Merge pull request #26960 from poettering/syscall-catchup
syscall filter group updates
This commit is contained in:
commit
363ed18730
@ -2350,6 +2350,10 @@ RestrictNamespaces=~cgroup net</programlisting>
|
||||
<entry>@obsolete</entry>
|
||||
<entry>Unusual, obsolete or unimplemented (<citerefentry project='man-pages'><refentrytitle>create_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>gtty</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@pkey</entry>
|
||||
<entry>System calls that deal with memory protection keys (<citerefentry project='man-pages'><refentrytitle>pkeys</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@privileged</entry>
|
||||
<entry>All system calls which need super-user capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
|
||||
@ -2370,6 +2374,10 @@ RestrictNamespaces=~cgroup net</programlisting>
|
||||
<entry>@resources</entry>
|
||||
<entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@sandbox</entry>
|
||||
<entry>System calls for sandboxing programs (<citerefentry project='man-pages'><refentrytitle>seccomp</refentrytitle><manvolnum>2</manvolnum></citerefentry>, Landlock system calls, …)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@setuid</entry>
|
||||
<entry>System calls for changing user ID and group ID credentials, (<citerefentry project='man-pages'><refentrytitle>setuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setgid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setresuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
||||
|
@ -58,15 +58,35 @@ static int load_kernel_syscalls(Set **ret) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int syscall_set_add(Set **s, const SyscallFilterSet *set) {
|
||||
int r;
|
||||
|
||||
assert(s);
|
||||
|
||||
if (!set)
|
||||
return 0;
|
||||
|
||||
NULSTR_FOREACH(sc, set->value) {
|
||||
if (sc[0] == '@')
|
||||
continue;
|
||||
|
||||
r = set_put_strdup(s, sc);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void syscall_set_remove(Set *s, const SyscallFilterSet *set) {
|
||||
if (!set)
|
||||
return;
|
||||
|
||||
NULSTR_FOREACH(syscall, set->value) {
|
||||
if (syscall[0] == '@')
|
||||
NULSTR_FOREACH(sc, set->value) {
|
||||
if (sc[0] == '@')
|
||||
continue;
|
||||
|
||||
free(set_remove(s, syscall));
|
||||
free(set_remove(s, sc));
|
||||
}
|
||||
}
|
||||
|
||||
@ -84,6 +104,7 @@ static void dump_syscall_filter(const SyscallFilterSet *set) {
|
||||
|
||||
int verb_syscall_filters(int argc, char *argv[], void *userdata) {
|
||||
bool first = true;
|
||||
int r;
|
||||
|
||||
pager_open(arg_pager_flags);
|
||||
|
||||
@ -91,9 +112,9 @@ int verb_syscall_filters(int argc, char *argv[], void *userdata) {
|
||||
_cleanup_set_free_ Set *kernel = NULL, *known = NULL;
|
||||
int k = 0; /* explicit initialization to appease gcc */
|
||||
|
||||
NULSTR_FOREACH(sys, syscall_filter_sets[SYSCALL_FILTER_SET_KNOWN].value)
|
||||
if (set_put_strdup(&known, sys) < 0)
|
||||
return log_oom();
|
||||
r = syscall_set_add(&known, syscall_filter_sets + SYSCALL_FILTER_SET_KNOWN);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to prepare set of known system calls: %m");
|
||||
|
||||
if (!arg_quiet)
|
||||
k = load_kernel_syscalls(&kernel);
|
||||
|
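Review bot: The new helper `syscall_set_add` skips every entry that starts with `@` and so never expands nested group references, yet neither its name nor its signature says so, and `syscall_set_remove` now has the same silent behaviour after the rename from `syscall` to `sc`. A one-line contract on each would stop a later caller from passing a group that nests other groups and expecting the full expansion: `/* Adds the literal syscall names of 'set' to 's'; nested @group references are skipped, not expanded. */` and the matching wording on the remove variant. The `Set **s` / `const SyscallFilterSet *set` parameter pair is also easy to misread, since both are "sets" of different kinds; names such as `names` and `filter_set` would make the two roles obvious. `verb_syscall_filters` starts in the second hunk of this file and its body continues outside the third hunk.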
@ -322,6 +322,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||
"exit_group\0"
|
||||
"futex\0"
|
||||
"futex_time64\0"
|
||||
"futex_waitv\0"
|
||||
"get_robust_list\0"
|
||||
"get_thread_area\0"
|
||||
"getegid\0"
|
||||
@ -719,6 +720,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||
"open_by_handle_at\0"
|
||||
"pivot_root\0"
|
||||
"quotactl\0"
|
||||
"quotactl_fd\0"
|
||||
"setdomainname\0"
|
||||
"setfsuid\0"
|
||||
"setfsuid32\0"
|
||||
@ -797,9 +799,19 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||
"sched_setparam\0"
|
||||
"sched_setscheduler\0"
|
||||
"set_mempolicy\0"
|
||||
"set_mempolicy_home_node\0"
|
||||
"setpriority\0"
|
||||
"setrlimit\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_SANDBOX] = {
|
||||
.name = "@sandbox",
|
||||
.help = "Sandbox functionality",
|
||||
.value =
|
||||
"landlock_add_rule\0"
|
||||
"landlock_create_ruleset\0"
|
||||
"landlock_restrict_self\0"
|
||||
"seccomp\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_SETUID] = {
|
||||
.name = "@setuid",
|
||||
.help = "Operations for changing user/group credentials",
|
||||
|
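Review bot: The hunks in this file add `landlock_add_rule`, `landlock_create_ruleset`, `landlock_restrict_self` and `seccomp` as the new `[SYSCALL_FILTER_SET_SANDBOX]` entry, plus `futex_waitv\0`, `quotactl_fd\0` and `set_mempolicy_home_node\0` to existing groups, but no visible hunk touches the `@known` list that the analyze tool loads via `SYSCALL_FILTER_SET_KNOWN`; if that list is maintained by hand rather than generated, confirm these seven names are already present so group membership and the known list stay consistent. The new group's `.help = "Sandbox functionality"` is also terser than the man page row added in the same PR (`System calls for sandboxing programs (seccomp(2), Landlock system calls, …)`); something like `.help = "Sandboxing (seccomp, Landlock)"` would keep the `systemd-analyze` listing aligned with the documentation. The enclosing `syscall_filter_sets` initializer starts and ends outside these hunks.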
@ -49,6 +49,7 @@ enum {
|
||||
SYSCALL_FILTER_SET_RAW_IO,
|
||||
SYSCALL_FILTER_SET_REBOOT,
|
||||
SYSCALL_FILTER_SET_RESOURCES,
|
||||
SYSCALL_FILTER_SET_SANDBOX,
|
||||
SYSCALL_FILTER_SET_SETUID,
|
||||
SYSCALL_FILTER_SET_SIGNAL,
|
||||
SYSCALL_FILTER_SET_SWAP,
|
||||
@ -56,9 +57,12 @@ enum {
|
||||
SYSCALL_FILTER_SET_SYSTEM_SERVICE,
|
||||
SYSCALL_FILTER_SET_TIMER,
|
||||
SYSCALL_FILTER_SET_KNOWN,
|
||||
_SYSCALL_FILTER_SET_MAX
|
||||
_SYSCALL_FILTER_SET_MAX,
|
||||
};
|
||||
|
||||
assert_cc(SYSCALL_FILTER_SET_DEFAULT == 0);
|
||||
assert_cc(SYSCALL_FILTER_SET_KNOWN == _SYSCALL_FILTER_SET_MAX-1);
|
||||
|
||||
extern const SyscallFilterSet syscall_filter_sets[];
|
||||
|
||||
const SyscallFilterSet *syscall_filter_set_find(const char *name);
|
||||
|
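Review bot: The two added `assert_cc` lines pin `SYSCALL_FILTER_SET_DEFAULT` to 0 and `SYSCALL_FILTER_SET_KNOWN` to `_SYSCALL_FILTER_SET_MAX-1`, but the enum itself carries no comment saying that these positions are load-bearing, so the next person inserting a group (as this hunk does with `SYSCALL_FILTER_SET_SANDBOX`) only learns it from the compile error. A comment at the point where edits happen would make the intent visible: `SYSCALL_FILTER_SET_KNOWN, /* must remain the last group, see assert_cc below */`, with the reason stated there if it is known — presumably callers iterate the user-facing groups and rely on `@known` sitting at the end, which is worth confirming against the iteration sites. Minor style: `_SYSCALL_FILTER_SET_MAX-1` reads better as `_SYSCALL_FILTER_SET_MAX - 1`.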