
Bug 917228

Summary: sys-apps/systemd: wire up USE=bpf
Product: Gentoo Linux Reporter: Sam James <sam>
Component: Current packages
Assignee: Gentoo systemd Team <systemd>
Status: RESOLVED FIXED    
Severity: normal CC: arsen, dlan, exnihilo, holger, jsmolic
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=890004
https://github.com/gentoo/gentoo/pull/36632
https://github.com/systemd/systemd/issues/32968
https://github.com/gentoo/gentoo/pull/38264
https://bugs.gentoo.org/show_bug.cgi?id=938562
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 938169    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-11-12 07:18:40 UTC
systemd supports BPF (this came up in bug 890004 but I completely forgot about it) via dev-util/bpftool for network filters like restricting services to specific interfaces.

There's two relevant meson options (https://github.com/systemd/systemd/blob/620788da173d354994eeae8211d276bcf9af602c/meson_options.txt#L513):
* bpf-compiler
* bpf-framework

I dunno if we're going to need a BPF compiler when building with GCC, I assume we will. Arsen and I may be working on something which will need a dev-util/mingw64-toolchain-style drop-in package for bpf so that might work out.

Both Fedora (https://src.fedoraproject.org/rpms/systemd/blob/rawhide/f/systemd.spec#_593) and opensuse (https://build.opensuse.org/package/view_file/openSUSE:Factory/systemd/systemd.spec?expand=1) seem to be enabling these bits.

We probably shouldn't do it unconditionally given it may have heavy dependencies wrt toolchain and I don't think all arches even have BPF yet.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-11 01:12:01 UTC
Arsen or I will likely handle this. The first step is getting bpf-toolchain into ::gentoo which I've put up a PR for. Then we need to speak to the folks handling BPF integration into the GNU toolchain to find out if it's ready for systemd.
Comment 2 tithom 2024-07-25 12:14:11 UTC
I hope I'm not out of my depth here and that it's useful for possible implementation of it all.

I'm having some fun compiling kernels and it seems to me that including BPF in systemd (used for RestrictFileSystems) is not fully compatible with some kernel options, also relating to security/hardening:

- For systemd BPF_FRAMEWORK, CONFIG_DEBUG_INFO_BTF is needed for filesystem restriction: https://github.com/systemd/systemd/issues/32968
- CONFIG_DEBUG_INFO_BTF has the following dependencies: ( ! CONFIG_GCC_PLUGIN_RANDSTRUCT || CONFIG_COMPILE_TEST ) which may be linked to this discussion https://lore.kernel.org/bpf/202003301016.D0E239A0@keescook/T/

Moving ahead without CONFIG_DEBUG_INFO_BTF, I have the following errors on similar systems:
systemd[1]: bpf-restrict-fs: Failed to load BPF object: No such process (libbpf 1.4.3)
systemd[1]: bpf-lsm: Failed to load BPF object: No such process (libbpf 1.2.0)

So it seems that it's not possible to have both the DEBUG_INFO_NONE (and the KSPP option of Gentoo) + BPF_FRAMEWORK with systemd, or well, maybe some options will not work (RestrictFileSystems).
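A pre-flight check an admin could run before turning on USE=bpf, added here as an example and not code from this bug, from systemd or from the Gentoo tree: it parses a kernel .config, applies the Kconfig dependency quoted in comment 2 (CONFIG_DEBUG_INFO_BTF needs !CONFIG_GCC_PLUGIN_RANDSTRUCT || CONFIG_COMPILE_TEST), and picks the bpf-restrict-fs / bpf-lsm load failures out of journal lines. The sample config and journal lines are constructed; the additional CONFIG_BPF_LSM requirement is assumed from systemd's RestrictFileSystems= documentation, not taken from this bug.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed .config fragment (not from the bug): a hardened build that
# enables RANDSTRUCT and drops debug info entirely, as comment 2 describes.
SAMPLE_CONFIG = """
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_LSM=y
CONFIG_DEBUG_INFO_NONE=y
# CONFIG_DEBUG_INFO_BTF is not set
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFIG_COMPILE_TEST is not set
"""

# Constructed journal excerpt mirroring the message format quoted in comment 2.
SAMPLE_JOURNAL = """
systemd[1]: bpf-restrict-fs: Failed to load BPF object: No such process (libbpf 1.4.3)
systemd[1]: Starting dbus.service...
"""

def parse_kconfig(text: str) -> Dict[str, Optional[str]]:
    """Map CONFIG_ symbols to their value; '# CONFIG_X is not set' becomes None."""
    opts: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = None
    return opts

def btf_selectable(opts: Dict[str, Optional[str]]) -> bool:
    """Kconfig rule cited in comment 2: DEBUG_INFO_BTF depends on !RANDSTRUCT || COMPILE_TEST."""
    randstruct = opts.get("CONFIG_GCC_PLUGIN_RANDSTRUCT") == "y"
    compile_test = opts.get("CONFIG_COMPILE_TEST") == "y"
    return (not randstruct) or compile_test

def restrict_filesystems_supported(opts: Dict[str, Optional[str]]) -> bool:
    """bpf-restrict-fs needs BTF (systemd issue 32968) and, assumed here, the BPF LSM."""
    return opts.get("CONFIG_DEBUG_INFO_BTF") == "y" and opts.get("CONFIG_BPF_LSM") == "y"

def bpf_load_failures(journal: str) -> List[Tuple[str, str]]:
    """Return (systemd BPF subsystem, libbpf version) for every failed BPF object load."""
    pat = re.compile(r"systemd\[1\]: (bpf-[\w-]+): Failed to load BPF object: .*\(libbpf ([\d.]+)\)")
    return [(m.group(1), m.group(2)) for m in map(pat.search, journal.splitlines()) if m]
```

On a live box, feed it `zcat /proc/config.gz` and `journalctl -b -u init.scope` output instead of the constructed samples.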
Comment 3 Larry the Git Cow gentoo-dev 2024-08-07 02:53:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e802488062f680f9a5ffe2a2ccb3bbefc3a8adb5

commit e802488062f680f9a5ffe2a2ccb3bbefc3a8adb5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-05-06 17:30:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-07 02:52:39 +0000

    sys-devel/bpf-toolchain: new package, add 14.2.0
    
    Heavily inspired by, and based on, dev-util/mingw64-toolchain. This provides
    the bpf-unknown-none toolchain for use with DTrace (to be packaged) and
    systemd.
    
    Users may wish to use crossdev if they want to customise their toolchain -
    this is "just" a convenience option for e.g. aforementioned ebuilds to depend
    on and have things Just Work.
    
    Bug: https://bugs.gentoo.org/917228
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-devel/bpf-toolchain/Manifest                   |   2 +
 .../bpf-toolchain/bpf-toolchain-14.2.0.ebuild      | 201 +++++++++++++++++++++
 sys-devel/bpf-toolchain/metadata.xml               |  12 ++
 3 files changed, 215 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-08-07 04:55:52 UTC
(In reply to Thomas from comment #2)
> I hope I'm not out of my depth here and that it's useful for possible
> implementation of it all.
> 

Thomas, I think this is an important point - could you file a new bug specifically about the kconfig meta option being problematic? It's going to cause issues for dtrace too.
Comment 5 Larry the Git Cow gentoo-dev 2024-08-25 13:56:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de67dbf4abdef923ca8f7af0e48d4fcc5b220a96

commit de67dbf4abdef923ca8f7af0e48d4fcc5b220a96
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-08-23 16:08:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-25 13:56:09 +0000

    sys-apps/systemd: wire up BPF support
    
    Clang support is not yet done.
    
    Bug: https://bugs.gentoo.org/917228
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/alpha/package.use.mask     |  4 ++++
 profiles/arch/hppa/package.use.mask      |  4 ++++
 profiles/arch/ia64/package.use.mask      |  4 ++++
 profiles/arch/loong/package.use.mask     |  4 ++++
 profiles/arch/s390/package.use.mask      |  4 ++++
 profiles/arch/sparc/package.use.mask     |  4 ++++
 sys-apps/systemd/files/256-bpf-gcc.patch | 26 ++++++++++++++++++++++++++
 sys-apps/systemd/metadata.xml            |  1 +
 sys-apps/systemd/systemd-256.5.ebuild    | 10 +++++++++-
 sys-apps/systemd/systemd-9999.ebuild     |  9 ++++++++-
 10 files changed, 68 insertions(+), 2 deletions(-)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-08-25 14:00:02 UTC
All done. I'm having discussions with misc. people about the randstruct problem.
Comment 7 Larry the Git Cow gentoo-dev 2024-09-26 22:16:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cabb52b81ae9e040b57148085fd436ca1708695d

commit cabb52b81ae9e040b57148085fd436ca1708695d
Author:     Haochen Tong <i@hexchain.org>
AuthorDate: 2024-09-23 16:00:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-26 22:14:55 +0000

    sys-apps/systemd: add missing dependency libbpf
    
    Bug: https://bugs.gentoo.org/917228
    Signed-off-by: Haochen Tong <i@hexchain.org>
    Closes: https://github.com/gentoo/gentoo/pull/38745
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/systemd/systemd-256.6.ebuild | 1 +
 sys-apps/systemd/systemd-9999.ebuild  | 1 +
 2 files changed, 2 insertions(+)