
seccomp: factor out seccomp_rule_add_exact to a helper function

Zbigniew Jędrzejewski-Szmek 2017-05-04 23:10:30 -04:00
parent 2a65bd94e4
commit 6dc666886a


@ -1192,6 +1192,27 @@ int seccomp_restrict_realtime(void) {
return 0; return 0;
} }
static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp,
uint32_t arch,
int nr,
unsigned int arg_cnt,
const struct scmp_arg_cmp arg) {
int r;
r = seccomp_rule_add_exact(seccomp, SCMP_ACT_ERRNO(EPERM), nr, arg_cnt, arg);
if (r < 0) {
_cleanup_free_ char *n = NULL;
n = seccomp_syscall_resolve_num_arch(arch, nr);
log_debug_errno(r, "Failed to add %s() rule for architecture %s, skipping: %m",
strna(n),
seccomp_arch_to_string(arch));
}
return r;
}
int seccomp_memory_deny_write_execute(void) { int seccomp_memory_deny_write_execute(void) {
uint32_t arch; uint32_t arch;
@ -1235,64 +1256,31 @@ int seccomp_memory_deny_write_execute(void) {
if (r < 0) if (r < 0)
return r; return r;
if (filter_syscall != 0) { r = add_seccomp_syscall_filter(seccomp, arch, filter_syscall,
r = seccomp_rule_add_exact(
seccomp,
SCMP_ACT_ERRNO(EPERM),
filter_syscall,
1, 1,
SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE)); SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
if (r < 0) { if (r < 0)
_cleanup_free_ char *n = NULL;
n = seccomp_syscall_resolve_num_arch(arch, filter_syscall);
log_debug_errno(r, "Failed to add %s() rule for architecture %s, skipping: %m",
strna(n),
seccomp_arch_to_string(arch));
continue; continue;
}
}
if (block_syscall != 0) { if (block_syscall != 0) {
r = seccomp_rule_add_exact( r = add_seccomp_syscall_filter(seccomp, arch, block_syscall, 0, (const struct scmp_arg_cmp){} );
seccomp, if (r < 0)
SCMP_ACT_ERRNO(EPERM),
block_syscall,
0);
if (r < 0) {
_cleanup_free_ char *n = NULL;
n = seccomp_syscall_resolve_num_arch(arch, block_syscall);
log_debug_errno(r, "Failed to add %s() rule for architecture %s, skipping: %m",
strna(n),
seccomp_arch_to_string(arch));
continue; continue;
} }
}
r = seccomp_rule_add_exact( r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(mprotect),
seccomp,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(mprotect),
1, 1,
SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC)); SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
if (r < 0) { if (r < 0)
log_debug_errno(r, "Failed to add mprotect() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
continue; continue;
}
if (shmat_syscall != 0) { if (shmat_syscall != 0) {
r = seccomp_rule_add_exact( r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(shmat),
seccomp,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(shmat),
1, 1,
SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC)); SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC));
if (r < 0) { if (r < 0)
log_debug_errno(r, "Failed to add shmat() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
continue; continue;
} }
}
r = seccomp_load(seccomp); r = seccomp_load(seccomp);
if (IN_SET(r, -EPERM, -EACCES)) if (IN_SET(r, -EPERM, -EACCES))