mirror of
https://github.com/systemd/systemd-stable.git
synced 2025-01-12 09:17:44 +03:00
seccomp: reduce logging about failure to add syscall to seccomp
Our logs are full of: Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call oldstat() / -10037, ignoring: Numerical argument out of domain Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call get_thread_area() / -10076, ignoring: Numerical argument out of domain Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call set_thread_area() / -10079, ignoring: Numerical argument out of domain Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call oldfstat() / -10034, ignoring: Numerical argument out of domain Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call oldolduname() / -10036, ignoring: Numerical argument out of domain Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call oldlstat() / -10035, ignoring: Numerical argument out of domain Sep 19 09:22:10 autopkgtest systemd[690]: Failed to add rule for system call waitpid() / -10073, ignoring: Numerical argument out of domain ... This is pointless and makes debug logs hard to read. Let's keep the logs in test code, but disable it in nspawn and pid1. This is done through a function parameter because those functions operate recursively and it's not possible to make the caller to log meaningfully. There should be no functional change, except the skipped debug logs.
This commit is contained in:
parent
f09da7ccbc
commit
b54f36c604
@ -1432,7 +1432,7 @@ static int apply_syscall_filter(const Unit* u, const ExecContext *c, bool needs_
|
||||
return r;
|
||||
}
|
||||
|
||||
return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action);
|
||||
return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action, false);
|
||||
}
|
||||
|
||||
static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
|
||||
@ -1515,7 +1515,7 @@ static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
|
||||
if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
|
||||
return 0;
|
||||
|
||||
return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
|
||||
return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM), false);
|
||||
}
|
||||
|
||||
static int apply_private_devices(const Unit *u, const ExecContext *c) {
|
||||
@ -1530,7 +1530,7 @@ static int apply_private_devices(const Unit *u, const ExecContext *c) {
|
||||
if (skip_seccomp_unavailable(u, "PrivateDevices="))
|
||||
return 0;
|
||||
|
||||
return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
|
||||
return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM), false);
|
||||
}
|
||||
|
||||
static int apply_restrict_namespaces(const Unit *u, const ExecContext *c) {
|
||||
|
@ -148,7 +148,7 @@ static int seccomp_add_default_syscall_filter(
|
||||
if (whitelist[i].capability != 0 && (cap_list_retain & (1ULL << whitelist[i].capability)) == 0)
|
||||
continue;
|
||||
|
||||
r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist);
|
||||
r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist, false);
|
||||
if (r < 0)
|
||||
/* If the system call is not known on this architecture, then that's fine, let's ignore it */
|
||||
log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", whitelist[i].name, seccomp_arch_to_string(arch));
|
||||
@ -157,7 +157,7 @@ static int seccomp_add_default_syscall_filter(
|
||||
}
|
||||
|
||||
STRV_FOREACH(p, syscall_whitelist) {
|
||||
r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist);
|
||||
r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false);
|
||||
if (r < 0)
|
||||
log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", *p, seccomp_arch_to_string(arch));
|
||||
else
|
||||
|
@ -858,11 +858,9 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action, char **exclude);
|
||||
|
||||
int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, uint32_t action, char **exclude) {
|
||||
int r;
|
||||
static int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action, char **exclude, bool log_missing);
|
||||
|
||||
int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, uint32_t action, char **exclude, bool log_missing) {
|
||||
assert(seccomp);
|
||||
assert(name);
|
||||
|
||||
@ -878,32 +876,36 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
r = seccomp_add_syscall_filter_set(seccomp, other, action, exclude);
|
||||
if (r < 0)
|
||||
return r;
|
||||
return seccomp_add_syscall_filter_set(seccomp, other, action, exclude, log_missing);
|
||||
|
||||
} else {
|
||||
int id;
|
||||
int id, r;
|
||||
|
||||
id = seccomp_syscall_resolve_name(name);
|
||||
if (id == __NR_SCMP_ERROR) {
|
||||
log_debug("System call %s is not known, ignoring.", name);
|
||||
if (log_missing)
|
||||
log_debug("System call %s is not known, ignoring.", name);
|
||||
return 0;
|
||||
}
|
||||
|
||||
r = seccomp_rule_add_exact(seccomp, action, id, 0);
|
||||
if (r < 0)
|
||||
if (r < 0) {
|
||||
/* If the system call is not known on this architecture, then that's fine, let's ignore it */
|
||||
log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m", name, id);
|
||||
}
|
||||
if (log_missing)
|
||||
log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m",
|
||||
name, id);
|
||||
}
|
||||
|
||||
return 0;
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
static int seccomp_add_syscall_filter_set(
|
||||
scmp_filter_ctx seccomp,
|
||||
const SyscallFilterSet *set,
|
||||
uint32_t action,
|
||||
char **exclude) {
|
||||
char **exclude,
|
||||
bool log_missing) {
|
||||
|
||||
const char *sys;
|
||||
int r;
|
||||
@ -912,7 +914,7 @@ static int seccomp_add_syscall_filter_set(
|
||||
assert(set);
|
||||
|
||||
NULSTR_FOREACH(sys, set->value) {
|
||||
r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude);
|
||||
r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
@ -920,7 +922,7 @@ static int seccomp_add_syscall_filter_set(
|
||||
return 0;
|
||||
}
|
||||
|
||||
int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action) {
|
||||
int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing) {
|
||||
uint32_t arch;
|
||||
int r;
|
||||
|
||||
@ -938,7 +940,7 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL);
|
||||
r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL, log_missing);
|
||||
if (r < 0) {
|
||||
log_debug_errno(r, "Failed to add filter set, ignoring: %m");
|
||||
continue;
|
||||
@ -954,7 +956,7 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
|
||||
return 0;
|
||||
}
|
||||
|
||||
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action) {
|
||||
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing) {
|
||||
uint32_t arch;
|
||||
int r;
|
||||
|
||||
@ -967,7 +969,7 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
|
||||
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
|
||||
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
|
||||
Iterator i;
|
||||
void *id, *val;
|
||||
void *syscall_id, *val;
|
||||
|
||||
log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
|
||||
|
||||
@ -975,20 +977,23 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
HASHMAP_FOREACH_KEY(val, id, set, i) {
|
||||
HASHMAP_FOREACH_KEY(val, syscall_id, set, i) {
|
||||
uint32_t a = action;
|
||||
int e = PTR_TO_INT(val);
|
||||
int id = PTR_TO_INT(syscall_id) - 1;
|
||||
int error = PTR_TO_INT(val);
|
||||
|
||||
if (action != SCMP_ACT_ALLOW && e >= 0)
|
||||
a = SCMP_ACT_ERRNO(e);
|
||||
if (action != SCMP_ACT_ALLOW && error >= 0)
|
||||
a = SCMP_ACT_ERRNO(error);
|
||||
|
||||
r = seccomp_rule_add_exact(seccomp, a, PTR_TO_INT(id) - 1, 0);
|
||||
r = seccomp_rule_add_exact(seccomp, a, id, 0);
|
||||
if (r < 0) {
|
||||
/* If the system call is not known on this architecture, then that's fine, let's ignore it */
|
||||
_cleanup_free_ char *n = NULL;
|
||||
|
||||
n = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
|
||||
log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m", strna(n), PTR_TO_INT(id) - 1);
|
||||
n = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, id);
|
||||
if (log_missing)
|
||||
log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m",
|
||||
strna(n), id);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -58,10 +58,10 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name);
|
||||
|
||||
int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);
|
||||
|
||||
int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action, char **exclude);
|
||||
int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action, char **exclude, bool log_missing);
|
||||
|
||||
int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
|
||||
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action);
|
||||
int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing);
|
||||
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing);
|
||||
|
||||
typedef enum SeccompParseFlags {
|
||||
SECCOMP_PARSE_INVERT = 1 << 0,
|
||||
|
@ -117,11 +117,11 @@ static void test_filter_sets(void) {
|
||||
if (pid == 0) { /* Child? */
|
||||
int fd;
|
||||
|
||||
/* if we look at the default set (or one that includes it), whitelist instead of blacklist */
|
||||
/* If we look at the default set (or one that includes it), whitelist instead of blacklist */
|
||||
if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_SYSTEM_SERVICE))
|
||||
r = seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN), syscall_filter_sets + i, SCMP_ACT_ALLOW);
|
||||
r = seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN), syscall_filter_sets + i, SCMP_ACT_ALLOW, true);
|
||||
else
|
||||
r = seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EUCLEAN));
|
||||
r = seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EUCLEAN), true);
|
||||
if (r < 0)
|
||||
_exit(EXIT_FAILURE);
|
||||
|
||||
@ -614,7 +614,7 @@ static void test_load_syscall_filter_set_raw(void) {
|
||||
assert_se(access("/", F_OK) >= 0);
|
||||
assert_se(poll(NULL, 0, 0) == 0);
|
||||
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, SCMP_ACT_KILL) >= 0);
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, SCMP_ACT_KILL, true) >= 0);
|
||||
assert_se(access("/", F_OK) >= 0);
|
||||
assert_se(poll(NULL, 0, 0) == 0);
|
||||
|
||||
@ -625,7 +625,7 @@ static void test_load_syscall_filter_set_raw(void) {
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
|
||||
#endif
|
||||
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0);
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0);
|
||||
|
||||
assert_se(access("/", F_OK) < 0);
|
||||
assert_se(errno == EUCLEAN);
|
||||
@ -641,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) {
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
|
||||
#endif
|
||||
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0);
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0);
|
||||
|
||||
assert_se(access("/", F_OK) < 0);
|
||||
assert_se(errno == EILSEQ);
|
||||
@ -657,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) {
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
|
||||
#endif
|
||||
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0);
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH), true) >= 0);
|
||||
|
||||
assert_se(access("/", F_OK) < 0);
|
||||
assert_se(errno == EILSEQ);
|
||||
@ -674,7 +674,7 @@ static void test_load_syscall_filter_set_raw(void) {
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
|
||||
#endif
|
||||
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0);
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH), true) >= 0);
|
||||
|
||||
assert_se(access("/", F_OK) < 0);
|
||||
assert_se(errno == EILSEQ);
|
||||
|
Loading…
Reference in New Issue
Block a user