diff options
| author | Iago Lopez Galeiras <iagol@microsoft.com> | 2021-10-05 13:18:49 +0200 |
|---|---|---|
| committer | Iago Lopez Galeiras <iagol@microsoft.com> | 2021-10-06 10:52:14 +0200 |
| commit | b1994387d3cb50b212fc4815941a8ff40d60cd85 (patch) | |
| tree | fef8dae9681c45cd38c86a33d88499bf43875814 /src/core/cgroup.c | |
| parent | core: add BPF LSM functions (diff) | |
| download | systemd-b1994387d3cb50b212fc4815941a8ff40d60cd85.tar.xz systemd-b1994387d3cb50b212fc4815941a8ff40d60cd85.zip | |
core: use LSM BPF functions to implement RestrictFileSystems=
It attaches the LSM BPF program when the system manager starts up.
It populates the hash of maps BPF map when services that have
RestrictFileSystems= set start.
It cleans up the hash of maps when the unit cgroup is pruned.
To pass the file descriptor of the BPF map we add it to the keep_fds
array.
Diffstat (limited to 'src/core/cgroup.c')
| -rw-r--r-- | src/core/cgroup.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/core/cgroup.c b/src/core/cgroup.c index 1559259622..2b15310191 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -37,6 +37,12 @@ #include "string-util.h" #include "virt.h" +#if BPF_FRAMEWORK +#include "bpf-dlopen.h" +#include "bpf-link.h" +#include "bpf/restrict_fs/restrict-fs-skel.h" +#endif + #define CGROUP_CPU_QUOTA_DEFAULT_PERIOD_USEC ((usec_t) 100 * USEC_PER_MSEC) /* Returns the log level to use when cgroup attribute writes fail. When an attribute is missing or we have access @@ -2736,6 +2742,10 @@ void unit_prune_cgroup(Unit *u) { (void) unit_get_cpu_usage(u, NULL); /* Cache the last CPU usage value before we destroy the cgroup */ +#if BPF_FRAMEWORK + (void) lsm_bpf_cleanup(u); /* Remove cgroup from the global LSM BPF map */ +#endif + is_root_slice = unit_has_name(u, SPECIAL_ROOT_SLICE); r = cg_trim_everywhere(u->manager->cgroup_supported, u->cgroup_path, !is_root_slice); |