systemd: enable BPF_FRAMEWORK
by default (withLibBPF=true
)
So far, we have been building Systemd without `BPF_FRAMEWORK`. As a result, some Systemd features like `RestrictNetworkInterfaces=` cannot work. To make things worse, Systemd doesn't even complain when using a feature which requires `+BPF_FRAMEWORK`; yet, the option has no effect:

```
# systemctl --version | grep -o "\-BPF_FRAMEWORK"
-BPF_FRAMEWORK
# systemd-run -t -p RestrictNetworkInterfaces="lo" ping -c 1 8.8.8.8
```

This commit enables `BPF_FRAMEWORK` by default. This is in line with other distros (e.g., Fedora).

Also note that BPF does not support stack protector: https://lkml.org/lkml/2020/2/21/1000. To that end, I added a small `CFLAGS` patch to the BPF build to keep using stack protector as a default.

I also added an appropriate NixOS test.
This commit is contained in:
parent
495b19d5b3
commit
ca0120a4bc
@ -541,6 +541,7 @@ in {
|
||||
systemd-analyze = handleTest ./systemd-analyze.nix {};
|
||||
systemd-binfmt = handleTestOn ["x86_64-linux"] ./systemd-binfmt.nix {};
|
||||
systemd-boot = handleTest ./systemd-boot.nix {};
|
||||
systemd-bpf = handleTest ./systemd-bpf.nix {};
|
||||
systemd-confinement = handleTest ./systemd-confinement.nix {};
|
||||
systemd-coredump = handleTest ./systemd-coredump.nix {};
|
||||
systemd-cryptenroll = handleTest ./systemd-cryptenroll.nix {};
|
||||
|
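--- a/nixos/tests/systemd-bpf.nix
+++ b/nixos/tests/systemd-bpf.nix
@@ -0,0 +1,42 @@
+import ./make-test-python.nix ({ lib, ... }: {
+name = "systemd-bpf";
+meta = with lib.maintainers; {
+maintainers = [ veehaitch ];
+};
+nodes = {
+node1 = {
+virtualisation.vlans = [ 1 ];
+networking = {
+useNetworkd = true;
+useDHCP = false;
+firewall.enable = false;
+interfaces.eth1.ipv4.addresses = [
+{ address = "192.168.1.1"; prefixLength = 24; }
+];
+};
+};
+
+node2 = {
+virtualisation.vlans = [ 1 ];
+networking = {
+useNetworkd = true;
+useDHCP = false;
+firewall.enable = false;
+interfaces.eth1.ipv4.addresses = [
+{ address = "192.168.1.2"; prefixLength = 24; }
+];
+};
+};
+};
+
+testScript = ''
+start_all()
+node1.wait_for_unit("systemd-networkd-wait-online.service")
+node2.wait_for_unit("systemd-networkd-wait-online.service")
+
+with subtest("test RestrictNetworkInterfaces= works"):
+node1.succeed("ping -c 5 192.168.1.2")
+node1.succeed("systemd-run -t -p RestrictNetworkInterfaces='eth1' ping -c 5 192.168.1.2")
+node1.fail("systemd-run -t -p RestrictNetworkInterfaces='lo' ping -c 5 192.168.1.2")
+'';
+})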
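Review bot: The negative check at the end of testScript, `node1.fail("systemd-run -t -p RestrictNetworkInterfaces='lo' ping -c 5 192.168.1.2")`, passes on any non-zero exit of systemd-run, so a failure unrelated to the interface restriction (for example a rejected unit or the `-t` tty handling) would be reported as the sandbox working. The preceding `RestrictNetworkInterfaces='eth1'` success case narrows this somewhat, but the test never verifies the precondition the commit message is built on, namely that this systemd was compiled with `+BPF_FRAMEWORK`. Adding `node1.succeed("systemctl --version | grep -q '+BPF_FRAMEWORK'")` before the subtest would make a future build that silently loses libbpf support fail here with a clear message rather than through the ping assertions. The test file is complete within this section.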
@ -83,7 +83,7 @@
|
||||
, withHostnamed ? true
|
||||
, withHwdb ? true
|
||||
, withImportd ? !stdenv.hostPlatform.isMusl
|
||||
, withLibBPF ? false # currently fails while generating BPF objects
|
||||
, withLibBPF ? true
|
||||
, withLocaled ? true
|
||||
, withLogind ? true
|
||||
, withMachined ? true
|
||||
@ -207,6 +207,10 @@ stdenv.mkDerivation {
|
||||
--replace \
|
||||
"run_command(cc.cmd_array(), '-print-prog-name=objcopy', check: true).stdout().strip()" \
|
||||
"'${stdenv.cc.bintools.targetPrefix}objcopy'"
|
||||
'' + lib.optionalString withLibBPF ''
|
||||
# BPF does not work with stack protector
|
||||
substituteInPlace src/core/bpf/meson.build \
|
||||
--replace "clang_flags = [" "clang_flags = [ '-fno-stack-protector',"
|
||||
'' + (
|
||||
let
|
||||
# The following patches references to dynamic libraries to ensure that
|
||||
|