lsm-util: move detection of support of LSMs into a new lsm-util.[ch] helper
authorLennart Poettering <lennart@poettering.net>
Thu, 16 Mar 2023 16:56:23 +0000 (17:56 +0100)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 18 Apr 2023 06:22:21 +0000 (08:22 +0200)
This makes the bpf LSM check generic, so that we can use it elsewhere.
It also drops the caching inside it, given that bpf-lsm code in PID1
will cache it a second time a stack frame further up when it checks for
various other bpf functionality.

src/core/bpf-lsm.c
src/shared/lsm-util.c [new file with mode: 0644]
src/shared/lsm-util.h [new file with mode: 0644]
src/shared/meson.build

index 0be250af5cca8250639e4f7cc2b6a653cc60f90e..5f614ead04064212e15e544508b9b75a44dcf82b 100644 (file)
@@ -16,6 +16,7 @@
 #include "fileio.h"
 #include "filesystems.h"
 #include "log.h"
+#include "lsm-util.h"
 #include "manager.h"
 #include "mkdir.h"
 #include "nulstr-util.h"
@@ -91,41 +92,6 @@ static int prepare_restrict_fs_bpf(struct restrict_fs_bpf **ret_obj) {
         return 0;
 }
 
-static int mac_bpf_use(void) {
-        _cleanup_free_ char *lsm_list = NULL;
-        static int cached_use = -1;
-        int r;
-
-        if (cached_use >= 0)
-                return cached_use;
-
-        cached_use = 0;
-
-        r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list);
-        if (r < 0) {
-               if (r != -ENOENT)
-                       log_notice_errno(r, "bpf-lsm: Failed to read /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
-               return 0;
-        }
-
-        for (const char *p = lsm_list;;) {
-                _cleanup_free_ char *word = NULL;
-
-                r = extract_first_word(&p, &word, ",", 0);
-                if (r == 0)
-                        return 0;
-                if (r == -ENOMEM)
-                        return log_oom();
-                if (r < 0) {
-                        log_notice_errno(r, "bpf-lsm: Failed to parse /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
-                        return 0;
-                }
-
-                if (streq(word, "bpf"))
-                        return cached_use = 1;
-        }
-}
-
 bool lsm_bpf_supported(bool initialize) {
         _cleanup_(restrict_fs_bpf_freep) struct restrict_fs_bpf *obj = NULL;
         static int supported = -1;
@@ -139,12 +105,11 @@ bool lsm_bpf_supported(bool initialize) {
         if (!cgroup_bpf_supported())
                 return (supported = false);
 
-        r = mac_bpf_use();
+        r = lsm_supported("bpf");
         if (r < 0) {
                 log_warning_errno(r, "bpf-lsm: Can't determine whether the BPF LSM module is used: %m");
                 return (supported = false);
         }
-
         if (r == 0) {
                 log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                "bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported");
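Review bot: Read failures on /sys/kernel/security/lsm other than -ENOENT now propagate as a negative return from lsm_supported() and land in the `r < 0` branch here, so they are logged at warning level (on top of the debug message inside the helper), whereas the removed mac_bpf_use() logged them at notice and returned 0. The outcome is the same (`supported = false`), but the severity change is not mentioned in the commit message. If it is intended, a comment above the call such as `/* <0 means the LSM list could not be read or parsed; report loudly but treat as unsupported */` would make the choice explicit. lsm_bpf_supported() starts and ends outside the hunk.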
diff --git a/src/shared/lsm-util.c b/src/shared/lsm-util.c
new file mode 100644 (file)
index 0000000..7b6d419
--- /dev/null
@@ -0,0 +1,33 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "alloc-util.h"
+#include "extract-word.h"
+#include "fileio.h"
+#include "lsm-util.h"
+#include "string-util.h"
+
+int lsm_supported(const char *name) {
+        _cleanup_free_ char *lsm_list = NULL;
+        int r;
+
+        assert(name);
+
+        r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list);
+        if (r == -ENOENT) /* LSM support not available at all? */
+                return false;
+        if (r < 0)
+                return log_debug_errno(r, "Failed to read /sys/kernel/security/lsm: %m");
+
+        for (const char *p = lsm_list;;) {
+                _cleanup_free_ char *word = NULL;
+
+                r = extract_first_word(&p, &word, ",", 0);
+                if (r == 0)
+                        return false;
+                if (r < 0)
+                        return log_debug_errno(r, "Failed to parse /sys/kernel/security/lsm: %m");
+
+                if (streq(word, name))
+                        return true;
+        }
+}
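Review bot: The `/* LSM support not available at all? */` comment on the -ENOENT branch understates what that errno covers: /sys/kernel/security/lsm is provided by securityfs, so the same -ENOENT is returned when securityfs is simply not mounted (as is common in containers or early in boot), and the function then silently reports every LSM as unsupported without even a debug message. A comment spelling this out, e.g. `/* -ENOENT: securityfs not mounted or kernel without LSM support; either way the LSM is not in use */`, would stop callers from reading `false` as a definitive statement about the kernel. The early return at the `-ENOENT` check also skips the `log_debug_errno` path entirely; a debug line there would help when diagnosing why BPF LSM detection fails inside a container.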
diff --git a/src/shared/lsm-util.h b/src/shared/lsm-util.h
new file mode 100644 (file)
index 0000000..c4d9027
--- /dev/null
@@ -0,0 +1,4 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+int lsm_supported(const char *name);
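Review bot: The new public prototype `int lsm_supported(const char *name);` has no documentation, and its return value is three-valued rather than boolean: the implementation returns true when the named LSM appears in /sys/kernel/security/lsm, false when it does not (including when the file is absent), and a negative errno when the file cannot be read or parsed. A comment above the declaration, `/* Returns >0 if the named LSM is listed in /sys/kernel/security/lsm, 0 if it is not (or the list is unavailable), <0 on read/parse failure. */`, would keep callers from testing the result with a plain `if (lsm_supported(...))`, which would treat an error as "supported".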
index df82778f9dd2f516d02945005d38d92e385ad859..060e528555e49f364b8f081b761c39f751efabfa 100644 (file)
@@ -105,6 +105,7 @@ shared_sources = files(
         'logs-show.c',
         'loop-util.c',
         'loopback-setup.c',
+        'lsm-util.c',
         'machine-id-setup.c',
         'machine-pool.c',
         'macvlan-util.c',