core: pass bpf_outer_map_fd to sd-executor only if RestrictFileSystems was set

[bluca]

It causes SELinux denials to be raised, so restrict it only where needed

Follow-up for beb4ae8

There are no tests for this feature, so no idea if this works or not, completely speculative.

[github-actions]

An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.

[mrc0mmand]

I'll look into adding some tests for the bpf stuff.

[mrc0mmand]

I just accidentally noticed that the BPF stuff has one other side effect:

# systemd-run -q --service-type notify -p FileDescriptorStoreMax=7 --wait --pipe bash -xec 'ls -l /proc/self/fd/; systemd-notify --fd=4 4</dev/null; systemd-notify --ready'
+ ls -l /proc/self/fd/
total 0
lrwx------ 1 root root 64 Nov 25 23:58 0 -> /dev/pts/1
lrwx------ 1 root root 64 Nov 25 23:58 1 -> /dev/pts/1
lrwx------ 1 root root 64 Nov 25 23:58 145 -> anon_inode:bpf-map
lrwx------ 1 root root 64 Nov 25 23:58 2 -> /dev/pts/1
lr-x------ 1 root root 64 Nov 25 23:58 3 -> /proc/925/fd
+ systemd-notify --fd=4
Warning: 1 more file descriptors passed than referenced with --fd=.
+ systemd-notify --ready

(notice the extra bpf-map fd)

With this PR applied the issue seems to be gone:

# systemd-run -q --service-type notify -p FileDescriptorStoreMax=7 --wait --pipe bash -xec 'ls -l /proc/self/fd/; systemd-notify --fd=4 4</dev/null; systemd-notify --ready'
+ ls -l /proc/self/fd/
total 0
lrwx------ 1 root root 64 Nov 25 23:59 0 -> /dev/pts/1
lrwx------ 1 root root 64 Nov 25 23:59 1 -> /dev/pts/1
lrwx------ 1 root root 64 Nov 25 23:59 2 -> /dev/pts/1
lr-x------ 1 root root 64 Nov 25 23:59 3 -> /proc/1294/fd
+ systemd-notify --fd=4
+ systemd-notify --ready

[mrc0mmand]

And just to add to the previous comment - the "issue" is still there if RestrictFileSystems= is used (as expected):

# systemd-run -q --service-type notify -p RestrictFileSystems=~ext4 -p FileDescriptorStoreMax=7 --wait --pipe bash -xec 'ls -l /proc/self/fd/; systemd-notify --fd=4 4</dev/null; systemd-notify --ready'
+ ls -l /proc/self/fd/
total 0
lrwx------ 1 root root 64 Nov 27 14:10 0 -> /dev/pts/1
lrwx------ 1 root root 64 Nov 27 14:10 1 -> /dev/pts/1
lrwx------ 1 root root 64 Nov 27 14:10 2 -> /dev/pts/1
lr-x------ 1 root root 64 Nov 27 14:10 3 -> /proc/1923/fd
lrwx------ 1 root root 64 Nov 27 14:10 82 -> anon_inode:bpf-map
+ systemd-notify --fd=4
Warning: 1 more file descriptors passed than referenced with --fd=.
+ systemd-notify --ready

Not sure if there are any "real" consequences of the extra FD, though.

[poettering]

lgtm