From: Lennart Poettering Date: Thu, 25 Jan 2024 12:56:32 +0000 (+0100) Subject: bpf-restrict-fs: also rename functions to bpf_restrict_fs_xyz() X-Git-Tag: v256-rc1~1037^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=352ec23c7f7d487c483137f93a64ea17e7d1ede9;p=thirdparty%2Fsystemd.git bpf-restrict-fs: also rename functions to bpf_restrict_fs_xyz() Rename the functions too, to make clear this is really just about the restrict-fs, and not generic LSM_BPF code. --- diff --git a/src/core/bpf-restrict-fs.c b/src/core/bpf-restrict-fs.c index 14ef52faf1f..15ef86d50fc 100644 --- a/src/core/bpf-restrict-fs.c +++ b/src/core/bpf-restrict-fs.c @@ -92,7 +92,7 @@ static int prepare_restrict_fs_bpf(struct restrict_fs_bpf **ret_obj) { return 0; } -bool lsm_bpf_supported(bool initialize) { +bool bpf_restrict_fs_supported(bool initialize) { _cleanup_(restrict_fs_bpf_freep) struct restrict_fs_bpf *obj = NULL; static int supported = -1; int r; @@ -129,7 +129,7 @@ bool lsm_bpf_supported(bool initialize) { return (supported = true); } -int lsm_bpf_setup(Manager *m) { +int bpf_restrict_fs_setup(Manager *m) { _cleanup_(restrict_fs_bpf_freep) struct restrict_fs_bpf *obj = NULL; _cleanup_(bpf_link_freep) struct bpf_link *link = NULL; int r; @@ -154,7 +154,7 @@ int lsm_bpf_setup(Manager *m) { return 0; } -int lsm_bpf_restrict_filesystems(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, bool allow_list) { +int bpf_restrict_fs_update(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, bool allow_list) { uint32_t dummy_value = 1, zero = 0; const char *fs; const statfs_f_type_t *magic; @@ -209,12 +209,12 @@ int lsm_bpf_restrict_filesystems(const Set *filesystems, uint64_t cgroup_id, int return 0; } -int lsm_bpf_cleanup(const Unit *u) { +int bpf_restrict_fs_cleanup(const Unit *u) { assert(u); assert(u->manager); /* If we never successfully detected support, there is nothing to clean up. */ - if (!lsm_bpf_supported(/* initialize = */ false)) + if (!bpf_restrict_fs_supported(/* initialize = */ false)) return 0; if (!u->manager->restrict_fs) @@ -233,7 +233,7 @@ int lsm_bpf_cleanup(const Unit *u) { return 0; } -int lsm_bpf_map_restrict_fs_fd(Unit *unit) { +int bpf_restrict_fs_map_fd(Unit *unit) { assert(unit); assert(unit->manager); @@ -243,36 +243,36 @@ int lsm_bpf_map_restrict_fs_fd(Unit *unit) { return sym_bpf_map__fd(unit->manager->restrict_fs->maps.cgroup_hash); } -void lsm_bpf_destroy(struct restrict_fs_bpf *prog) { +void bpf_restrict_fs_destroy(struct restrict_fs_bpf *prog) { restrict_fs_bpf__destroy(prog); } #else /* ! BPF_FRAMEWORK */ -bool lsm_bpf_supported(bool initialize) { +bool bpf_restrict_fs_supported(bool initialize) { return false; } -int lsm_bpf_setup(Manager *m) { +int bpf_restrict_fs_setup(Manager *m) { return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-restrict-fs: Failed to set up LSM BPF: %m"); } -int lsm_bpf_restrict_filesystems(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, const bool allow_list) { +int bpf_restrict_fs_update(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, const bool allow_list) { return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-restrict-fs: Failed to restrict filesystems using LSM BPF: %m"); } -int lsm_bpf_cleanup(const Unit *u) { +int bpf_restrict_fs_cleanup(const Unit *u) { return 0; } -int lsm_bpf_map_restrict_fs_fd(Unit *unit) { +int bpf_restrict_fs_map_fd(Unit *unit) { return -ENOMEDIUM; } -void lsm_bpf_destroy(struct restrict_fs_bpf *prog) { +void bpf_restrict_fs_destroy(struct restrict_fs_bpf *prog) { return; } #endif -int lsm_bpf_parse_filesystem( +int bpf_restrict_fs_parse_filesystem( const char *name, Set **filesystems, FilesystemParseFlags flags, @@ -299,7 +299,7 @@ int lsm_bpf_parse_filesystem( * (i.e. take away the FILESYSTEM_PARSE_LOG flag) since any issues in the group table * are our own problem, not a problem in user configuration data and we shouldn't * pretend otherwise by complaining about them. */ - r = lsm_bpf_parse_filesystem(i, filesystems, flags &~ FILESYSTEM_PARSE_LOG, unit, filename, line); + r = bpf_restrict_fs_parse_filesystem(i, filesystems, flags &~ FILESYSTEM_PARSE_LOG, unit, filename, line); if (r < 0) return r; } diff --git a/src/core/bpf-restrict-fs.h b/src/core/bpf-restrict-fs.h index a6eda193fe0..ffb360b1178 100644 --- a/src/core/bpf-restrict-fs.h +++ b/src/core/bpf-restrict-fs.h @@ -14,15 +14,10 @@ typedef struct Manager Manager; typedef struct restrict_fs_bpf restrict_fs_bpf; -bool lsm_bpf_supported(bool initialize); -int lsm_bpf_setup(Manager *m); -int lsm_bpf_restrict_filesystems(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, bool allow_list); -int lsm_bpf_cleanup(const Unit *u); -int lsm_bpf_map_restrict_fs_fd(Unit *u); -void lsm_bpf_destroy(struct restrict_fs_bpf *prog); -int lsm_bpf_parse_filesystem(const char *name, - Set **filesystems, - FilesystemParseFlags flags, - const char *unit, - const char *filename, - unsigned line); +bool bpf_restrict_fs_supported(bool initialize); +int bpf_restrict_fs_setup(Manager *m); +int bpf_restrict_fs_update(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, bool allow_list); +int bpf_restrict_fs_cleanup(const Unit *u); +int bpf_restrict_fs_map_fd(Unit *u); +void bpf_restrict_fs_destroy(struct restrict_fs_bpf *prog); +int bpf_restrict_fs_parse_filesystem(const char *name, Set **filesystems, FilesystemParseFlags flags, const char *unit, const char *filename, unsigned line); diff --git a/src/core/cgroup.c b/src/core/cgroup.c index 6c37856faf8..7f360de496c 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -3451,7 +3451,7 @@ void unit_prune_cgroup(Unit *u) { (void) unit_get_memory_accounting(u, metric, /* ret = */ NULL); #if BPF_FRAMEWORK - (void) lsm_bpf_cleanup(u); /* Remove cgroup from the global LSM BPF map */ + (void) bpf_restrict_fs_cleanup(u); /* Remove cgroup from the global LSM BPF map */ #endif unit_modify_nft_set(u, /* add = */ false); diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c index 602fec13143..cad6a200b5d 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c @@ -1898,7 +1898,7 @@ int bus_exec_context_set_transient_property( c->restrict_filesystems_allow_list = allow_list; STRV_FOREACH(s, l) { - r = lsm_bpf_parse_filesystem( + r = bpf_restrict_fs_parse_filesystem( *s, &c->restrict_filesystems, FILESYSTEM_PARSE_LOG| diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c index b98e9e6a4b3..ab13f0342a5 100644 --- a/src/core/exec-invoke.c +++ b/src/core/exec-invoke.c @@ -1704,7 +1704,7 @@ static int apply_restrict_filesystems(const ExecContext *c, const ExecParameters if (!exec_context_restrict_filesystems_set(c)) return 0; - if (p->bpf_outer_map_fd < 0) { + if (p->bpf_restrict_fs_map_fd < 0) { /* LSM BPF is unsupported or lsm_bpf_setup failed */ log_exec_debug(c, p, "LSM BPF not supported, skipping RestrictFileSystems="); return 0; @@ -1715,7 +1715,7 @@ static int apply_restrict_filesystems(const ExecContext *c, const ExecParameters if (r < 0) return r; - return lsm_bpf_restrict_filesystems(c->restrict_filesystems, p->cgroup_id, p->bpf_outer_map_fd, c->restrict_filesystems_allow_list); + return bpf_restrict_fs_update(c->restrict_filesystems, p->cgroup_id, p->bpf_restrict_fs_map_fd, c->restrict_filesystems_allow_list); } #endif @@ -4139,7 +4139,7 @@ int exec_invoke( } #if HAVE_LIBBPF - r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, ¶ms->bpf_outer_map_fd); + r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, ¶ms->bpf_restrict_fs_map_fd); if (r < 0) { *exit_status = EXIT_FDS; return log_exec_error_errno(context, params, r, "Failed to collect shifted fd: %m"); diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c index ccfc00c6e95..c7cda98ff06 100644 --- a/src/core/execute-serialize.c +++ b/src/core/execute-serialize.c @@ -1365,7 +1365,7 @@ static int exec_parameters_serialize(const ExecParameters *p, const ExecContext return r; if (c && exec_context_restrict_filesystems_set(c)) { - r = serialize_fd(f, fds, "exec-parameters-bpf-outer-map-fd", p->bpf_outer_map_fd); + r = serialize_fd(f, fds, "exec-parameters-bpf-outer-map-fd", p->bpf_restrict_fs_map_fd); if (r < 0) return r; } @@ -1618,7 +1618,7 @@ static int exec_parameters_deserialize(ExecParameters *p, FILE *f, FDSet *fds) { if (fd < 0) continue; - p->bpf_outer_map_fd = fd; + p->bpf_restrict_fs_map_fd = fd; } else if ((val = startswith(l, "exec-parameters-notify-socket="))) { r = free_and_strdup(&p->notify_socket, val); if (r < 0) diff --git a/src/core/execute.c b/src/core/execute.c index 5c10aabc7ef..d4095ae01a0 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -2499,7 +2499,7 @@ void exec_params_shallow_clear(ExecParameters *p) { p->fds = mfree(p->fds); p->exec_fd = safe_close(p->exec_fd); p->user_lookup_fd = -EBADF; - p->bpf_outer_map_fd = -EBADF; + p->bpf_restrict_fs_map_fd = -EBADF; p->unit_id = mfree(p->unit_id); p->invocation_id = SD_ID128_NULL; p->invocation_id_string[0] = '\0'; diff --git a/src/core/execute.h b/src/core/execute.h index e3708e1b014..6f91309b165 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -453,7 +453,8 @@ struct ExecParameters { char **files_env; int user_lookup_fd; - int bpf_outer_map_fd; + + int bpf_restrict_fs_map_fd; /* Used for logging in the executor functions */ char *unit_id; @@ -461,16 +462,16 @@ struct ExecParameters { char invocation_id_string[SD_ID128_STRING_MAX]; }; -#define EXEC_PARAMETERS_INIT(_flags) \ - (ExecParameters) { \ - .flags = (_flags), \ - .stdin_fd = -EBADF, \ - .stdout_fd = -EBADF, \ - .stderr_fd = -EBADF, \ - .exec_fd = -EBADF, \ - .bpf_outer_map_fd = -EBADF, \ - .user_lookup_fd = -EBADF, \ - }; +#define EXEC_PARAMETERS_INIT(_flags) \ + (ExecParameters) { \ + .flags = (_flags), \ + .stdin_fd = -EBADF, \ + .stdout_fd = -EBADF, \ + .stderr_fd = -EBADF, \ + .exec_fd = -EBADF, \ + .bpf_restrict_fs_map_fd = -EBADF, \ + .user_lookup_fd = -EBADF, \ + } #include "unit.h" #include "dynamic-user.h" diff --git a/src/core/fuzz-execute-serialize.c b/src/core/fuzz-execute-serialize.c index 6069efd519f..5b2dc952add 100644 --- a/src/core/fuzz-execute-serialize.c +++ b/src/core/fuzz-execute-serialize.c @@ -56,7 +56,7 @@ static void exec_fuzz_one(FILE *f, FDSet *fdset) { params.stderr_fd = -EBADF; params.exec_fd = -EBADF; params.user_lookup_fd = -EBADF; - params.bpf_outer_map_fd = -EBADF; + params.bpf_restrict_fs_map_fd = -EBADF; if (!params.fds) params.n_socket_fds = params.n_storage_fds = 0; for (size_t i = 0; params.fds && i < params.n_socket_fds + params.n_storage_fds; i++) diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index cecd01fdcf8..819cbb27727 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -3697,7 +3697,7 @@ int config_parse_restrict_filesystems( break; } - r = lsm_bpf_parse_filesystem( + r = bpf_restrict_fs_parse_filesystem( word, &c->restrict_filesystems, FILESYSTEM_PARSE_LOG| diff --git a/src/core/manager.c b/src/core/manager.c index 47244a4a26c..5014c3e1c89 100644 --- a/src/core/manager.c +++ b/src/core/manager.c @@ -992,8 +992,8 @@ int manager_new(RuntimeScope runtime_scope, ManagerTestRunFlags test_run_flags, return r; #if HAVE_LIBBPF - if (MANAGER_IS_SYSTEM(m) && lsm_bpf_supported(/* initialize = */ true)) { - r = lsm_bpf_setup(m); + if (MANAGER_IS_SYSTEM(m) && bpf_restrict_fs_supported(/* initialize = */ true)) { + r = bpf_restrict_fs_setup(m); if (r < 0) log_warning_errno(r, "Failed to setup LSM BPF, ignoring: %m"); } @@ -1710,7 +1710,7 @@ Manager* manager_free(Manager *m) { m->fw_ctx = fw_ctx_free(m->fw_ctx); #if BPF_FRAMEWORK - lsm_bpf_destroy(m->restrict_fs); + bpf_restrict_fs_destroy(m->restrict_fs); #endif safe_close(m->executor_fd); diff --git a/src/core/unit.c b/src/core/unit.c index 6496fc96d41..fd652df35b1 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -5355,12 +5355,12 @@ int unit_set_exec_params(Unit *u, ExecParameters *p) { p->fallback_smack_process_label = u->manager->defaults.smack_process_label; - if (u->manager->restrict_fs && p->bpf_outer_map_fd < 0) { - int fd = lsm_bpf_map_restrict_fs_fd(u); + if (u->manager->restrict_fs && p->bpf_restrict_fs_map_fd < 0) { + int fd = bpf_restrict_fs_map_fd(u); if (fd < 0) return fd; - p->bpf_outer_map_fd = fd; + p->bpf_restrict_fs_map_fd = fd; } p->user_lookup_fd = u->manager->user_lookup_fds[1]; diff --git a/src/test/test-bpf-restrict-fs.c b/src/test/test-bpf-restrict-fs.c index b6293932178..e1d56163ef7 100644 --- a/src/test/test-bpf-restrict-fs.c +++ b/src/test/test-bpf-restrict-fs.c @@ -75,7 +75,7 @@ int main(int argc, char *argv[]) { if (!can_memlock()) return log_tests_skipped("Can't use mlock()"); - if (!lsm_bpf_supported(/* initialize = */ true)) + if (!bpf_restrict_fs_supported(/* initialize = */ true)) return log_tests_skipped("LSM BPF hooks are not supported"); r = enter_cgroup_subroot(NULL);