]>
Commit | Line | Data |
---|---|---|
084c7007 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
124e05b3 ZJS |
2 | |
3 | #include <fnmatch.h> | |
01234e1f | 4 | #include <linux/bpf_insn.h> |
084c7007 RG |
5 | |
6 | #include "bpf-devices.h" | |
7 | #include "bpf-program.h" | |
124e05b3 ZJS |
8 | #include "fd-util.h" |
9 | #include "fileio.h" | |
a9aac7d8 | 10 | #include "nulstr-util.h" |
124e05b3 ZJS |
11 | #include "parse-util.h" |
12 | #include "stat-util.h" | |
13 | #include "stdio-util.h" | |
14 | #include "string-util.h" | |
084c7007 RG |
15 | |
16 | #define PASS_JUMP_OFF 4096 | |
17 | ||
18 | static int bpf_access_type(const char *acc) { | |
19 | int r = 0; | |
20 | ||
21 | assert(acc); | |
22 | ||
23 | for (; *acc; acc++) | |
24 | switch(*acc) { | |
25 | case 'r': | |
26 | r |= BPF_DEVCG_ACC_READ; | |
27 | break; | |
28 | case 'w': | |
29 | r |= BPF_DEVCG_ACC_WRITE; | |
30 | break; | |
31 | case 'm': | |
32 | r |= BPF_DEVCG_ACC_MKNOD; | |
33 | break; | |
34 | default: | |
35 | return -EINVAL; | |
36 | } | |
37 | ||
38 | return r; | |
39 | } | |
40 | ||
6b000af4 | 41 | static int bpf_prog_allow_list_device( |
07141aa0 LP |
42 | BPFProgram *prog, |
43 | char type, | |
44 | int major, | |
45 | int minor, | |
46 | const char *acc) { | |
47 | ||
084c7007 RG |
48 | int r, access; |
49 | ||
50 | assert(prog); | |
51 | assert(acc); | |
52 | ||
786cce00 ZJS |
53 | log_trace("%s: %c %d:%d %s", __func__, type, major, minor, acc); |
54 | ||
084c7007 RG |
55 | access = bpf_access_type(acc); |
56 | if (access <= 0) | |
57 | return -EINVAL; | |
58 | ||
8ad08622 ZJS |
59 | assert(IN_SET(type, 'b', 'c')); |
60 | const int bpf_type = type == 'c' ? BPF_DEVCG_DEV_CHAR : BPF_DEVCG_DEV_BLOCK; | |
61 | ||
2899aac4 | 62 | const struct bpf_insn insn[] = { |
00486578 | 63 | BPF_MOV32_REG(BPF_REG_1, BPF_REG_3), |
2899aac4 | 64 | BPF_ALU32_IMM(BPF_AND, BPF_REG_1, access), |
00486578 ZJS |
65 | BPF_JMP_REG(BPF_JNE, BPF_REG_1, BPF_REG_3, 4), /* compare access type */ |
66 | ||
67 | BPF_JMP_IMM(BPF_JNE, BPF_REG_2, bpf_type, 3), /* compare device type */ | |
68 | BPF_JMP_IMM(BPF_JNE, BPF_REG_4, major, 2), /* compare major */ | |
69 | BPF_JMP_IMM(BPF_JNE, BPF_REG_5, minor, 1), /* compare minor */ | |
70 | BPF_JMP_A(PASS_JUMP_OFF), /* jump to PASS */ | |
2899aac4 | 71 | }; |
084c7007 | 72 | |
00486578 ZJS |
73 | if (FLAGS_SET(access, BPF_DEVCG_ACC_READ | BPF_DEVCG_ACC_WRITE | BPF_DEVCG_ACC_MKNOD)) |
74 | r = bpf_program_add_instructions(prog, insn + 3, ELEMENTSOF(insn) - 3); | |
75 | else | |
76 | r = bpf_program_add_instructions(prog, insn, ELEMENTSOF(insn)); | |
084c7007 RG |
77 | if (r < 0) |
78 | log_error_errno(r, "Extending device control BPF program failed: %m"); | |
79 | ||
80 | return r; | |
81 | } | |
82 | ||
6b000af4 | 83 | static int bpf_prog_allow_list_major( |
07141aa0 LP |
84 | BPFProgram *prog, |
85 | char type, | |
86 | int major, | |
87 | const char *acc) { | |
88 | ||
084c7007 RG |
89 | int r, access; |
90 | ||
91 | assert(prog); | |
92 | assert(acc); | |
93 | ||
786cce00 ZJS |
94 | log_trace("%s: %c %d:* %s", __func__, type, major, acc); |
95 | ||
084c7007 RG |
96 | access = bpf_access_type(acc); |
97 | if (access <= 0) | |
98 | return -EINVAL; | |
99 | ||
8ad08622 ZJS |
100 | assert(IN_SET(type, 'b', 'c')); |
101 | const int bpf_type = type == 'c' ? BPF_DEVCG_DEV_CHAR : BPF_DEVCG_DEV_BLOCK; | |
102 | ||
2899aac4 | 103 | const struct bpf_insn insn[] = { |
00486578 | 104 | BPF_MOV32_REG(BPF_REG_1, BPF_REG_3), |
2899aac4 | 105 | BPF_ALU32_IMM(BPF_AND, BPF_REG_1, access), |
00486578 ZJS |
106 | BPF_JMP_REG(BPF_JNE, BPF_REG_1, BPF_REG_3, 3), /* compare access type */ |
107 | ||
108 | BPF_JMP_IMM(BPF_JNE, BPF_REG_2, bpf_type, 2), /* compare device type */ | |
109 | BPF_JMP_IMM(BPF_JNE, BPF_REG_4, major, 1), /* compare major */ | |
110 | BPF_JMP_A(PASS_JUMP_OFF), /* jump to PASS */ | |
2899aac4 | 111 | }; |
084c7007 | 112 | |
00486578 ZJS |
113 | if (FLAGS_SET(access, BPF_DEVCG_ACC_READ | BPF_DEVCG_ACC_WRITE | BPF_DEVCG_ACC_MKNOD)) |
114 | r = bpf_program_add_instructions(prog, insn + 3, ELEMENTSOF(insn) - 3); | |
115 | else | |
116 | r = bpf_program_add_instructions(prog, insn, ELEMENTSOF(insn)); | |
084c7007 RG |
117 | if (r < 0) |
118 | log_error_errno(r, "Extending device control BPF program failed: %m"); | |
8e8b5d2e LP |
119 | |
120 | return r; | |
121 | } | |
122 | ||
6b000af4 | 123 | static int bpf_prog_allow_list_class( |
07141aa0 LP |
124 | BPFProgram *prog, |
125 | char type, | |
126 | const char *acc) { | |
127 | ||
8e8b5d2e LP |
128 | int r, access; |
129 | ||
130 | assert(prog); | |
131 | assert(acc); | |
132 | ||
786cce00 ZJS |
133 | log_trace("%s: %c *:* %s", __func__, type, acc); |
134 | ||
8e8b5d2e LP |
135 | access = bpf_access_type(acc); |
136 | if (access <= 0) | |
137 | return -EINVAL; | |
138 | ||
8ad08622 ZJS |
139 | assert(IN_SET(type, 'b', 'c')); |
140 | const int bpf_type = type == 'c' ? BPF_DEVCG_DEV_CHAR : BPF_DEVCG_DEV_BLOCK; | |
141 | ||
2899aac4 | 142 | const struct bpf_insn insn[] = { |
00486578 | 143 | BPF_MOV32_REG(BPF_REG_1, BPF_REG_3), |
2899aac4 | 144 | BPF_ALU32_IMM(BPF_AND, BPF_REG_1, access), |
00486578 ZJS |
145 | BPF_JMP_REG(BPF_JNE, BPF_REG_1, BPF_REG_3, 2), /* compare access type */ |
146 | ||
147 | BPF_JMP_IMM(BPF_JNE, BPF_REG_2, bpf_type, 1), /* compare device type */ | |
148 | BPF_JMP_A(PASS_JUMP_OFF), /* jump to PASS */ | |
2899aac4 | 149 | }; |
8e8b5d2e | 150 | |
00486578 ZJS |
151 | if (FLAGS_SET(access, BPF_DEVCG_ACC_READ | BPF_DEVCG_ACC_WRITE | BPF_DEVCG_ACC_MKNOD)) |
152 | r = bpf_program_add_instructions(prog, insn + 3, ELEMENTSOF(insn) - 3); | |
153 | else | |
154 | r = bpf_program_add_instructions(prog, insn, ELEMENTSOF(insn)); | |
8e8b5d2e LP |
155 | if (r < 0) |
156 | log_error_errno(r, "Extending device control BPF program failed: %m"); | |
084c7007 RG |
157 | |
158 | return r; | |
159 | } | |
160 | ||
07141aa0 LP |
161 | int bpf_devices_cgroup_init( |
162 | BPFProgram **ret, | |
163 | CGroupDevicePolicy policy, | |
6b000af4 | 164 | bool allow_list) { |
07141aa0 | 165 | |
2899aac4 | 166 | const struct bpf_insn pre_insn[] = { |
084c7007 | 167 | /* load device type to r2 */ |
415fe5ec | 168 | BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, |
084c7007 | 169 | offsetof(struct bpf_cgroup_dev_ctx, access_type)), |
415fe5ec | 170 | BPF_ALU32_IMM(BPF_AND, BPF_REG_2, 0xFFFF), |
084c7007 RG |
171 | |
172 | /* load access type to r3 */ | |
173 | BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, | |
174 | offsetof(struct bpf_cgroup_dev_ctx, access_type)), | |
175 | BPF_ALU32_IMM(BPF_RSH, BPF_REG_3, 16), | |
176 | ||
177 | /* load major number to r4 */ | |
178 | BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, | |
179 | offsetof(struct bpf_cgroup_dev_ctx, major)), | |
180 | ||
181 | /* load minor number to r5 */ | |
182 | BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1, | |
183 | offsetof(struct bpf_cgroup_dev_ctx, minor)), | |
184 | }; | |
185 | ||
186 | _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; | |
187 | int r; | |
188 | ||
189 | assert(ret); | |
190 | ||
6b000af4 | 191 | if (policy == CGROUP_DEVICE_POLICY_AUTO && !allow_list) |
084c7007 RG |
192 | return 0; |
193 | ||
194 | r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, &prog); | |
195 | if (r < 0) | |
196 | return log_error_errno(r, "Loading device control BPF program failed: %m"); | |
197 | ||
6b000af4 | 198 | if (policy == CGROUP_DEVICE_POLICY_CLOSED || allow_list) { |
084c7007 RG |
199 | r = bpf_program_add_instructions(prog, pre_insn, ELEMENTSOF(pre_insn)); |
200 | if (r < 0) | |
201 | return log_error_errno(r, "Extending device control BPF program failed: %m"); | |
202 | } | |
203 | ||
204 | *ret = TAKE_PTR(prog); | |
205 | ||
206 | return 0; | |
207 | } | |
208 | ||
0848715c ZJS |
209 | int bpf_devices_apply_policy( |
210 | BPFProgram *prog, | |
211 | CGroupDevicePolicy policy, | |
6b000af4 | 212 | bool allow_list, |
0848715c ZJS |
213 | const char *cgroup_path, |
214 | BPFProgram **prog_installed) { | |
7973f564 ZJS |
215 | |
216 | _cleanup_free_ char *controller_path = NULL; | |
084c7007 RG |
217 | int r; |
218 | ||
0848715c | 219 | /* This will assign *keep_program if everything goes well. */ |
7973f564 ZJS |
220 | |
221 | if (!prog) | |
222 | goto finish; | |
084c7007 | 223 | |
6b000af4 | 224 | const bool deny_everything = policy == CGROUP_DEVICE_POLICY_STRICT && !allow_list; |
084c7007 | 225 | |
2899aac4 ZJS |
226 | const struct bpf_insn post_insn[] = { |
227 | /* return DENY */ | |
228 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
229 | BPF_JMP_A(1), | |
230 | }; | |
231 | ||
232 | const struct bpf_insn exit_insn[] = { | |
233 | /* finally return DENY if deny_everything else ALLOW */ | |
234 | BPF_MOV64_IMM(BPF_REG_0, deny_everything ? 0 : 1), | |
235 | BPF_EXIT_INSN() | |
236 | }; | |
237 | ||
238 | if (!deny_everything) { | |
084c7007 RG |
239 | r = bpf_program_add_instructions(prog, post_insn, ELEMENTSOF(post_insn)); |
240 | if (r < 0) | |
241 | return log_error_errno(r, "Extending device control BPF program failed: %m"); | |
242 | ||
243 | /* Fixup PASS_JUMP_OFF jump offsets. */ | |
2899aac4 | 244 | for (size_t off = 0; off < prog->n_instructions; off++) { |
084c7007 RG |
245 | struct bpf_insn *ins = &prog->instructions[off]; |
246 | ||
247 | if (ins->code == (BPF_JMP | BPF_JA) && ins->off == PASS_JUMP_OFF) | |
248 | ins->off = prog->n_instructions - off - 1; | |
249 | } | |
2899aac4 | 250 | } |
084c7007 RG |
251 | |
252 | r = bpf_program_add_instructions(prog, exit_insn, ELEMENTSOF(exit_insn)); | |
253 | if (r < 0) | |
254 | return log_error_errno(r, "Extending device control BPF program failed: %m"); | |
255 | ||
0848715c | 256 | r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, NULL, &controller_path); |
084c7007 RG |
257 | if (r < 0) |
258 | return log_error_errno(r, "Failed to determine cgroup path: %m"); | |
259 | ||
0848715c | 260 | r = bpf_program_cgroup_attach(prog, BPF_CGROUP_DEVICE, controller_path, BPF_F_ALLOW_MULTI); |
084c7007 | 261 | if (r < 0) |
0848715c ZJS |
262 | return log_error_errno(r, "Attaching device control BPF program to cgroup %s failed: %m", |
263 | cgroup_path); | |
084c7007 | 264 | |
7973f564 | 265 | finish: |
2af3eed1 | 266 | /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program. */ |
7973f564 ZJS |
267 | if (prog_installed) { |
268 | bpf_program_unref(*prog_installed); | |
269 | *prog_installed = bpf_program_ref(prog); | |
270 | } | |
084c7007 RG |
271 | return 0; |
272 | } | |
273 | ||
274 | int bpf_devices_supported(void) { | |
2899aac4 | 275 | const struct bpf_insn trivial[] = { |
084c7007 RG |
276 | BPF_MOV64_IMM(BPF_REG_0, 1), |
277 | BPF_EXIT_INSN() | |
278 | }; | |
279 | ||
280 | _cleanup_(bpf_program_unrefp) BPFProgram *program = NULL; | |
281 | static int supported = -1; | |
282 | int r; | |
283 | ||
284 | /* Checks whether BPF device controller is supported. For this, we check five things: | |
285 | * | |
286 | * a) whether we are privileged | |
287 | * b) whether the unified hierarchy is being used | |
288 | * c) the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_DEVICE programs, which we require | |
289 | */ | |
290 | ||
291 | if (supported >= 0) | |
292 | return supported; | |
293 | ||
294 | if (geteuid() != 0) { | |
295 | log_debug("Not enough privileges, BPF device control is not supported."); | |
296 | return supported = 0; | |
297 | } | |
298 | ||
299 | r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER); | |
300 | if (r < 0) | |
301 | return log_error_errno(r, "Can't determine whether the unified hierarchy is used: %m"); | |
302 | if (r == 0) { | |
303 | log_debug("Not running with unified cgroups, BPF device control is not supported."); | |
304 | return supported = 0; | |
305 | } | |
306 | ||
307 | r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, &program); | |
308 | if (r < 0) { | |
309 | log_debug_errno(r, "Can't allocate CGROUP DEVICE BPF program, BPF device control is not supported: %m"); | |
310 | return supported = 0; | |
311 | } | |
312 | ||
313 | r = bpf_program_add_instructions(program, trivial, ELEMENTSOF(trivial)); | |
314 | if (r < 0) { | |
315 | log_debug_errno(r, "Can't add trivial instructions to CGROUP DEVICE BPF program, BPF device control is not supported: %m"); | |
316 | return supported = 0; | |
317 | } | |
318 | ||
319 | r = bpf_program_load_kernel(program, NULL, 0); | |
320 | if (r < 0) { | |
321 | log_debug_errno(r, "Can't load kernel CGROUP DEVICE BPF program, BPF device control is not supported: %m"); | |
322 | return supported = 0; | |
323 | } | |
324 | ||
0b82cd25 | 325 | return supported = 1; |
084c7007 | 326 | } |
124e05b3 | 327 | |
6b000af4 | 328 | static int allow_list_device_pattern( |
07141aa0 LP |
329 | BPFProgram *prog, |
330 | const char *path, | |
331 | char type, | |
332 | const unsigned *maj, | |
333 | const unsigned *min, | |
334 | const char *acc) { | |
335 | ||
124e05b3 ZJS |
336 | assert(IN_SET(type, 'b', 'c')); |
337 | ||
338 | if (cg_all_unified() > 0) { | |
339 | if (!prog) | |
340 | return 0; | |
341 | ||
124e05b3 | 342 | if (maj && min) |
6b000af4 | 343 | return bpf_prog_allow_list_device(prog, type, *maj, *min, acc); |
124e05b3 | 344 | else if (maj) |
6b000af4 | 345 | return bpf_prog_allow_list_major(prog, type, *maj, acc); |
124e05b3 | 346 | else |
6b000af4 | 347 | return bpf_prog_allow_list_class(prog, type, acc); |
124e05b3 ZJS |
348 | |
349 | } else { | |
350 | char buf[2+DECIMAL_STR_MAX(unsigned)*2+2+4]; | |
351 | int r; | |
352 | ||
353 | if (maj && min) | |
354 | xsprintf(buf, "%c %u:%u %s", type, *maj, *min, acc); | |
355 | else if (maj) | |
356 | xsprintf(buf, "%c %u:* %s", type, *maj, acc); | |
357 | else | |
358 | xsprintf(buf, "%c *:* %s", type, acc); | |
359 | ||
360 | /* Changing the devices list of a populated cgroup might result in EINVAL, hence ignore | |
361 | * EINVAL here. */ | |
362 | ||
363 | r = cg_set_attribute("devices", path, "devices.allow", buf); | |
364 | if (r < 0) | |
365 | log_full_errno(IN_SET(r, -ENOENT, -EROFS, -EINVAL, -EACCES, -EPERM) ? LOG_DEBUG : LOG_WARNING, | |
366 | r, "Failed to set devices.allow on %s: %m", path); | |
367 | ||
368 | return r; | |
369 | } | |
370 | } | |
371 | ||
6b000af4 | 372 | int bpf_devices_allow_list_device( |
07141aa0 LP |
373 | BPFProgram *prog, |
374 | const char *path, | |
375 | const char *node, | |
376 | const char *acc) { | |
377 | ||
124e05b3 ZJS |
378 | mode_t mode; |
379 | dev_t rdev; | |
380 | int r; | |
381 | ||
382 | assert(path); | |
383 | assert(acc); | |
384 | assert(strlen(acc) <= 3); | |
385 | ||
786cce00 ZJS |
386 | log_trace("%s: %s %s", __func__, node, acc); |
387 | ||
124e05b3 ZJS |
388 | /* Some special handling for /dev/block/%u:%u, /dev/char/%u:%u, /run/systemd/inaccessible/chr and |
389 | * /run/systemd/inaccessible/blk paths. Instead of stat()ing these we parse out the major/minor directly. This | |
390 | * means clients can use these path without the device node actually around */ | |
391 | r = device_path_parse_major_minor(node, &mode, &rdev); | |
392 | if (r < 0) { | |
393 | if (r != -ENODEV) | |
394 | return log_warning_errno(r, "Couldn't parse major/minor from device path '%s': %m", node); | |
395 | ||
396 | struct stat st; | |
397 | if (stat(node, &st) < 0) | |
398 | return log_warning_errno(errno, "Couldn't stat device %s: %m", node); | |
399 | ||
400 | if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) | |
401 | return log_warning_errno(SYNTHETIC_ERRNO(ENODEV), "%s is not a device.", node); | |
402 | ||
403 | mode = st.st_mode; | |
404 | rdev = (dev_t) st.st_rdev; | |
405 | } | |
406 | ||
407 | unsigned maj = major(rdev), min = minor(rdev); | |
6b000af4 | 408 | return allow_list_device_pattern(prog, path, S_ISCHR(mode) ? 'c' : 'b', &maj, &min, acc); |
124e05b3 ZJS |
409 | } |
410 | ||
6b000af4 | 411 | int bpf_devices_allow_list_major( |
07141aa0 LP |
412 | BPFProgram *prog, |
413 | const char *path, | |
414 | const char *name, | |
415 | char type, | |
416 | const char *acc) { | |
417 | ||
124e05b3 ZJS |
418 | unsigned maj; |
419 | int r; | |
420 | ||
421 | assert(path); | |
422 | assert(acc); | |
423 | assert(IN_SET(type, 'b', 'c')); | |
424 | ||
425 | if (streq(name, "*")) | |
426 | /* If the name is a wildcard, then apply this list to all devices of this type */ | |
6b000af4 | 427 | return allow_list_device_pattern(prog, path, type, NULL, NULL, acc); |
124e05b3 ZJS |
428 | |
429 | if (safe_atou(name, &maj) >= 0 && DEVICE_MAJOR_VALID(maj)) | |
430 | /* The name is numeric and suitable as major. In that case, let's take its major, and create | |
431 | * the entry directly. */ | |
6b000af4 | 432 | return allow_list_device_pattern(prog, path, type, &maj, NULL, acc); |
124e05b3 ZJS |
433 | |
434 | _cleanup_fclose_ FILE *f = NULL; | |
45669ae2 | 435 | bool good = false, any = false; |
124e05b3 ZJS |
436 | |
437 | f = fopen("/proc/devices", "re"); | |
438 | if (!f) | |
439 | return log_warning_errno(errno, "Cannot open /proc/devices to resolve %s: %m", name); | |
440 | ||
441 | for (;;) { | |
442 | _cleanup_free_ char *line = NULL; | |
443 | char *w, *p; | |
444 | ||
445 | r = read_line(f, LONG_LINE_MAX, &line); | |
446 | if (r < 0) | |
447 | return log_warning_errno(r, "Failed to read /proc/devices: %m"); | |
448 | if (r == 0) | |
449 | break; | |
450 | ||
451 | if (type == 'c' && streq(line, "Character devices:")) { | |
452 | good = true; | |
453 | continue; | |
454 | } | |
455 | ||
456 | if (type == 'b' && streq(line, "Block devices:")) { | |
457 | good = true; | |
458 | continue; | |
459 | } | |
460 | ||
461 | if (isempty(line)) { | |
462 | good = false; | |
463 | continue; | |
464 | } | |
465 | ||
466 | if (!good) | |
467 | continue; | |
468 | ||
469 | p = strstrip(line); | |
470 | ||
471 | w = strpbrk(p, WHITESPACE); | |
472 | if (!w) | |
473 | continue; | |
474 | *w = 0; | |
475 | ||
476 | r = safe_atou(p, &maj); | |
477 | if (r < 0) | |
478 | continue; | |
479 | if (maj <= 0) | |
480 | continue; | |
481 | ||
482 | w++; | |
483 | w += strspn(w, WHITESPACE); | |
484 | ||
485 | if (fnmatch(name, w, 0) != 0) | |
486 | continue; | |
487 | ||
45669ae2 | 488 | any = true; |
6b000af4 | 489 | (void) allow_list_device_pattern(prog, path, type, &maj, NULL, acc); |
124e05b3 ZJS |
490 | } |
491 | ||
45669ae2 ZJS |
492 | if (!any) |
493 | return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), | |
6b000af4 | 494 | "Device allow list pattern \"%s\" did not match anything.", name); |
45669ae2 | 495 | |
124e05b3 ZJS |
496 | return 0; |
497 | } | |
a9aac7d8 | 498 | |
6b000af4 | 499 | int bpf_devices_allow_list_static( |
07141aa0 LP |
500 | BPFProgram *prog, |
501 | const char *path) { | |
502 | ||
a9aac7d8 ZJS |
503 | static const char auto_devices[] = |
504 | "/dev/null\0" "rwm\0" | |
505 | "/dev/zero\0" "rwm\0" | |
506 | "/dev/full\0" "rwm\0" | |
507 | "/dev/random\0" "rwm\0" | |
508 | "/dev/urandom\0" "rwm\0" | |
509 | "/dev/tty\0" "rwm\0" | |
510 | "/dev/ptmx\0" "rwm\0" | |
511 | /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */ | |
512 | "/run/systemd/inaccessible/chr\0" "rwm\0" | |
513 | "/run/systemd/inaccessible/blk\0" "rwm\0"; | |
514 | int r = 0, k; | |
515 | ||
516 | const char *node, *acc; | |
517 | NULSTR_FOREACH_PAIR(node, acc, auto_devices) { | |
6b000af4 | 518 | k = bpf_devices_allow_list_device(prog, path, node, acc); |
a9aac7d8 ZJS |
519 | if (r >= 0 && k < 0) |
520 | r = k; | |
521 | } | |
522 | ||
523 | /* PTS (/dev/pts) devices may not be duplicated, but accessed */ | |
6b000af4 | 524 | k = bpf_devices_allow_list_major(prog, path, "pts", 'c', "rw"); |
a9aac7d8 ZJS |
525 | if (r >= 0 && k < 0) |
526 | r = k; | |
527 | ||
528 | return r; | |
529 | } |