diff options
| author | Julia Kartseva <hex@fb.com> | 2022-01-05 16:34:56 -0800 |
|---|---|---|
| committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-01-07 16:25:45 +0900 |
| commit | 299d9417238e0727a48ebaabb5a9de0c908ec5c8 (patch) | |
| tree | 20fafaa6d05456aac0e41aa9d0fd63e40ee222e2 /src/core/bpf-lsm.c | |
| parent | 2bdd2e7ac9dd9db98c534e57c4bcbf41900c91e9 (diff) | |
| download | systemd-299d9417238e0727a48ebaabb5a9de0c908ec5c8.tar.gz | |
bpf: do not freeze if bpf lsm fails to set up
BPF LSM is cgroup unaware and it's set up is happening in core manager.
It occures that the current implementation is too restrictive and causes
pid 1 to freeze.
Instead:
* in bpf_lsm_setup set manager->restrict_fs pointer last,
so it is an indicator that the set up was successful
* check for manager->restrict_fs before applying unit options
Diffstat (limited to 'src/core/bpf-lsm.c')
| -rw-r--r-- | src/core/bpf-lsm.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/src/core/bpf-lsm.c b/src/core/bpf-lsm.c index 79d17b0751..e0333963c5 100644 --- a/src/core/bpf-lsm.c +++ b/src/core/bpf-lsm.c @@ -176,7 +176,7 @@ int lsm_bpf_supported(void) { } int lsm_bpf_setup(Manager *m) { - struct restrict_fs_bpf *obj; + _cleanup_(restrict_fs_bpf_freep) struct restrict_fs_bpf *obj = NULL; _cleanup_(bpf_link_freep) struct bpf_link *link = NULL; int r; @@ -186,17 +186,16 @@ int lsm_bpf_setup(Manager *m) { if (r < 0) return r; - m->restrict_fs = obj; - - link = sym_bpf_program__attach_lsm(m->restrict_fs->progs.restrict_filesystems); + link = sym_bpf_program__attach_lsm(obj->progs.restrict_filesystems); r = sym_libbpf_get_error(link); if (r != 0) return log_error_errno(r, "Failed to link '%s' LSM BPF program: %m", - sym_bpf_program__name(m->restrict_fs->progs.restrict_filesystems)); + sym_bpf_program__name(obj->progs.restrict_filesystems)); log_info("LSM BPF program attached"); - m->restrict_fs->links.restrict_filesystems = TAKE_PTR(link); + obj->links.restrict_filesystems = TAKE_PTR(link); + m->restrict_fs = TAKE_PTR(obj); return 0; } @@ -210,6 +209,10 @@ int lsm_bpf_unit_restrict_filesystems(Unit *u, const Set *filesystems, bool allo assert(filesystems); assert(u); + if (!u->manager->restrict_fs) + return log_unit_error_errno(u, SYNTHETIC_ERRNO(EINVAL), + "Restrict filesystems BPF object is not set, BPF LSM setup has failed?"); + int inner_map_fd = sym_bpf_create_map( BPF_MAP_TYPE_HASH, sizeof(uint32_t), |