shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-31 05:47:30 +03:00
Code

nsflags: replace namespace_flag_map with general namespace_info introduced earlier

Browse Source
This commit is contained in:
Christian Brauner 2022-09-30 15:02:18 +02:00 committed by Christian Brauner (Microsoft)
parent c3b9c418c0
commit 241b15779b
No known key found for this signature in database
GPG Key ID: 91C61BC06578DCA2
3 changed files with 15 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
src/shared/nsflags.c
View File

@ -4,22 +4,10 @@
#include "alloc-util.h"
#include "extract-word.h"
#include "namespace-util.h"
#include "nsflags.h"
#include "string-util.h"
const struct namespace_flag_map namespace_flag_map[] = {
{ CLONE_NEWCGROUP, "cgroup" },
{ CLONE_NEWIPC, "ipc" },
{ CLONE_NEWNET, "net" },
/* So, the mount namespace flag is called CLONE_NEWNS for historical reasons. Let's expose it here under a more
* explanatory name: "mnt". This is in-line with how the kernel exposes namespaces in /proc/$PID/ns. */
{ CLONE_NEWNS, "mnt" },
{ CLONE_NEWPID, "pid" },
{ CLONE_NEWUSER, "user" },
{ CLONE_NEWUTS, "uts" },
{}
};
int namespace_flags_from_string(const char *name, unsigned long *ret) {
unsigned long flags = 0;
int r;
@ -37,9 +25,9 @@ int namespace_flags_from_string(const char *name, unsigned long *ret) {
if (r == 0)
break;
for (i = 0; namespace_flag_map[i].name; i++)
if (streq(word, namespace_flag_map[i].name)) {
f = namespace_flag_map[i].flag;
for (i = 0; namespace_info[i].proc_name; i++)
if (streq(word, namespace_info[i].proc_name)) {
f = namespace_info[i].clone_flag;
break;
}
@ -57,11 +45,11 @@ int namespace_flags_to_string(unsigned long flags, char **ret) {
_cleanup_free_ char *s = NULL;
unsigned i;
for (i = 0; namespace_flag_map[i].name; i++) {
if ((flags & namespace_flag_map[i].flag) != namespace_flag_map[i].flag)
for (i = 0; namespace_info[i].proc_name; i++) {
if ((flags & namespace_info[i].clone_flag) != namespace_info[i].clone_flag)
continue;
if (!strextend_with_separator(&s, " ", namespace_flag_map[i].name))
if (!strextend_with_separator(&s, " ", namespace_info[i].proc_name))
return -ENOMEM;
}
@ -71,9 +59,9 @@ int namespace_flags_to_string(unsigned long flags, char **ret) {
}
const char *namespace_single_flag_to_string(unsigned long flag) {
for (unsigned i = 0; namespace_flag_map[i].name; i++)
if (namespace_flag_map[i].flag == flag)
return namespace_flag_map[i].name;
for (unsigned i = 0; namespace_info[i].proc_name; i++)
if (namespace_info[i].clone_flag == flag)
return namespace_info[i].proc_name;
return NULL;
}

7
src/shared/nsflags.h
View File

@ -21,10 +21,3 @@
int namespace_flags_from_string(const char *name, unsigned long *ret);
int namespace_flags_to_string(unsigned long flags, char **ret);
const char *namespace_single_flag_to_string(unsigned long flag);
struct namespace_flag_map {
unsigned long flag;
const char *name;
};
extern const struct namespace_flag_map namespace_flag_map[];

9
src/shared/seccomp-util.c
View File

@ -18,6 +18,7 @@
#include "env-util.h"
#include "errno-list.h"
#include "macro.h"
#include "namespace-util.h"
#include "nsflags.h"
#include "nulstr-util.h"
#include "process-util.h"
@ -1289,16 +1290,16 @@ int seccomp_restrict_namespaces(unsigned long retain) {
continue;
}
for (unsigned i = 0; namespace_flag_map[i].name; i++) {
for (unsigned i = 0; namespace_info[i].proc_name; i++) {
unsigned long f;
f = namespace_flag_map[i].flag;
f = namespace_info[i].clone_flag;
if (FLAGS_SET(retain, f)) {
log_debug("Permitting %s.", namespace_flag_map[i].name);
log_debug("Permitting %s.", namespace_info[i].proc_name);
continue;
}
log_debug("Blocking %s.", namespace_flag_map[i].name);
log_debug("Blocking %s.", namespace_info[i].proc_name);
r = seccomp_rule_add_exact(
seccomp,