bpf-firewall: attach with BPF_F_ALLOW_MULTI if kernel supports

Reduced version of [0]. Use BPF_F_ALLOW_MULTI attach flag for bpf-firewall if kernel supports it. Aside from addressing security issue in [0] attaching with 'multi' allows further attaching of cgroup egress, ingress hooks specified by BPFProgram=. [0] systemd/systemd@4e42210 (cherry picked from commit a442ccb) (cherry picked from commit 0af3810) (cherry picked from commit baff489)
systemd · May 15, 2021 · 8e6acd9 · 8e6acd9
1 parent 3aafd07
commit 8e6acd9
Showing 1 changed file with 3 additions and 6 deletions.
diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
@@ -703,17 +703,15 @@ int bpf_firewall_install(Unit *u) {
         if (r < 0)
                 return log_unit_error_errno(u, r, "Failed to determine cgroup path: %m");
 
-        flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI &&
-                 (u->type == UNIT_SLICE || unit_cgroup_delegate(u))) ? BPF_F_ALLOW_MULTI : 0;
+        flags = supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI ? BPF_F_ALLOW_MULTI : 0;
 
         /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program, to
          * minimize the time window when we don't account for IP traffic. */
         u->ip_bpf_egress_installed = bpf_program_unref(u->ip_bpf_egress_installed);
         u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed);
 
         if (u->ip_bpf_egress) {
-                r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path,
-                                              flags | (set_isempty(u->ip_bpf_custom_egress) ? 0 : BPF_F_ALLOW_MULTI));
+                r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, flags);
                 if (r < 0)
                         return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path);
 
@@ -722,8 +720,7 @@ int bpf_firewall_install(Unit *u) {
         }
 
         if (u->ip_bpf_ingress) {
-                r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path,
-                                              flags | (set_isempty(u->ip_bpf_custom_ingress) ? 0 : BPF_F_ALLOW_MULTI));
+                r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, flags);
                 if (r < 0)
                         return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path);