1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-25 01:34:28 +03:00

Merge pull request #4087 from fsateler/detect-seccomp-filter

seccomp: also detect if seccomp filtering is available
This commit is contained in:
Evgeny Vereshchagin 2016-09-07 06:44:06 +03:00 committed by GitHub
commit c5d5fc91eb
4 changed files with 22 additions and 10 deletions

1
README
View File

@ -79,6 +79,7 @@ REQUIREMENTS:
CONFIG_TMPFS_XATTR
CONFIG_{TMPFS,EXT4,XFS,BTRFS_FS,...}_POSIX_ACL
CONFIG_SECCOMP
CONFIG_SECCOMP_FILTER (required for seccomp support)
CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall)
Required for CPUShares= in resource control unit settings

View File

@ -1077,7 +1077,7 @@ static void rename_process_from_path(const char *path) {
static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
if (!is_seccomp_available()) {
log_open();
log_unit_debug(u, "SECCOMP not detected in the kernel, skipping %s", msg);
log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
log_close();
return true;
}

View File

@ -130,6 +130,11 @@ int setup_seccomp(uint64_t cap_list_retain) {
scmp_filter_ctx seccomp;
int r;
if (!is_seccomp_available()) {
log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP audit filter");
return 0;
}
seccomp = seccomp_init(SCMP_ACT_ALLOW);
if (!seccomp)
return log_oom();
@ -173,11 +178,6 @@ int setup_seccomp(uint64_t cap_list_retain) {
}
r = seccomp_load(seccomp);
if (r == -EINVAL) {
log_debug_errno(r, "Kernel is probably not configured with CONFIG_SECCOMP. Disabling seccomp audit filter: %m");
r = 0;
goto finish;
}
if (r < 0) {
log_error_errno(r, "Failed to install seccomp audit filter: %m");
goto finish;

View File

@ -20,9 +20,9 @@
#include <errno.h>
#include <seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include "alloc-util.h"
#include "fileio.h"
#include "macro.h"
#include "seccomp-util.h"
#include "string-util.h"
@ -91,11 +91,22 @@ int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
}
static bool is_basic_seccomp_available(void) {
int r;
r = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
return r >= 0;
}
static bool is_seccomp_filter_available(void) {
int r;
r = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
return r < 0 && errno == EFAULT;
}
bool is_seccomp_available(void) {
_cleanup_free_ char* field = NULL;
static int cached_enabled = -1;
if (cached_enabled < 0)
cached_enabled = get_proc_field("/proc/self/status", "Seccomp", "\n", &field) == 0;
cached_enabled = is_basic_seccomp_available() && is_seccomp_filter_available();
return cached_enabled;
}