authorIago López Galeiras <iagol@microsoft.com>2021-02-11 16:59:30 +0100
committerIago Lopez Galeiras <iagol@microsoft.com>2021-10-06 10:52:14 +0200
commite59ccd035c94a8448d9b99bb0b8056ed3d3a339c (patch)
tree594049fe756c6a7fcaa6d439b1e81aa9f7369614 /src/core/bpf-lsm.c
parentb1994387d3cb50b212fc4815941a8ff40d60cd85 (diff)
downloadsystemd-e59ccd035c94a8448d9b99bb0b8056ed3d3a339c.tar.gz
core: add RestrictFileSystems= fragment parser
It takes an allow or deny list of filesystems services should have access to.
Diffstat (limited to 'src/core/bpf-lsm.c')
-rw-r--r--src/core/bpf-lsm.c54
1 files changed, 54 insertions, 0 deletions
diff --git a/src/core/bpf-lsm.c b/src/core/bpf-lsm.c
index 3e480c6257..46c2446849 100644
--- a/src/core/bpf-lsm.c
+++ b/src/core/bpf-lsm.c
@@ -325,3 +325,57 @@ void lsm_bpf_destroy(struct restrict_fs_bpf *prog) {
return;
}
#endif
+
+int lsm_bpf_parse_filesystem(
+ const char *name,
+ Set **filesystems,
+ FilesystemParseFlags flags,
+ const char *unit,
+ const char *filename,
+ unsigned line) {
+ int r;
+
+ assert(name);
+ assert(filesystems);
+
+ if (name[0] == '@') {
+ const FilesystemSet *set;
+ const char *i;
+
+ set = filesystem_set_find(name);
+ if (!set) {
+ log_syntax(unit, flags & FILESYSTEM_PARSE_LOG ? LOG_WARNING : LOG_DEBUG, filename, line, 0,
+ "Unknown filesystem group, ignoring: %s", name);
+ return 0;
+ }
+
+ NULSTR_FOREACH(i, set->value) {
+ /* Call ourselves again, for the group to parse. Note that we downgrade logging here (i.e. take
+ * away the FILESYSTEM_PARSE_LOG flag) since any issues in the group table are our own problem,
+ * not a problem in user configuration data and we shouldn't pretend otherwise by complaining
+ * about them. */
+ r = lsm_bpf_parse_filesystem(i, filesystems, flags &~ FILESYSTEM_PARSE_LOG, unit, filename, line);
+ if (r < 0)
+ return r;
+ }
+ } else {
+ /* If we previously wanted to forbid access to a filesystem and now
+ * we want to allow it, then remove it from the list. */
+ if (!(flags & FILESYSTEM_PARSE_INVERT) == !!(flags & FILESYSTEM_PARSE_ALLOW_LIST)) {
+ r = set_put_strdup(filesystems, name);
+ if (r < 0)
+ switch (r) {
+ case -ENOMEM:
+ return flags & FILESYSTEM_PARSE_LOG ? log_oom() : -ENOMEM;
+ case -EEXIST:
+ /* Alredy in set, ignore */
+ break;
+ default:
+ return r;
+ }
+ } else
+ free(set_remove(*filesystems, name));
+ }
+
+ return 0;
+}
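Review bot: In the non-group branch (the `else` after the `name[0] == '@'` test), `name` is passed straight to `set_put_strdup(filesystems, name)` with no check that it is a known filesystem type and no log message. A misspelled entry in a deny list would therefore be stored silently and would presumably never match anything. Unless the caller already validates names (not visible in this hunk), I would check the name against the known filesystem types before inserting it and emit a `log_syntax()` warning, as the unknown-group path does. That unknown-group path also deserves a second look: it returns 0 after a message that drops to `LOG_DEBUG` whenever `FILESYSTEM_PARSE_LOG` is unset, so for a deny list a skipped group fails open with little trace. Finally, the comment above the `FILESYSTEM_PARSE_INVERT`/`FILESYSTEM_PARSE_ALLOW_LIST` comparison describes only the removal case; something like `/* Add the name when the entry's sense matches the list's sense; otherwise drop a previously added entry. */` would cover both branches.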