vpsadminos
systemd BPF firewall warnings
systemd in containers reports

systemd-journal-flush.service: Attaching egress BPF program to cgroup /sys/fs/cgroup/unified/system.slice/systemd-journal-flush.service failed: Invalid argument

when starting services with the BPF firewall.
strace shows this:
1 bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_CGROUP_SKB, insn_cnt=8, insns=0x5591f02f75d0, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=0, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0}, 112) = 38
1 openat(AT_FDCWD, "/sys/fs/cgroup/unified/system.slice/systemd-udevd.service", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = 39
1 bpf(BPF_PROG_ATTACH, {target_fd=39, attach_bpf_fd=38, attach_type=BPF_CGROUP_INET_EGRESS, attach_flags=0, replace_bpf_fd=0}, 112) = -1 EINVAL (Invalid argument)
Notice expected_attach_type=BPF_CGROUP_INET_INGRESS in BPF_PROG_LOAD and attach_type=BPF_CGROUP_INET_EGRESS in BPF_PROG_ATTACH; not sure if this can be a problem.
So the issue here seems to be that the BPF program can be loaded, but the kernel disallows attach without CAP_NET_ADMIN:
https://elixir.bootlin.com/linux/v5.10.100/source/kernel/bpf/syscall.c#L2916
Although this returns EPERM, the caller ignores that and returns EINVAL:
https://elixir.bootlin.com/linux/v5.10.100/source/kernel/bpf/syscall.c#L3008
So it seems it's not even supposed to work.
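A minimal reproducer for the load/attach sequence in the strace above, added here as an example; it is not code from the vpsadminos issue, from systemd, or from the kernel. It loads a two-instruction "allow everything" BPF_PROG_TYPE_CGROUP_SKB program with expected_attach_type INGRESS and tries to attach it as BPF_CGROUP_INET_EGRESS to a cgroup directory, exactly the combination the trace shows, then prints which step failed and with which errno, next to whether the process holds CAP_NET_ADMIN (the capability named in the report) and CAP_SYS_ADMIN, so the outcome can be checked against the kernel source linked above. The default cgroup path, the capability bit numbers (copied from linux/capability.h), and the sample CapEff masks used in comments are assumptions or constructed values; run it on the 5.10 kernel from the report, as the container's root, with a cgroup path as the first argument.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

#define CAP_NET_ADMIN_BIT 12 /* bit numbers from linux/capability.h */
#define CAP_SYS_ADMIN_BIT 21

static long sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
{
    return syscall(__NR_bpf, cmd, attr, size);
}

/* r0 = 1; exit.  A cgroup skb program that returns 1 lets the packet pass.
 * Fills insns and returns the instruction count, or -1 if max is too small. */
int build_allow_all_prog(struct bpf_insn *insns, size_t max)
{
    if (max < 2)
        return -1;
    insns[0] = (struct bpf_insn){ .code = BPF_ALU64 | BPF_MOV | BPF_K,
                                  .dst_reg = BPF_REG_0, .imm = 1 };
    insns[1] = (struct bpf_insn){ .code = BPF_JMP | BPF_EXIT };
    return 2;
}

/* Parse the hex mask printed after "CapEff:" in /proc/<pid>/status,
 * e.g. "000001ffffffffff" (full set) or "00000000a80425fb" (constructed
 * sample of a reduced container set lacking both bits checked here). */
uint64_t parse_cap_mask(const char *hex)
{
    return (uint64_t)strtoull(hex, NULL, 16); /* skips the leading tab */
}

int has_cap(uint64_t mask, int bit)
{
    return (int)((mask >> bit) & 1);
}

static uint64_t effective_caps(void) /* 0 if /proc is unreadable */
{
    char line[256];
    uint64_t mask = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "CapEff:", 7) == 0) { mask = parse_cap_mask(line + 7); break; }
    fclose(f);
    return mask;
}

/* Mirror the trace: load with expected_attach_type INGRESS, attach as EGRESS.
 * Returns 0 on success, else -errno of the step named in *step. */
int load_and_attach(const char *cgroup_path, const char **step)
{
    struct bpf_insn insns[2];
    union bpf_attr attr;
    int prog_fd, cg_fd, ret, saved;

    memset(&attr, 0, sizeof attr);
    attr.prog_type = BPF_PROG_TYPE_CGROUP_SKB;
    attr.insn_cnt = build_allow_all_prog(insns, 2);
    attr.insns = (uint64_t)(uintptr_t)insns;
    attr.license = (uint64_t)(uintptr_t)"GPL";
    attr.expected_attach_type = BPF_CGROUP_INET_INGRESS;
    prog_fd = sys_bpf(BPF_PROG_LOAD, &attr, sizeof attr);
    if (prog_fd < 0) { *step = "BPF_PROG_LOAD"; return -errno; }

    cg_fd = open(cgroup_path, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
    if (cg_fd < 0) { saved = errno; close(prog_fd); *step = "open(cgroup)"; return -saved; }

    memset(&attr, 0, sizeof attr);
    attr.target_fd = cg_fd;
    attr.attach_bpf_fd = prog_fd;
    attr.attach_type = BPF_CGROUP_INET_EGRESS;
    ret = sys_bpf(BPF_PROG_ATTACH, &attr, sizeof attr);
    saved = errno;
    if (ret == 0) /* detach again so the reproducer leaves nothing behind */
        sys_bpf(BPF_PROG_DETACH, &attr, sizeof attr);
    close(cg_fd);
    close(prog_fd);
    *step = ret < 0 ? "BPF_PROG_ATTACH" : "ok";
    return ret < 0 ? -saved : 0;
}

int main(int argc, char **argv)
{
    const char *cg = argc > 1 ? argv[1] : "/sys/fs/cgroup/unified/system.slice"; /* assumed */
    const char *step = "";
    uint64_t caps = effective_caps();
    int rc;

    printf("CapEff=%016llx CAP_NET_ADMIN=%d CAP_SYS_ADMIN=%d\n", (unsigned long long)caps,
           has_cap(caps, CAP_NET_ADMIN_BIT), has_cap(caps, CAP_SYS_ADMIN_BIT));
    rc = load_and_attach(cg, &step);
    if (rc)
        printf("%s failed: %s (errno %d)\n", step, strerror(-rc), -rc);
    else
        printf("attach to %s succeeded\n", cg);
    return rc ? 1 : 0;
}
```

If BPF_PROG_LOAD already fails, the container is blocking unprivileged bpf() altogether and the attach check is never reached; the case in the report is the one where the load succeeds and only BPF_PROG_ATTACH fails, with the capability line showing what the process actually holds at that point.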