Merge pull request #12198 from keszybz/seccomp-parsing-logging
Seccomp parsing logging cleanup
commit
b3e8032bb4
@ -1231,16 +1231,34 @@ int log_syntax_internal(
|
|||||||
if (unit)
|
if (unit)
|
||||||
unit_fmt = getpid_cached() == 1 ? "UNIT=%s" : "USER_UNIT=%s";
|
unit_fmt = getpid_cached() == 1 ? "UNIT=%s" : "USER_UNIT=%s";
|
||||||
|
|
||||||
return log_struct_internal(
|
if (config_file)
|
||||||
LOG_REALM_PLUS_LEVEL(LOG_REALM_SYSTEMD, level),
|
return log_struct_internal(
|
||||||
error,
|
LOG_REALM_PLUS_LEVEL(LOG_REALM_SYSTEMD, level),
|
||||||
file, line, func,
|
error,
|
||||||
"MESSAGE_ID=" SD_MESSAGE_INVALID_CONFIGURATION_STR,
|
file, line, func,
|
||||||
"CONFIG_FILE=%s", config_file,
|
"MESSAGE_ID=" SD_MESSAGE_INVALID_CONFIGURATION_STR,
|
||||||
"CONFIG_LINE=%u", config_line,
|
"CONFIG_FILE=%s", config_file,
|
||||||
LOG_MESSAGE("%s:%u: %s", config_file, config_line, buffer),
|
"CONFIG_LINE=%u", config_line,
|
||||||
unit_fmt, unit,
|
LOG_MESSAGE("%s:%u: %s", config_file, config_line, buffer),
|
||||||
NULL);
|
unit_fmt, unit,
|
||||||
|
NULL);
|
||||||
|
else if (unit)
|
||||||
|
return log_struct_internal(
|
||||||
|
LOG_REALM_PLUS_LEVEL(LOG_REALM_SYSTEMD, level),
|
||||||
|
error,
|
||||||
|
file, line, func,
|
||||||
|
"MESSAGE_ID=" SD_MESSAGE_INVALID_CONFIGURATION_STR,
|
||||||
|
LOG_MESSAGE("%s: %s", unit, buffer),
|
||||||
|
unit_fmt, unit,
|
||||||
|
NULL);
|
||||||
|
else
|
||||||
|
return log_struct_internal(
|
||||||
|
LOG_REALM_PLUS_LEVEL(LOG_REALM_SYSTEMD, level),
|
||||||
|
error,
|
||||||
|
file, line, func,
|
||||||
|
"MESSAGE_ID=" SD_MESSAGE_INVALID_CONFIGURATION_STR,
|
||||||
|
LOG_MESSAGE("%s", buffer),
|
||||||
|
NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
int log_syntax_invalid_utf8_internal(
|
int log_syntax_invalid_utf8_internal(
|
||||||
|
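Review bot: In the new `if (config_file)` branch the trailing `unit_fmt, unit,` pair is still passed when `unit` is NULL, so correct termination of the `log_struct_internal()` field list depends on `unit_fmt` remaining NULL in that case; its initialization and the start of `log_syntax_internal()` lie above the hunk, so this is inferred rather than visible. That coupling deserves a comment at the branch, e.g. `/* unit_fmt stays NULL when no unit is known, which ends the field list here */`. The three call sites also repeat the same leading arguments (realm/level, error, file/line/func, MESSAGE_ID), so a one-line comment naming what differs between them (CONFIG_FILE/CONFIG_LINE only when a config file is known, the unit prefix only when a unit is known) would help a reader keep the structured fields consistent if one branch is edited later.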
@ -1395,7 +1395,7 @@ int bus_exec_context_set_transient_property(
|
|||||||
|
|
||||||
if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
|
if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
|
||||||
_cleanup_free_ char *joined = NULL;
|
_cleanup_free_ char *joined = NULL;
|
||||||
bool invert = !whitelist;
|
SeccompParseFlags invert_flag = whitelist ? 0 : SECCOMP_PARSE_INVERT;
|
||||||
char **s;
|
char **s;
|
||||||
|
|
||||||
if (strv_isempty(l)) {
|
if (strv_isempty(l)) {
|
||||||
@ -1414,7 +1414,12 @@ int bus_exec_context_set_transient_property(
|
|||||||
c->syscall_whitelist = whitelist;
|
c->syscall_whitelist = whitelist;
|
||||||
|
|
||||||
if (c->syscall_whitelist) {
|
if (c->syscall_whitelist) {
|
||||||
r = seccomp_parse_syscall_filter("@default", -1, c->syscall_filter, SECCOMP_PARSE_WHITELIST | (invert ? SECCOMP_PARSE_INVERT : 0));
|
r = seccomp_parse_syscall_filter("@default",
|
||||||
|
-1,
|
||||||
|
c->syscall_filter,
|
||||||
|
SECCOMP_PARSE_WHITELIST | invert_flag,
|
||||||
|
u->id,
|
||||||
|
NULL, 0);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
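Review bot: The `u->id` now forwarded to `seccomp_parse_syscall_filter()` here, and in the second call in the hunk below (`n, e, c->syscall_filter, ...`), travels without `SECCOMP_PARSE_LOG` in the flags, so if the function's diagnostics are gated on that flag — as the `flags &~ SECCOMP_PARSE_LOG` recursion in seccomp-util.c suggests — the unit id is never consumed on this path. Either the bus path should set `SECCOMP_PARSE_LOG` so a rejected syscall name arriving over D-Bus is attributed to the unit it was meant for, or a comment such as `/* no SECCOMP_PARSE_LOG: failures are returned to the bus caller rather than logged */` should state that the id is forwarded for completeness only. `bus_exec_context_set_transient_property()` begins and ends outside the hunk.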
@ -1428,7 +1433,12 @@ int bus_exec_context_set_transient_property(
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = seccomp_parse_syscall_filter(n, e, c->syscall_filter, (invert ? SECCOMP_PARSE_INVERT : 0) | (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0));
|
r = seccomp_parse_syscall_filter(n,
|
||||||
|
e,
|
||||||
|
c->syscall_filter,
|
||||||
|
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag,
|
||||||
|
u->id,
|
||||||
|
NULL, 0);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
@ -1506,7 +1516,6 @@ int bus_exec_context_set_transient_property(
|
|||||||
|
|
||||||
if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
|
if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
|
||||||
_cleanup_free_ char *joined = NULL;
|
_cleanup_free_ char *joined = NULL;
|
||||||
bool invert = !whitelist;
|
|
||||||
char **s;
|
char **s;
|
||||||
|
|
||||||
if (strv_isempty(l)) {
|
if (strv_isempty(l)) {
|
||||||
@ -1532,7 +1541,7 @@ int bus_exec_context_set_transient_property(
|
|||||||
if (af < 0)
|
if (af < 0)
|
||||||
return af;
|
return af;
|
||||||
|
|
||||||
if (!invert == c->address_families_whitelist) {
|
if (whitelist == c->address_families_whitelist) {
|
||||||
r = set_put(c->address_families, INT_TO_PTR(af));
|
r = set_put(c->address_families, INT_TO_PTR(af));
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
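Review bot: `if (whitelist == c->address_families_whitelist)` matches the previous `!invert == ...` only when `whitelist` holds exactly 0 or 1; if `whitelist` is an `int` filled from the bus message rather than a `bool` (its declaration is above the hunk), any other non-zero value would compare unequal to a true flag and the `set_put()` would be skipped. Normalizing with `if (!!whitelist == c->address_families_whitelist)`, or declaring `whitelist` as `bool` at its definition, keeps the old semantics independent of how the value was read. The enclosing function continues outside the hunk.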
@ -2735,7 +2735,9 @@ int config_parse_syscall_filter(
|
|||||||
/* Accept default syscalls if we are on a whitelist */
|
/* Accept default syscalls if we are on a whitelist */
|
||||||
r = seccomp_parse_syscall_filter(
|
r = seccomp_parse_syscall_filter(
|
||||||
"@default", -1, c->syscall_filter,
|
"@default", -1, c->syscall_filter,
|
||||||
SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST);
|
SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST,
|
||||||
|
unit,
|
||||||
|
NULL, 0);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
@ -2762,7 +2764,7 @@ int config_parse_syscall_filter(
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
r = seccomp_parse_syscall_filter_full(
|
r = seccomp_parse_syscall_filter(
|
||||||
name, num, c->syscall_filter,
|
name, num, c->syscall_filter,
|
||||||
SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|
|
SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|
|
||||||
(invert ? SECCOMP_PARSE_INVERT : 0)|
|
(invert ? SECCOMP_PARSE_INVERT : 0)|
|
||||||
|
@ -1016,7 +1016,7 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int seccomp_parse_syscall_filter_full(
|
int seccomp_parse_syscall_filter(
|
||||||
const char *name,
|
const char *name,
|
||||||
int errno_num,
|
int errno_num,
|
||||||
Hashmap *filter,
|
Hashmap *filter,
|
||||||
@ -1049,7 +1049,7 @@ int seccomp_parse_syscall_filter_full(
|
|||||||
* away the SECCOMP_PARSE_LOG flag) since any issues in the group table are our own problem,
|
* away the SECCOMP_PARSE_LOG flag) since any issues in the group table are our own problem,
|
||||||
* not a problem in user configuration data and we shouldn't pretend otherwise by complaining
|
* not a problem in user configuration data and we shouldn't pretend otherwise by complaining
|
||||||
* about them. */
|
* about them. */
|
||||||
r = seccomp_parse_syscall_filter_full(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
|
r = seccomp_parse_syscall_filter(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
@ -70,13 +70,13 @@ typedef enum SeccompParseFlags {
|
|||||||
SECCOMP_PARSE_PERMISSIVE = 1 << 3,
|
SECCOMP_PARSE_PERMISSIVE = 1 << 3,
|
||||||
} SeccompParseFlags;
|
} SeccompParseFlags;
|
||||||
|
|
||||||
int seccomp_parse_syscall_filter_full(
|
int seccomp_parse_syscall_filter(
|
||||||
const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags,
|
const char *name,
|
||||||
const char *unit, const char *filename, unsigned line);
|
int errno_num,
|
||||||
|
Hashmap *filter,
|
||||||
static inline int seccomp_parse_syscall_filter(const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags) {
|
SeccompParseFlags flags,
|
||||||
return seccomp_parse_syscall_filter_full(name, errno_num, filter, flags, NULL, NULL, 0);
|
const char *unit,
|
||||||
}
|
const char *filename, unsigned line);
|
||||||
|
|
||||||
int seccomp_restrict_archs(Set *archs);
|
int seccomp_restrict_archs(Set *archs);
|
||||||
int seccomp_restrict_namespaces(unsigned long retain);
|
int seccomp_restrict_namespaces(unsigned long retain);
|
||||||
|
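Review bot: The widened prototype of `seccomp_parse_syscall_filter()` carries no comment on its three trailing parameters, and the callers in this commit fill them inconsistently (`u->id, NULL, 0`, `unit, NULL, 0`, and the full `unit, filename, line` in the recursive call), so a reader of the header cannot tell whether NULL and 0 are legitimate. A short Doxygen-style comment above the declaration should describe `unit`, `filename` and `line` as optional context for diagnostics, state that NULL and 0 are accepted when unknown, and name the flag (presumably `SECCOMP_PARSE_LOG`) under which they are actually emitted. Since the `static inline` four-argument wrapper is removed, the comment could also note that every caller now has to supply this context explicitly.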
@ -4,8 +4,8 @@
|
|||||||
set -ex
|
set -ex
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
|
|
||||||
systemd-analyze set-log-level debug
|
systemd-analyze log-level debug
|
||||||
systemd-analyze set-log-target console
|
systemd-analyze log-target console
|
||||||
|
|
||||||
test `systemctl show -p MainPID --value testsuite.service` -eq $$
|
test `systemctl show -p MainPID --value testsuite.service` -eq $$
|
||||||
|
|
||||||
@ -134,7 +134,7 @@ chmod 755 /dev/shm/mainpid3.sh
|
|||||||
# Test that this failed due to timeout, and not some other error
|
# Test that this failed due to timeout, and not some other error
|
||||||
test `systemctl show -p Result --value mainpidsh3.service` = timeout
|
test `systemctl show -p Result --value mainpidsh3.service` = timeout
|
||||||
|
|
||||||
systemd-analyze set-log-level info
|
systemd-analyze log-level info
|
||||||
|
|
||||||
echo OK > /testok
|
echo OK > /testok
|
||||||
|
|
||||||
|
@ -4,8 +4,8 @@
|
|||||||
set -ex
|
set -ex
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
|
|
||||||
systemd-analyze set-log-level debug
|
systemd-analyze log-level debug
|
||||||
systemd-analyze set-log-target console
|
systemd-analyze log-target console
|
||||||
|
|
||||||
# Create a binary for which execve() will fail
|
# Create a binary for which execve() will fail
|
||||||
touch /tmp/brokenbinary
|
touch /tmp/brokenbinary
|
||||||
@ -21,7 +21,7 @@ systemd-run --unit=four -p Type=exec /bin/sleep infinity
|
|||||||
! systemd-run --unit=five -p Type=exec -p User=idontexist /bin/sleep infinity
|
! systemd-run --unit=five -p Type=exec -p User=idontexist /bin/sleep infinity
|
||||||
! systemd-run --unit=six -p Type=exec /tmp/brokenbinary
|
! systemd-run --unit=six -p Type=exec /tmp/brokenbinary
|
||||||
|
|
||||||
systemd-analyze set-log-level info
|
systemd-analyze log-level info
|
||||||
|
|
||||||
echo OK > /testok
|
echo OK > /testok
|
||||||
|
|
||||||
|
@ -4,8 +4,8 @@
|
|||||||
set -ex
|
set -ex
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
|
|
||||||
systemd-analyze set-log-level debug
|
systemd-analyze log-level debug
|
||||||
systemd-analyze set-log-target console
|
systemd-analyze log-target console
|
||||||
|
|
||||||
systemd-run --wait --unit=one -p StandardOutput=file:/tmp/stdout -p StandardError=file:/tmp/stderr -p Type=exec sh -c 'echo x ; echo y >&2'
|
systemd-run --wait --unit=one -p StandardOutput=file:/tmp/stdout -p StandardError=file:/tmp/stderr -p Type=exec sh -c 'echo x ; echo y >&2'
|
||||||
cmp /tmp/stdout <<EOF
|
cmp /tmp/stdout <<EOF
|
||||||
@ -33,7 +33,7 @@ a
|
|||||||
c
|
c
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
systemd-analyze set-log-level info
|
systemd-analyze log-level info
|
||||||
|
|
||||||
echo OK > /testok
|
echo OK > /testok
|
||||||
|
|
||||||
|
@ -4,8 +4,8 @@
|
|||||||
set -ex
|
set -ex
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
|
|
||||||
systemd-analyze set-log-level debug
|
systemd-analyze log-level debug
|
||||||
systemd-analyze set-log-target console
|
systemd-analyze log-target console
|
||||||
|
|
||||||
systemctl disable --now systemd-timesyncd.service
|
systemctl disable --now systemd-timesyncd.service
|
||||||
|
|
||||||
@ -26,7 +26,7 @@ timedatectl set-time 2018-1-1
|
|||||||
|
|
||||||
while ! test -f /tmp/clock-changed ; do sleep .5 ; done
|
while ! test -f /tmp/clock-changed ; do sleep .5 ; done
|
||||||
|
|
||||||
systemd-analyze set-log-level info
|
systemd-analyze log-level info
|
||||||
|
|
||||||
echo OK > /testok
|
echo OK > /testok
|
||||||
|
|
||||||
|
@ -283,11 +283,11 @@ class ClientTestBase(NetworkdTestingUtilities):
|
|||||||
klass.orig_log_level = subprocess.check_output(
|
klass.orig_log_level = subprocess.check_output(
|
||||||
['systemctl', 'show', '--value', '--property', 'LogLevel'],
|
['systemctl', 'show', '--value', '--property', 'LogLevel'],
|
||||||
universal_newlines=True).strip()
|
universal_newlines=True).strip()
|
||||||
subprocess.check_call(['systemd-analyze', 'set-log-level', 'debug'])
|
subprocess.check_call(['systemd-analyze', 'log-level', 'debug'])
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def tearDownClass(klass):
|
def tearDownClass(klass):
|
||||||
subprocess.check_call(['systemd-analyze', 'set-log-level', klass.orig_log_level])
|
subprocess.check_call(['systemd-analyze', 'log-level', klass.orig_log_level])
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
self.iface = 'test_eth42'
|
self.iface = 'test_eth42'
|
||||||
|