From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 13 Jan 2025 21:48:26 +0000 (+0100)
Subject: lsm: improve logging about absence of lsm-bpf
X-Git-Tag: v258-rc1~1629
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e35b6a5f7c0e6972a749966138ad42c326fd443;p=thirdparty%2Fsystemd.git

lsm: improve logging about absence of lsm-bpf

In containers securityfs is typically not mounted. Our lsm-bpf code
so far detected this situation and claimed the kernel was lacking
lsm-bpf support. Which isn't quite true though, it might very well
support it. This made boots of systemd in systemd-nspawn a bit ugly,
because of the misleading log message at boot.

Let's improve things, and make clearer what is going on.
---

diff --git a/src/core/bpf-restrict-fs.c b/src/core/bpf-restrict-fs.c
index d36bfb5d5ec..c6c6dffed4e 100644
--- a/src/core/bpf-restrict-fs.c
+++ b/src/core/bpf-restrict-fs.c
@@ -106,6 +106,10 @@ bool bpf_restrict_fs_supported(bool initialize) {
                 return (supported = false);
 
         r = lsm_supported("bpf");
+        if (r == -ENOPKG) {
+                log_info_errno(r, "bpf-restrict-fs: securityfs not mounted, BPF LSM support not available.");
+                return (supported = false);
+        }
         if (r < 0) {
                 log_warning_errno(r, "bpf-restrict-fs: Can't determine whether the BPF LSM module is used: %m");
                 return (supported = false);
diff --git a/src/nsresourced/userns-restrict.c b/src/nsresourced/userns-restrict.c
index aed2e135cb7..d57061e8fbd 100644
--- a/src/nsresourced/userns-restrict.c
+++ b/src/nsresourced/userns-restrict.c
@@ -54,8 +54,11 @@ int userns_restrict_install(
         int r;
 
         r = lsm_supported("bpf");
+        if (r == -ENOPKG)
+                /* We propagate this as EOPNOTSUPP! */
+                return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm support not available, as securityfs is not mounted.");
         if (r < 0)
-                return r;
+                return log_error_errno(r, "Failed to check if bpf-lsm support is available: %m");
         if (r == 0)
                 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm not supported, can't lock down user namespace.");
 
diff --git a/src/shared/lsm-util.c b/src/shared/lsm-util.c
index 7b6d419ce10..0a50acf59bf 100644
--- a/src/shared/lsm-util.c
+++ b/src/shared/lsm-util.c
@@ -4,6 +4,7 @@
 #include "extract-word.h"
 #include "fileio.h"
 #include "lsm-util.h"
+#include "mountpoint-util.h"
 #include "string-util.h"
 
 int lsm_supported(const char *name) {
@@ -13,8 +14,18 @@ int lsm_supported(const char *name) {
         assert(name);
 
         r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list);
-        if (r == -ENOENT) /* LSM support not available at all? */
+        if (r == -ENOENT) { /* LSM support not available at all? */
+                /* If securityfs is not mounted, then propagate this as ENOPKG, to indicate that LSM might be
+                 * available we just can't determine it */
+
+                r = path_is_mount_point("/sys/kernel/security");
+                if (r < 0 && r != -ENOENT)
+                        return log_debug_errno(r, "Failed to check if /sys/kernel/security is a mount point: %m");
+                if (r == 0)
+                        return log_debug_errno(SYNTHETIC_ERRNO(ENOPKG), "/sys/kernel/security is not mounted, can't determine LSM status.");
+
                 return false;
+        }
         if (r < 0)
                 return log_debug_errno(r, "Failed to read /sys/kernel/security/lsm: %m");