| field | value | |
|---|---|---|
| author | Iago Lopez Galeiras <iagol@microsoft.com> | 2021-07-13 09:51:06 +0200 |
| committer | Iago Lopez Galeiras <iagol@microsoft.com> | 2021-10-06 10:52:14 +0200 |
| commit | 184b4f78cfbded54a6e06bbe1152256c204a7a73 (patch) | |
| tree | c2ba69bab7524fe384aece04684a2cec64e13d7f | /src/core/manager.h |
| parent | 510cdbeb5ba841c9e9d9fa62303ecb2673b77b9e (diff) | |
| download | systemd-184b4f78cfbded54a6e06bbe1152256c204a7a73.tar.gz | |
core: add BPF LSM functions

This adds 6 functions to implement RestrictFileSystems=

* lsm_bpf_supported() checks if LSM BPF is supported. It checks that cgroupv2 is used, that BPF LSM is enabled, and tries to load the BPF LSM program which makes sure BTF and hash of maps are supported, and BPF LSM programs can be loaded.
* lsm_bpf_setup() loads and attaches the LSM BPF program.
* lsm_bpf_unit_restrict_filesystems() populates the hash of maps BPF map with the cgroupID and the set of allowed or denied filesystems.
* lsm_bpf_cleanup() removes a cgroupID entry from the hash of maps.
* lsm_bpf_map_restrict_fs_fd() is a helper function to get the file descriptor of the BPF map.
* lsm_bpf_destroy() is a wrapper around the destroy function of the BPF skeleton file.
Diffstat (limited to 'src/core/manager.h')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | src/core/manager.h | 3 |

1 files changed, 3 insertions, 0 deletions
diff --git a/src/core/manager.h b/src/core/manager.h index 97c12ce48f..29ce812121 100644 --- a/src/core/manager.h +++ b/src/core/manager.h @@ -450,6 +450,9 @@ struct Manager { * we're a user manager, this object manages the client connection from the user manager to * systemd-oomd to report changes in ManagedOOM settings (systemd client - oomd server). */ Varlink *managed_oom_varlink; + + /* Reference to RestrictFileSystems= BPF program */ + struct restrict_fs_bpf *restrict_fs; }; static inline usec_t manager_default_timeout_abort_usec(Manager *m) { |
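Review bot: the ownership and lifetime of the new `restrict_fs` member are not documented; the comment `/* Reference to RestrictFileSystems= BPF program */` should state that the pointer is set by lsm_bpf_setup(), stays NULL when lsm_bpf_supported() reports no support, and is released through lsm_bpf_destroy() when the Manager is torn down, so that callers know to guard for NULL and that no other path frees it. As a style point, since `struct restrict_fs_bpf` comes from the generated BPF skeleton and only a pointer is stored here, add an explicit forward declaration `struct restrict_fs_bpf;` alongside the other forward declarations in manager.h rather than relying on the tag being introduced implicitly inside `struct Manager`; that keeps the header free of the skeleton include and makes the intent obvious to readers.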