From: Lennart Poettering Date: Tue, 2 Jun 2026 16:51:13 +0000 (+0200) Subject: bpf-restrict-fsaccess: move STAT_DEV_TO_KERNEL into generic code X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce72c94accaaa9c4b056df05258d9b4bd51d1dff;p=thirdparty%2Fsystemd.git bpf-restrict-fsaccess: move STAT_DEV_TO_KERNEL into generic code We want to reuse it when processing sock-diag messages, hence let's generalize this.
---
diff --git a/src/basic/devnum-util.h b/src/basic/devnum-util.h
index 8588b434fba..b5ae0dee575 100644
--- a/src/basic/devnum-util.h
+++ b/src/basic/devnum-util.h
@@ -56,3 +56,9 @@ static inline bool devnum_is_zero(dev_t d) {
 #define DEVNUM_TO_PTR(u) ((void*) (uintptr_t) (u))
 #define PTR_TO_DEVNUM(p) ((dev_t) ((uintptr_t) (p)))
+
+/* Convert a userspace dev_t (as returned by stat()) to the kernel's internal dev_t encoding. stat() returns
+ * new_encode_dev(s_dev), while various kernel interfaces (e.g. the BPF sb helpers, or unix_diag's
+ * udiag_vfs_dev) report s_dev directly, which uses MKDEV(major, minor) = (major << 20) | minor. */
+#define STAT_DEV_TO_KERNEL(dev) \
+ ((uint32_t) major(dev) << 20 | (uint32_t) minor(dev))
diff --git a/src/core/bpf-restrict-fsaccess.c b/src/core/bpf-restrict-fsaccess.c
index 4e0af5596af..daa64e6afd3 100644
--- a/src/core/bpf-restrict-fsaccess.c
+++ b/src/core/bpf-restrict-fsaccess.c
@@ -5,6 +5,7 @@
 #include
 #include "bpf-restrict-fsaccess.h"
+#include "devnum-util.h"
 #include "fd-util.h"
 #include "fileio.h"
 #include "initrd-util.h"
diff --git a/src/core/bpf-restrict-fsaccess.h b/src/core/bpf-restrict-fsaccess.h
index a39f602539a..39b79353bea 100644
--- a/src/core/bpf-restrict-fsaccess.h
+++ b/src/core/bpf-restrict-fsaccess.h
@@ -1,8 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
-#include
-
 #include "core-forward.h"
 #include "macro.h"
 #include "shared-forward.h"
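Review bot: STAT_DEV_TO_KERNEL() in the devnum-util.h hunk has no range handling, and as a generic helper it can now be applied to dev_t values that did not come from stat(). The uint32_t result only has room for a 12-bit major and a 20-bit minor, so a minor above 0xFFFFF is OR-ed into the major bits and a major of 4096 or more is shifted out. Where the result is used as a lookup key or compared against a kernel-reported device (the comment names the BPF sb helpers and udiag_vfs_dev), such an input would silently alias a different device. I would state the precondition in the comment, e.g. `Only valid if major(dev) < 4096 and minor(dev) < 1048576; other values alias a different device.`, and have callers that take a dev_t from anywhere other than stat() check that range first. The macro also evaluates `dev` twice; a `static inline uint32_t` helper next to devnum_is_zero() would evaluate it once and type-check the argument.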
@@ -33,12 +31,6 @@ enum {
 /* Maximum number of dm-verity devices tracked in the BPF hash map. */
 #define DMVERITY_DEVICES_MAX (16U*1024U)
-/* Convert userspace dev_t (from stat()) to kernel dev_t encoding (MKDEV).
- * stat() returns new_encode_dev(s_dev); the BPF program reads s_dev directly
- * which uses MKDEV(major, minor) = (major << 20) | minor. */
-#define STAT_DEV_TO_KERNEL(dev) \
- ((uint32_t)major(dev) << 20 | (uint32_t)minor(dev))
-
 /* Mirrors the BPF program's .bss section layout for read-modify-write via
 * bpf_map_lookup_elem/bpf_map_update_elem on the serialized .bss map FD. */
 struct restrict_fsaccess_bss {
diff --git a/src/test/test-bpf-restrict-fsaccess.c b/src/test/test-bpf-restrict-fsaccess.c
index 80d448815cf..776d75eaec8 100644
--- a/src/test/test-bpf-restrict-fsaccess.c
+++ b/src/test/test-bpf-restrict-fsaccess.c
@@ -25,6 +25,7 @@
 #include
 #include "bpf-restrict-fsaccess.h"
+#include "devnum-util.h"
 #include "fd-util.h"
 #include "log.h"
 #include "string-util.h"