Since our kernel baseline is v5.10 now.
BPF links and the BPF LSM hook
≥ 5.8 for LOOP_CONFIGURE and STATX_ATTR_MOUNT_ROOT
≥ 5.9 for close_range()
- ≥ 5.10 for STATX_MNT_ID
+ ≥ 5.10 for STATX_MNT_ID and MS_NOSYMFOLLOW mount option
⛔ Kernel versions below 5.10 ("minimum baseline") are not supported at all,
and are missing required functionality as listed above.
* drop support for LOOP_CONFIGURE-less loopback block devices, once kernel
baseline is 5.8.
-* Once baseline is 5.10, remove support or MS_NOSYMFOLLOW-less kernels
-
* Remove /dev/mem ACPI FPDT parsing when /sys/firmware/acpi/fpdt is ubiquitous.
That requires distros to enable CONFIG_ACPI_FPDT, and have kernels v5.12 for
x86 and v6.2 for arm.
return (cache = true);
}
-unsigned long ms_nosymfollow_supported(void) {
- _cleanup_close_ int fsfd = -EBADF, mntfd = -EBADF;
- static int cache = -1;
-
- /* Returns MS_NOSYMFOLLOW if it is supported, zero otherwise. */
-
- if (cache >= 0)
- return cache ? MS_NOSYMFOLLOW : 0;
-
- if (!mount_new_api_supported())
- goto not_supported;
-
- /* Checks if MS_NOSYMFOLLOW is supported (which was added in 5.10). We use the new mount API's
- * mount_setattr() call for that, which was added in 5.12, which is close enough. */
-
- fsfd = fsopen("tmpfs", FSOPEN_CLOEXEC);
- if (fsfd < 0) {
- if (ERRNO_IS_NOT_SUPPORTED(errno))
- goto not_supported;
-
- log_debug_errno(errno, "Failed to open superblock context for tmpfs: %m");
- return 0;
- }
-
- if (fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0) < 0) {
- if (ERRNO_IS_NOT_SUPPORTED(errno))
- goto not_supported;
-
- log_debug_errno(errno, "Failed to create tmpfs superblock: %m");
- return 0;
- }
-
- mntfd = fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
- if (mntfd < 0) {
- if (ERRNO_IS_NOT_SUPPORTED(errno))
- goto not_supported;
-
- log_debug_errno(errno, "Failed to turn superblock fd into mount fd: %m");
- return 0;
- }
-
- if (mount_setattr(mntfd, "", AT_EMPTY_PATH|AT_RECURSIVE,
- &(struct mount_attr) {
- .attr_set = MOUNT_ATTR_NOSYMFOLLOW,
- }, sizeof(struct mount_attr)) < 0) {
- if (ERRNO_IS_NOT_SUPPORTED(errno))
- goto not_supported;
-
- log_debug_errno(errno, "Failed to set MOUNT_ATTR_NOSYMFOLLOW mount attribute: %m");
- return 0;
- }
-
- cache = true;
- return MS_NOSYMFOLLOW;
-
-not_supported:
- cache = false;
- return 0;
-}
-
int mount_option_supported(const char *fstype, const char *key, const char *value) {
_cleanup_close_ int fd = -EBADF;
int r;
bool mount_propagation_flag_is_valid(unsigned long flag);
bool mount_new_api_supported(void);
-unsigned long ms_nosymfollow_supported(void);
int mount_option_supported(const char *fstype, const char *key, const char *value);
"tmpfs",
q,
"tmpfs",
- MS_NODEV|MS_NOEXEC|MS_NOSUID|ms_nosymfollow_supported(),
+ MS_NODEV|MS_NOEXEC|MS_NOSUID|MS_NOSYMFOLLOW,
"size=4M,nr_inodes=64,mode=0755");
if (r < 0)
return r;
/* what= */ NULL,
w,
/* fstype= */ NULL,
- MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NODEV|MS_NOEXEC|MS_NOSUID|ms_nosymfollow_supported(),
+ MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NODEV|MS_NOEXEC|MS_NOSUID|MS_NOSYMFOLLOW,
/* options= */ NULL);
if (r < 0)
return r;
/* what= */ NULL,
p,
/* fstype= */ NULL,
- MS_BIND|MS_REMOUNT|MS_NODEV|MS_NOEXEC|MS_NOSUID|ms_nosymfollow_supported(),
+ MS_BIND|MS_REMOUNT|MS_NODEV|MS_NOEXEC|MS_NOSUID|MS_NOSYMFOLLOW,
/* options= */ NULL);
if (r < 0)
return r;
case PARTITION_ESP:
case PARTITION_XBOOTLDR:
- flags |= MS_NOSUID|MS_NOEXEC|ms_nosymfollow_supported();
+ flags |= MS_NOSUID|MS_NOEXEC|MS_NOSYMFOLLOW;
/* The ESP might contain a pre-boot random seed. Let's make this unaccessible to regular
* userspace. ESP/XBOOTLDR is almost certainly VFAT, hence if we don't know assume it is. */
unsigned long credentials_fs_mount_flags(bool ro) {
/* A tight set of mount flags for credentials mounts */
- return MS_NODEV|MS_NOEXEC|MS_NOSUID|ms_nosymfollow_supported()|(ro ? MS_RDONLY : 0);
+ return MS_NODEV|MS_NOEXEC|MS_NOSUID|MS_NOSYMFOLLOW|(ro ? MS_RDONLY : 0);
}
int fsmount_credentials_fs(int *ret_fsfd) {
int trigger_automount_at(int dir_fd, const char *path);
-unsigned long credentials_fs_mount_flags(bool ro);
+unsigned long credentials_fs_mount_flags(bool ro) _const_;
int fsmount_credentials_fs(int *ret_fsfd);
int mount_credentials_fs(const char *path);
ASSERT_OK(is_mount_point_at(fd, "regular", 0));
}
-TEST(ms_nosymfollow_supported) {
- log_info("MS_NOSYMFOLLOW supported: %s", yes_no(ms_nosymfollow_supported()));
-}
-
TEST(mount_option_supported) {
int r;
projects / thirdparty / systemd.git / commitdiff
