shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-02 19:21:53 +03:00
Code

seccomp: rework seccomp_lock_personality() to apply filter to all archs

Browse Source
This commit is contained in:
Lennart Poettering 2017-08-09 20:43:35 +02:00
parent e8132d63fe
commit 72eafe7159
2 changed files with 26 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
src/shared/seccomp-util.c
View File

@ -1405,19 +1405,34 @@ int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) {
} }
int seccomp_lock_personality(unsigned long personality) { int seccomp_lock_personality(unsigned long personality) {
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; uint32_t arch;
int r; int r;
seccomp = seccomp_init(SCMP_ACT_ALLOW); if (personality >= PERSONALITY_INVALID)
if (!seccomp) return -EINVAL;
return -ENOMEM;
r = seccomp_rule_add_exact(seccomp, SCMP_ACT_ERRNO(EPERM), SECCOMP_FOREACH_LOCAL_ARCH(arch) {
SCMP_SYS(personality), _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
1,
SCMP_A0(SCMP_CMP_NE, personality));
if (r < 0)
return r;
return seccomp_load(seccomp); r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
if (r < 0)
return r;
r = seccomp_rule_add_exact(
seccomp,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(personality),
1,
SCMP_A0(SCMP_CMP_NE, personality));
if (r < 0)
return r;
r = seccomp_load(seccomp);
if (IN_SET(r, -EPERM, -EACCES))
return r;
if (r < 0)
log_debug_errno(r, "Failed to enable personality lock for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
return 0;
} }

1
src/test/test-seccomp.c
View File

@ -48,7 +48,6 @@
# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0 # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
#endif #endif
static void test_seccomp_arch_to_string(void) { static void test_seccomp_arch_to_string(void) {
uint32_t a, b; uint32_t a, b;
const char *name; const char *name;