From 7a8288f6ed185f8033b59a007ace956df7fc8ff5 Mon Sep 17 00:00:00 2001
From: Dominique Martinet
Date: Wed, 24 Nov 2021 23:04:30 +0900
Subject: [PATCH] build: fix build without seccomp
- execute.c: bpf functions were in the middle of an #if HAVE_SECCOMP block for no reason
- test-fd-util.c: make seccomp-util.h includable without depending on , and make is_seccomp_available() hardcoded to returning false in this case. Also fix a stray DEFINED() -- HAVE_SECCOMP is defined as 0, so normal #if should be used like everywhere else.
---
 src/core/execute.c | 46 +++++++++++++++++++--------------------
 src/shared/seccomp-util.h | 10 +++++++++
 src/test/test-fd-util.c | 2 +-
 3 files changed, 34 insertions(+), 24 deletions(-)
diff --git a/src/core/execute.c b/src/core/execute.c
index ba66b9e6ece..39c50310656 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1701,29 +1701,6 @@ static int apply_restrict_namespaces(const Unit *u, const ExecContext *c) {
 return seccomp_restrict_namespaces(c->restrict_namespaces);
 }
-#if HAVE_LIBBPF
-static bool skip_lsm_bpf_unsupported(const Unit* u, const char* msg) {
- if (lsm_bpf_supported())
- return false;
-
- log_unit_debug(u, "LSM BPF not supported, skipping %s", msg);
- return true;
-}
-
-static int apply_restrict_filesystems(Unit *u, const ExecContext *c) {
- assert(u);
- assert(c);
-
- if (!exec_context_restrict_filesystems_set(c))
- return 0;
-
- if (skip_lsm_bpf_unsupported(u, "RestrictFileSystems="))
- return 0;
-
- return lsm_bpf_unit_restrict_filesystems(u, c->restrict_filesystems, c->restrict_filesystems_allow_list);
-}
-#endif
-
 static int apply_lock_personality(const Unit* u, const ExecContext *c) {
 unsigned long personality;
 int r;
@@ -1752,6 +1729,29 @@ static int apply_lock_personality(const Unit* u, const ExecContext *c) {
 #endif
+#if HAVE_LIBBPF
+static bool skip_lsm_bpf_unsupported(const Unit* u, const char* msg) {
+ if (lsm_bpf_supported())
+ return false;
+
+ log_unit_debug(u, "LSM BPF not supported, skipping %s", msg);
+ return true;
+}
+
+static int apply_restrict_filesystems(Unit *u, const ExecContext *c) {
+ assert(u);
+ assert(c);
+
+ if (!exec_context_restrict_filesystems_set(c))
+ return 0;
+
+ if (skip_lsm_bpf_unsupported(u, "RestrictFileSystems="))
+ return 0;
+
+ return lsm_bpf_unit_restrict_filesystems(u, c->restrict_filesystems, c->restrict_filesystems_allow_list);
+}
+#endif
+
 static int apply_protect_hostname(const Unit *u, const ExecContext *c, int *ret_exit_status) {
 assert(u);
 assert(c);
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 4f4bc48431d..aa249539f33 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -1,6 +1,8 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
+#if HAVE_SECCOMP
+
 #include
 #include
 #include
@@ -152,3 +154,11 @@ static inline const char *seccomp_errno_or_action_to_string(int num) {
 int parse_syscall_and_errno(const char *in, char **name, int *error);
 int seccomp_suppress_sync(void);
+
+#else
+
+static inline bool is_seccomp_available(void) {
+ return false;
+}
+
+#endif
diff --git a/src/test/test-fd-util.c b/src/test/test-fd-util.c
index 3638103bf14..8e8dd023afa 100644
--- a/src/test/test-fd-util.c
+++ b/src/test/test-fd-util.c
@@ -292,7 +292,7 @@ static void test_close_all_fds_inner(void) {
 }
 static int seccomp_prohibit_close_range(void) {
-#if defined(HAVE_SECCOMP) && defined(__SNR_close_range)
+#if HAVE_SECCOMP && defined(__SNR_close_range)
 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
 int r;
-- 
2.47.3
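Review bot: In src/core/execute.c (hunk at -1752), `skip_lsm_bpf_unsupported()` reports a missing BPF LSM only through `log_unit_debug()`, and `apply_restrict_filesystems()` then returns 0, so a unit that sets RestrictFileSystems= starts without that restriction and nothing shows at the default log level. The code is moved unchanged by this commit, so this may be deliberate best-effort behaviour, but it is a fail-open path for a sandboxing option and should say so. I would add a comment above the helper, `/* Best effort: without BPF LSM the unit runs with RestrictFileSystems= unenforced. */`, or raise the message to `log_unit_warning()` so operators can detect the gap. The caller of `apply_restrict_filesystems()` is outside the hunk.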
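Review bot: In src/shared/seccomp-util.h (hunk at -1,6), the new `#if HAVE_SECCOMP` evaluates an undefined macro as 0, so a translation unit that reaches this header before the build configuration defines HAVE_SECCOMP silently gets the `#else` stub added in the second hunk of this file. The same applies to the `#if HAVE_SECCOMP && defined(__SNR_close_range)` line in src/test/test-fd-util.c. Whether the build already turns undefined macros in `#if` into an error is not visible here; if it does not, a guard ahead of the conditional makes the mistake fail at compile time: `#ifndef HAVE_SECCOMP`, `#error "HAVE_SECCOMP is not defined"`, `#endif`.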
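Review bot: The `#else` stub in src/shared/seccomp-util.h (hunk at -152,3) uses `bool`, but the first hunk of this file places all three `#include` lines inside `#if HAVE_SECCOMP`, so in a build without seccomp the header relies on every includer having a definition of `bool` in scope first. Adding `#include <stdbool.h>` at the top of the `#else` branch keeps the header self-contained. A one-line comment on the stub, e.g. `/* Built without seccomp: callers must treat syscall filtering as unavailable. */`, would also help, since how callers react to `false` is not visible in this diff.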