core: rename "bpf-lsm.[ch]" → "bpf-restrict-fs.[ch]"
authorLennart Poettering <lennart@poettering.net>
Thu, 25 Jan 2024 12:41:46 +0000 (13:41 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 25 Jan 2024 13:08:26 +0000 (14:08 +0100)
This file is a bit misnamed. What it actually implements is one specific
BPF LSM module, that restricts file systems. As such it really should be
named after that, and not primarily by the mechanism it uses for that.

With this our glue code is now named the same way as the actual bpf code
files in src/core/bpf/, thus things become a bit more symmetric.

This is particularly relevant as we'll soon have another BPF LSM in our
tree, see #26826, and we should be able to distinguish them by name.

This commit just renames the files and does some dumb search/replace of
the string. A follow-up commit will name some functions more expressively
inside the files.

src/core/bpf-restrict-fs.c [moved from src/core/bpf-lsm.c with 82% similarity]
src/core/bpf-restrict-fs.h [moved from src/core/bpf-lsm.h with 100% similarity]
src/core/cgroup.h
src/core/exec-invoke.c
src/core/load-fragment.c
src/core/main.c
src/core/meson.build
src/test/meson.build
src/test/test-bpf-restrict-fs.c [moved from src/test/test-bpf-lsm.c with 99% similarity]

similarity index 82%
rename from src/core/bpf-lsm.c
rename to src/core/bpf-restrict-fs.c
index 216fc341c18ec65f1d430a53fd5ed064f869b57b..14ef52faf1f7635a15c95edff946488bac926101 100644 (file)
@@ -10,7 +10,7 @@
 #include <unistd.h>
 
 #include "alloc-util.h"
-#include "bpf-lsm.h"
+#include "bpf-restrict-fs.h"
 #include "cgroup-util.h"
 #include "fd-util.h"
 #include "fileio.h"
@@ -63,29 +63,29 @@ static int prepare_restrict_fs_bpf(struct restrict_fs_bpf **ret_obj) {
 
         obj = restrict_fs_bpf__open();
         if (!obj)
-                return log_error_errno(errno, "bpf-lsm: Failed to open BPF object: %m");
+                return log_error_errno(errno, "bpf-restrict-fs: Failed to open BPF object: %m");
 
         /* TODO Maybe choose a number based on runtime information? */
         r = sym_bpf_map__set_max_entries(obj->maps.cgroup_hash, CGROUP_HASH_SIZE_MAX);
         assert(r <= 0);
         if (r < 0)
-                return log_error_errno(r, "bpf-lsm: Failed to resize BPF map '%s': %m",
+                return log_error_errno(r, "bpf-restrict-fs: Failed to resize BPF map '%s': %m",
                                        sym_bpf_map__name(obj->maps.cgroup_hash));
 
         /* Dummy map to satisfy the verifier */
         inner_map_fd = compat_bpf_map_create(BPF_MAP_TYPE_HASH, NULL, sizeof(uint32_t), sizeof(uint32_t), 128U, NULL);
         if (inner_map_fd < 0)
-                return log_error_errno(errno, "bpf-lsm: Failed to create BPF map: %m");
+                return log_error_errno(errno, "bpf-restrict-fs: Failed to create BPF map: %m");
 
         r = sym_bpf_map__set_inner_map_fd(obj->maps.cgroup_hash, inner_map_fd);
         assert(r <= 0);
         if (r < 0)
-                return log_error_errno(r, "bpf-lsm: Failed to set inner map fd: %m");
+                return log_error_errno(r, "bpf-restrict-fs: Failed to set inner map fd: %m");
 
         r = restrict_fs_bpf__load(obj);
         assert(r <= 0);
         if (r < 0)
-                return log_error_errno(r, "bpf-lsm: Failed to load BPF object: %m");
+                return log_error_errno(r, "bpf-restrict-fs: Failed to load BPF object: %m");
 
         *ret_obj = TAKE_PTR(obj);
 
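Review bot: The user-visible log prefix changes from `bpf-lsm:` to `bpf-restrict-fs:` in this hunk and in every later hunk of this file, but nothing in the commit records that for operators. Messages such as `Failed to link program; assuming BPF LSM is not available` appear to be how an administrator learns that file system restriction is not in effect, so any journal filter or alert rule that matches the old prefix would silently stop firing. A one-line release-note entry naming the old and new prefix would cover it. prepare_restrict_fs_bpf() begins and ends outside this hunk.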
@@ -107,12 +107,12 @@ bool lsm_bpf_supported(bool initialize) {
 
         r = lsm_supported("bpf");
         if (r < 0) {
-                log_warning_errno(r, "bpf-lsm: Can't determine whether the BPF LSM module is used: %m");
+                log_warning_errno(r, "bpf-restrict-fs: Can't determine whether the BPF LSM module is used: %m");
                 return (supported = false);
         }
         if (r == 0) {
                 log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
-                               "bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported");
+                               "bpf-restrict-fs: BPF LSM hook not enabled in the kernel, BPF LSM not supported");
                 return (supported = false);
         }
 
@@ -122,7 +122,7 @@ bool lsm_bpf_supported(bool initialize) {
 
         if (!bpf_can_link_lsm_program(obj->progs.restrict_filesystems)) {
                 log_warning_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
-                                  "bpf-lsm: Failed to link program; assuming BPF LSM is not available");
+                                  "bpf-restrict-fs: Failed to link program; assuming BPF LSM is not available");
                 return (supported = false);
         }
 
@@ -143,10 +143,10 @@ int lsm_bpf_setup(Manager *m) {
         link = sym_bpf_program__attach_lsm(obj->progs.restrict_filesystems);
         r = sym_libbpf_get_error(link);
         if (r != 0)
-                return log_error_errno(r, "bpf-lsm: Failed to link '%s' LSM BPF program: %m",
+                return log_error_errno(r, "bpf-restrict-fs: Failed to link '%s' LSM BPF program: %m",
                                        sym_bpf_program__name(obj->progs.restrict_filesystems));
 
-        log_info("bpf-lsm: LSM BPF program attached");
+        log_info("bpf-restrict-fs: LSM BPF program attached");
 
         obj->links.restrict_filesystems = TAKE_PTR(link);
         m->restrict_fs = TAKE_PTR(obj);
@@ -171,35 +171,35 @@ int lsm_bpf_restrict_filesystems(const Set *filesystems, uint64_t cgroup_id, int
                         128U, /* Should be enough for all filesystem types */
                         NULL);
         if (inner_map_fd < 0)
-                return log_error_errno(errno, "bpf-lsm: Failed to create inner BPF map: %m");
+                return log_error_errno(errno, "bpf-restrict-fs: Failed to create inner BPF map: %m");
 
         if (sym_bpf_map_update_elem(outer_map_fd, &cgroup_id, &inner_map_fd, BPF_ANY) != 0)
-                return log_error_errno(errno, "bpf-lsm: Error populating BPF map: %m");
+                return log_error_errno(errno, "bpf-restrict-fs: Error populating BPF map: %m");
 
         uint32_t allow = allow_list;
 
         /* Use key 0 to store whether this is an allow list or a deny list */
         if (sym_bpf_map_update_elem(inner_map_fd, &zero, &allow, BPF_ANY) != 0)
-                return log_error_errno(errno, "bpf-lsm: Error initializing map: %m");
+                return log_error_errno(errno, "bpf-restrict-fs: Error initializing map: %m");
 
         SET_FOREACH(fs, filesystems) {
                 r = fs_type_from_string(fs, &magic);
                 if (r < 0) {
-                        log_warning("bpf-lsm: Invalid filesystem name '%s', ignoring.", fs);
+                        log_warning("bpf-restrict-fs: Invalid filesystem name '%s', ignoring.", fs);
                         continue;
                 }
 
-                log_debug("bpf-lsm: Restricting filesystem access to '%s'", fs);
+                log_debug("bpf-restrict-fs: Restricting filesystem access to '%s'", fs);
 
                 for (int i = 0; i < FILESYSTEM_MAGIC_MAX; i++) {
                         if (magic[i] == 0)
                                 break;
 
                         if (sym_bpf_map_update_elem(inner_map_fd, &magic[i], &dummy_value, BPF_ANY) != 0) {
-                                r = log_error_errno(errno, "bpf-lsm: Failed to update BPF map: %m");
+                                r = log_error_errno(errno, "bpf-restrict-fs: Failed to update BPF map: %m");
 
                                 if (sym_bpf_map_delete_elem(outer_map_fd, &cgroup_id) != 0)
-                                        log_debug_errno(errno, "bpf-lsm: Failed to delete cgroup entry from BPF map: %m");
+                                        log_debug_errno(errno, "bpf-restrict-fs: Failed to delete cgroup entry from BPF map: %m");
 
                                 return r;
                         }
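Review bot: The early return after the key-0 `sym_bpf_map_update_elem()` call ("Error initializing map") leaves the `cgroup_id` entry that was just added to the outer map in place, whereas the later failure inside the `magic[]` loop removes it with `sym_bpf_map_delete_elem(outer_map_fd, &cgroup_id)`. The two paths should agree, for example `r = log_error_errno(errno, "bpf-restrict-fs: Error initializing map: %m");` then `(void) sym_bpf_map_delete_elem(outer_map_fd, &cgroup_id);` then `return r;`, so a cgroup never stays registered with an inner map that lacks the allow/deny marker. How the BPF program treats such a half-initialised inner map is not visible here, so this may be harmless in practice and is worth confirming. The function starts and ends outside this hunk.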
@@ -225,10 +225,10 @@ int lsm_bpf_cleanup(const Unit *u) {
 
         int fd = sym_bpf_map__fd(u->manager->restrict_fs->maps.cgroup_hash);
         if (fd < 0)
-                return log_unit_error_errno(u, errno, "bpf-lsm: Failed to get BPF map fd: %m");
+                return log_unit_error_errno(u, errno, "bpf-restrict-fs: Failed to get BPF map fd: %m");
 
         if (sym_bpf_map_delete_elem(fd, &u->cgroup_id) != 0 && errno != ENOENT)
-                return log_unit_debug_errno(u, errno, "bpf-lsm: Failed to delete cgroup entry from LSM BPF map: %m");
+                return log_unit_debug_errno(u, errno, "bpf-restrict-fs: Failed to delete cgroup entry from LSM BPF map: %m");
 
         return 0;
 }
@@ -252,11 +252,11 @@ bool lsm_bpf_supported(bool initialize) {
 }
 
 int lsm_bpf_setup(Manager *m) {
-        return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm: Failed to set up LSM BPF: %m");
+        return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-restrict-fs: Failed to set up LSM BPF: %m");
 }
 
 int lsm_bpf_restrict_filesystems(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, const bool allow_list) {
-        return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm: Failed to restrict filesystems using LSM BPF: %m");
+        return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-restrict-fs: Failed to restrict filesystems using LSM BPF: %m");
 }
 
 int lsm_bpf_cleanup(const Unit *u) {
@@ -290,7 +290,7 @@ int lsm_bpf_parse_filesystem(
                 set = filesystem_set_find(name);
                 if (!set) {
                         log_syntax(unit, flags & FILESYSTEM_PARSE_LOG ? LOG_WARNING : LOG_DEBUG, filename, line, 0,
-                                   "bpf-lsm: Unknown filesystem group, ignoring: %s", name);
+                                   "bpf-restrict-fs: Unknown filesystem group, ignoring: %s", name);
                         return 0;
                 }
 
index 6cb04f4eb26e25de6c876f85fd62825d7f47e77e..d834cb8bbd2bbc52628ed00bb56e3d2528eb8b73 100644 (file)
@@ -3,7 +3,7 @@
 
 #include <stdbool.h>
 
-#include "bpf-lsm.h"
+#include "bpf-restrict-fs.h"
 #include "cgroup-util.h"
 #include "cpu-set-util.h"
 #include "firewall-util.h"
index 829e094f519b442dd4b419bf2177911d83aafcf3..b98e9e6a4b3173ee170062fa659a156b7d809cfd 100644 (file)
@@ -22,7 +22,7 @@
 #include "argv-util.h"
 #include "barrier.h"
 #include "bpf-dlopen.h"
-#include "bpf-lsm.h"
+#include "bpf-restrict-fs.h"
 #include "btrfs-util.h"
 #include "capability-util.h"
 #include "cgroup-setup.h"
index 5f4e642e545c89f7426c79adc51f7873350d3265..cecd01fdcf851d48870b42684626d7c4bd711984 100644 (file)
@@ -16,8 +16,8 @@
 #include "all-units.h"
 #include "alloc-util.h"
 #include "bpf-firewall.h"
-#include "bpf-lsm.h"
 #include "bpf-program.h"
+#include "bpf-restrict-fs.h"
 #include "bpf-socket-bind.h"
 #include "bus-error.h"
 #include "bus-internal.h"
index 10f60c24251c333751f929f3b2c8c6f5b364629e..1e66770df048250f5269e8217d8443413bb737f4 100644 (file)
@@ -21,7 +21,7 @@
 #include "architecture.h"
 #include "argv-util.h"
 #if HAVE_LIBBPF
-#include "bpf-lsm.h"
+#include "bpf-restrict-fs.h"
 #endif
 #include "build.h"
 #include "bus-error.h"
index 7701d3de0a35f4aa43a99a4c2d69fe48c36661ec..a32f0739ce97f332e3d08c0aacbff72c9e545fc7 100644 (file)
@@ -7,7 +7,7 @@ libcore_sources = files(
         'bpf-devices.c',
         'bpf-firewall.c',
         'bpf-foreign.c',
-        'bpf-lsm.c',
+        'bpf-restrict-fs.c',
         'bpf-socket-bind.c',
         'cgroup.c',
         'core-varlink.c',
index 5acf5b4a61453790c5363be6b20f2c165af3827e..ef741388d5524685a26dc4676e08cc7ebee8c835 100644 (file)
@@ -478,7 +478,7 @@ executables += [
                 'sources' : files('test-bpf-foreign-programs.c'),
         },
         core_test_template + {
-                'sources' : files('test-bpf-lsm.c'),
+                'sources' : files('test-bpf-restrict-fs.c'),
                 'dependencies' : common_test_dependencies,
         },
         core_test_template + {
similarity index 99%
rename from src/test/test-bpf-lsm.c
rename to src/test/test-bpf-restrict-fs.c
index 42ea64cd0a1f2f7ef29f4b7f3799d0838b768fef..b6293932178c3e908de6bdfa1b720a60028dfb0b 100644 (file)
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
-#include "bpf-lsm.h"
+#include "bpf-restrict-fs.h"
 #include "load-fragment.h"
 #include "manager.h"
 #include "process-util.h"