Bug 2035608 - Controller bpf-restrict-network-interfaces, bpf-socket-bind not supported
Summary: Controller bpf-restrict-network-interfaces, bpf-socket-bind not supported
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2036145
 
Reported: 2021-12-25 13:17 UTC by François Rigault
Modified: 2022-01-04 18:09 UTC (History)
CC: 12 users

Fixed In Version: systemd-250-2.fc36 systemd-250.1-1.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-04 18:09:31 UTC
Type: Bug
Embargoed:


Attachments
patch systemd.spec to build with bpf framework (deleted) - 2021-12-25 21:11 UTC, François Rigault

Description François Rigault 2021-12-25 13:17:38 UTC
Description of problem:
RestrictNetworkInterfaces option is not working (https://raw.githubusercontent.com/systemd/systemd/v250-rc1/NEWS)

Version-Release number of selected component (if applicable):
systemd-250~rc1-3.fc36.x86_64

How reproducible:
all the time

Steps to Reproduce:
1. sudo systemd-run -p RestrictNetworkInterfaces=lo --wait curl -o `pwd`/f https://www.google.com/ --fail

Actual results:
curl command works as network is not restricted

Expected results:
curl command should fail as network should be restricted

Additional info:
debug logs:
~~
Dec 25 12:46:14 fedora3 systemd[1]: Detected architecture x86-64.
Dec 25 12:46:14 fedora3 systemd[1]: Detected initialized system, this is not the first boot.
Dec 25 12:46:14 fedora3 systemd[1]: Hostname set to <fedora3>.
Dec 25 12:46:14 fedora3 systemd[1]: Failed to add address 127.0.0.1 to loopback interface: File exists
Dec 25 12:46:14 fedora3 systemd[1]: Failed to add address ::1 to loopback interface: File exists
Dec 25 12:46:14 fedora3 systemd[1]: Successfully brought loopback interface up
Dec 25 12:46:14 fedora3 systemd[1]: Setting '/proc/sys/fs/file-max' to '9223372036854775807
Dec 25 12:46:14 fedora3 systemd[1]: '
Dec 25 12:46:14 fedora3 systemd[1]: No change in value '9223372036854775807
Dec 25 12:46:14 fedora3 systemd[1]: ', suppressing write
Dec 25 12:46:14 fedora3 systemd[1]: Setting '/proc/sys/fs/nr_open' to '2147483640
Dec 25 12:46:14 fedora3 systemd[1]: '
Dec 25 12:46:14 fedora3 systemd[1]: Couldn't write fs.nr_open as 2147483640, halving it.
Dec 25 12:46:14 fedora3 systemd[1]: Skipping bump, value is already larger.
Dec 25 12:46:14 fedora3 systemd[1]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Dec 25 12:46:14 fedora3 systemd[1]: Unified cgroup hierarchy is located at /sys/fs/cgroup.
Dec 25 12:46:14 fedora3 systemd[1]: Got EBADF when using BPF_F_ALLOW_MULTI, which indicates it is supported. Yay!
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'cpu' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'cpuacct' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'cpuset' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'io' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'blkio' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'memory' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'devices' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'pids' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-firewall' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-devices' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-foreign' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-socket-bind' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-restrict-network-interfaces' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Set up TFD_TIMER_CANCEL_ON_SET timerfd.
Dec 25 12:46:14 fedora3 systemd[1]: Enabling (yes) showing of status (commandline).
Dec 25 12:46:14 fedora3 systemd[1]: Successfully forked off '(sd-executor)' as PID 497.
~~

per https://kojipkgs.fedoraproject.org//work/tasks/7774/80387774/build.log
it seems we are not compiling with BPF_FRAMEWORK.
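The report above shows the two places a practitioner can look to tell whether these BPF-based sandboxing options are actually enforced or silently ignored: the feature list in systemd's version string and the "Controller '...' supported:" lines systemd logs at debug level during startup. The script below is an added example (not part of the bug report or the systemd project) that checks both. The `+BPF_FRAMEWORK`/`-BPF_FRAMEWORK` feature flag in `systemctl --version` output is real for systemd 250; the full sample version string and the log excerpt embedded here are constructed for the example, modelled on the lines quoted in the report.

```shell
#!/bin/sh
# Added example: detect whether a systemd build can enforce
# RestrictNetworkInterfaces= and SocketBindAllow=/SocketBindDeny=.
# Not part of the bug report; sample inputs are constructed.

# Constructed sample of `systemctl --version` output for a build that
# lacks the BPF framework (the -BPF_FRAMEWORK flag is the real feature
# name; the surrounding flags are illustrative only).
SAMPLE_VERSION_OUTPUT='systemd 250 (250~rc1-3.fc36)
+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +XKBCOMMON +UTMP +SYSVINIT -BPF_FRAMEWORK default-hierarchy=unified'

# Constructed excerpt of a debug-level boot log, in the format systemd
# uses when it probes cgroup/BPF controllers at startup.
SAMPLE_LOG="$(cat <<'EOF'
systemd[1]: Controller 'bpf-firewall' supported: yes
systemd[1]: Controller 'bpf-devices' supported: yes
systemd[1]: Controller 'bpf-foreign' supported: yes
systemd[1]: Controller 'bpf-socket-bind' supported: no
systemd[1]: Controller 'bpf-restrict-network-interfaces' supported: no
EOF
)"

# has_bpf_framework VERSION_OUTPUT
# Returns 0 if the version string advertises +BPF_FRAMEWORK, 1 otherwise.
has_bpf_framework() {
    printf '%s\n' "$1" | grep -q -- '+BPF_FRAMEWORK'
}

# unsupported_controllers LOG
# Prints, one per line, every controller the log reports as unsupported.
unsupported_controllers() {
    printf '%s\n' "$1" | sed -n "s/.*Controller '\([^']*\)' supported: no.*/\1/p"
}

# controller_supported LOG NAME
# Returns 0 if the log reports NAME as supported, 1 otherwise.
controller_supported() {
    printf '%s\n' "$1" | grep -q "Controller '$2' supported: yes"
}

# network_sandboxing_enforced LOG
# Returns 0 only if both BPF controllers behind RestrictNetworkInterfaces=
# and SocketBind*= are supported; with either missing the directives are
# accepted by the unit parser but never enforced.
network_sandboxing_enforced() {
    controller_supported "$1" bpf-restrict-network-interfaces &&
        controller_supported "$1" bpf-socket-bind
}

# check_live
# Runs the version check against the host's systemctl if one is present.
check_live() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "systemctl not found; skipping live check"
        return 2
    fi
    if has_bpf_framework "$(systemctl --version)"; then
        echo "systemd built with BPF_FRAMEWORK"
    else
        echo "systemd built WITHOUT BPF_FRAMEWORK: RestrictNetworkInterfaces= and SocketBind*= are silently ignored"
        return 1
    fi
}

# Offline demonstration on the constructed samples.
if has_bpf_framework "$SAMPLE_VERSION_OUTPUT"; then
    echo "sample build: BPF framework present"
else
    echo "sample build: BPF framework absent"
fi
echo "unsupported controllers in sample log:"
unsupported_controllers "$SAMPLE_LOG"
```

On a real host, run `check_live` (or `journalctl -b -o short | grep "Controller 'bpf-"` after booting with `systemd.log_level=debug`) before depending on these directives in a hardening profile: a unit whose `RestrictNetworkInterfaces=lo` is accepted without complaint may still have full network access, exactly as the curl reproduction above shows.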

Comment 1 François Rigault 2021-12-25 21:11:22 UTC
Created attachment 1847787
patch systemd.spec to build with bpf framework

Comment 2 Zbigniew Jędrzejewski-Szmek 2021-12-26 11:15:58 UTC
Thanks for the patch!
Unfortunately it doesn't work on arm and ppc64el, see
https://kojipkgs.fedoraproject.org//work/tasks/4221/80464221/build.log and
https://kojipkgs.fedoraproject.org//work/tasks/4225/80464225/build.log.
Because of the holidays, I didn't have the will to really look into this.

Comment 3 François Rigault 2021-12-26 11:55:43 UTC
https://github.com/systemd/systemd/issues/21900 for the ppc64 build issue

Comment 4 Zbigniew Jędrzejewski-Szmek 2021-12-28 17:09:32 UTC
This is now fixed except on arm and ppc64el.

Comment 5 Dan Horák 2022-01-03 17:49:05 UTC
This breaks booting on s390x

...
[    5.380524] systemd[1]: Hostname set to <fedora>.
[    5.380852] systemd[1]: Initializing machine ID from random generator.
[    5.676504] systemd[1]: Failed to link 'restrict_filesystems' LSM BPF program: Cannot allocate memory
[    5.695467] systemd[1]: Failed to allocate manager object: Cannot allocate memory
[!!!!!!] Failed to allocate manager object.
[    5.695718] systemd[1]: Freezing execution.


starting with Fedora-Rawhide-20211231.n.0 which is the first compose with systemd >= 250-2.fc36

Comment 6 Zbigniew Jędrzejewski-Szmek 2022-01-04 08:36:30 UTC
Dan: this is a different issue, an opposite one in fact. This bug was about the functionality not
being compiled in, and that's been fixed. A patch was just merged upstream that should make the code
successfully compile on all architectures. Unfortunately that *exposes* the bug you see, the fact
that the kernel/libbpf don't work as expected on some architectures. This is tracked in #2036145.
I'll add your comment there.

