This fixes a spurious warning from the manager running in user mode:
systemd[1668]: Reached target sockets.target.
systemd[1669]: Failed to create BPF map: Operation not permitted
systemd[1669]: Finished systemd-tmpfiles-setup.service.
systemd[1669]: Listening on dbus.socket.
systemd[1669]: Reached target sockets.target.
systemd[1669]: Reached target basic.target.
systemd[1]: Started user@6.service.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2084955.
}
}
-bool lsm_bpf_supported(void) {
+bool lsm_bpf_supported(bool initialize) {
_cleanup_(restrict_fs_bpf_freep) struct restrict_fs_bpf *obj = NULL;
static int supported = -1;
int r;
if (supported >= 0)
return supported;
+ if (!initialize)
+ return false;
r = dlopen_bpf();
if (r < 0) {
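Review bot: The new `initialize` parameter gives a `false` return two meanings — "probed and unsupported" and "not yet probed" — and nothing at `bool lsm_bpf_supported(bool initialize)` documents that, so a future caller passing `false` could misread an unprobed state as a negative probe. I would add above the definition: `/* Probes BPF LSM support at most once and caches the result in 'supported'. With initialize=false, an unprobed state is reported as unsupported without running the probe (dlopen of libbpf and the BPF map creation, which is what fails with EPERM in user managers); cleanup paths rely on this to stay side-effect free. */`. The same one-line note belongs on the prototype in the header hunk so the contract is visible to callers. The body of lsm_bpf_supported continues past the hunk, so the probe after dlopen_bpf and where `supported` is assigned are not visible here.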
assert(u);
assert(u->manager);
- if (!lsm_bpf_supported())
+ /* If we never successfully detected support, there is nothing to clean up. */
+ if (!lsm_bpf_supported(/* initialize = */ false))
return 0;
if (!u->manager->restrict_fs)
restrict_fs_bpf__destroy(prog);
}
#else /* ! BPF_FRAMEWORK */
-bool lsm_bpf_supported(void) {
+bool lsm_bpf_supported(bool initialize) {
return false;
}
typedef struct restrict_fs_bpf restrict_fs_bpf;
-bool lsm_bpf_supported(void);
+bool lsm_bpf_supported(bool initialize);
int lsm_bpf_setup(Manager *m);
int lsm_bpf_unit_restrict_filesystems(Unit *u, const Set *filesystems, bool allow_list);
int lsm_bpf_cleanup(const Unit *u);
return r;
#if HAVE_LIBBPF
- if (MANAGER_IS_SYSTEM(m) && lsm_bpf_supported()) {
+ if (MANAGER_IS_SYSTEM(m) && lsm_bpf_supported(/* initialize = */ true)) {
r = lsm_bpf_setup(m);
if (r < 0)
log_warning_errno(r, "Failed to setup LSM BPF, ignoring: %m");
if (!can_memlock())
return log_tests_skipped("Can't use mlock()");
- if (!lsm_bpf_supported())
+ if (!lsm_bpf_supported(/* initialize = */ true))
return log_tests_skipped("LSM BPF hooks are not supported");
r = enter_cgroup_subroot(NULL);