
lsm-util: move detection of support of LSMs into a new lsm-util.[ch] helper

This makes the bpf LSM check generic, so that we can use it elsewhere.
It also drops the caching inside it, given that the bpf-lsm code in PID1
will cache the result a second time, one stack frame further up, when it checks for
various other bpf functionality.
This commit is contained in:
Lennart Poettering 2023-03-16 17:56:23 +01:00 committed by Zbigniew Jędrzejewski-Szmek
parent 25d9c6cdaf
commit b3a062cb80
4 changed files with 40 additions and 37 deletions


@ -16,6 +16,7 @@
#include "fileio.h"
#include "filesystems.h"
#include "log.h"
#include "lsm-util.h"
#include "manager.h"
#include "mkdir.h"
#include "nulstr-util.h"
@ -91,41 +92,6 @@ static int prepare_restrict_fs_bpf(struct restrict_fs_bpf **ret_obj) {
return 0;
}
static int mac_bpf_use(void) {
_cleanup_free_ char *lsm_list = NULL;
static int cached_use = -1;
int r;
if (cached_use >= 0)
return cached_use;
cached_use = 0;
r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list);
if (r < 0) {
if (r != -ENOENT)
log_notice_errno(r, "bpf-lsm: Failed to read /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
return 0;
}
for (const char *p = lsm_list;;) {
_cleanup_free_ char *word = NULL;
r = extract_first_word(&p, &word, ",", 0);
if (r == 0)
return 0;
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_notice_errno(r, "bpf-lsm: Failed to parse /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
return 0;
}
if (streq(word, "bpf"))
return cached_use = 1;
}
}
bool lsm_bpf_supported(bool initialize) {
_cleanup_(restrict_fs_bpf_freep) struct restrict_fs_bpf *obj = NULL;
static int supported = -1;
@ -139,12 +105,11 @@ bool lsm_bpf_supported(bool initialize) {
if (!cgroup_bpf_supported())
return (supported = false);
r = mac_bpf_use();
r = lsm_supported("bpf");
if (r < 0) {
log_warning_errno(r, "bpf-lsm: Can't determine whether the BPF LSM module is used: %m");
return (supported = false);
}
if (r == 0) {
log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported");
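Review bot: The `r == 0` branch at the end of the hunk logs "BPF LSM hook not enabled in the kernel" for two different conditions, because the new lsm_supported() returns 0 both when "bpf" is absent from the list and when /sys/kernel/security/lsm does not exist at all (its -ENOENT case returns false rather than an error). The removed mac_bpf_use() folded -ENOENT into 0 the same way, so this is not a regression, but the decision now lives in another file and the log text no longer hints at the second case. A short comment on the new call would keep that visible: `/* lsm_supported() also yields 0 when /sys/kernel/security/lsm is missing, not only when "bpf" is not listed */`. lsm_bpf_supported() starts before this hunk and continues past it.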

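--- /dev/null
+++ b/src/shared/lsm-util.c
@@ -0,0 +1,33 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#include "alloc-util.h"
+#include "extract-word.h"
+#include "fileio.h"
+#include "lsm-util.h"
+#include "string-util.h"
+int lsm_supported(const char *name) {
+_cleanup_free_ char *lsm_list = NULL;
+int r;
+assert(name);
+r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list);
+if (r == -ENOENT) /* LSM support not available at all? */
+return false;
+if (r < 0)
+return log_debug_errno(r, "Failed to read /sys/kernel/security/lsm: %m");
+for (const char *p = lsm_list;;) {
+_cleanup_free_ char *word = NULL;
+r = extract_first_word(&p, &word, ",", 0);
+if (r == 0)
+return false;
+if (r < 0)
+return log_debug_errno(r, "Failed to parse /sys/kernel/security/lsm: %m");
+if (streq(word, name))
+return true;
+}
+}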
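Review bot: lsm_supported() has no comment stating its return contract, although callers must distinguish three outcomes: > 0 when `name` is an entry of /sys/kernel/security/lsm, 0 when it is not (including the -ENOENT case at the top, which is folded into false), and a negative errno for any other read or parse failure, which is only logged at debug level here. A caller written as `if (!lsm_supported("bpf"))` would treat a read error as "supported", since a negative value is truthy, so the tri-state nature is worth pinning down next to the definition or on the declaration in lsm-util.h. Suggested comment above the function: `/* Returns > 0 if the LSM 'name' is listed in /sys/kernel/security/lsm, 0 if it is not or if that file does not exist, and a negative errno on any other failure. */`.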

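--- /dev/null
+++ b/src/shared/lsm-util.h
@@ -0,0 +1,4 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+int lsm_supported(const char *name);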


@ -105,6 +105,7 @@ shared_sources = files(
'logs-show.c',
'loop-util.c',
'loopback-setup.c',
'lsm-util.c',
'machine-id-setup.c',
'machine-pool.c',
'macvlan-util.c',