return 0;
}
-bool lsm_bpf_supported(bool initialize) {
+bool bpf_restrict_fs_supported(bool initialize) {
_cleanup_(restrict_fs_bpf_freep) struct restrict_fs_bpf *obj = NULL;
static int supported = -1;
int r;
return (supported = true);
}
-int lsm_bpf_setup(Manager *m) {
+int bpf_restrict_fs_setup(Manager *m) {
_cleanup_(restrict_fs_bpf_freep) struct restrict_fs_bpf *obj = NULL;
_cleanup_(bpf_link_freep) struct bpf_link *link = NULL;
int r;
return 0;
}
-int lsm_bpf_restrict_filesystems(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, bool allow_list) {
+int bpf_restrict_fs_update(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, bool allow_list) {
uint32_t dummy_value = 1, zero = 0;
const char *fs;
const statfs_f_type_t *magic;
return 0;
}
-int lsm_bpf_cleanup(const Unit *u) {
+int bpf_restrict_fs_cleanup(const Unit *u) {
assert(u);
assert(u->manager);
/* If we never successfully detected support, there is nothing to clean up. */
- if (!lsm_bpf_supported(/* initialize = */ false))
+ if (!bpf_restrict_fs_supported(/* initialize = */ false))
return 0;
if (!u->manager->restrict_fs)
return 0;
}
-int lsm_bpf_map_restrict_fs_fd(Unit *unit) {
+int bpf_restrict_fs_map_fd(Unit *unit) {
assert(unit);
assert(unit->manager);
return sym_bpf_map__fd(unit->manager->restrict_fs->maps.cgroup_hash);
}
-void lsm_bpf_destroy(struct restrict_fs_bpf *prog) {
+void bpf_restrict_fs_destroy(struct restrict_fs_bpf *prog) {
restrict_fs_bpf__destroy(prog);
}
#else /* ! BPF_FRAMEWORK */
-bool lsm_bpf_supported(bool initialize) {
+bool bpf_restrict_fs_supported(bool initialize) {
return false;
}
-int lsm_bpf_setup(Manager *m) {
+int bpf_restrict_fs_setup(Manager *m) {
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-restrict-fs: Failed to set up LSM BPF: %m");
}
-int lsm_bpf_restrict_filesystems(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, const bool allow_list) {
+int bpf_restrict_fs_update(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, const bool allow_list) {
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-restrict-fs: Failed to restrict filesystems using LSM BPF: %m");
}
-int lsm_bpf_cleanup(const Unit *u) {
+int bpf_restrict_fs_cleanup(const Unit *u) {
return 0;
}
-int lsm_bpf_map_restrict_fs_fd(Unit *unit) {
+int bpf_restrict_fs_map_fd(Unit *unit) {
return -ENOMEDIUM;
}
-void lsm_bpf_destroy(struct restrict_fs_bpf *prog) {
+void bpf_restrict_fs_destroy(struct restrict_fs_bpf *prog) {
return;
}
#endif
-int lsm_bpf_parse_filesystem(
+int bpf_restrict_fs_parse_filesystem(
const char *name,
Set **filesystems,
FilesystemParseFlags flags,
* (i.e. take away the FILESYSTEM_PARSE_LOG flag) since any issues in the group table
* are our own problem, not a problem in user configuration data and we shouldn't
* pretend otherwise by complaining about them. */
- r = lsm_bpf_parse_filesystem(i, filesystems, flags &~ FILESYSTEM_PARSE_LOG, unit, filename, line);
+ r = bpf_restrict_fs_parse_filesystem(i, filesystems, flags &~ FILESYSTEM_PARSE_LOG, unit, filename, line);
if (r < 0)
return r;
}
typedef struct restrict_fs_bpf restrict_fs_bpf;
-bool lsm_bpf_supported(bool initialize);
-int lsm_bpf_setup(Manager *m);
-int lsm_bpf_restrict_filesystems(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, bool allow_list);
-int lsm_bpf_cleanup(const Unit *u);
-int lsm_bpf_map_restrict_fs_fd(Unit *u);
-void lsm_bpf_destroy(struct restrict_fs_bpf *prog);
-int lsm_bpf_parse_filesystem(const char *name,
- Set **filesystems,
- FilesystemParseFlags flags,
- const char *unit,
- const char *filename,
- unsigned line);
+bool bpf_restrict_fs_supported(bool initialize);
+int bpf_restrict_fs_setup(Manager *m);
+int bpf_restrict_fs_update(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, bool allow_list);
+int bpf_restrict_fs_cleanup(const Unit *u);
+int bpf_restrict_fs_map_fd(Unit *u);
+void bpf_restrict_fs_destroy(struct restrict_fs_bpf *prog);
+int bpf_restrict_fs_parse_filesystem(const char *name, Set **filesystems, FilesystemParseFlags flags, const char *unit, const char *filename, unsigned line);
(void) unit_get_memory_accounting(u, metric, /* ret = */ NULL);
#if BPF_FRAMEWORK
- (void) lsm_bpf_cleanup(u); /* Remove cgroup from the global LSM BPF map */
+ (void) bpf_restrict_fs_cleanup(u); /* Remove cgroup from the global LSM BPF map */
#endif
unit_modify_nft_set(u, /* add = */ false);
c->restrict_filesystems_allow_list = allow_list;
STRV_FOREACH(s, l) {
- r = lsm_bpf_parse_filesystem(
+ r = bpf_restrict_fs_parse_filesystem(
*s,
&c->restrict_filesystems,
FILESYSTEM_PARSE_LOG|
if (!exec_context_restrict_filesystems_set(c))
return 0;
- if (p->bpf_outer_map_fd < 0) {
+ if (p->bpf_restrict_fs_map_fd < 0) {
/* LSM BPF is unsupported or lsm_bpf_setup failed */
log_exec_debug(c, p, "LSM BPF not supported, skipping RestrictFileSystems=");
return 0;
if (r < 0)
return r;
- return lsm_bpf_restrict_filesystems(c->restrict_filesystems, p->cgroup_id, p->bpf_outer_map_fd, c->restrict_filesystems_allow_list);
+ return bpf_restrict_fs_update(c->restrict_filesystems, p->cgroup_id, p->bpf_restrict_fs_map_fd, c->restrict_filesystems_allow_list);
}
#endif
}
#if HAVE_LIBBPF
- r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, ¶ms->bpf_outer_map_fd);
+ r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, ¶ms->bpf_restrict_fs_map_fd);
if (r < 0) {
*exit_status = EXIT_FDS;
return log_exec_error_errno(context, params, r, "Failed to collect shifted fd: %m");
return r;
if (c && exec_context_restrict_filesystems_set(c)) {
- r = serialize_fd(f, fds, "exec-parameters-bpf-outer-map-fd", p->bpf_outer_map_fd);
+ r = serialize_fd(f, fds, "exec-parameters-bpf-outer-map-fd", p->bpf_restrict_fs_map_fd);
if (r < 0)
return r;
}
if (fd < 0)
continue;
- p->bpf_outer_map_fd = fd;
+ p->bpf_restrict_fs_map_fd = fd;
} else if ((val = startswith(l, "exec-parameters-notify-socket="))) {
r = free_and_strdup(&p->notify_socket, val);
if (r < 0)
p->fds = mfree(p->fds);
p->exec_fd = safe_close(p->exec_fd);
p->user_lookup_fd = -EBADF;
- p->bpf_outer_map_fd = -EBADF;
+ p->bpf_restrict_fs_map_fd = -EBADF;
p->unit_id = mfree(p->unit_id);
p->invocation_id = SD_ID128_NULL;
p->invocation_id_string[0] = '\0';
char **files_env;
int user_lookup_fd;
- int bpf_outer_map_fd;
+
+ int bpf_restrict_fs_map_fd;
/* Used for logging in the executor functions */
char *unit_id;
char invocation_id_string[SD_ID128_STRING_MAX];
};
-#define EXEC_PARAMETERS_INIT(_flags) \
- (ExecParameters) { \
- .flags = (_flags), \
- .stdin_fd = -EBADF, \
- .stdout_fd = -EBADF, \
- .stderr_fd = -EBADF, \
- .exec_fd = -EBADF, \
- .bpf_outer_map_fd = -EBADF, \
- .user_lookup_fd = -EBADF, \
- };
+#define EXEC_PARAMETERS_INIT(_flags) \
+ (ExecParameters) { \
+ .flags = (_flags), \
+ .stdin_fd = -EBADF, \
+ .stdout_fd = -EBADF, \
+ .stderr_fd = -EBADF, \
+ .exec_fd = -EBADF, \
+ .bpf_restrict_fs_map_fd = -EBADF, \
+ .user_lookup_fd = -EBADF, \
+ }
#include "unit.h"
#include "dynamic-user.h"
params.stderr_fd = -EBADF;
params.exec_fd = -EBADF;
params.user_lookup_fd = -EBADF;
- params.bpf_outer_map_fd = -EBADF;
+ params.bpf_restrict_fs_map_fd = -EBADF;
if (!params.fds)
params.n_socket_fds = params.n_storage_fds = 0;
for (size_t i = 0; params.fds && i < params.n_socket_fds + params.n_storage_fds; i++)
break;
}
- r = lsm_bpf_parse_filesystem(
+ r = bpf_restrict_fs_parse_filesystem(
word,
&c->restrict_filesystems,
FILESYSTEM_PARSE_LOG|
return r;
#if HAVE_LIBBPF
- if (MANAGER_IS_SYSTEM(m) && lsm_bpf_supported(/* initialize = */ true)) {
- r = lsm_bpf_setup(m);
+ if (MANAGER_IS_SYSTEM(m) && bpf_restrict_fs_supported(/* initialize = */ true)) {
+ r = bpf_restrict_fs_setup(m);
if (r < 0)
log_warning_errno(r, "Failed to setup LSM BPF, ignoring: %m");
}
m->fw_ctx = fw_ctx_free(m->fw_ctx);
#if BPF_FRAMEWORK
- lsm_bpf_destroy(m->restrict_fs);
+ bpf_restrict_fs_destroy(m->restrict_fs);
#endif
safe_close(m->executor_fd);
p->fallback_smack_process_label = u->manager->defaults.smack_process_label;
- if (u->manager->restrict_fs && p->bpf_outer_map_fd < 0) {
- int fd = lsm_bpf_map_restrict_fs_fd(u);
+ if (u->manager->restrict_fs && p->bpf_restrict_fs_map_fd < 0) {
+ int fd = bpf_restrict_fs_map_fd(u);
if (fd < 0)
return fd;
- p->bpf_outer_map_fd = fd;
+ p->bpf_restrict_fs_map_fd = fd;
}
p->user_lookup_fd = u->manager->user_lookup_fds[1];
if (!can_memlock())
return log_tests_skipped("Can't use mlock()");
- if (!lsm_bpf_supported(/* initialize = */ true))
+ if (!bpf_restrict_fs_supported(/* initialize = */ true))
return log_tests_skipped("LSM BPF hooks are not supported");
r = enter_cgroup_subroot(NULL);