authorIago López Galeiras <iagol@microsoft.com>2021-02-11 16:59:30 +0100
committerIago Lopez Galeiras <iagol@microsoft.com>2021-10-06 10:52:14 +0200
commite59ccd035c94a8448d9b99bb0b8056ed3d3a339c (patch)
tree594049fe756c6a7fcaa6d439b1e81aa9f7369614 /src/core/bpf-lsm.h
parentb1994387d3cb50b212fc4815941a8ff40d60cd85 (diff)
core: add RestrictFileSystems= fragment parser
It takes an allow list or a deny list of the filesystems that services should have access to.
Diffstat (limited to 'src/core/bpf-lsm.h')
-rw-r--r--src/core/bpf-lsm.h12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/core/bpf-lsm.h b/src/core/bpf-lsm.h
index 625fb32b50..8bd58a29e5 100644
--- a/src/core/bpf-lsm.h
+++ b/src/core/bpf-lsm.h
@@ -3,6 +3,12 @@
#include "hashmap.h"
+typedef enum FilesystemParseFlags {
+ FILESYSTEM_PARSE_INVERT = 1 << 0,
+ FILESYSTEM_PARSE_ALLOW_LIST = 1 << 1,
+ FILESYSTEM_PARSE_LOG = 1 << 2,
+} FilesystemParseFlags;
+
typedef struct Unit Unit;
typedef struct Manager Manager;
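Review bot: The three FilesystemParseFlags values are added without any comment, and since this is a public header the meaning of FILESYSTEM_PARSE_INVERT versus FILESYSTEM_PARSE_ALLOW_LIST, and how they combine, is not recoverable from the names alone (the commit message only says the setting takes "an allow or deny list"). A one-line comment per value would settle it, e.g. `FILESYSTEM_PARSE_INVERT = 1 << 0,      /* the entry negates the listed filesystems (remove instead of add) — TODO confirm */`, `FILESYSTEM_PARSE_ALLOW_LIST = 1 << 1,  /* the set is interpreted as an allow list rather than a deny list — TODO confirm */` and `FILESYSTEM_PARSE_LOG = 1 << 2,         /* emit a diagnostic for unknown names instead of failing silently — TODO confirm */`. If INVERT follows the `~` prefix convention used by other list-type unit settings, say so explicitly so that callers do not conflate it with ALLOW_LIST.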
@@ -14,3 +20,9 @@ int lsm_bpf_unit_restrict_filesystems(Unit *u, const Set *filesystems, bool allo
int lsm_bpf_cleanup(const Unit *u);
int lsm_bpf_map_restrict_fs_fd(Unit *u);
void lsm_bpf_destroy(struct restrict_fs_bpf *prog);
+int lsm_bpf_parse_filesystem(const char *name,
+ Set **filesystems,
+ FilesystemParseFlags flags,
+ const char *unit,
+ const char *filename,
+ unsigned line);
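Review bot: The new lsm_bpf_parse_filesystem() prototype has no contract documentation, and since `name` comes from unit configuration and the parsed set ends up governing the BPF LSM filesystem restriction, callers need to know what happens on an unrecognised name (error return versus logged-and-skipped, presumably steered by FILESYSTEM_PARSE_LOG) and whether `*filesystems` may be NULL on entry and is allocated by the callee. I would add a header comment above the declaration stating the return convention (0 on success, negative errno on failure, if that is what the implementation does), that the function adds to or removes from `*filesystems` depending on `flags`, ownership of the set, and that `unit`, `filename` and `line` are only used as context for diagnostics — each hedged until confirmed against the .c file, which is not in this hunk. Also worth noting in that comment whether `name` may be a filesystem group as well as a single filesystem, since the hunk does not show which forms are accepted.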