From: Lennart Poettering
Date: Thu, 16 Mar 2023 16:56:23 +0000 (+0100)
Subject: lsm-util: move detection of support of LSMs into a new lsm-util.[ch] helper
X-Git-Tag: v254-rc1~694
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b3a062cb80bfa4ca96a321aa4736fe4f939ff7cd;p=thirdparty%2Fsystemd.git
lsm-util: move detection of support of LSMs into a new lsm-util.[ch] helper This makes the bpf LSM check generic, so that we can use it elsewhere. it also drops the caching inside it, given that bpf-lsm code in PID1 will cache it a second time a stack frame further up when it checks for various other bpf functionality.
---
diff --git a/src/core/bpf-lsm.c b/src/core/bpf-lsm.c
index 0be250af5cc..5f614ead040 100644
--- a/src/core/bpf-lsm.c
+++ b/src/core/bpf-lsm.c
@@ -16,6 +16,7 @@
 #include "fileio.h"
 #include "filesystems.h"
 #include "log.h"
+#include "lsm-util.h"
 #include "manager.h"
 #include "mkdir.h"
 #include "nulstr-util.h"
@@ -91,41 +92,6 @@ static int prepare_restrict_fs_bpf(struct restrict_fs_bpf **ret_obj) {
 return 0;
 }
 
-static int mac_bpf_use(void) {
- _cleanup_free_ char *lsm_list = NULL;
- static int cached_use = -1;
- int r;
-
- if (cached_use >= 0)
- return cached_use;
-
- cached_use = 0;
-
- r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list);
- if (r < 0) {
- if (r != -ENOENT)
- log_notice_errno(r, "bpf-lsm: Failed to read /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
- return 0;
- }
-
- for (const char *p = lsm_list;;) {
- _cleanup_free_ char *word = NULL;
-
- r = extract_first_word(&p, &word, ",", 0);
- if (r == 0)
- return 0;
- if (r == -ENOMEM)
- return log_oom();
- if (r < 0) {
- log_notice_errno(r, "bpf-lsm: Failed to parse /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
- return 0;
- }
-
- if (streq(word, "bpf"))
- return cached_use = 1;
- }
-}
-
 bool lsm_bpf_supported(bool initialize) {
 _cleanup_(restrict_fs_bpf_freep) struct restrict_fs_bpf *obj = NULL;
 static int supported = -1;
@@ -139,12 +105,11 @@ bool lsm_bpf_supported(bool initialize) {
 if (!cgroup_bpf_supported())
 return (supported = false);
 
- r = mac_bpf_use();
+ r = lsm_supported("bpf");
 if (r < 0) {
 log_warning_errno(r, "bpf-lsm: Can't determine whether the BPF LSM module is used: %m");
 return (supported = false);
 }
-
 if (r == 0) {
 log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
 "bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported");
diff --git a/src/shared/lsm-util.c b/src/shared/lsm-util.c
new file mode 100644
index 00000000000..7b6d419ce10
--- /dev/null
+++ b/src/shared/lsm-util.c
@@ -0,0 +1,33 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "alloc-util.h"
+#include "extract-word.h"
+#include "fileio.h"
+#include "lsm-util.h"
+#include "string-util.h"
+
+int lsm_supported(const char *name) {
+ _cleanup_free_ char *lsm_list = NULL;
+ int r;
+
+ assert(name);
+
+ r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list);
+ if (r == -ENOENT) /* LSM support not available at all? */
+ return false;
+ if (r < 0)
+ return log_debug_errno(r, "Failed to read /sys/kernel/security/lsm: %m");
+
+ for (const char *p = lsm_list;;) {
+ _cleanup_free_ char *word = NULL;
+
+ r = extract_first_word(&p, &word, ",", 0);
+ if (r == 0)
+ return false;
+ if (r < 0)
+ return log_debug_errno(r, "Failed to parse /sys/kernel/security/lsm: %m");
+
+ if (streq(word, name))
+ return true;
+ }
+}
diff --git a/src/shared/lsm-util.h b/src/shared/lsm-util.h
new file mode 100644
index 00000000000..c4d9027b767
--- /dev/null
+++ b/src/shared/lsm-util.h
@@ -0,0 +1,4 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+int lsm_supported(const char *name);
diff --git a/src/shared/meson.build b/src/shared/meson.build
index df82778f9dd..060e528555e 100644
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
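Review bot: `lsm_supported()` in lsm-util.c has a tri-state result — negative errno on a read or parse failure, 0 when the name is not in the list or when `/sys/kernel/security/lsm` does not exist, 1 when it is listed — but neither this file nor the declaration added to lsm-util.h in the next hunk documents that, so a caller only learns the convention from the `r < 0` / `r == 0` checks in bpf-lsm.c. The `-ENOENT` branch also folds "securityfs not mounted or no LSM support" into the same 0 as "this LSM is not active", and unlike the removed `mac_bpf_use()` it leaves no log line at all, which makes a wrong answer in a container or on a minimal kernel hard to diagnose. I would put above the declaration in lsm-util.h `/* Returns > 0 if the LSM "name" appears in /sys/kernel/security/lsm (the LSMs active in the running kernel), 0 if it does not or the file is absent, negative errno on read/parse failure. */`, and add `log_debug("/sys/kernel/security/lsm is missing, assuming no LSM support.");` before the `return false` in the ENOENT branch. Since the return type is `int`, returning `true`/`false` reads oddly next to the errno path; `1`/`0`, or a comment stating the convention, would match the rest of the function.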
@@ -105,6 +105,7 @@ shared_sources = files(
 'logs-show.c',
 'loop-util.c',
 'loopback-setup.c',
+ 'lsm-util.c',
 'machine-id-setup.c',
 'machine-pool.c',
 'macvlan-util.c',