#include <unistd.h>
#include "alloc-util.h"
-#include "bpf-lsm.h"
+#include "bpf-restrict-fs.h"
#include "cgroup-util.h"
#include "fd-util.h"
#include "fileio.h"
obj = restrict_fs_bpf__open();
if (!obj)
- return log_error_errno(errno, "bpf-lsm: Failed to open BPF object: %m");
+ return log_error_errno(errno, "bpf-restrict-fs: Failed to open BPF object: %m");
/* TODO Maybe choose a number based on runtime information? */
r = sym_bpf_map__set_max_entries(obj->maps.cgroup_hash, CGROUP_HASH_SIZE_MAX);
assert(r <= 0);
if (r < 0)
- return log_error_errno(r, "bpf-lsm: Failed to resize BPF map '%s': %m",
+ return log_error_errno(r, "bpf-restrict-fs: Failed to resize BPF map '%s': %m",
sym_bpf_map__name(obj->maps.cgroup_hash));
/* Dummy map to satisfy the verifier */
inner_map_fd = compat_bpf_map_create(BPF_MAP_TYPE_HASH, NULL, sizeof(uint32_t), sizeof(uint32_t), 128U, NULL);
if (inner_map_fd < 0)
- return log_error_errno(errno, "bpf-lsm: Failed to create BPF map: %m");
+ return log_error_errno(errno, "bpf-restrict-fs: Failed to create BPF map: %m");
r = sym_bpf_map__set_inner_map_fd(obj->maps.cgroup_hash, inner_map_fd);
assert(r <= 0);
if (r < 0)
- return log_error_errno(r, "bpf-lsm: Failed to set inner map fd: %m");
+ return log_error_errno(r, "bpf-restrict-fs: Failed to set inner map fd: %m");
r = restrict_fs_bpf__load(obj);
assert(r <= 0);
if (r < 0)
- return log_error_errno(r, "bpf-lsm: Failed to load BPF object: %m");
+ return log_error_errno(r, "bpf-restrict-fs: Failed to load BPF object: %m");
*ret_obj = TAKE_PTR(obj);
r = lsm_supported("bpf");
if (r < 0) {
- log_warning_errno(r, "bpf-lsm: Can't determine whether the BPF LSM module is used: %m");
+ log_warning_errno(r, "bpf-restrict-fs: Can't determine whether the BPF LSM module is used: %m");
return (supported = false);
}
if (r == 0) {
log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported");
+ "bpf-restrict-fs: BPF LSM hook not enabled in the kernel, BPF LSM not supported");
return (supported = false);
}
if (!bpf_can_link_lsm_program(obj->progs.restrict_filesystems)) {
log_warning_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "bpf-lsm: Failed to link program; assuming BPF LSM is not available");
+ "bpf-restrict-fs: Failed to link program; assuming BPF LSM is not available");
return (supported = false);
}
link = sym_bpf_program__attach_lsm(obj->progs.restrict_filesystems);
r = sym_libbpf_get_error(link);
if (r != 0)
- return log_error_errno(r, "bpf-lsm: Failed to link '%s' LSM BPF program: %m",
+ return log_error_errno(r, "bpf-restrict-fs: Failed to link '%s' LSM BPF program: %m",
sym_bpf_program__name(obj->progs.restrict_filesystems));
- log_info("bpf-lsm: LSM BPF program attached");
+ log_info("bpf-restrict-fs: LSM BPF program attached");
obj->links.restrict_filesystems = TAKE_PTR(link);
m->restrict_fs = TAKE_PTR(obj);
128U, /* Should be enough for all filesystem types */
NULL);
if (inner_map_fd < 0)
- return log_error_errno(errno, "bpf-lsm: Failed to create inner BPF map: %m");
+ return log_error_errno(errno, "bpf-restrict-fs: Failed to create inner BPF map: %m");
if (sym_bpf_map_update_elem(outer_map_fd, &cgroup_id, &inner_map_fd, BPF_ANY) != 0)
- return log_error_errno(errno, "bpf-lsm: Error populating BPF map: %m");
+ return log_error_errno(errno, "bpf-restrict-fs: Error populating BPF map: %m");
uint32_t allow = allow_list;
/* Use key 0 to store whether this is an allow list or a deny list */
if (sym_bpf_map_update_elem(inner_map_fd, &zero, &allow, BPF_ANY) != 0)
- return log_error_errno(errno, "bpf-lsm: Error initializing map: %m");
+ return log_error_errno(errno, "bpf-restrict-fs: Error initializing map: %m");
SET_FOREACH(fs, filesystems) {
r = fs_type_from_string(fs, &magic);
if (r < 0) {
- log_warning("bpf-lsm: Invalid filesystem name '%s', ignoring.", fs);
+ log_warning("bpf-restrict-fs: Invalid filesystem name '%s', ignoring.", fs);
continue;
}
- log_debug("bpf-lsm: Restricting filesystem access to '%s'", fs);
+ log_debug("bpf-restrict-fs: Restricting filesystem access to '%s'", fs);
for (int i = 0; i < FILESYSTEM_MAGIC_MAX; i++) {
if (magic[i] == 0)
break;
if (sym_bpf_map_update_elem(inner_map_fd, &magic[i], &dummy_value, BPF_ANY) != 0) {
- r = log_error_errno(errno, "bpf-lsm: Failed to update BPF map: %m");
+ r = log_error_errno(errno, "bpf-restrict-fs: Failed to update BPF map: %m");
if (sym_bpf_map_delete_elem(outer_map_fd, &cgroup_id) != 0)
- log_debug_errno(errno, "bpf-lsm: Failed to delete cgroup entry from BPF map: %m");
+ log_debug_errno(errno, "bpf-restrict-fs: Failed to delete cgroup entry from BPF map: %m");
return r;
}
int fd = sym_bpf_map__fd(u->manager->restrict_fs->maps.cgroup_hash);
if (fd < 0)
- return log_unit_error_errno(u, errno, "bpf-lsm: Failed to get BPF map fd: %m");
+ return log_unit_error_errno(u, errno, "bpf-restrict-fs: Failed to get BPF map fd: %m");
if (sym_bpf_map_delete_elem(fd, &u->cgroup_id) != 0 && errno != ENOENT)
- return log_unit_debug_errno(u, errno, "bpf-lsm: Failed to delete cgroup entry from LSM BPF map: %m");
+ return log_unit_debug_errno(u, errno, "bpf-restrict-fs: Failed to delete cgroup entry from LSM BPF map: %m");
return 0;
}
}
int lsm_bpf_setup(Manager *m) {
- return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm: Failed to set up LSM BPF: %m");
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-restrict-fs: Failed to set up LSM BPF: %m");
}
int lsm_bpf_restrict_filesystems(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, const bool allow_list) {
- return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm: Failed to restrict filesystems using LSM BPF: %m");
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-restrict-fs: Failed to restrict filesystems using LSM BPF: %m");
}
int lsm_bpf_cleanup(const Unit *u) {
set = filesystem_set_find(name);
if (!set) {
log_syntax(unit, flags & FILESYSTEM_PARSE_LOG ? LOG_WARNING : LOG_DEBUG, filename, line, 0,
- "bpf-lsm: Unknown filesystem group, ignoring: %s", name);
+ "bpf-restrict-fs: Unknown filesystem group, ignoring: %s", name);
return 0;
}