From 184b4f78cfbded54a6e06bbe1152256c204a7a73 Mon Sep 17 00:00:00 2001
From: Iago Lopez Galeiras
Date: Tue, 13 Jul 2021 09:51:06 +0200
Subject: core: add BPF LSM functions

This adds 6 functions to implement RestrictFileSystems=
* lsm_bpf_supported() checks if LSM BPF is supported. It checks that cgroupv2 is used, that BPF LSM is enabled, and tries to load the BPF LSM program which makes sure BTF and hash of maps are supported, and BPF LSM programs can be loaded.
* lsm_bpf_setup() loads and attaches the LSM BPF program.
* lsm_bpf_unit_restrict_filesystems() populates the hash of maps BPF map with the cgroupID and the set of allowed or denied filesystems.
* lsm_bpf_cleanup() removes a cgroupID entry from the hash of maps.
* lsm_bpf_map_restrict_fs_fd() is a helper function to get the file descriptor of the BPF map.
* lsm_bpf_destroy() is a wrapper around the destroy function of the BPF skeleton file.
---
src/core/manager.h | 3 +++
1 file changed, 3 insertions(+)
(limited to 'src/core/manager.h')

diff --git a/src/core/manager.h b/src/core/manager.h
index 97c12ce48f..29ce812121 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -450,6 +450,9 @@ struct Manager {
 * we're a user manager, this object manages the client connection from the user manager to
 * systemd-oomd to report changes in ManagedOOM settings (systemd client - oomd server). */
 Varlink *managed_oom_varlink;
+
+ /* Reference to RestrictFileSystems= BPF program */
+ struct restrict_fs_bpf *restrict_fs;
 };
 
 static inline usec_t manager_default_timeout_abort_usec(Manager *m) {
-- 
cgit v1.2.1
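Review bot: The comment on the new `restrict_fs` member says what it points to but not who owns the object or when the pointer may be NULL, which is what a reader of this header needs before dereferencing it; struct Manager's definition begins before this hunk. Given that the commit message describes lsm_bpf_supported() as the gate for loading and lsm_bpf_destroy() as the wrapper around the skeleton's destroy, the comment should presumably spell that out, e.g. `/* RestrictFileSystems= BPF LSM skeleton, owned by the Manager; NULL when BPF LSM is unavailable or not yet set up (see lsm_bpf_supported()), released via lsm_bpf_destroy() */`. That makes it explicit that callers treat NULL as "feature unavailable" rather than as an error, so units with RestrictFileSystems= degrade predictably instead of crashing on an unloaded program. Whether the destroy call is actually wired into the manager teardown path is not visible in this hunk and should be confirmed in manager.c.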