From 8ec64d07783616a23dfff5911f13d5611e213d6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Fri, 7 Jan 2022 19:24:49 +0100
Subject: [PATCH] bpf: actually skip RestrictFileSystems= when not supported Units would fail to start, incl. systemd-journald.service and systemd-udevd.service. Since unit->manager->restrict_fs will be set if and only if we can use it, we can just check for that and remove the other checks. Follow-up for 299d9417238e0727a48ebaabb5a9de0c908ec5c8. (cherry picked from commit 46004616a12dcdaf11020b8d58f956a006c9d9cf)
---
 src/core/execute.c | 28 +++++++---------------------
 1 file changed, 7 insertions(+), 21 deletions(-)
diff --git a/src/core/execute.c b/src/core/execute.c
index 4c96c30cf4..16f346f339 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1731,21 +1731,6 @@ static int apply_lock_personality(const Unit* u, const ExecContext *c) {
 #endif

 #if HAVE_LIBBPF
-static bool skip_lsm_bpf_unsupported(const Unit* u, const char* msg) {
- assert(u);
- assert(u->manager);
-
- if (lsm_bpf_supported())
- return false;
-
- /* lsm_bpf_setup succeeded */
- if (u->manager->restrict_fs)
- return false;
-
- log_unit_debug(u, "LSM BPF not supported, skipping %s", msg);
- return true;
-}
-
 static int apply_restrict_filesystems(Unit *u, const ExecContext *c) {
 assert(u);
 assert(c);
@@ -1753,8 +1738,11 @@ static int apply_restrict_filesystems(Unit *u, const ExecContext *c) {
 if (!exec_context_restrict_filesystems_set(c))
 return 0;

- if (skip_lsm_bpf_unsupported(u, "RestrictFileSystems="))
+ if (!u->manager->restrict_fs) {
+ /* LSM BPF is unsupported or lsm_bpf_setup failed */
+ log_unit_debug(u, "LSM BPF not supported, skipping RestrictFileSystems=");
 return 0;
+ }

 return lsm_bpf_unit_restrict_filesystems(u, c->restrict_filesystems, c->restrict_filesystems_allow_list);
 }
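Review bot: The new `if (!u->manager->restrict_fs)` branch in apply_restrict_filesystems() returns 0, so a unit that sets RestrictFileSystems= is started without the restriction, and the only trace is a debug-level message. Because this is a sandboxing setting that fails open, I would either log it where operators see it by default, e.g. `log_unit_warning(u, "LSM BPF not supported, skipping RestrictFileSystems=");`, or extend the comment to say the skip is deliberate, e.g. `/* LSM BPF is unsupported or lsm_bpf_setup failed; the unit runs unrestricted on purpose */`. The removed helper also carried `assert(u->manager);`, while the new code dereferences `u->manager` with only `assert(u);` visible, so I would keep that assert next to the existing two. The exec_child() hunk dereferences `unit->manager` the same way.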
@@ -3975,13 +3963,11 @@ static int exec_child(
 }

 #if HAVE_LIBBPF
- if (MANAGER_IS_SYSTEM(unit->manager) && lsm_bpf_supported()) {
- int bpf_map_fd = -1;
-
- bpf_map_fd = lsm_bpf_map_restrict_fs_fd(unit);
+ if (unit->manager->restrict_fs) {
+ int bpf_map_fd = lsm_bpf_map_restrict_fs_fd(unit);
 if (bpf_map_fd < 0) {
 *exit_status = EXIT_FDS;
- return log_unit_error_errno(unit, r, "Failed to get restrict filesystems BPF map fd: %m");
+ return log_unit_error_errno(unit, bpf_map_fd, "Failed to get restrict filesystems BPF map fd: %m");
 }

 r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, bpf_map_fd, &bpf_map_fd);
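Review bot: The guard `if (unit->manager->restrict_fs)` in exec_child() does not check whether this unit sets RestrictFileSystems=, so a failing lsm_bpf_map_restrict_fs_fd() ends the child with EXIT_FDS for any unit once the manager holds the BPF object. That may be intended, since the fd is used after the end of this hunk, but it is the same failure shape the commit message describes, so it deserves a comment. The guard also now relies on an invariant that is only stated in the commit message, replacing the explicit MANAGER_IS_SYSTEM() and lsm_bpf_supported() checks. I would record it at the branch, e.g. `/* manager->restrict_fs is set if and only if lsm_bpf_setup() succeeded, so no separate support check is needed */`. The body of exec_child() and the end of this `if` block lie outside the hunk.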