Merge pull request #4087 from fsateler/detect-seccomp-filter
seccomp: also detect if seccomp filtering is available
c5d5fc91eb
1
README
1
README
@ -79,6 +79,7 @@ REQUIREMENTS:
|
||||
CONFIG_TMPFS_XATTR
|
||||
CONFIG_{TMPFS,EXT4,XFS,BTRFS_FS,...}_POSIX_ACL
|
||||
CONFIG_SECCOMP
|
||||
CONFIG_SECCOMP_FILTER (required for seccomp support)
|
||||
CONFIG_CHECKPOINT_RESTORE (for the kcmp() syscall)
|
||||
|
||||
Required for CPUShares= in resource control unit settings
|
||||
|
@ -1077,7 +1077,7 @@ static void rename_process_from_path(const char *path) {
|
||||
static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
|
||||
if (!is_seccomp_available()) {
|
||||
log_open();
|
||||
log_unit_debug(u, "SECCOMP not detected in the kernel, skipping %s", msg);
|
||||
log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
|
||||
log_close();
|
||||
return true;
|
||||
}
|
||||
|
@ -130,6 +130,11 @@ int setup_seccomp(uint64_t cap_list_retain) {
|
||||
scmp_filter_ctx seccomp;
|
||||
int r;
|
||||
|
||||
if (!is_seccomp_available()) {
|
||||
log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP audit filter");
|
||||
return 0;
|
||||
}
|
||||
|
||||
seccomp = seccomp_init(SCMP_ACT_ALLOW);
|
||||
if (!seccomp)
|
||||
return log_oom();
|
||||
@ -173,11 +178,6 @@ int setup_seccomp(uint64_t cap_list_retain) {
|
||||
}
|
||||
|
||||
r = seccomp_load(seccomp);
|
||||
if (r == -EINVAL) {
|
||||
log_debug_errno(r, "Kernel is probably not configured with CONFIG_SECCOMP. Disabling seccomp audit filter: %m");
|
||||
r = 0;
|
||||
goto finish;
|
||||
}
|
||||
if (r < 0) {
|
||||
log_error_errno(r, "Failed to install seccomp audit filter: %m");
|
||||
goto finish;
|
||||
|
@ -20,9 +20,9 @@
|
||||
#include <errno.h>
|
||||
#include <seccomp.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/prctl.h>
|
||||
#include <linux/seccomp.h>
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "fileio.h"
|
||||
#include "macro.h"
|
||||
#include "seccomp-util.h"
|
||||
#include "string-util.h"
|
||||
@ -91,11 +91,22 @@ int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
|
||||
|
||||
}
|
||||
|
||||
static bool is_basic_seccomp_available(void) {
|
||||
int r;
|
||||
r = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
|
||||
return r >= 0;
|
||||
}
|
||||
|
||||
static bool is_seccomp_filter_available(void) {
|
||||
int r;
|
||||
r = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
|
||||
return r < 0 && errno == EFAULT;
|
||||
}
|
||||
|
||||
bool is_seccomp_available(void) {
|
||||
_cleanup_free_ char* field = NULL;
|
||||
static int cached_enabled = -1;
|
||||
if (cached_enabled < 0)
|
||||
cached_enabled = get_proc_field("/proc/self/status", "Seccomp", "\n", &field) == 0;
|
||||
cached_enabled = is_basic_seccomp_available() && is_seccomp_filter_available();
|
||||
return cached_enabled;
|
||||
}
|
||||
|
||||
|
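Review bot: The detection in `is_seccomp_filter_available()` depends on an undocumented kernel contract: passing a NULL fprog to PR_SET_SECCOMP/SECCOMP_MODE_FILTER must fail with EFAULT while copying the program on a kernel that has CONFIG_SECCOMP_FILTER, and with EINVAL on one that does not, before any no_new_privs or capability check is applied; the hunk should say so, e.g. `/* NULL fprog: a filter-capable kernel fails with EFAULT while copying the program, a kernel without CONFIG_SECCOMP_FILTER rejects the mode with EINVAL first. */` above the prctl() call. The PR_GET_SECCOMP probe in `is_basic_seccomp_available()` also deserves a caveat, since prctl(2) documents that this operation kills the caller with SIGKILL when it is already in SECCOMP_MODE_STRICT, so a comment such as `/* Fatal (SIGKILL) if the caller is already in strict mode; assumes we never are. */` makes the assumption explicit. Any errno other than EFAULT (for instance EACCES) is treated as "filter unavailable", which is presumably intended but worth a word in the same comment. The `static int cached_enabled` in `is_seccomp_available()` is updated without synchronization, which is fine if the function is only ever called from one thread, as appears to be the case, but a note to that effect would help future callers.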