
core: rename "bpf-lsm.[ch]" → "bpf-restrict-fs.[ch]"

This file is a bit misnamed. What it actually implements is one specific
BPF LSM module, that restricts file systems. As such it really should be
named after that, and not primarily by the mechanism it uses for that.

With this our glue code is now named the same way as the actual bpf code
files in src/core/bpf/, thus things become a bit more symmetric.

This is particularly relevant as we'll soon have another BPF LSM in our
tree, see #26826, and we should be able to distinguish them by name.

This commit just renames the files and does some dumb search/replace of
the string. A follow-up commit will name some functions more expressively
inside the files.
This commit is contained in:
Lennart Poettering 2024-01-25 13:41:46 +01:00
parent 677e6c14b1
commit 169b56758b
9 changed files with 30 additions and 30 deletions


@ -10,7 +10,7 @@
#include <unistd.h>
#include "alloc-util.h"
#include "bpf-lsm.h"
#include "bpf-restrict-fs.h"
#include "cgroup-util.h"
#include "fd-util.h"
#include "fileio.h"
@ -63,29 +63,29 @@ static int prepare_restrict_fs_bpf(struct restrict_fs_bpf **ret_obj) {
obj = restrict_fs_bpf__open();
if (!obj)
return log_error_errno(errno, "bpf-lsm: Failed to open BPF object: %m");
return log_error_errno(errno, "bpf-restrict-fs: Failed to open BPF object: %m");
/* TODO Maybe choose a number based on runtime information? */
r = sym_bpf_map__set_max_entries(obj->maps.cgroup_hash, CGROUP_HASH_SIZE_MAX);
assert(r <= 0);
if (r < 0)
return log_error_errno(r, "bpf-lsm: Failed to resize BPF map '%s': %m",
return log_error_errno(r, "bpf-restrict-fs: Failed to resize BPF map '%s': %m",
sym_bpf_map__name(obj->maps.cgroup_hash));
/* Dummy map to satisfy the verifier */
inner_map_fd = compat_bpf_map_create(BPF_MAP_TYPE_HASH, NULL, sizeof(uint32_t), sizeof(uint32_t), 128U, NULL);
if (inner_map_fd < 0)
return log_error_errno(errno, "bpf-lsm: Failed to create BPF map: %m");
return log_error_errno(errno, "bpf-restrict-fs: Failed to create BPF map: %m");
r = sym_bpf_map__set_inner_map_fd(obj->maps.cgroup_hash, inner_map_fd);
assert(r <= 0);
if (r < 0)
return log_error_errno(r, "bpf-lsm: Failed to set inner map fd: %m");
return log_error_errno(r, "bpf-restrict-fs: Failed to set inner map fd: %m");
r = restrict_fs_bpf__load(obj);
assert(r <= 0);
if (r < 0)
return log_error_errno(r, "bpf-lsm: Failed to load BPF object: %m");
return log_error_errno(r, "bpf-restrict-fs: Failed to load BPF object: %m");
*ret_obj = TAKE_PTR(obj);
@ -107,12 +107,12 @@ bool lsm_bpf_supported(bool initialize) {
r = lsm_supported("bpf");
if (r < 0) {
log_warning_errno(r, "bpf-lsm: Can't determine whether the BPF LSM module is used: %m");
log_warning_errno(r, "bpf-restrict-fs: Can't determine whether the BPF LSM module is used: %m");
return (supported = false);
}
if (r == 0) {
log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported");
"bpf-restrict-fs: BPF LSM hook not enabled in the kernel, BPF LSM not supported");
return (supported = false);
}
@ -122,7 +122,7 @@ bool lsm_bpf_supported(bool initialize) {
if (!bpf_can_link_lsm_program(obj->progs.restrict_filesystems)) {
log_warning_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"bpf-lsm: Failed to link program; assuming BPF LSM is not available");
"bpf-restrict-fs: Failed to link program; assuming BPF LSM is not available");
return (supported = false);
}
@ -143,10 +143,10 @@ int lsm_bpf_setup(Manager *m) {
link = sym_bpf_program__attach_lsm(obj->progs.restrict_filesystems);
r = sym_libbpf_get_error(link);
if (r != 0)
return log_error_errno(r, "bpf-lsm: Failed to link '%s' LSM BPF program: %m",
return log_error_errno(r, "bpf-restrict-fs: Failed to link '%s' LSM BPF program: %m",
sym_bpf_program__name(obj->progs.restrict_filesystems));
log_info("bpf-lsm: LSM BPF program attached");
log_info("bpf-restrict-fs: LSM BPF program attached");
obj->links.restrict_filesystems = TAKE_PTR(link);
m->restrict_fs = TAKE_PTR(obj);
@ -171,35 +171,35 @@ int lsm_bpf_restrict_filesystems(const Set *filesystems, uint64_t cgroup_id, int
128U, /* Should be enough for all filesystem types */
NULL);
if (inner_map_fd < 0)
return log_error_errno(errno, "bpf-lsm: Failed to create inner BPF map: %m");
return log_error_errno(errno, "bpf-restrict-fs: Failed to create inner BPF map: %m");
if (sym_bpf_map_update_elem(outer_map_fd, &cgroup_id, &inner_map_fd, BPF_ANY) != 0)
return log_error_errno(errno, "bpf-lsm: Error populating BPF map: %m");
return log_error_errno(errno, "bpf-restrict-fs: Error populating BPF map: %m");
uint32_t allow = allow_list;
/* Use key 0 to store whether this is an allow list or a deny list */
if (sym_bpf_map_update_elem(inner_map_fd, &zero, &allow, BPF_ANY) != 0)
return log_error_errno(errno, "bpf-lsm: Error initializing map: %m");
return log_error_errno(errno, "bpf-restrict-fs: Error initializing map: %m");
SET_FOREACH(fs, filesystems) {
r = fs_type_from_string(fs, &magic);
if (r < 0) {
log_warning("bpf-lsm: Invalid filesystem name '%s', ignoring.", fs);
log_warning("bpf-restrict-fs: Invalid filesystem name '%s', ignoring.", fs);
continue;
}
log_debug("bpf-lsm: Restricting filesystem access to '%s'", fs);
log_debug("bpf-restrict-fs: Restricting filesystem access to '%s'", fs);
for (int i = 0; i < FILESYSTEM_MAGIC_MAX; i++) {
if (magic[i] == 0)
break;
if (sym_bpf_map_update_elem(inner_map_fd, &magic[i], &dummy_value, BPF_ANY) != 0) {
r = log_error_errno(errno, "bpf-lsm: Failed to update BPF map: %m");
r = log_error_errno(errno, "bpf-restrict-fs: Failed to update BPF map: %m");
if (sym_bpf_map_delete_elem(outer_map_fd, &cgroup_id) != 0)
log_debug_errno(errno, "bpf-lsm: Failed to delete cgroup entry from BPF map: %m");
log_debug_errno(errno, "bpf-restrict-fs: Failed to delete cgroup entry from BPF map: %m");
return r;
}
@ -225,10 +225,10 @@ int lsm_bpf_cleanup(const Unit *u) {
int fd = sym_bpf_map__fd(u->manager->restrict_fs->maps.cgroup_hash);
if (fd < 0)
return log_unit_error_errno(u, errno, "bpf-lsm: Failed to get BPF map fd: %m");
return log_unit_error_errno(u, errno, "bpf-restrict-fs: Failed to get BPF map fd: %m");
if (sym_bpf_map_delete_elem(fd, &u->cgroup_id) != 0 && errno != ENOENT)
return log_unit_debug_errno(u, errno, "bpf-lsm: Failed to delete cgroup entry from LSM BPF map: %m");
return log_unit_debug_errno(u, errno, "bpf-restrict-fs: Failed to delete cgroup entry from LSM BPF map: %m");
return 0;
}
@ -252,11 +252,11 @@ bool lsm_bpf_supported(bool initialize) {
}
int lsm_bpf_setup(Manager *m) {
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm: Failed to set up LSM BPF: %m");
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-restrict-fs: Failed to set up LSM BPF: %m");
}
int lsm_bpf_restrict_filesystems(const Set *filesystems, uint64_t cgroup_id, int outer_map_fd, const bool allow_list) {
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm: Failed to restrict filesystems using LSM BPF: %m");
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-restrict-fs: Failed to restrict filesystems using LSM BPF: %m");
}
int lsm_bpf_cleanup(const Unit *u) {
@ -290,7 +290,7 @@ int lsm_bpf_parse_filesystem(
set = filesystem_set_find(name);
if (!set) {
log_syntax(unit, flags & FILESYSTEM_PARSE_LOG ? LOG_WARNING : LOG_DEBUG, filename, line, 0,
"bpf-lsm: Unknown filesystem group, ignoring: %s", name);
"bpf-restrict-fs: Unknown filesystem group, ignoring: %s", name);
return 0;
}


@ -3,7 +3,7 @@
#include <stdbool.h>
#include "bpf-lsm.h"
#include "bpf-restrict-fs.h"
#include "cgroup-util.h"
#include "cpu-set-util.h"
#include "firewall-util.h"


@ -22,7 +22,7 @@
#include "argv-util.h"
#include "barrier.h"
#include "bpf-dlopen.h"
#include "bpf-lsm.h"
#include "bpf-restrict-fs.h"
#include "btrfs-util.h"
#include "capability-util.h"
#include "cgroup-setup.h"


@ -16,8 +16,8 @@
#include "all-units.h"
#include "alloc-util.h"
#include "bpf-firewall.h"
#include "bpf-lsm.h"
#include "bpf-program.h"
#include "bpf-restrict-fs.h"
#include "bpf-socket-bind.h"
#include "bus-error.h"
#include "bus-internal.h"


@ -21,7 +21,7 @@
#include "architecture.h"
#include "argv-util.h"
#if HAVE_LIBBPF
#include "bpf-lsm.h"
#include "bpf-restrict-fs.h"
#endif
#include "build.h"
#include "bus-error.h"


@ -7,7 +7,7 @@ libcore_sources = files(
'bpf-devices.c',
'bpf-firewall.c',
'bpf-foreign.c',
'bpf-lsm.c',
'bpf-restrict-fs.c',
'bpf-socket-bind.c',
'cgroup.c',
'core-varlink.c',


@ -478,7 +478,7 @@ executables += [
'sources' : files('test-bpf-foreign-programs.c'),
},
core_test_template + {
'sources' : files('test-bpf-lsm.c'),
'sources' : files('test-bpf-restrict-fs.c'),
'dependencies' : common_test_dependencies,
},
core_test_template + {


@ -1,6 +1,6 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "bpf-lsm.h"
#include "bpf-restrict-fs.h"
#include "load-fragment.h"
#include "manager.h"
#include "process-util.h"