seccomp: add new helper call seccomp_load_filter_set()

This allows us to unify most of the code in apply_protect_kernel_modules() and apply_private_devices().
2024-11-01 17:51:22 +03:00 · 2016-10-21 21:18:46 +02:00 · 2016-10-21 21:18:46 +02:00 · a3be2849b2
commit a3be2849b2
parent 60f547cf68
3 changed files with 28 additions and 32 deletions
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -1502,9 +1502,6 @@ finish:
 }

 static int apply_protect_kernel_modules(Unit *u, const ExecContext *c) {
-        scmp_filter_ctx seccomp;
-        int r;
-
        assert(c);

        /* Turn off module syscalls on ProtectKernelModules=yes */
@ -1512,25 +1509,10 @@ static int apply_protect_kernel_modules(Unit *u, const ExecContext *c) {
        if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
                return 0;

-        r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
-        if (r < 0)
-                return r;
-
-        r = seccomp_add_syscall_filter_set(seccomp, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
-        if (r < 0)
-                goto finish;
-
-        r = seccomp_load(seccomp);
-
-finish:
-        seccomp_release(seccomp);
-        return r;
+        return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
 }

 static int apply_private_devices(Unit *u, const ExecContext *c) {
-        scmp_filter_ctx seccomp;
-        int r;
-
        assert(c);

        /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
@ -1538,19 +1520,7 @@ static int apply_private_devices(Unit *u, const ExecContext *c) {
        if (skip_seccomp_unavailable(u, "PrivateDevices="))
                return 0;

-        r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
-        if (r < 0)
-                return r;
-
-        r = seccomp_add_syscall_filter_set(seccomp, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
-        if (r < 0)
-                goto finish;
-
-        r = seccomp_load(seccomp);
-
-finish:
-        seccomp_release(seccomp);
-        return r;
+        return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
 }

 #endif
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -452,3 +452,27 @@ int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterS

        return 0;
 }
+
+int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action) {
+        scmp_filter_ctx seccomp;
+        int r;
+
+        assert(set);
+
+        /* The one-stop solution: allocate a seccomp object, add a filter to it, and apply it */
+
+        r = seccomp_init_conservative(&seccomp, default_action);
+        if (r < 0)
+                return r;
+
+        r = seccomp_add_syscall_filter_set(seccomp, set, action);
+        if (r < 0)
+                goto finish;
+
+        r = seccomp_load(seccomp);
+
+finish:
+        seccomp_release(seccomp);
+        return r;
+
+}
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@ -59,3 +59,5 @@ extern const SyscallFilterSet syscall_filter_sets[];
 const SyscallFilterSet *syscall_filter_set_find(const char *name);

 int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action);
+
+int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);