Diffstat (limited to 'src/core/bpf-lsm.c')
-rw-r--r-- | src/core/bpf-lsm.c | 66 |
1 files changed, 26 insertions, 40 deletions
diff --git a/src/core/bpf-lsm.c b/src/core/bpf-lsm.c index 8af2da0288..79d17b0751 100644 --- a/src/core/bpf-lsm.c +++ b/src/core/bpf-lsm.c @@ -64,10 +64,10 @@ static int prepare_restrict_fs_bpf(struct restrict_fs_bpf **ret_obj) { /* TODO Maybe choose a number based on runtime information? */ r = sym_bpf_map__resize(obj->maps.cgroup_hash, CGROUP_HASH_SIZE_MAX); - if (r != 0) - return log_error_errno(r, - "Failed to resize BPF map '%s': %m", - sym_bpf_map__name(obj->maps.cgroup_hash)); + assert(r <= 0); + if (r < 0) + return log_error_errno(r, "Failed to resize BPF map '%s': %m", + sym_bpf_map__name(obj->maps.cgroup_hash)); /* Dummy map to satisfy the verifier */ inner_map_fd = sym_bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(uint32_t), 128, 0); @@ -75,11 +75,13 @@ static int prepare_restrict_fs_bpf(struct restrict_fs_bpf **ret_obj) { return log_error_errno(errno, "Failed to create BPF map: %m"); r = sym_bpf_map__set_inner_map_fd(obj->maps.cgroup_hash, inner_map_fd); + assert(r <= 0); if (r < 0) return log_error_errno(r, "Failed to set inner map fd: %m"); r = restrict_fs_bpf__load(obj); - if (r) + assert(r <= 0); + if (r < 0) return log_error_errno(r, "Failed to load BPF object"); *ret_obj = TAKE_PTR(obj); 
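Review bot: The three added `assert(r <= 0);` lines (one here after `sym_bpf_map__resize()`, two in the next hunk) turn a positive return from the dynamically loaded `sym_bpf_*` functions into an assertion failure in the manager, where the old `if (r != 0)` and `if (r)` tests logged it and returned an error. If the intent is only to document the libbpf contract, keeping the non-zero test in front of the error return (`if (r != 0)`) preserves graceful failure. Otherwise add a comment such as `/* libbpf returns 0 or a negative errno here; a positive value is a programming error */` so the reason for aborting is on record. prepare_restrict_fs_bpf() starts and ends outside these hunks.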
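Review bot: The load-failure message in the second hunk, `"Failed to load BPF object"`, is the only one in this function without `: %m`, so the log line will not say why `restrict_fs_bpf__load()` failed. Since `r` is already passed to `log_error_errno()`, the change is `return log_error_errno(r, "Failed to load BPF object: %m");`. The reason for a load failure is what an operator needs when filesystem restriction cannot be set up.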
@@ -99,34 +101,27 @@ static int mac_bpf_use(void) { r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list); if (r < 0) { - if (errno != ENOENT) - log_debug_errno(r, "Failed to read /sys/kernel/security/lsm, ignoring: %m"); - + if (r != -ENOENT) + log_notice_errno(r, "Failed to read /sys/kernel/security/lsm, assuming bpf is unavailable: %m"); return 0; } - const char *p = lsm_list; - - for (;;) { + for (const char *p = lsm_list;;) { _cleanup_free_ char *word = NULL; r = extract_first_word(&p, &word, ",", 0); if (r == 0) - break; + return 0; if (r == -ENOMEM) return log_oom(); if (r < 0) { - log_debug_errno(r, "Failed to parse /sys/kernel/security/lsm, ignoring: %m"); + log_notice_errno(r, "Failed to parse /sys/kernel/security/lsm, assuming bpf is unavailable: %m"); return 0; } - if (streq(word, "bpf")) { - cached_use = 1; - break; - } + if (streq(word, "bpf")) + return cached_use = 1; } - - return cached_use; } int lsm_bpf_supported(void) { @@ -181,7 +176,7 @@ int lsm_bpf_supported(void) { } int lsm_bpf_setup(Manager *m) { - struct restrict_fs_bpf *obj = NULL; + struct restrict_fs_bpf *obj; _cleanup_(bpf_link_freep) struct bpf_link *link = NULL; int r; @@ -207,7 +202,6 @@ int lsm_bpf_setup(Manager *m) { } int lsm_bpf_unit_restrict_filesystems(Unit *u, const Set *filesystems, bool allow_list) { - int inner_map_fd = -1, outer_map_fd = -1; uint32_t dummy_value = 1, zero = 0; const char *fs; const statfs_f_type_t *magic; @@ -216,7 +210,7 @@ int lsm_bpf_unit_restrict_filesystems(Unit *u, const Set *filesystems, bool allo assert(filesystems); assert(u); - inner_map_fd = sym_bpf_create_map( + int inner_map_fd = sym_bpf_create_map( BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(uint32_t), 
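Review bot: The rewritten loop in mac_bpf_use() returns a literal `0` at end-of-list and on parse failure, where the old code fell through to `return cached_use;`. Whether a negative result is remembered now depends on how `cached_use` is initialised above the hunk, which is not visible here. A comment stating the contract would help, for example `/* Returns 1 if "bpf" is listed in /sys/kernel/security/lsm, 0 if it is not or the list cannot be read or parsed; negative only on OOM */`, adjusted to whatever the part of the function outside the hunk does. `return cached_use = 1;` would also read more clearly as an assignment followed by `return 1;`.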
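Review bot: Dropping the `= NULL` initialiser in lsm_bpf_setup() leaves `obj` indeterminate until prepare_restrict_fs_bpf() succeeds, and the visible part of that function writes `*ret_obj` only on its success path. This is safe only while every use of `obj` sits behind the error check on that call. The rest of lsm_bpf_setup() is outside this hunk, and `obj` carries no cleanup attribute that would make the dependency obvious. Keeping `struct restrict_fs_bpf *obj = NULL;` costs nothing and keeps a later-added error path from reading an uninitialised pointer.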
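Review bot: In lsm_bpf_unit_restrict_filesystems(), `inner_map_fd` is now declared at first use but is still a plain `int`. The early return on `outer_map_fd < 0` in the following hunk therefore leaves without closing it, leaking a BPF map descriptor in the manager on each such failure. Declaring it as `_cleanup_close_ int inner_map_fd = sym_bpf_create_map(` would close it on every exit path. The remainder of the function is outside these hunks, so confirm that no later code expects the descriptor to stay open after return.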
@@ -225,7 +219,7 @@ int lsm_bpf_unit_restrict_filesystems(Unit *u, const Set *filesystems, bool allo if (inner_map_fd < 0) return log_unit_error_errno(u, errno, "Failed to create inner LSM map: %m"); - outer_map_fd = sym_bpf_map__fd(u->manager->restrict_fs->maps.cgroup_hash); + int outer_map_fd = sym_bpf_map__fd(u->manager->restrict_fs->maps.cgroup_hash); if (outer_map_fd < 0) return log_unit_error_errno(u, errno, "Failed to get BPF map fd: %m"); @@ -266,8 +260,6 @@ int lsm_bpf_unit_restrict_filesystems(Unit *u, const Set *filesystems, bool allo } int lsm_bpf_cleanup(const Unit *u) { - int fd = -1; - assert(u); assert(u->manager); @@ -277,7 +269,7 @@ int lsm_bpf_cleanup(const Unit *u) { if (!u->manager->restrict_fs) return 0; - fd = sym_bpf_map__fd(u->manager->restrict_fs->maps.cgroup_hash); + int fd = sym_bpf_map__fd(u->manager->restrict_fs->maps.cgroup_hash); if (fd < 0) return log_unit_error_errno(u, errno, "Failed to get BPF map fd: %m"); @@ -350,10 +342,10 @@ int lsm_bpf_parse_filesystem( } NULSTR_FOREACH(i, set->value) { - /* Call ourselves again, for the group to parse. Note that we downgrade logging here (i.e. take - * away the FILESYSTEM_PARSE_LOG flag) since any issues in the group table are our own problem, - * not a problem in user configuration data and we shouldn't pretend otherwise by complaining - * about them. */ + /* Call ourselves again, for the group to parse. Note that we downgrade logging here + * (i.e. take away the FILESYSTEM_PARSE_LOG flag) since any issues in the group table + * are our own problem, not a problem in user configuration data and we shouldn't + * pretend otherwise by complaining about them. */ r = lsm_bpf_parse_filesystem(i, filesystems, flags &~ FILESYSTEM_PARSE_LOG, unit, filename, line); if (r < 0) return r; 
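Review bot: The error return after `sym_bpf_map__fd()` logs the global `errno` rather than the value just returned, which is the same pattern this commit corrects for `read_one_line_file()` in mac_bpf_use(). The lsm_bpf_cleanup() hunk at -277 has the identical line for `fd`. Nothing visible here establishes that the call sets `errno` on failure, so `%m` may print a stale error. If the function returns a negative errno-style value, pass it directly: `return log_unit_error_errno(u, outer_map_fd, "Failed to get BPF map fd: %m");`, and likewise with `fd` in lsm_bpf_cleanup().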
@@ -363,16 +355,10 @@ int lsm_bpf_parse_filesystem( * we want to allow it, then remove it from the list. */ if (!(flags & FILESYSTEM_PARSE_INVERT) == !!(flags & FILESYSTEM_PARSE_ALLOW_LIST)) { r = set_put_strdup(filesystems, name); - if (r < 0) - switch (r) { - case -ENOMEM: - return flags & FILESYSTEM_PARSE_LOG ? log_oom() : -ENOMEM; - case -EEXIST: - /* Already in set, ignore */ - break; - default: - return r; - } + if (r == -ENOMEM) + return flags & FILESYSTEM_PARSE_LOG ? log_oom() : -ENOMEM; + if (r < 0 && r != -EEXIST) /* When already in set, ignore */ + return r; } else free(set_remove(*filesystems, name)); } |