1
0
mirror of https://github.com/systemd/systemd.git synced 2025-01-12 13:18:14 +03:00

pid1: pass unit name to seccomp parser when we have no file location

Building on previous commit, let's pass the unit name when parsing
dbus message or builtin whitelist, which is better than nothing.

seccomp_parse_syscall_filter() is not needed anymore, so it is removed,
and seccomp_parse_syscall_filter_full() is renamed to take its place.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2019-04-03 09:17:42 +02:00
parent 6bfb1daff1
commit 58f6ab4454
4 changed files with 19 additions and 13 deletions

View File

@ -1417,7 +1417,9 @@ int bus_exec_context_set_transient_property(
r = seccomp_parse_syscall_filter("@default",
-1,
c->syscall_filter,
SECCOMP_PARSE_WHITELIST | invert_flag);
SECCOMP_PARSE_WHITELIST | invert_flag,
u->id,
NULL, 0);
if (r < 0)
return r;
}
@ -1434,7 +1436,9 @@ int bus_exec_context_set_transient_property(
r = seccomp_parse_syscall_filter(n,
e,
c->syscall_filter,
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag);
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag,
u->id,
NULL, 0);
if (r < 0)
return r;
}

View File

@ -2735,7 +2735,9 @@ int config_parse_syscall_filter(
/* Accept default syscalls if we are on a whitelist */
r = seccomp_parse_syscall_filter(
"@default", -1, c->syscall_filter,
SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST);
SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST,
unit,
NULL, 0);
if (r < 0)
return r;
}
@ -2762,7 +2764,7 @@ int config_parse_syscall_filter(
continue;
}
r = seccomp_parse_syscall_filter_full(
r = seccomp_parse_syscall_filter(
name, num, c->syscall_filter,
SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|
(invert ? SECCOMP_PARSE_INVERT : 0)|

View File

@ -1016,7 +1016,7 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
return 0;
}
int seccomp_parse_syscall_filter_full(
int seccomp_parse_syscall_filter(
const char *name,
int errno_num,
Hashmap *filter,
@ -1049,7 +1049,7 @@ int seccomp_parse_syscall_filter_full(
* away the SECCOMP_PARSE_LOG flag) since any issues in the group table are our own problem,
* not a problem in user configuration data and we shouldn't pretend otherwise by complaining
* about them. */
r = seccomp_parse_syscall_filter_full(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
r = seccomp_parse_syscall_filter(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
if (r < 0)
return r;
}

View File

@ -70,13 +70,13 @@ typedef enum SeccompParseFlags {
SECCOMP_PARSE_PERMISSIVE = 1 << 3,
} SeccompParseFlags;
int seccomp_parse_syscall_filter_full(
const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags,
const char *unit, const char *filename, unsigned line);
static inline int seccomp_parse_syscall_filter(const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags) {
return seccomp_parse_syscall_filter_full(name, errno_num, filter, flags, NULL, NULL, 0);
}
int seccomp_parse_syscall_filter(
const char *name,
int errno_num,
Hashmap *filter,
SeccompParseFlags flags,
const char *unit,
const char *filename, unsigned line);
int seccomp_restrict_archs(Set *archs);
int seccomp_restrict_namespaces(unsigned long retain);