seccomp: factor out seccomp_rule_add_exact to a helper function

2024-11-07 18:27:04 +03:00 · 2017-05-04 23:10:30 -04:00 · 2017-05-04 23:10:30 -04:00 · 6dc666886a
commit 6dc666886a
parent 2a65bd94e4
1 changed files with 36 additions and 48 deletions
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -1192,6 +1192,27 @@ int seccomp_restrict_realtime(void) {
        return 0;
 }
 static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp,
                                      uint32_t arch,
                                      int nr,
                                      unsigned int arg_cnt,
                                      const struct scmp_arg_cmp arg) {
        int r;
        r = seccomp_rule_add_exact(seccomp, SCMP_ACT_ERRNO(EPERM), nr, arg_cnt, arg);
        if (r < 0) {
                _cleanup_free_ char *n = NULL;
                n = seccomp_syscall_resolve_num_arch(arch, nr);
                log_debug_errno(r, "Failed to add %s() rule for architecture %s, skipping: %m",
                                strna(n),
                                seccomp_arch_to_string(arch));
        }
        return r;
 }
 int seccomp_memory_deny_write_execute(void) {
        uint32_t arch;
@ -1235,63 +1256,30 @@ int seccomp_memory_deny_write_execute(void) {
                if (r < 0)
                        return r;
-                if (filter_syscall != 0)  {
+                r = add_seccomp_syscall_filter(seccomp, arch, filter_syscall,
-                        r = seccomp_rule_add_exact(
+                                               1,
-                                        seccomp,
+                                               SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
-                                        SCMP_ACT_ERRNO(EPERM),
+                if (r < 0)
-                                        filter_syscall,
+                        continue;
                                        1,
                                        SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
                        if (r < 0) {
                                _cleanup_free_ char *n = NULL;
                                n = seccomp_syscall_resolve_num_arch(arch, filter_syscall);
                                log_debug_errno(r, "Failed to add %s() rule for architecture %s, skipping: %m",
                                                strna(n),
                                                seccomp_arch_to_string(arch));
                                continue;
                        }
                }
                if (block_syscall != 0) {
-                        r = seccomp_rule_add_exact(
+                        r = add_seccomp_syscall_filter(seccomp, arch, block_syscall, 0, (const struct scmp_arg_cmp){} );
-                                        seccomp,
+                        if (r < 0)
                                        SCMP_ACT_ERRNO(EPERM),
                                        block_syscall,
                                        0);
                        if (r < 0) {
                                _cleanup_free_ char *n = NULL;
                                n = seccomp_syscall_resolve_num_arch(arch, block_syscall);
                                log_debug_errno(r, "Failed to add %s() rule for architecture %s, skipping: %m",
                                                strna(n),
                                                seccomp_arch_to_string(arch));
                                continue;
                        }
                }
-                r = seccomp_rule_add_exact(
+                r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(mprotect),
-                                seccomp,
+                                               1,
-                                SCMP_ACT_ERRNO(EPERM),
+                                               SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
-                                SCMP_SYS(mprotect),
+                if (r < 0)
                                1,
                                SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
                if (r < 0) {
                        log_debug_errno(r, "Failed to add mprotect() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
                        continue;
                }
                if (shmat_syscall != 0) {
-                        r = seccomp_rule_add_exact(
+                        r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(shmat),
-                                        seccomp,
+                                                       1,
-                                        SCMP_ACT_ERRNO(EPERM),
+                                                       SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC));
-                                        SCMP_SYS(shmat),
+                        if (r < 0)
                                        1,
                                        SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC));
                        if (r < 0) {
                                log_debug_errno(r, "Failed to add shmat() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
                                continue;
                        }
                }
                r = seccomp_load(seccomp);