Bug 2035608 - Controller bpf-restrict-network-interfaces, bpf-socket-bind not supported
Summary: Controller bpf-restrict-network-interfaces, bpf-socket-bind not supported
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2036145
Reported: 2021-12-25 13:17 UTC by François Rigault
Modified: 2022-01-04 18:09 UTC (History)

Fixed In Version: systemd-250-2.fc36 systemd-250.1-1.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-04 18:09:31 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
patch systemd.spec to build with bpf framework (643 bytes, patch)
2021-12-25 21:11 UTC, François Rigault

Description François Rigault 2021-12-25 13:17:38 UTC
Description of problem:
RestrictNetworkInterfaces option is not working (https://raw.githubusercontent.com/systemd/systemd/v250-rc1/NEWS)

Version-Release number of selected component (if applicable):
systemd-250~rc1-3.fc36.x86_64

How reproducible:
all the time

Steps to Reproduce:
1. sudo systemd-run -p RestrictNetworkInterfaces=lo  --wait curl -o `pwd`/f https://www.google.com/   --fail

Actual results:
curl command works as network is not restricted

Expected results:
curl command should fail as network should be restricted

Additional info:
debug logs:
~~
Dec 25 12:46:14 fedora3 systemd[1]: Detected architecture x86-64.
Dec 25 12:46:14 fedora3 systemd[1]: Detected initialized system, this is not the first boot.
Dec 25 12:46:14 fedora3 systemd[1]: Hostname set to <fedora3>.
Dec 25 12:46:14 fedora3 systemd[1]: Failed to add address 127.0.0.1 to loopback interface: File exists
Dec 25 12:46:14 fedora3 systemd[1]: Failed to add address ::1 to loopback interface: File exists
Dec 25 12:46:14 fedora3 systemd[1]: Successfully brought loopback interface up
Dec 25 12:46:14 fedora3 systemd[1]: Setting '/proc/sys/fs/file-max' to '9223372036854775807
Dec 25 12:46:14 fedora3 systemd[1]: '
Dec 25 12:46:14 fedora3 systemd[1]: No change in value '9223372036854775807
Dec 25 12:46:14 fedora3 systemd[1]: ', suppressing write
Dec 25 12:46:14 fedora3 systemd[1]: Setting '/proc/sys/fs/nr_open' to '2147483640
Dec 25 12:46:14 fedora3 systemd[1]: '
Dec 25 12:46:14 fedora3 systemd[1]: Couldn't write fs.nr_open as 2147483640, halving it.
Dec 25 12:46:14 fedora3 systemd[1]: Skipping bump, value is already larger.
Dec 25 12:46:14 fedora3 systemd[1]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Dec 25 12:46:14 fedora3 systemd[1]: Unified cgroup hierarchy is located at /sys/fs/cgroup.
Dec 25 12:46:14 fedora3 systemd[1]: Got EBADF when using BPF_F_ALLOW_MULTI, which indicates it is supported. Yay!
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'cpu' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'cpuacct' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'cpuset' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'io' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'blkio' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'memory' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'devices' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'pids' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-firewall' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-devices' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-foreign' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-socket-bind' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-restrict-network-interfaces' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Set up TFD_TIMER_CANCEL_ON_SET timerfd.
Dec 25 12:46:14 fedora3 systemd[1]: Enabling (yes) showing of status (commandline).
Dec 25 12:46:14 fedora3 systemd[1]: Successfully forked off '(sd-executor)' as PID 497.
~~

per https://kojipkgs.fedoraproject.org//work/tasks/7774/80387774/build.log
it seems we are not compiling with BPF_FRAMEWORK.
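
The report shows a silent failure mode: the unit accepts RestrictNetworkInterfaces= but nothing is enforced when systemd was built without BPF_FRAMEWORK or the kernel rejects the controller probe. As an added example (not code from the bug report or from the systemd project), the POSIX shell script below checks the two signals the report points at: the +/-BPF_FRAMEWORK feature flag in `systemctl --version`, and the `Controller '...' supported:` lines PID 1 logs at debug level. The `systemctl --version` sample is constructed; the journal lines are the ones quoted in the report; the `SYSTEMD_BPF_LIVE` switch and all function names are this script's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from systemd itself.
# RestrictNetworkInterfaces= is silently not enforced when systemd was built
# without BPF_FRAMEWORK or when the kernel rejects the cgroup/BPF probe, so a
# deployment that relies on it should verify both signals rather than trust
# that the unit file parsed cleanly.

# Constructed sample of `systemctl --version` output for a build lacking the
# framework; real output carries the same +/-FEATURE flags on its second line.
SAMPLE_VERSION='systemd 250 (v250~rc1-3.fc36)
+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL -BPF_FRAMEWORK +XKBCOMMON default-hierarchy=unified'

# Controller-probe lines as quoted in the report (journal at debug log level).
SAMPLE_LOG=$(cat <<'EOF'
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-firewall' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-devices' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-foreign' supported: yes
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-socket-bind' supported: no
Dec 25 12:46:14 fedora3 systemd[1]: Controller 'bpf-restrict-network-interfaces' supported: no
EOF
)

# Print enabled / disabled / unknown depending on the BPF_FRAMEWORK feature flag.
bpf_framework_state() {
    case "$1" in
        *+BPF_FRAMEWORK*) echo enabled ;;
        *-BPF_FRAMEWORK*) echo disabled ;;
        *) echo unknown ;;   # flag absent: a build that predates the feature flag
    esac
}

# Print one name per line for every BPF controller PID 1 reported as unsupported.
unsupported_bpf_controllers() {
    printf '%s\n' "$1" | sed -n "s/.*Controller '\(bpf-[a-z-]*\)' supported: no/\1/p"
}

# yes only when the framework is compiled in AND the restrict-network-interfaces
# probe succeeded; any other combination means the directive is a no-op.
restrict_network_interfaces_enforced() {
    if [ "$(bpf_framework_state "$1")" != enabled ]; then
        echo no
    elif unsupported_bpf_controllers "$2" | grep -qx bpf-restrict-network-interfaces; then
        echo no
    else
        echo yes
    fi
}

# Offline run over the samples (what the reporter's host would have shown).
echo "sample: BPF framework $(bpf_framework_state "$SAMPLE_VERSION")"
echo "sample: unsupported controllers: $(unsupported_bpf_controllers "$SAMPLE_LOG" | tr '\n' ' ')"
echo "sample: RestrictNetworkInterfaces= enforced: $(restrict_network_interfaces_enforced "$SAMPLE_VERSION" "$SAMPLE_LOG")"

# Live check of this host (SYSTEMD_BPF_LIVE is this script's own switch). The
# probe lines only appear when PID 1 logged at debug level, e.g. after booting
# with systemd.log_level=debug, so an empty controller list is inconclusive.
if [ "${SYSTEMD_BPF_LIVE:-0}" = 1 ]; then
    version_out=$(systemctl --version)
    journal_out=$(journalctl -b _PID=1 --no-pager 2>/dev/null || true)
    echo "host: BPF framework $(bpf_framework_state "$version_out")"
    echo "host: unsupported controllers: $(unsupported_bpf_controllers "$journal_out" | tr '\n' ' ')"
    echo "host: RestrictNetworkInterfaces= enforced: $(restrict_network_interfaces_enforced "$version_out" "$journal_out")"
fi
```

Run it as `SYSTEMD_BPF_LIVE=1 sh check-bpf.sh` on the host in question; "disabled" from the version check is the condition this report describes, while "enabled" together with the controller listed as unsupported is the kernel/libbpf side that comment 6 below separates out. The reproducer from the report (`systemd-run -p RestrictNetworkInterfaces=lo ...`) remains the end-to-end confirmation; this script only tells you in advance whether that test can pass.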

Comment 1 François Rigault 2021-12-25 21:11:22 UTC
Created attachment 1847787 [details]
patch systemd.spec to build with bpf framework

Comment 2 Zbigniew Jędrzejewski-Szmek 2021-12-26 11:15:58 UTC
Thanks for the patch!
Unfortunately it doesn't work on arm and ppc64el, see
https://kojipkgs.fedoraproject.org//work/tasks/4221/80464221/build.log and
https://kojipkgs.fedoraproject.org//work/tasks/4225/80464225/build.log.
Because of the holidays, I didn't have the will to really look into this.

Comment 3 François Rigault 2021-12-26 11:55:43 UTC
https://github.com/systemd/systemd/issues/21900 for the ppc64 build issue

Comment 4 Zbigniew Jędrzejewski-Szmek 2021-12-28 17:09:32 UTC
This is now fixed except on arm and ppc64el.

Comment 5 Dan Horák 2022-01-03 17:49:05 UTC
This breaks booting on s390x

...
[    5.380524] systemd[1]: Hostname set to <fedora>.
[    5.380852] systemd[1]: Initializing machine ID from random generator.
[    5.676504] systemd[1]: Failed to link 'restrict_filesystems' LSM BPF program: Cannot allocate memory
[    5.695467] systemd[1]: Failed to allocate manager object: Cannot allocate memory
[!!!!!!] Failed to allocate manager object.
[    5.695718] systemd[1]: Freezing execution.


starting with Fedora-Rawhide-20211231.n.0 which is the first compose with systemd >= 250-2.fc36

Comment 6 Zbigniew Jędrzejewski-Szmek 2022-01-04 08:36:30 UTC
Dan: this is a different issue, an opposite one in fact. This bug was about the functionality not
being compiled in, and that's been fixed. A patch was just merged upstream that should make the code
successfully compile on all architectures. Unfortunately that *exposes* the bug you see, the fact
that the kernel/libbpf don't work as expected on some architectures. This is tracked in #2036145.
I'll add your comment there.

