lsm-util: move detection of support of LSMs into a new lsm-util.[ch] helper
This makes the bpf LSM check generic, so that we can use it elsewhere. It also drops the caching inside it, given that the bpf-lsm code in PID 1 will cache the result a second time one stack frame further up, when it checks for various other bpf functionality.
This commit is contained in:
parent
25d9c6cdaf
commit
b3a062cb80
@ -16,6 +16,7 @@
|
||||
#include "fileio.h"
|
||||
#include "filesystems.h"
|
||||
#include "log.h"
|
||||
#include "lsm-util.h"
|
||||
#include "manager.h"
|
||||
#include "mkdir.h"
|
||||
#include "nulstr-util.h"
|
||||
@ -91,41 +92,6 @@ static int prepare_restrict_fs_bpf(struct restrict_fs_bpf **ret_obj) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int mac_bpf_use(void) {
|
||||
_cleanup_free_ char *lsm_list = NULL;
|
||||
static int cached_use = -1;
|
||||
int r;
|
||||
|
||||
if (cached_use >= 0)
|
||||
return cached_use;
|
||||
|
||||
cached_use = 0;
|
||||
|
||||
r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list);
|
||||
if (r < 0) {
|
||||
if (r != -ENOENT)
|
||||
log_notice_errno(r, "bpf-lsm: Failed to read /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
|
||||
return 0;
|
||||
}
|
||||
|
||||
for (const char *p = lsm_list;;) {
|
||||
_cleanup_free_ char *word = NULL;
|
||||
|
||||
r = extract_first_word(&p, &word, ",", 0);
|
||||
if (r == 0)
|
||||
return 0;
|
||||
if (r == -ENOMEM)
|
||||
return log_oom();
|
||||
if (r < 0) {
|
||||
log_notice_errno(r, "bpf-lsm: Failed to parse /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (streq(word, "bpf"))
|
||||
return cached_use = 1;
|
||||
}
|
||||
}
|
||||
|
||||
bool lsm_bpf_supported(bool initialize) {
|
||||
_cleanup_(restrict_fs_bpf_freep) struct restrict_fs_bpf *obj = NULL;
|
||||
static int supported = -1;
|
||||
@ -139,12 +105,11 @@ bool lsm_bpf_supported(bool initialize) {
|
||||
if (!cgroup_bpf_supported())
|
||||
return (supported = false);
|
||||
|
||||
r = mac_bpf_use();
|
||||
r = lsm_supported("bpf");
|
||||
if (r < 0) {
|
||||
log_warning_errno(r, "bpf-lsm: Can't determine whether the BPF LSM module is used: %m");
|
||||
return (supported = false);
|
||||
}
|
||||
|
||||
if (r == 0) {
|
||||
log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||
"bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported");
|
||||
|
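--- /dev/null
+++ b/src/shared/lsm-util.c
@@ -0,0 +1,33 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "alloc-util.h"
+#include "extract-word.h"
+#include "fileio.h"
+#include "lsm-util.h"
+#include "string-util.h"
+
+int lsm_supported(const char *name) {
+        _cleanup_free_ char *lsm_list = NULL;
+        int r;
+
+        assert(name);
+
+        r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list);
+        if (r == -ENOENT) /* LSM support not available at all? */
+                return false;
+        if (r < 0)
+                return log_debug_errno(r, "Failed to read /sys/kernel/security/lsm: %m");
+
+        for (const char *p = lsm_list;;) {
+                _cleanup_free_ char *word = NULL;
+
+                r = extract_first_word(&p, &word, ",", 0);
+                if (r == 0)
+                        return false;
+                if (r < 0)
+                        return log_debug_errno(r, "Failed to parse /sys/kernel/security/lsm: %m");
+
+                if (streq(word, name))
+                        return true;
+        }
+}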
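Review bot: lsm_supported() propagates every failure other than ENOENT as a negative errno (the two `if (r < 0)` branches after read_one_line_file() and extract_first_word()), whereas the mac_bpf_use() it replaces mapped those failures to 0 and routed -ENOMEM through log_oom(); since the return type is int, a negative value is truthy, so any new caller that writes `if (lsm_supported("bpf"))` will treat, for example, a permission error on /sys/kernel/security/lsm as "supported". The caller updated in this commit checks `r < 0` before looking at the value, so it is fine, but the commit message says the helper is meant for reuse elsewhere. I would state the contract above the definition: `/* Returns 1 if "name" is listed in /sys/kernel/security/lsm, 0 if it is not or the file does not exist, negative errno on any other read/parse failure — check for < 0 before using the result as a bool. */`. If an allocation failure should stay visible at the default log level as it was before, `if (r == -ENOMEM) return log_oom();` ahead of the generic `r < 0` check after extract_first_word() would restore that.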
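--- /dev/null
+++ b/src/shared/lsm-util.h
@@ -0,0 +1,4 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+int lsm_supported(const char *name);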
@ -105,6 +105,7 @@ shared_sources = files(
|
||||
'logs-show.c',
|
||||
'loop-util.c',
|
||||
'loopback-setup.c',
|
||||
'lsm-util.c',
|
||||
'machine-id-setup.c',
|
||||
'machine-pool.c',
|
||||
'macvlan-util.c',
|
||||
|