IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
- drop unused _NONE type,
- rename IPv6Token::prefix -> IPv6Token::address,
- clear unused part of IPv6Token::address,
- use Set, instead of OrderedSet.
In other files, we usually (but not always) place functions in the following order:
- network_adjust_xxx(), which applies default or updates settings
specified in .network files,
- link_xxx_enabled(), which checks if the functionality is enabled,
- xxx_new() and xxx_free(), allocator and deallocator for sections,
- functions which apply/update/remove configs
- validators of section,
- conf parsers.
This does not change each function, but just changes the order.
It attaches the LSM BPF program when the system manager starts up.
It populates the hash of maps BPF map when services that have
RestrictFileSystems= set start.
It cleans up the hash of maps when the unit cgroup is pruned.
To pass the file descriptor of the BPF map we add it to the keep_fds
array.
This adds 6 functions to implement RestrictFileSystems=
* lsm_bpf_supported() checks if LSM BPF is supported. It checks that
cgroupv2 is used, that BPF LSM is enabled, and tries to load the BPF
LSM program which makes sure BTF and hash of maps are supported, and
BPF LSM programs can be loaded.
* lsm_bpf_setup() loads and attaches the LSM BPF program.
* lsm_bpf_unit_restrict_filesystems() populates the hash of maps BPF map with the
cgroupID and the set of allowed or denied filesystems.
* lsm_bpf_cleanup() removes a cgroupID entry from the hash of maps.
* lsm_bpf_map_restrict_fs_fd() is a helper function to get the file
descriptor of the BPF map.
* lsm_bpf_destroy() is a wrapper around the destroy function of the BPF
skeleton file.
It hooks into the file_open LSM hook and allows only when the filesystem
where the open will take place is present in a BPF map for a particular
cgroup.
The BPF map used is a hash of maps with the following structure:
cgroupID -> (s_magic -> uint32)
The inner map is effectively a set.
The entry at key 0 in the inner map encodes whether the program behaves
as an allow list or a deny list: if its value is 0 it is a deny list,
otherwise it is an allow list.
When the cgroupID is present in the map, the program checks the inner
map for the magic number of the filesystem associated with the file
that's being opened. When the program behaves as an allow list, if that
magic number is present it allows the open to succeed, when the program
behaves as a deny list, it only allows access if the that magic number
is NOT present. When access is denied the program returns -EPERM.
The BPF program uses CO-RE (Compile-Once Run-Everywhere) to access
internal kernel structures without needing kernel headers present at
runtime.
