8e1..5957a6ce300 100644 --- a/src/shared/bpf-program.h +++ b/src/shared/bpf-program.h @@ -28,6 +28,7 @@ struct BPFProgram { @@ -417,9 +416,6 @@ index eef77f9d8e..5957a6ce30 100644 BPFProgram *bpf_program_unref(BPFProgram *p); BPFProgram *bpf_program_ref(BPFProgram *p); +void bpf_program_skeletonize(BPFProgram *p); - + int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, size_t count); int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size); --- -2.29.2 - diff --git a/SOURCES/17872.patch b/SOURCES/17872.patch index ffedc20..fd1ff35 100644 --- a/SOURCES/17872.patch +++ b/SOURCES/17872.patch @@ -1,8 +1,7 @@ -From 963a018bade094e38a71bf1b7e10d37b44225836 Mon Sep 17 00:00:00 2001 +From 5b98412c6f0cb9e63a7c8f795064d2043cc0baaa Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sun, 6 Dec 2020 22:29:43 +0900 -Subject: [PATCH 2/3] core/namespace: use existing /proc when not enough - priviledge +Subject: [PATCH] core/namespace: use existing /proc when not enough priviledge Fixes #17860. --- @@ -10,7 +9,7 @@ Fixes #17860. 1 file changed, 34 insertions(+), 27 deletions(-) diff --git a/src/core/namespace.c b/src/core/namespace.c -index cdf427a6ea..8560ad9a75 100644 +index cdf427a6ea9..8560ad9a754 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -859,25 +859,15 @@ static int mount_sysfs(const MountEntry *m) { @@ -97,6 +96,3 @@ index cdf427a6ea..8560ad9a75 100644 return 1; } --- -2.29.2 - diff --git a/SOURCES/18211.patch b/SOURCES/18211.patch index 15a2d9b..922721d 100644 --- a/SOURCES/18211.patch +++ b/SOURCES/18211.patch @@ -1,7 +1,7 @@ -From 51f14e78a2ae0a971af1ce3cfcbbf8ca8250ca22 Mon Sep 17 00:00:00 2001 +From 1d225dbe60540867624da8f099852881f28f4293 Mon Sep 17 00:00:00 2001 From: Anita Zhang Date: Mon, 11 Jan 2021 20:04:20 -0800 -Subject: [PATCH 1/3] core: update setings on the unit and job as the result of +Subject: [PATCH] core: update setings on the unit and job as the result of ExecCondition= Update ExecCondition= to set Unit->condition_result and return JOB_DONE @@ -17,7 +17,7 @@ Fixes: #18207 4 files changed, 11 insertions(+), 12 deletions(-) diff --git a/src/core/job.c b/src/core/job.c -index f3c1a02831..7d5c288ea4 100644 +index f3c1a028316..7d5c288ea41 100644 --- a/src/core/job.c +++ b/src/core/job.c @@ -882,8 +882,7 @@ static void job_log_done_status_message(Unit *u, uint32_t job_id, JobType t, Job @@ -31,10 +31,10 @@ index f3c1a02831..7d5c288ea4 100644 "MESSAGE=Condition check resulted in %s being skipped.", unit_status_string(u), "JOB_ID=%" PRIu32, job_id, diff --git a/src/core/service.c b/src/core/service.c -index d7bdeb7cca..3b144153f4 100644 +index b1a4d0bf181..93cf711de42 100644 --- a/src/core/service.c +++ b/src/core/service.c -@@ -1129,8 +1129,7 @@ static void service_set_state(Service *s, ServiceState state) { +@@ -1105,8 +1105,7 @@ static void service_set_state(Service *s, ServiceState state) { unit_notify(UNIT(s), table[old_state], table[state], (s->reload_result == SERVICE_SUCCESS ? 0 : UNIT_NOTIFY_RELOAD_FAILURE) | @@ -44,7 +44,7 @@ index d7bdeb7cca..3b144153f4 100644 } static usec_t service_coldplug_timeout(Service *s) { -@@ -3546,10 +3545,6 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) { +@@ -3521,10 +3520,6 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) { } else if (s->control_pid == pid) { s->control_pid = 0; @@ -55,7 +55,7 @@ index d7bdeb7cca..3b144153f4 100644 if (s->control_command) { exec_status_exit(&s->control_command->exec_status, &s->exec_context, pid, code, status); -@@ -3557,6 +3552,15 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) { +@@ -3532,6 +3527,15 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) { f = SERVICE_SUCCESS; } @@ -71,7 +71,7 @@ index d7bdeb7cca..3b144153f4 100644 unit_log_process_exit( u, "Control process", -@@ -4601,7 +4605,6 @@ const UnitVTable service_vtable = { +@@ -4576,7 +4580,6 @@ const UnitVTable service_vtable = { }, .finished_start_job = { [JOB_FAILED] = "Failed to start %s.", @@ -80,10 +80,10 @@ index d7bdeb7cca..3b144153f4 100644 .finished_stop_job = { [JOB_DONE] = "Stopped %s.", diff --git a/src/core/unit.c b/src/core/unit.c -index 45a417a090..9614fb84aa 100644 +index e209efd4a66..53273b5984b 100644 --- a/src/core/unit.c +++ b/src/core/unit.c -@@ -2561,8 +2561,6 @@ static bool unit_process_job(Job *j, UnitActiveState ns, UnitNotifyFlags flags) +@@ -2559,8 +2559,6 @@ static bool unit_process_job(Job *j, UnitActiveState ns, UnitNotifyFlags flags) if (UNIT_IS_INACTIVE_OR_FAILED(ns)) { if (ns == UNIT_FAILED) result = JOB_FAILED; @@ -93,7 +93,7 @@ index 45a417a090..9614fb84aa 100644 result = JOB_DONE; diff --git a/src/core/unit.h b/src/core/unit.h -index 02b2b24206..f040e9dfe6 100644 +index 02b2b24206f..f040e9dfe6f 100644 --- a/src/core/unit.h +++ b/src/core/unit.h @@ -738,7 +738,6 @@ int unit_kill_common(Unit *u, KillWho who, int signo, pid_t main_pid, pid_t cont @@ -104,6 +104,3 @@ index 02b2b24206..f040e9dfe6 100644 } UnitNotifyFlags; void unit_notify(Unit *u, UnitActiveState os, UnitActiveState ns, UnitNotifyFlags flags); --- -2.29.2 -