Bug 2035608

Summary: Controller bpf-restrict-network-interfaces, bpf-socket-bind not supported
Product: Fedora
Reporter: François Rigault <francois.rigault>
Component: systemd
Assignee: systemd-maint
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: rawhide
CC: dan, fedoraproject, filbranden, flepied, lnykryn, msekleta, ryncsn, ssahani, s, systemd-maint, yuwatana, zbyszek
Hardware: x86_64   
OS: Linux   
Fixed In Version: systemd-250-2.fc36 systemd-250.1-1.fc36
Last Closed: 2022-01-04 18:09:31 UTC
Type: Bug
Bug Blocks: 2036145    
Attachments: patch systemd.spec to build with bpf framework (flags: none)

Description François Rigault 2021-12-25 13:17:38 UTC
Description of problem:
RestrictNetworkInterfaces option is not working (https://raw.githubusercontent.com/systemd/systemd/v250-rc1/NEWS)

Version-Release number of selected component (if applicable):
systemd-250~rc1-3.fc36.x86_64

How reproducible:
all the time

Steps to Reproduce:
1. sudo systemd-run -p RestrictNetworkInterfaces=lo --wait curl -o `pwd`/f https://www.google.com/ --fail

Actual results:
curl command works as network is not restricted

Expected results:
curl command should fail as network should be restricted

Additional info:
debug logs:
~~
Dec 25 12:46:14 fedora3 systemd[1]: Detected architecture x86-64.
Dec 25 12:46:14 fedora3 systemd[1]: Detected initialized system, this is not the first boot.
Dec 25 12:46:14 fedora3 systemd[1]: Hostname set to <fedora3>.
Dec 25 12:46:14 fedora3 systemd[1]: Failed to add address 127.0.0.1 to loopback interface: File exists
Dec 25 12:46:14 fedora3 systemd[1]: Failed to add address ::1 to loopback interface: File exists
Dec 25 12:46:14 fedora3 systemd[1]: Successfully brought loopback interface up
Dec 25 12:46:14 fedora3 systemd[1]: Setting '/proc/sys/fs/file-max' to '9223372036854775807
Dec 25 12:46:14 fedora3 systemd[1]: '
Dec 25 12:46:14 fedora3 systemd[1]: No change in value '9223372036854775807
Dec 25 12:46:14 fedora3 systemd[1]: ', suppressing write
Dec 25 12:46:14 fedora3 systemd[1]: Setting '/proc/sys/fs/nr_open' to '2147483640
Dec 25 12:46:14 fedora3 systemd[1]: '
Dec 25 12:46:14 fedora3 systemd[1]: Couldn't write fs.nr_open as 2147483640, halving it.
Dec 25 12:46:14 fedora3 systemd[1]: Skipping bump, value is already larger.
Dec 25 12:46:14 fedora3 systemd[1]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Dec 25 12:46:14 fedora3 systemd[1]: Unified cgroup hierarchy is located at /sys/fs/cgroup.
Dec 25 12:46:14 fedora3 systemd[1]: Got EBADF when using BPF_F_ALLOW_MULTI, which indicates it is supported. Yay!
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'cpu' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'cpuacct' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'cpuset' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'io' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'blkio' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'memory' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'devices' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'pids' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-firewall' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-devices' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-foreign' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-socket-bind' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-restrict-network-interfaces' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Set up TFD_TIMER_CANCEL_ON_SET timerfd.
Dec 25 12:46:14 fedora3 systemd[1]: Enabling (yes) showing of status (commandline).
Dec 25 12:46:14 fedora3 systemd[1]: Successfully forked off '(sd-executor)' as PID 497.
~~

Per https://kojipkgs.fedoraproject.org//work/tasks/7774/80387774/build.log, it seems we are not compiling with BPF_FRAMEWORK.
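
As an added example (not code from the bug report or from systemd), a POSIX shell check that reads PID 1's debug log, such as the one quoted above, and lists the unit sandboxing directives that are silently fail-open because their BPF controller was reported as unsupported. The RestrictNetworkInterfaces= pairing is the one this report is about; the other three controller-to-directive pairings are assumed from systemd's documentation, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or from systemd): list the unit
# sandboxing directives that are silently fail-open because PID 1 reported
# their BPF controller as unsupported, as in the debug log quoted above.
# Live usage: journalctl -b _PID=1 -o cat | sh check_bpf_controllers.sh

# Controller -> directive. The first pair is the one the report is about;
# the other three are systemd's documented pairings (assumed here).
directive_for_controller() {
    case "$1" in
        bpf-restrict-network-interfaces) echo "RestrictNetworkInterfaces=" ;;
        bpf-socket-bind)  echo "SocketBindAllow=/SocketBindDeny=" ;;
        bpf-firewall)     echo "IPAddressAllow=/IPAddressDeny=" ;;
        bpf-devices)      echo "DeviceAllow=/DevicePolicy=" ;;
        *)                return 1 ;;
    esac
}

# Read a systemd debug log on stdin; print each controller that PID 1
# reported as "supported: no", one name per line.
unsupported_controllers() {
    sed -n "s/.*Controller '\([^']*\)' supported: no[[:space:]]*$/\1/p"
}

# Read the log on stdin; print "<controller>\t<directive>" for every
# unsupported controller that backs a directive. Exit status 1 means at
# least one directive would be accepted by the unit but not enforced.
fail_open_directives() {
    found=0
    for ctrl in $(unsupported_controllers); do
        if d=$(directive_for_controller "$ctrl"); then
            printf '%s\t%s\n' "$ctrl" "$d"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample mirroring the report's log ('devices' is the plain
# cgroup controller, not a BPF one, so it is ignored on purpose).
SAMPLE_LOG="systemd[1]: Controller 'devices' supported: no
systemd[1]: Controller 'bpf-firewall' supported: yes
systemd[1]: Controller 'bpf-devices' supported: yes
systemd[1]: Controller 'bpf-socket-bind' supported: no
systemd[1]: Controller 'bpf-restrict-network-interfaces' supported: no"

# Check the file given as $1, otherwise demonstrate on the sample.
if [ $# -gt 0 ]; then fail_open_directives < "$1"; else
    printf '%s\n' "$SAMPLE_LOG" | fail_open_directives || echo "sample: not enforced"; fi
```

On the reporter's build the two rows printed for the sample are exactly the controllers the quoted log shows as unsupported, which is why the curl in the reproduction steps succeeds instead of failing.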

Comment 1 François Rigault 2021-12-25 21:11:22 UTC
Created attachment 1847787 [details]
patch systemd.spec to build with bpf framework

Comment 2 Zbigniew Jędrzejewski-Szmek 2021-12-26 11:15:58 UTC
Thanks for the patch!
Unfortunately it doesn't work on arm and ppc64el, see
https://kojipkgs.fedoraproject.org//work/tasks/4221/80464221/build.log and
https://kojipkgs.fedoraproject.org//work/tasks/4225/80464225/build.log.
Because of the holidays, I didn't have the will to really look into this.

Comment 3 François Rigault 2021-12-26 11:55:43 UTC
https://github.com/systemd/systemd/issues/21900 for the ppc64 build issue

Comment 4 Zbigniew Jędrzejewski-Szmek 2021-12-28 17:09:32 UTC
This is now fixed except on arm and ppc64el.

Comment 5 Dan Horák 2022-01-03 17:49:05 UTC
This breaks booting on s390x.

...
[    5.380524] systemd[1]: Hostname set to <fedora>.
[    5.380852] systemd[1]: Initializing machine ID from random generator.
[    5.676504] systemd[1]: Failed to link 'restrict_filesystems' LSM BPF program: Cannot allocate memory
[    5.695467] systemd[1]: Failed to allocate manager object: Cannot allocate memory
[!!!!!!] Failed to allocate manager object.
[    5.695718] systemd[1]: Freezing execution.

Starting with Fedora-Rawhide-20211231.n.0, which is the first compose with systemd >= 250-2.fc36.

Comment 6 Zbigniew Jędrzejewski-Szmek 2022-01-04 08:36:30 UTC
Dan: this is a different issue, an opposite one in fact. This bug was about the functionality not
being compiled in, and that's been fixed. A patch was just merged upstream that should make the code
successfully compile on all architectures. Unfortunately that *exposes* the bug you see, the fact
that the kernel/libbpf don't work as expected on some architectures. This is tracked in #2036145.
I'll add your comment there.