git.ipfire.org Git - thirdparty/systemd.git/commit

author	Iago Lopez Galeiras <iagol@microsoft.com>
	Tue, 13 Jul 2021 07:51:06 +0000 (09:51 +0200)
committer	Iago Lopez Galeiras <iagol@microsoft.com>
	Wed, 6 Oct 2021 08:52:14 +0000 (10:52 +0200)
commit	184b4f78cfbded54a6e06bbe1152256c204a7a73
tree	c2ba69bab7524fe384aece04684a2cec64e13d7f	tree \| snapshot
parent	510cdbeb5ba841c9e9d9fa62303ecb2673b77b9e	commit \| diff

core: add BPF LSM functions

This adds 6 functions to implement RestrictFileSystems=

* lsm_bpf_supported() checks if LSM BPF is supported. It checks that
  cgroupv2 is used, that BPF LSM is enabled, and tries to load the BPF
  LSM program which makes sure BTF and hash of maps are supported, and
  BPF LSM programs can be loaded.
* lsm_bpf_setup() loads and attaches the LSM BPF program.
* lsm_bpf_unit_restrict_filesystems() populates the hash of maps BPF map with the
  cgroupID and the set of allowed or denied filesystems.
* lsm_bpf_cleanup() removes a cgroupID entry from the hash of maps.
* lsm_bpf_map_restrict_fs_fd() is a helper function to get the file
  descriptor of the BPF map.
* lsm_bpf_destroy() is a wrapper around the destroy function of the BPF
  skeleton file.

src/core/bpf-lsm.c	[new file with mode: 0644]	blob
src/core/bpf-lsm.h	[new file with mode: 0644]	blob
src/core/cgroup.c		diff \| blob \| blame \| history
src/core/manager.h		diff \| blob \| blame \| history
src/core/meson.build		diff \| blob \| blame \| history
src/core/unit.h		diff \| blob \| blame \| history