diff options
| author | Lennart Poettering <lennart@poettering.net> | 2023-03-16 17:56:23 +0100 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2023-04-18 08:22:21 +0200 |
| commit | b3a062cb80bfa4ca96a321aa4736fe4f939ff7cd (patch) | |
| tree | 61e334c0835fca70683a8768fff6f9fcd9776ed1 /src/core | |
| parent | 25d9c6cdaf82d3f627db92b69f3be3e2a68e06fa (diff) | |
| download | systemd-b3a062cb80bfa4ca96a321aa4736fe4f939ff7cd.tar.gz | |
lsm-util: move detection of support of LSMs into a new lsm-util.[ch] helper
This makes the bpf LSM check generic, so that we can use it elsewhere.
it also drops the caching inside it, given that bpf-lsm code in PID1
will cache it a second time a stack frame further up when it checks for
various other bpf functionality.
Diffstat (limited to 'src/core')
| -rw-r--r-- | src/core/bpf-lsm.c | 39 |
1 files changed, 2 insertions, 37 deletions
diff --git a/src/core/bpf-lsm.c b/src/core/bpf-lsm.c index 0be250af5c..5f614ead04 100644 --- a/src/core/bpf-lsm.c +++ b/src/core/bpf-lsm.c @@ -16,6 +16,7 @@ #include "fileio.h" #include "filesystems.h" #include "log.h" +#include "lsm-util.h" #include "manager.h" #include "mkdir.h" #include "nulstr-util.h" @@ -91,41 +92,6 @@ static int prepare_restrict_fs_bpf(struct restrict_fs_bpf **ret_obj) { return 0; } -static int mac_bpf_use(void) { - _cleanup_free_ char *lsm_list = NULL; - static int cached_use = -1; - int r; - - if (cached_use >= 0) - return cached_use; - - cached_use = 0; - - r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list); - if (r < 0) { - if (r != -ENOENT) - log_notice_errno(r, "bpf-lsm: Failed to read /sys/kernel/security/lsm, assuming bpf is unavailable: %m"); - return 0; - } - - for (const char *p = lsm_list;;) { - _cleanup_free_ char *word = NULL; - - r = extract_first_word(&p, &word, ",", 0); - if (r == 0) - return 0; - if (r == -ENOMEM) - return log_oom(); - if (r < 0) { - log_notice_errno(r, "bpf-lsm: Failed to parse /sys/kernel/security/lsm, assuming bpf is unavailable: %m"); - return 0; - } - - if (streq(word, "bpf")) - return cached_use = 1; - } -} - bool lsm_bpf_supported(bool initialize) { _cleanup_(restrict_fs_bpf_freep) struct restrict_fs_bpf *obj = NULL; static int supported = -1; @@ -139,12 +105,11 @@ bool lsm_bpf_supported(bool initialize) { if (!cgroup_bpf_supported()) return (supported = false); - r = mac_bpf_use(); + r = lsm_supported("bpf"); if (r < 0) { log_warning_errno(r, "bpf-lsm: Can't determine whether the BPF LSM module is used: %m"); return (supported = false); } - if (r == 0) { log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported"); |