1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-20 14:03:39 +03:00

bpf: actually skip RestrictFileSystems= when not supported

Units would fail to start, incl. systemd-journald.service and systemd-udevd.service.
Since unit->manager->restrict_fs will be set if and only if we can use it,
we can just check for that and remove the other checks.
Follow-up for 299d9417238e0727a48ebaabb5a9de0c908ec5c8.

(cherry picked from commit 46004616a12dcdaf11020b8d58f956a006c9d9cf)
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2022-01-07 19:24:49 +01:00
parent 76e23c1cbe
commit 8ec64d0778

View File

@ -1731,21 +1731,6 @@ static int apply_lock_personality(const Unit* u, const ExecContext *c) {
#endif
#if HAVE_LIBBPF
static bool skip_lsm_bpf_unsupported(const Unit* u, const char* msg) {
assert(u);
assert(u->manager);
if (lsm_bpf_supported())
return false;
/* lsm_bpf_setup succeeded */
if (u->manager->restrict_fs)
return false;
log_unit_debug(u, "LSM BPF not supported, skipping %s", msg);
return true;
}
static int apply_restrict_filesystems(Unit *u, const ExecContext *c) {
assert(u);
assert(c);
@ -1753,8 +1738,11 @@ static int apply_restrict_filesystems(Unit *u, const ExecContext *c) {
if (!exec_context_restrict_filesystems_set(c))
return 0;
if (skip_lsm_bpf_unsupported(u, "RestrictFileSystems="))
if (!u->manager->restrict_fs) {
/* LSM BPF is unsupported or lsm_bpf_setup failed */
log_unit_debug(u, "LSM BPF not supported, skipping RestrictFileSystems=");
return 0;
}
return lsm_bpf_unit_restrict_filesystems(u, c->restrict_filesystems, c->restrict_filesystems_allow_list);
}
@ -3975,13 +3963,11 @@ static int exec_child(
}
#if HAVE_LIBBPF
if (MANAGER_IS_SYSTEM(unit->manager) && lsm_bpf_supported()) {
int bpf_map_fd = -1;
bpf_map_fd = lsm_bpf_map_restrict_fs_fd(unit);
if (unit->manager->restrict_fs) {
int bpf_map_fd = lsm_bpf_map_restrict_fs_fd(unit);
if (bpf_map_fd < 0) {
*exit_status = EXIT_FDS;
return log_unit_error_errno(unit, r, "Failed to get restrict filesystems BPF map fd: %m");
return log_unit_error_errno(unit, bpf_map_fd, "Failed to get restrict filesystems BPF map fd: %m");
}
r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, bpf_map_fd, &bpf_map_fd);