diff options
| author | Lennart Poettering <lennart@poettering.net> | 2025-01-13 22:48:26 +0100 |
|---|---|---|
| committer | Luca Boccassi <luca.boccassi@gmail.com> | 2025-01-14 10:53:56 +0100 |
| commit | 5e35b6a5f7c0e6972a749966138ad42c326fd443 (patch) | |
| tree | 435d90b21555930d23724482d3ba4fc512c3450e | |
| parent | test: Only move journal file if we didn't just unlink it (diff) | |
| download | systemd-5e35b6a5f7c0e6972a749966138ad42c326fd443.tar.xz systemd-5e35b6a5f7c0e6972a749966138ad42c326fd443.zip | |
lsm: improve logging about absence of lsm-bpf
In containers securityfs is typically not mounted. Our lsm-bpf code
so far detected this situation and claimed the kernel was lacking
lsm-bpf support. Which isn't quite true though, it might very well
support it. This made boots of systemd in systemd-nspawn a bit ugly,
because of the misleading log message at boot.
Let's improve things, and make clearer what is going on.
| -rw-r--r-- | src/core/bpf-restrict-fs.c | 4 | ||||
| -rw-r--r-- | src/nsresourced/userns-restrict.c | 5 | ||||
| -rw-r--r-- | src/shared/lsm-util.c | 13 |
3 files changed, 20 insertions, 2 deletions
diff --git a/src/core/bpf-restrict-fs.c b/src/core/bpf-restrict-fs.c index d36bfb5d5e..c6c6dffed4 100644 --- a/src/core/bpf-restrict-fs.c +++ b/src/core/bpf-restrict-fs.c @@ -106,6 +106,10 @@ bool bpf_restrict_fs_supported(bool initialize) { return (supported = false); r = lsm_supported("bpf"); + if (r == -ENOPKG) { + log_info_errno(r, "bpf-restrict-fs: securityfs not mounted, BPF LSM support not available."); + return (supported = false); + } if (r < 0) { log_warning_errno(r, "bpf-restrict-fs: Can't determine whether the BPF LSM module is used: %m"); return (supported = false); diff --git a/src/nsresourced/userns-restrict.c b/src/nsresourced/userns-restrict.c index aed2e135cb..d57061e8fb 100644 --- a/src/nsresourced/userns-restrict.c +++ b/src/nsresourced/userns-restrict.c @@ -54,8 +54,11 @@ int userns_restrict_install( int r; r = lsm_supported("bpf"); + if (r == -ENOPKG) + /* We propagate this as EOPNOTSUPP! */ + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm support not available, as securityfs is not mounted."); if (r < 0) - return r; + return log_error_errno(r, "Failed to check if bpf-lsm support is available: %m"); if (r == 0) return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm not supported, can't lock down user namespace."); diff --git a/src/shared/lsm-util.c b/src/shared/lsm-util.c index 7b6d419ce1..0a50acf59b 100644 --- a/src/shared/lsm-util.c +++ b/src/shared/lsm-util.c @@ -4,6 +4,7 @@ #include "extract-word.h" #include "fileio.h" #include "lsm-util.h" +#include "mountpoint-util.h" #include "string-util.h" int lsm_supported(const char *name) { @@ -13,8 +14,18 @@ int lsm_supported(const char *name) { assert(name); r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list); - if (r == -ENOENT) /* LSM support not available at all? */ + if (r == -ENOENT) { /* LSM support not available at all? */ + /* If securityfs is not mounted, then propagate this as ENOPKG, to indicate that LSM might be + * available we just can't determine it */ + + r = path_is_mount_point("/sys/kernel/security"); + if (r < 0 && r != -ENOENT) + return log_debug_errno(r, "Failed to check if /sys/kernel/security is a mount point: %m"); + if (r == 0) + return log_debug_errno(SYNTHETIC_ERRNO(ENOPKG), "/sys/kernel/security is not mounted, can't determine LSM status."); + return false; + } if (r < 0) return log_debug_errno(r, "Failed to read /sys/kernel/security/lsm: %m"); |