From: Christian Brauner
Date: Fri, 8 May 2026 08:50:20 +0000 (+0200)
Subject: core: expose internal helpers for test-bpf-restrict-fsaccess
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ad5eb75e607d2184c7ab6b778b2559cca4a17796;p=thirdparty%2Fsystemd.git

core: expose internal helpers for test-bpf-restrict-fsaccess

Make dm_verity_require_signatures() non-static and declare it in the header so the test helper binary can exercise the same precondition checks that PID1 uses.

Signed-off-by: Christian Brauner
---

diff --git a/src/core/bpf-restrict-fsaccess.c b/src/core/bpf-restrict-fsaccess.c
index af8a97c6627..a38665a6e20 100644
--- a/src/core/bpf-restrict-fsaccess.c
+++ b/src/core/bpf-restrict-fsaccess.c
@@ -75,7 +75,7 @@ assert_cc(offsetof(struct restrict_fsaccess_bss, protected_map_id_bss) ==
 [RESTRICT_FILESYSTEM_ACCESS_LINK_BPF_GUARD] = (obj)->links.restrict_fsaccess_bpf_guard, \
 }
 
-static bool dm_verity_require_signatures(void) {
+bool dm_verity_require_signatures(void) {
 int r;
 
 r = read_boolean_file("/sys/module/dm_verity/parameters/require_signatures");
@@ -103,7 +103,7 @@ static int get_root_s_dev(uint32_t *ret) {
 return 0;
 }
 
-static int prepare_restrict_fsaccess_bpf(struct restrict_fsaccess_bpf **ret) {
+int bpf_restrict_fsaccess_prepare(struct restrict_fsaccess_bpf **ret) {
 _cleanup_(restrict_fsaccess_bpf_freep) struct restrict_fsaccess_bpf *obj = NULL;
 int r;
 
@@ -149,7 +149,7 @@ bool bpf_restrict_fsaccess_supported(void) {
 return (supported = false);
 }
 
- r = prepare_restrict_fsaccess_bpf(&obj);
+ r = bpf_restrict_fsaccess_prepare(&obj);
 if (r < 0)
 return (supported = false);
 
@@ -371,7 +371,7 @@ int bpf_restrict_fsaccess_setup(Manager *m) {
 "RestrictFileSystemAccess= requires the kernel to enforce dm-verity signatures. "
 "Set dm_verity.require_signatures=1 on the kernel command line.");
 
- r = prepare_restrict_fsaccess_bpf(&obj);
+ r = bpf_restrict_fsaccess_prepare(&obj);
 if (r < 0)
 return r;
 
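Review bot: With `static` dropped in the -75 hunk, dm_verity_require_signatures() becomes part of the header contract, but neither the definition nor the new declaration states what it reports when `/sys/module/dm_verity/parameters/require_signatures` is absent (dm-verity not loaded) or unreadable; the handling of read_boolean_file()'s error return lies below the hunk, so a test binary calling this cannot distinguish "kernel does not enforce" from "could not read" without consulting the source. Suggest a comment above the definition such as `/* Reports whether the running kernel enforces dm-verity signature checks, read from /sys/module/dm_verity/parameters/require_signatures; exported only for test-bpf-restrict-fsaccess, not a PID1 API. */` and a sentence on how a missing or unreadable parameter is mapped. The same documentation gap applies to bpf_restrict_fsaccess_prepare() in the -103 hunk, whose body also continues outside the hunk.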
@@ -477,6 +477,10 @@ int bpf_restrict_fsaccess_serialize(Manager *m, FILE *f, FDSet *fds) {
 #else /* ! BPF_FRAMEWORK || ! HAVE_LSM_INTEGRITY_TYPE */
 
+bool dm_verity_require_signatures(void) {
+ return false;
+}
+
 bool bpf_restrict_fsaccess_supported(void) {
 return false;
 }
 
@@ -489,6 +493,10 @@ int bpf_restrict_fsaccess_setup(Manager *m) {
 "bpf-restrict-fsaccess: RestrictFileSystemAccess= requested but BPF framework is not compiled in.");
 }
 
+int bpf_restrict_fsaccess_prepare(struct restrict_fsaccess_bpf **ret) {
+ return -EOPNOTSUPP;
+}
+
 int bpf_restrict_fsaccess_populate_guard(struct restrict_fsaccess_bpf *obj) {
 return 0;
 }
diff --git a/src/core/bpf-restrict-fsaccess.h b/src/core/bpf-restrict-fsaccess.h
index a23beab4ce5..a39f602539a 100644
--- a/src/core/bpf-restrict-fsaccess.h
+++ b/src/core/bpf-restrict-fsaccess.h
@@ -51,8 +51,10 @@ struct restrict_fsaccess_bss {
 extern const char* const restrict_fsaccess_link_names[_RESTRICT_FILESYSTEM_ACCESS_LINK_MAX];
 
+bool dm_verity_require_signatures(void);
 bool bpf_restrict_fsaccess_supported(void);
 int bpf_restrict_fsaccess_setup(Manager *m);
+int bpf_restrict_fsaccess_prepare(struct restrict_fsaccess_bpf **ret);
 int bpf_restrict_fsaccess_populate_guard(struct restrict_fsaccess_bpf *obj);
 int bpf_restrict_fsaccess_close_initramfs_trust(Manager *m);
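Review bot: The `#else` stub in the -477 hunk returns `false` unconditionally, so in a build without the BPF framework or the LSM integrity type dm_verity_require_signatures() reports "signatures not enforced" even on a kernel that does enforce them, whereas the real implementation reads the sysfs parameter. A test that links this stub therefore gets an answer that depends on build options rather than on the kernel, and the commit message does not mention the asymmetry; it may be deliberate that the stub mirrors bpf_restrict_fsaccess_supported(), but that should be stated. Suggest a comment on the stub such as `/* The dm-verity parameter is not consulted in this build; false here means "not checked", not "not enforced". */`, or reading the sysfs value here too if the helper is meant to be build-independent.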