
systemd / systemd / 14554080340

19 Apr 2025 11:46AM UTC coverage: 72.101% (-0.03%) from 72.13%
14554080340

push

github

web-flow
Add two new paragraphs to coding style about header files (#37188)

296880 of 411754 relevant lines covered (72.1%)

687547.52 hits per line

/src/core/ipe-setup.c
/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include "conf-files.h"
#include "copy.h"
#include "fd-util.h"
#include "fileio.h"
#include "ipe-setup.h"
#include "log.h"
#include "nulstr-util.h"
#include "path-util.h"

/* Root of the IPE tree under /sys/kernel/security; ipe_setup() returns early when it does not exist. */
#define IPE_SECFS_DIR "/sys/kernel/security/ipe"
#define IPE_SECFS_NEW_POLICY IPE_SECFS_DIR "/new_policy"
#define IPE_SECFS_POLICIES IPE_SECFS_DIR "/policies/"

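/* Loads the IPE policies found in the "ipe" configuration directories into the kernel and activates them.
 *
 * Every "*.p7b" file listed by conf_files_list_nulstr() is written to the policy's "update" node if the
 * policy is already installed, or to IPE_SECFS_NEW_POLICY otherwise, and then "1" is written to its
 * "active" node. No signature check happens here: the blob is passed through unchanged and acceptance
 * is left to the kernel interface.
 *
 * Returns 0 when built without ENABLE_IPE, when IPE_SECFS_DIR does not exist, or when all policies were
 * processed. On the first failure the value of log_error_errno()/log_oom() is returned (presumably a
 * negative errno) and the remaining policies are not attempted. */
int ipe_setup(void) {
#if ENABLE_IPE
        _cleanup_strv_free_ char **policies = NULL;
        int r;

        /* Very quick smoke tests first: this is in the critical, sequential boot path, and in most cases it
         * is unlikely this will be configured, so do the fastest existence checks first and immediately
         * return if there's nothing to do. */

        if (access(IPE_SECFS_DIR, F_OK) < 0) {
                log_debug_errno(errno, "IPE support is disabled in the kernel, ignoring: %m");
                return 0;
        }

        r = conf_files_list_nulstr(
                        &policies,
                        ".p7b",
                        /* root= */ NULL,
                        CONF_FILES_REGULAR|CONF_FILES_FILTER_MASKED,
                        CONF_PATHS_NULSTR("ipe"));
        if (r < 0)
                return log_error_errno(r, "Failed to assemble list of IPE policies: %m");

        STRV_FOREACH(policy, policies) {
                _cleanup_free_ char *policy_name = NULL, *file_name = NULL, *output_path = NULL, *activate_path = NULL;
                _cleanup_close_ int input = -EBADF, output = -EBADF;
                const char *suffix, *target;

                r = path_extract_filename(*policy, &file_name);
                if (r < 0)
                        return log_error_errno(r, "Failed to extract filename from IPE policy path %s: %m", *policy);

                /* Filtered by conf_files_list_nulstr() */
                suffix = ASSERT_PTR(endswith(file_name, ".p7b"));

                policy_name = strndup(file_name, suffix - file_name);
                if (!policy_name)
                        return log_oom();

                /* The name becomes a path component below IPE_SECFS_POLICIES, so refuse anything that
                 * filename_is_valid() does not accept before joining it into a path. */
                if (!filename_is_valid(policy_name))
                        return log_error_errno(
                                        SYNTHETIC_ERRNO(EINVAL),
                                        "Invalid IPE policy name %s",
                                        policy_name);

                /* O_NOFOLLOW refuses a symlink as the final path component only; the directories leading
                 * to the file are still resolved normally. */
                input = open(*policy, O_RDONLY|O_NOFOLLOW|O_CLOEXEC);
                if (input < 0)
                        return log_error_errno(
                                        errno,
                                        "Failed to open the IPE policy file %s: %m",
                                        *policy);

                /* If policy is already installed, try to update it */
                output_path = path_join(IPE_SECFS_POLICIES, policy_name, "update");
                if (!output_path)
                        return log_oom();

                /* Remember which node is actually written to, so that a copy failure is reported against
                 * the real destination rather than always against the "update" path. */
                target = output_path;
                output = open(output_path, O_WRONLY|O_CLOEXEC);
                if (output < 0 && errno == ENOENT) {
                        /* Policy is not installed, install it and activate it */
                        target = IPE_SECFS_NEW_POLICY;
                        output = open(IPE_SECFS_NEW_POLICY, O_WRONLY|O_CLOEXEC);
                }
                if (output < 0)
                        return log_error_errno(
                                        errno,
                                        "Failed to open the IPE policy handle for writing: %m");

                /* The policy is inline signed in binary format, so it has to be copied in one go, otherwise the
                 * kernel will reject partial inputs with -EBADMSG.
                 * NOTE(review): copy_bytes() is defined elsewhere; confirm it delivers the whole blob in a
                 * single write regardless of policy size, since the requirement above depends on it. */
                r = copy_bytes(input, output, UINT64_MAX, /* copy_flags= */ 0);
                if (r < 0)
                        return log_error_errno(
                                        r,
                                        "Failed to copy the IPE policy %s to %s: %m",
                                        *policy,
                                        target);

                /* Close the write handle explicitly before touching the "active" node. */
                output = safe_close(output);

                activate_path = path_join(IPE_SECFS_POLICIES, policy_name, "active");
                if (!activate_path)
                        return log_oom();

                r = write_string_file(activate_path, "1", WRITE_STRING_FILE_DISABLE_BUFFER);
                if (r == -ESTALE) {
                        /* Not an error: the log text below records why this case is skipped. */
                        log_debug_errno(r,
                                        "IPE policy %s is already loaded with a version that is equal or higher, skipping.",
                                        policy_name);
                        continue;
                }
                if (r < 0)
                        return log_error_errno(r, "Failed to activate the IPE policy %s: %m", policy_name);

                log_info("Successfully loaded and activated the IPE policy %s.", policy_name);
        }

#endif /* ENABLE_IPE */
        return 0;
}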