lsm: improve logging about absence of lsm-bpf

In containers securityfs is typically not mounted. Our lsm-bpf code
so far detected this situation and claimed the kernel was lacking
lsm-bpf support. Which isn't quite true though, it might very well
support it. This made boots of systemd in systemd-nspawn a bit ugly,
because of the misleading log message at boot.

Let's improve things, and make clearer what is going on.

diff --git a/src/core/bpf-restrict-fs.c b/src/core/bpf-restrict-fs.c
index d36bfb5d5ec5305b3407b70843b4e073c254441c..c6c6dffed4e05a3623b951291644b13f8d08aa70 100644 (file)
--- a/src/core/bpf-restrict-fs.c
+++ b/src/core/bpf-restrict-fs.c
@@ -106,6 +106,10 @@ bool bpf_restrict_fs_supported(bool initialize) {
                 return (supported = false);
 
         r = lsm_supported("bpf");
+        if (r == -ENOPKG) {
+                log_info_errno(r, "bpf-restrict-fs: securityfs not mounted, BPF LSM support not available.");
+                return (supported = false);
+        }
         if (r < 0) {
                 log_warning_errno(r, "bpf-restrict-fs: Can't determine whether the BPF LSM module is used: %m");
                 return (supported = false);

diff --git a/src/nsresourced/userns-restrict.c b/src/nsresourced/userns-restrict.c
index aed2e135cb788995c67351a1a861aa501c898ae9..d57061e8fbd35cdc9a0d3027557beb733145fd6e 100644 (file)
--- a/src/nsresourced/userns-restrict.c
+++ b/src/nsresourced/userns-restrict.c
@@ -54,8 +54,11 @@ int userns_restrict_install(
         int r;
 
         r = lsm_supported("bpf");
+        if (r == -ENOPKG)
+                /* We propagate this as EOPNOTSUPP! */
+                return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm support not available, as securityfs is not mounted.");
         if (r < 0)
-                return r;
+                return log_error_errno(r, "Failed to check if bpf-lsm support is available: %m");
         if (r == 0)
                 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm not supported, can't lock down user namespace.");
 

diff --git a/src/shared/lsm-util.c b/src/shared/lsm-util.c
index 7b6d419ce104013a48070284bdc8760a5c8ee0c4..0a50acf59bf000041a4523fc843a97674e27440b 100644 (file)
--- a/src/shared/lsm-util.c
+++ b/src/shared/lsm-util.c
@@ -4,6 +4,7 @@
 #include "extract-word.h"
 #include "fileio.h"
 #include "lsm-util.h"
+#include "mountpoint-util.h"
 #include "string-util.h"
 
 int lsm_supported(const char *name) {
@@ -13,8 +14,18 @@ int lsm_supported(const char *name) {
         assert(name);
 
         r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list);
-        if (r == -ENOENT) /* LSM support not available at all? */
+        if (r == -ENOENT) { /* LSM support not available at all? */
+                /* If securityfs is not mounted, then propagate this as ENOPKG, to indicate that LSM might be
+                 * available we just can't determine it */
+
+                r = path_is_mount_point("/sys/kernel/security");
+                if (r < 0 && r != -ENOENT)
+                        return log_debug_errno(r, "Failed to check if /sys/kernel/security is a mount point: %m");
+                if (r == 0)
+                        return log_debug_errno(SYNTHETIC_ERRNO(ENOPKG), "/sys/kernel/security is not mounted, can't determine LSM status.");
+
                 return false;
+        }
         if (r < 0)
                 return log_debug_errno(r, "Failed to read /sys/kernel/security/lsm: %m");