build: fix build without seccomp

- execute.c: bpf functions were in the middle of an #if HAVE_SECCOMP
  block for no reason
- test-fd-util.c: make seccomp-util.h includable without depending on
  <seccomp.h>, and make is_seccomp_available() hardcoded to returning
  false in this case.
  Also fix a stray DEFINED() -- HAVE_SECCOMP is defined as 0, so normal
  #if should be used like everywhere else.

diff --git a/src/core/execute.c b/src/core/execute.c
index ba66b9e6ece2f40ed25d118557da72f323df05cf..39c50310656c1fdcbcbeaf12e04471a3462c5c51 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1701,29 +1701,6 @@ static int apply_restrict_namespaces(const Unit *u, const ExecContext *c) {
         return seccomp_restrict_namespaces(c->restrict_namespaces);
 }
 
-#if HAVE_LIBBPF
-static bool skip_lsm_bpf_unsupported(const Unit* u, const char* msg) {
-        if (lsm_bpf_supported())
-                return false;
-
-        log_unit_debug(u, "LSM BPF not supported, skipping %s", msg);
-        return true;
-}
-
-static int apply_restrict_filesystems(Unit *u, const ExecContext *c) {
-        assert(u);
-        assert(c);
-
-        if (!exec_context_restrict_filesystems_set(c))
-                return 0;
-
-        if (skip_lsm_bpf_unsupported(u, "RestrictFileSystems="))
-                return 0;
-
-        return lsm_bpf_unit_restrict_filesystems(u, c->restrict_filesystems, c->restrict_filesystems_allow_list);
-}
-#endif
-
 static int apply_lock_personality(const Unit* u, const ExecContext *c) {
         unsigned long personality;
         int r;
@@ -1752,6 +1729,29 @@ static int apply_lock_personality(const Unit* u, const ExecContext *c) {
 
 #endif
 
+#if HAVE_LIBBPF
+static bool skip_lsm_bpf_unsupported(const Unit* u, const char* msg) {
+        if (lsm_bpf_supported())
+                return false;
+
+        log_unit_debug(u, "LSM BPF not supported, skipping %s", msg);
+        return true;
+}
+
+static int apply_restrict_filesystems(Unit *u, const ExecContext *c) {
+        assert(u);
+        assert(c);
+
+        if (!exec_context_restrict_filesystems_set(c))
+                return 0;
+
+        if (skip_lsm_bpf_unsupported(u, "RestrictFileSystems="))
+                return 0;
+
+        return lsm_bpf_unit_restrict_filesystems(u, c->restrict_filesystems, c->restrict_filesystems_allow_list);
+}
+#endif
+
 static int apply_protect_hostname(const Unit *u, const ExecContext *c, int *ret_exit_status) {
         assert(u);
         assert(c);

diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 4f4bc48431dea62ee7e904afa9119085a8a5cf80..aa249539f33d1bdeef38a62606008feb87081af0 100644 (file)
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -1,6 +1,8 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
+#if HAVE_SECCOMP
+
 #include <seccomp.h>
 #include <stdbool.h>
 #include <stdint.h>
@@ -152,3 +154,11 @@ static inline const char *seccomp_errno_or_action_to_string(int num) {
 int parse_syscall_and_errno(const char *in, char **name, int *error);
 
 int seccomp_suppress_sync(void);
+
+#else
+
+static inline bool is_seccomp_available(void) {
+        return false;
+}
+
+#endif

diff --git a/src/test/test-fd-util.c b/src/test/test-fd-util.c
index 3638103bf141e67e5a30d684986c2e9981b85737..8e8dd023afa4c3f411742b483314a77f67ae1432 100644 (file)
--- a/src/test/test-fd-util.c
+++ b/src/test/test-fd-util.c
@@ -292,7 +292,7 @@ static void test_close_all_fds_inner(void) {
 }
 
 static int seccomp_prohibit_close_range(void) {
-#if defined(HAVE_SECCOMP) && defined(__SNR_close_range)
+#if HAVE_SECCOMP && defined(__SNR_close_range)
         _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
         int r;