
systemd / systemd / 14939761809

09 May 2025 06:22PM UTC coverage: 72.251% (-0.001%) from 72.252%
14939761809

push

github

web-flow
mount-tool: honor arg_canonicalize for ACTION_UMOUNT path_is_absolute() check too (#37398)

Split out from #36337

4 of 4 new or added lines in 2 files covered. (100.0%)

3591 existing lines in 114 files now uncovered.

297546 of 411820 relevant lines covered (72.25%)

704170.35 hits per line

Source File

12.77
/src/core/ipe-setup.c
/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <unistd.h>

#include "alloc-util.h"
#include "conf-files.h"
#include "copy.h"
#include "fd-util.h"
#include "fileio.h"
#include "ipe-setup.h"
#include "log.h"
#include "nulstr-util.h"
#include "path-util.h"
#include "string-util.h"
#include "strv.h"

/* Root of the IPE directory in securityfs; ipe_setup() returns early when it is not accessible. */
#define IPE_SECFS_DIR "/sys/kernel/security/ipe"
/* Node that ipe_setup() writes a policy to when no "update" node exists for that policy yet. */
#define IPE_SECFS_NEW_POLICY IPE_SECFS_DIR "/new_policy"
/* Directory under which ipe_setup() builds the per-policy "update" and "active" node paths. */
#define IPE_SECFS_POLICIES IPE_SECFS_DIR "/policies/"

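/* Loads the signed IPE policies (*.p7b) found in the "ipe" configuration directories into the kernel via
 * securityfs and activates each of them.
 *
 * The policy name is the file name without its ".p7b" suffix. It is checked with filename_is_valid() before
 * it is used to build a path below IPE_SECFS_POLICIES. A policy that already has an "update" node is written
 * there; if that node does not exist (ENOENT) the policy is written to IPE_SECFS_NEW_POLICY instead.
 * Afterwards "1" is written to the policy's "active" node.
 *
 * Returns 0 when ENABLE_IPE is off at build time, when IPE_SECFS_DIR is not accessible, or when all policies
 * were processed. On the first failure the error is logged and returned immediately, so policies later in
 * the list are not processed. An activation that fails with -ESTALE is logged at debug level and skipped. */
int ipe_setup(void) {
#if ENABLE_IPE
        _cleanup_strv_free_ char **policies = NULL;
        int r;

        /* Very quick smoke tests first: this is in the critical, sequential boot path, and in most cases it
         * is unlikely this will be configured, so do the fastest existence checks first and immediately
         * return if there's nothing to do. */

        if (access(IPE_SECFS_DIR, F_OK) < 0) {
                log_debug_errno(errno, "IPE support is disabled in the kernel, ignoring: %m");
                return 0;
        }

        r = conf_files_list_nulstr(
                        &policies,
                        ".p7b",
                        /* root= */ NULL,
                        CONF_FILES_REGULAR|CONF_FILES_FILTER_MASKED,
                        CONF_PATHS_NULSTR("ipe"));
        if (r < 0)
                return log_error_errno(r, "Failed to assemble list of IPE policies: %m");

        STRV_FOREACH(policy, policies) {
                _cleanup_free_ char *policy_name = NULL, *file_name = NULL, *output_path = NULL, *activate_path = NULL;
                _cleanup_close_ int input = -EBADF, output = -EBADF;
                const char *suffix, *target;

                r = path_extract_filename(*policy, &file_name);
                if (r < 0)
                        return log_error_errno(r, "Failed to extract filename from IPE policy path %s: %m", *policy);

                /* Filtered by conf_files_list_nulstr() */
                suffix = ASSERT_PTR(endswith(file_name, ".p7b"));

                policy_name = strndup(file_name, suffix - file_name);
                if (!policy_name)
                        return log_oom();

                /* The name becomes a path component below IPE_SECFS_POLICIES, so reject anything that is
                 * not a plain file name before building paths from it. */
                if (!filename_is_valid(policy_name))
                        return log_error_errno(
                                        SYNTHETIC_ERRNO(EINVAL),
                                        "Invalid IPE policy name %s",
                                        policy_name);

                /* O_NOFOLLOW: refuse a policy whose final path component is a symlink. */
                input = open(*policy, O_RDONLY|O_NOFOLLOW|O_CLOEXEC);
                if (input < 0)
                        return log_error_errno(
                                        errno,
                                        "Failed to open the IPE policy file %s: %m",
                                        *policy);

                /* If policy is already installed, try to update it */
                output_path = path_join(IPE_SECFS_POLICIES, policy_name, "update");
                if (!output_path)
                        return log_oom();

                /* Remember which node is actually opened, so that a later copy failure names the real
                 * destination rather than always the "update" path. */
                target = output_path;
                output = open(target, O_WRONLY|O_CLOEXEC);
                if (output < 0 && errno == ENOENT) {
                        /* Policy is not installed, install it and activate it */
                        target = IPE_SECFS_NEW_POLICY;
                        output = open(target, O_WRONLY|O_CLOEXEC);
                }
                if (output < 0)
                        return log_error_errno(
                                        errno,
                                        "Failed to open the IPE policy handle for writing: %m");

                /* The policy is inline signed in binary format, so it has to be copied in one go, otherwise the
                 * kernel will reject partial inputs with -EBADMSG.
                 * NOTE(review): whether copy_bytes() always issues a single write for a large policy is not
                 * visible from this file; confirm against its implementation. */
                r = copy_bytes(input, output, UINT64_MAX, /* copy_flags= */ 0);
                if (r < 0)
                        return log_error_errno(
                                        r,
                                        "Failed to copy the IPE policy %s to %s: %m",
                                        *policy,
                                        target);

                /* Close the write handle before touching the "active" node. */
                output = safe_close(output);

                activate_path = path_join(IPE_SECFS_POLICIES, policy_name, "active");
                if (!activate_path)
                        return log_oom();

                r = write_string_file(activate_path, "1", WRITE_STRING_FILE_DISABLE_BUFFER);
                if (r == -ESTALE) {
                        log_debug_errno(r,
                                        "IPE policy %s is already loaded with a version that is equal or higher, skipping.",
                                        policy_name);
                        continue;
                }
                if (r < 0)
                        return log_error_errno(r, "Failed to activate the IPE policy %s: %m", policy_name);

                log_info("Successfully loaded and activated the IPE policy %s.", policy_name);
        }

#endif /* ENABLE_IPE */
        return 0;
}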