mirror of
https://github.com/systemd/systemd.git
synced 2025-01-10 05:18:17 +03:00
Merge pull request #6952 from poettering/seccomp-getrlimit
a seccomp fix regarding ugetrlimit/prlimit64
This commit is contained in:
commit
be03929503
@ -136,7 +136,6 @@ static int seccomp_add_default_syscall_filter(
|
||||
{ 0, "syncfs" },
|
||||
{ 0, "sysinfo" },
|
||||
{ 0, "tee" },
|
||||
{ 0, "ugetrlimit" },
|
||||
{ 0, "umask" },
|
||||
{ 0, "uname" },
|
||||
{ 0, "userfaultfd" },
|
||||
|
@ -306,6 +306,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||
"membarrier\0"
|
||||
"nanosleep\0"
|
||||
"pause\0"
|
||||
"prlimit64\0"
|
||||
"restart_syscall\0"
|
||||
"rt_sigreturn\0"
|
||||
"sched_yield\0"
|
||||
@ -314,6 +315,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||
"set_tid_address\0"
|
||||
"sigreturn\0"
|
||||
"time\0"
|
||||
"ugetrlimit\0"
|
||||
},
|
||||
[SYSCALL_FILTER_SET_BASIC_IO] = {
|
||||
.name = "@basic-io",
|
||||
@ -693,7 +695,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||
"migrate_pages\0"
|
||||
"move_pages\0"
|
||||
"nice\0"
|
||||
"prlimit64\0"
|
||||
"sched_setaffinity\0"
|
||||
"sched_setattr\0"
|
||||
"sched_setparam\0"
|
||||
@ -806,8 +807,8 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
|
||||
|
||||
id = seccomp_syscall_resolve_name(name);
|
||||
if (id == __NR_SCMP_ERROR) {
|
||||
log_debug("System call %s is not known!", name);
|
||||
return -EINVAL; /* Not known at all? Then that's a real error */
|
||||
log_debug("System call %s is not known, ignoring.", name);
|
||||
return 0;
|
||||
}
|
||||
|
||||
r = seccomp_rule_add_exact(seccomp, action, id, 0);
|
||||
@ -1186,7 +1187,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
|
||||
if (r < 0)
|
||||
break;
|
||||
}
|
||||
|
||||
if (r < 0) {
|
||||
log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
|
||||
continue;
|
||||
@ -1211,7 +1211,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
|
||||
if (r < 0)
|
||||
break;
|
||||
}
|
||||
|
||||
if (r < 0) {
|
||||
log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
|
||||
continue;
|
||||
@ -1452,7 +1451,13 @@ int seccomp_restrict_archs(Set *archs) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
return seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (IN_SET(r, -EPERM, -EACCES))
|
||||
return r;
|
||||
if (r < 0)
|
||||
log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int parse_syscall_archs(char **l, Set **archs) {
|
||||
@ -1500,7 +1505,6 @@ int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) {
|
||||
if (!more)
|
||||
return -ENXIO;
|
||||
|
||||
|
||||
r = seccomp_filter_set_add(filter, add, more);
|
||||
if (r < 0)
|
||||
return r;
|
||||
@ -1508,8 +1512,10 @@ int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) {
|
||||
int id;
|
||||
|
||||
id = seccomp_syscall_resolve_name(i);
|
||||
if (id == __NR_SCMP_ERROR)
|
||||
return -ENXIO;
|
||||
if (id == __NR_SCMP_ERROR) {
|
||||
log_debug("Couldn't resolve system call, ignoring: %s", i);
|
||||
continue;
|
||||
}
|
||||
|
||||
if (add) {
|
||||
r = set_put(filter, INT_TO_PTR(id + 1));
|
||||
@ -1543,8 +1549,10 @@ int seccomp_lock_personality(unsigned long personality) {
|
||||
SCMP_SYS(personality),
|
||||
1,
|
||||
SCMP_A0(SCMP_CMP_NE, personality));
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r < 0) {
|
||||
log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
|
||||
continue;
|
||||
}
|
||||
|
||||
r = seccomp_load(seccomp);
|
||||
if (IN_SET(r, -EPERM, -EACCES))
|
||||
|
Loading…
Reference in New Issue
Block a user