mirror of
https://github.com/systemd/systemd.git
synced 2025-01-12 13:18:14 +03:00
pid1: pass unit name to seccomp parser when we have no file location
Building on previous commit, let's pass the unit name when parsing dbus message or builtin whitelist, which is better than nothing. seccomp_parse_syscall_filter() is not needed anymore, so it is removed, and seccomp_parse_syscall_filter_full() is renamed to take its place.
This commit is contained in:
parent
6bfb1daff1
commit
58f6ab4454
@ -1417,7 +1417,9 @@ int bus_exec_context_set_transient_property(
|
||||
r = seccomp_parse_syscall_filter("@default",
|
||||
-1,
|
||||
c->syscall_filter,
|
||||
SECCOMP_PARSE_WHITELIST | invert_flag);
|
||||
SECCOMP_PARSE_WHITELIST | invert_flag,
|
||||
u->id,
|
||||
NULL, 0);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
@ -1434,7 +1436,9 @@ int bus_exec_context_set_transient_property(
|
||||
r = seccomp_parse_syscall_filter(n,
|
||||
e,
|
||||
c->syscall_filter,
|
||||
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag);
|
||||
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag,
|
||||
u->id,
|
||||
NULL, 0);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
@ -2735,7 +2735,9 @@ int config_parse_syscall_filter(
|
||||
/* Accept default syscalls if we are on a whitelist */
|
||||
r = seccomp_parse_syscall_filter(
|
||||
"@default", -1, c->syscall_filter,
|
||||
SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST);
|
||||
SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST,
|
||||
unit,
|
||||
NULL, 0);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
@ -2762,7 +2764,7 @@ int config_parse_syscall_filter(
|
||||
continue;
|
||||
}
|
||||
|
||||
r = seccomp_parse_syscall_filter_full(
|
||||
r = seccomp_parse_syscall_filter(
|
||||
name, num, c->syscall_filter,
|
||||
SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|
|
||||
(invert ? SECCOMP_PARSE_INVERT : 0)|
|
||||
|
@ -1016,7 +1016,7 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
|
||||
return 0;
|
||||
}
|
||||
|
||||
int seccomp_parse_syscall_filter_full(
|
||||
int seccomp_parse_syscall_filter(
|
||||
const char *name,
|
||||
int errno_num,
|
||||
Hashmap *filter,
|
||||
@ -1049,7 +1049,7 @@ int seccomp_parse_syscall_filter_full(
|
||||
* away the SECCOMP_PARSE_LOG flag) since any issues in the group table are our own problem,
|
||||
* not a problem in user configuration data and we shouldn't pretend otherwise by complaining
|
||||
* about them. */
|
||||
r = seccomp_parse_syscall_filter_full(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
|
||||
r = seccomp_parse_syscall_filter(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
@ -70,13 +70,13 @@ typedef enum SeccompParseFlags {
|
||||
SECCOMP_PARSE_PERMISSIVE = 1 << 3,
|
||||
} SeccompParseFlags;
|
||||
|
||||
int seccomp_parse_syscall_filter_full(
|
||||
const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags,
|
||||
const char *unit, const char *filename, unsigned line);
|
||||
|
||||
static inline int seccomp_parse_syscall_filter(const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags) {
|
||||
return seccomp_parse_syscall_filter_full(name, errno_num, filter, flags, NULL, NULL, 0);
|
||||
}
|
||||
int seccomp_parse_syscall_filter(
|
||||
const char *name,
|
||||
int errno_num,
|
||||
Hashmap *filter,
|
||||
SeccompParseFlags flags,
|
||||
const char *unit,
|
||||
const char *filename, unsigned line);
|
||||
|
||||
int seccomp_restrict_archs(Set *archs);
|
||||
int seccomp_restrict_namespaces(unsigned long retain);
|
||||
|
Loading…
Reference in New Issue
Block a user