From: Zbigniew Jędrzejewski-Szmek
Date: Tue, 17 May 2022 08:13:49 +0000 (+0200)
Subject: manager: skip BPF cleanup if we never initialized
X-Git-Tag: v251~23^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F23407%2Fhead;p=thirdparty%2Fsystemd.git
manager: skip BPF cleanup if we never initialized
This fixes a spurious warning from the manager running in user mode:
systemd[1668]: Reached target sockets.target.
systemd[1669]: Failed to create BPF map: Operation not permitted
systemd[1669]: Finished systemd-tmpfiles-setup.service.
systemd[1669]: Listening on dbus.socket.
systemd[1669]: Reached target sockets.target.
systemd[1669]: Reached target basic.target.
systemd[1]: Started user@6.service.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2084955.
---
diff --git a/src/core/bpf-lsm.c b/src/core/bpf-lsm.c
index 174aa259c02..d3e92b98a62 100644
--- a/src/core/bpf-lsm.c
+++ b/src/core/bpf-lsm.c
@@ -125,13 +125,15 @@ static int mac_bpf_use(void) {
 }
 }
-bool lsm_bpf_supported(void) {
+bool lsm_bpf_supported(bool initialize) {
 _cleanup_(restrict_fs_bpf_freep) struct restrict_fs_bpf *obj = NULL;
 static int supported = -1;
 int r;
 if (supported >= 0)
 return supported;
+ if (!initialize)
+ return false;
 r = dlopen_bpf();
 if (r < 0) {
@@ -267,7 +269,8 @@ int lsm_bpf_cleanup(const Unit *u) {
 assert(u);
 assert(u->manager);
- if (!lsm_bpf_supported())
+ /* If we never successfully detected support, there is nothing to clean up. */
+ if (!lsm_bpf_supported(/* initialize = */ false))
 return 0;
 if (!u->manager->restrict_fs)
@@ -297,7 +300,7 @@ void lsm_bpf_destroy(struct restrict_fs_bpf *prog) {
 restrict_fs_bpf__destroy(prog);
 }
 #else /* ! BPF_FRAMEWORK */
-bool lsm_bpf_supported(void) {
+bool lsm_bpf_supported(bool initialize) {
 return false;
 }
diff --git a/src/core/bpf-lsm.h b/src/core/bpf-lsm.h
index e609d99330b..dff581279d7 100644
--- a/src/core/bpf-lsm.h
+++ b/src/core/bpf-lsm.h
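Review bot: `lsm_bpf_supported(bool initialize)` in src/core/bpf-lsm.c now returns the same `false` for "LSM BPF is not supported" and for "support was never probed", and neither the definition nor the prototype in src/core/bpf-lsm.h documents that. A future caller that passes `false` on a path that can run before the probe would silently treat the feature as unavailable, and this result presumably gates the filesystem restriction set up through `lsm_bpf_setup()`. I would add above the definition `/* With initialize=false only a previously cached result is reported; if support was never probed this returns false without probing or logging. */` and repeat a short form next to the prototype. The function body continues past the end of the hunk.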
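Review bot: In `lsm_bpf_cleanup()` the new early return on `!lsm_bpf_supported(/* initialize = */ false)` is safe only while a non-NULL `u->manager->restrict_fs` implies that the probe already succeeded in this process, and the added comment does not state that invariant. It holds for the `manager_new()` call site changed in this commit, where `lsm_bpf_setup(m)` runs only after `lsm_bpf_supported(/* initialize = */ true)`, but if setup were ever reached another way the unit's map entry would presumably be left behind. I would extend the comment to `/* The map is only set up after a successful probe, so if support was never detected there is no entry to remove. */`. The rest of the function, including the body of the `restrict_fs` check, is outside the hunk.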
@@ -14,7 +14,7 @@ typedef struct Manager Manager;
 typedef struct restrict_fs_bpf restrict_fs_bpf;
-bool lsm_bpf_supported(void);
+bool lsm_bpf_supported(bool initialize);
 int lsm_bpf_setup(Manager *m);
 int lsm_bpf_unit_restrict_filesystems(Unit *u, const Set *filesystems, bool allow_list);
 int lsm_bpf_cleanup(const Unit *u);
diff --git a/src/core/manager.c b/src/core/manager.c
index 98daa764ebb..296b7599598 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -951,7 +951,7 @@ int manager_new(LookupScope scope, ManagerTestRunFlags test_run_flags, Manager *
 return r;
 #if HAVE_LIBBPF
- if (MANAGER_IS_SYSTEM(m) && lsm_bpf_supported()) {
+ if (MANAGER_IS_SYSTEM(m) && lsm_bpf_supported(/* initialize = */ true)) {
 r = lsm_bpf_setup(m);
 if (r < 0)
 log_warning_errno(r, "Failed to setup LSM BPF, ignoring: %m");
diff --git a/src/test/test-bpf-lsm.c b/src/test/test-bpf-lsm.c
index d2b5c966245..630d60dbf53 100644
--- a/src/test/test-bpf-lsm.c
+++ b/src/test/test-bpf-lsm.c
@@ -78,7 +78,7 @@ int main(int argc, char *argv[]) {
 if (!can_memlock())
 return log_tests_skipped("Can't use mlock()");
- if (!lsm_bpf_supported())
+ if (!lsm_bpf_supported(/* initialize = */ true))
 return log_tests_skipped("LSM BPF hooks are not supported");
 r = enter_cgroup_subroot(NULL);