mirror of
https://github.com/systemd/systemd
synced 2026-04-24 16:04:51 +02:00
Compare commits
No commits in common. "3b6288f6becf0e55da6de9ff55e824c2ada93f2c" and "2c4263f987030a3a5c6a64799c40a8ff6e33b0d2" have entirely different histories.
3b6288f6be
...
2c4263f987
@ -1147,7 +1147,6 @@ libseccomp = dependency('libseccomp',
|
||||
version : '>= 2.3.1',
|
||||
required : get_option('seccomp'))
|
||||
conf.set10('HAVE_SECCOMP', libseccomp.found())
|
||||
libseccomp_cflags = libseccomp.partial_dependency(includes: true, compile_args: true)
|
||||
|
||||
libselinux = dependency('libselinux',
|
||||
version : '>= 2.1.9',
|
||||
|
||||
@ -37,7 +37,6 @@ Packages=
|
||||
btrfs-progs
|
||||
apt
|
||||
bind9-dnsutils
|
||||
bsdutils
|
||||
cryptsetup-bin
|
||||
dbus-broker
|
||||
dbus-user-session
|
||||
|
||||
@ -14,7 +14,7 @@
|
||||
[ -n "${BASH_VERSION:-}" ] || return 0
|
||||
|
||||
__systemd_osc_context_escape() {
|
||||
# Escape according to the OSC 3008 spec. Since this requires shelling out
|
||||
# Escape according to the OSC 8003 spec. Since this requires shelling out
|
||||
# to 'sed' we'll only do it where it's strictly necessary, and skip it when
|
||||
# processing strings we are pretty sure we won't need it for, such as
|
||||
# uuids, id128, hostnames, usernames, since they all come with syntax
|
||||
@ -33,11 +33,11 @@ __systemd_osc_context_precmdline() {
|
||||
# Close previous command
|
||||
if [ -n "${systemd_osc_context_cmd_id:-}" ]; then
|
||||
if [ "$systemd_exitstatus" -ge 127 ]; then
|
||||
printf "\033]3008;end=%s;exit=interrupt;signal=%s\033\\" "$systemd_osc_context_cmd_id" $((systemd_exitstatus-127))
|
||||
printf "\033]8003;end=%s;exit=interrupt;signal=%s\033\\" "$systemd_osc_context_cmd_id" $((systemd_exitstatus-127))
|
||||
elif [ "$systemd_exitstatus" -ne 0 ]; then
|
||||
printf "\033]3008;end=%s;exit=failure;status=%s\033\\" "$systemd_osc_context_cmd_id" $((systemd_exitstatus))
|
||||
printf "\033]8003;end=%s;exit=failure;status=%s\033\\" "$systemd_osc_context_cmd_id" $((systemd_exitstatus))
|
||||
else
|
||||
printf "\033]3008;end=%s;exit=success\033\\" "$systemd_osc_context_cmd_id"
|
||||
printf "\033]8003;end=%s;exit=success\033\\" "$systemd_osc_context_cmd_id"
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -47,7 +47,7 @@ __systemd_osc_context_precmdline() {
|
||||
fi
|
||||
|
||||
# Create or update the shell session
|
||||
printf "\033]3008;start=%s%s;type=shell;cwd=%s\033\\" "$systemd_osc_context_shell_id" "$(__systemd_osc_context_common)" "$(__systemd_osc_context_escape "$PWD")"
|
||||
printf "\033]8003;start=%s%s;type=shell;cwd=%s\033\\" "$systemd_osc_context_shell_id" "$(__systemd_osc_context_common)" "$(__systemd_osc_context_escape "$PWD")"
|
||||
|
||||
# Prepare cmd id for next command
|
||||
read -r systemd_osc_context_cmd_id </proc/sys/kernel/random/uuid
|
||||
@ -58,5 +58,5 @@ if [[ -n "${BASH_VERSION:-}" ]] && [[ "${TERM:-}" != "dumb" ]]; then
|
||||
PROMPT_COMMAND+=(__systemd_osc_context_precmdline)
|
||||
|
||||
# PS0 is shown right after a prompt completed, but before the command is executed
|
||||
PS0='\033]3008;start=$systemd_osc_context_cmd_id$(__systemd_osc_context_common);type=command;cwd=$(__systemd_osc_context_escape "$PWD")\033\\'"${PS0:-}"
|
||||
PS0='\033]8003;start=$systemd_osc_context_cmd_id$(__systemd_osc_context_common);type=command;cwd=$(__systemd_osc_context_escape "$PWD")\033\\'"${PS0:-}"
|
||||
fi
|
||||
|
||||
@ -568,7 +568,7 @@ static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilter
|
||||
}
|
||||
|
||||
/* Let's see if the system call actually exists on this platform, before complaining */
|
||||
if (sym_seccomp_syscall_resolve_name(syscall) < 0)
|
||||
if (seccomp_syscall_resolve_name(syscall) < 0)
|
||||
continue;
|
||||
|
||||
if (set_contains(s, syscall) == allow_list) {
|
||||
@ -602,13 +602,6 @@ static int assess_system_call_filter(
|
||||
uint64_t b;
|
||||
int r;
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0) {
|
||||
*ret_badness = UINT64_MAX;
|
||||
*ret_description = NULL;
|
||||
return r;
|
||||
}
|
||||
|
||||
if (!info->system_call_filter_allow_list && set_isempty(info->system_call_filter)) {
|
||||
r = strdup_to(&d, "Service does not filter system calls");
|
||||
b = 10;
|
||||
@ -2446,8 +2439,6 @@ static int analyze_security_one(sd_bus *bus,
|
||||
|
||||
/* Refactoring SecurityInfo so that it can make use of existing struct variables instead of reading from dbus */
|
||||
static int get_security_info(Unit *u, ExecContext *c, CGroupContext *g, SecurityInfo **ret_info) {
|
||||
int r;
|
||||
|
||||
assert(ret_info);
|
||||
|
||||
_cleanup_(security_info_freep) SecurityInfo *info = security_info_new();
|
||||
@ -2577,35 +2568,32 @@ static int get_security_info(Unit *u, ExecContext *c, CGroupContext *g, Security
|
||||
info->_umask = c->umask;
|
||||
|
||||
#if HAVE_SECCOMP
|
||||
r = dlopen_libseccomp();
|
||||
if (r >= 0) {
|
||||
SET_FOREACH(key, c->syscall_archs) {
|
||||
const char *name;
|
||||
SET_FOREACH(key, c->syscall_archs) {
|
||||
const char *name;
|
||||
|
||||
name = seccomp_arch_to_string(PTR_TO_UINT32(key) - 1);
|
||||
if (!name)
|
||||
continue;
|
||||
name = seccomp_arch_to_string(PTR_TO_UINT32(key) - 1);
|
||||
if (!name)
|
||||
continue;
|
||||
|
||||
if (set_put_strdup(&info->system_call_architectures, name) < 0)
|
||||
return log_oom();
|
||||
}
|
||||
if (set_put_strdup(&info->system_call_architectures, name) < 0)
|
||||
return log_oom();
|
||||
}
|
||||
|
||||
info->system_call_filter_allow_list = c->syscall_allow_list;
|
||||
info->system_call_filter_allow_list = c->syscall_allow_list;
|
||||
|
||||
void *id, *num;
|
||||
HASHMAP_FOREACH_KEY(num, id, c->syscall_filter) {
|
||||
_cleanup_free_ char *name = NULL;
|
||||
void *id, *num;
|
||||
HASHMAP_FOREACH_KEY(num, id, c->syscall_filter) {
|
||||
_cleanup_free_ char *name = NULL;
|
||||
|
||||
if (info->system_call_filter_allow_list && PTR_TO_INT(num) >= 0)
|
||||
continue;
|
||||
if (info->system_call_filter_allow_list && PTR_TO_INT(num) >= 0)
|
||||
continue;
|
||||
|
||||
name = sym_seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
|
||||
if (!name)
|
||||
continue;
|
||||
name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
|
||||
if (!name)
|
||||
continue;
|
||||
|
||||
if (set_ensure_consume(&info->system_call_filter, &string_hash_ops_free, TAKE_PTR(name)) < 0)
|
||||
return log_oom();
|
||||
}
|
||||
if (set_ensure_consume(&info->system_call_filter, &string_hash_ops_free, TAKE_PTR(name)) < 0)
|
||||
return log_oom();
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -53,7 +53,7 @@ executables += [
|
||||
libcore,
|
||||
libshared,
|
||||
],
|
||||
'dependencies' : libseccomp_cflags,
|
||||
'dependencies' : libseccomp,
|
||||
'install' : conf.get('ENABLE_ANALYZE') == 1,
|
||||
},
|
||||
core_test_template + {
|
||||
|
||||
@ -1577,10 +1577,6 @@ static bool seccomp_allows_drop_privileges(const ExecContext *c) {
|
||||
|
||||
assert(c);
|
||||
|
||||
/* No libseccomp, all is fine */
|
||||
if (dlopen_libseccomp() < 0)
|
||||
return true;
|
||||
|
||||
/* No syscall filter, we are allowed to drop privileges */
|
||||
if (hashmap_isempty(c->syscall_filter))
|
||||
return true;
|
||||
@ -1588,7 +1584,7 @@ static bool seccomp_allows_drop_privileges(const ExecContext *c) {
|
||||
HASHMAP_FOREACH_KEY(val, id, c->syscall_filter) {
|
||||
_cleanup_free_ char *name = NULL;
|
||||
|
||||
name = sym_seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
|
||||
name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
|
||||
|
||||
if (streq(name, "capget"))
|
||||
have_capget = true;
|
||||
|
||||
@ -1489,29 +1489,27 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
|
||||
fputc('~', f);
|
||||
|
||||
#if HAVE_SECCOMP
|
||||
if (dlopen_libseccomp() >= 0) {
|
||||
void *id, *val;
|
||||
bool first = true;
|
||||
HASHMAP_FOREACH_KEY(val, id, c->syscall_filter) {
|
||||
_cleanup_free_ char *name = NULL;
|
||||
const char *errno_name = NULL;
|
||||
int num = PTR_TO_INT(val);
|
||||
void *id, *val;
|
||||
bool first = true;
|
||||
HASHMAP_FOREACH_KEY(val, id, c->syscall_filter) {
|
||||
_cleanup_free_ char *name = NULL;
|
||||
const char *errno_name = NULL;
|
||||
int num = PTR_TO_INT(val);
|
||||
|
||||
if (first)
|
||||
first = false;
|
||||
if (first)
|
||||
first = false;
|
||||
else
|
||||
fputc(' ', f);
|
||||
|
||||
name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
|
||||
fputs(strna(name), f);
|
||||
|
||||
if (num >= 0) {
|
||||
errno_name = seccomp_errno_or_action_to_string(num);
|
||||
if (errno_name)
|
||||
fprintf(f, ":%s", errno_name);
|
||||
else
|
||||
fputc(' ', f);
|
||||
|
||||
name = sym_seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
|
||||
fputs(strna(name), f);
|
||||
|
||||
if (num >= 0) {
|
||||
errno_name = seccomp_errno_or_action_to_string(num);
|
||||
if (errno_name)
|
||||
fprintf(f, ":%s", errno_name);
|
||||
else
|
||||
fprintf(f, ":%d", num);
|
||||
}
|
||||
fprintf(f, ":%d", num);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
@ -1899,9 +1897,6 @@ char** exec_context_get_syscall_filter(const ExecContext *c) {
|
||||
assert(c);
|
||||
|
||||
#if HAVE_SECCOMP
|
||||
if (dlopen_libseccomp() < 0)
|
||||
return strv_new(NULL);
|
||||
|
||||
void *id, *val;
|
||||
HASHMAP_FOREACH_KEY(val, id, c->syscall_filter) {
|
||||
_cleanup_free_ char *name = NULL;
|
||||
@ -1913,7 +1908,7 @@ char** exec_context_get_syscall_filter(const ExecContext *c) {
|
||||
/* syscall with num >= 0 in allow-list is denied. */
|
||||
continue;
|
||||
|
||||
name = sym_seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
|
||||
name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
|
||||
if (!name)
|
||||
continue;
|
||||
|
||||
@ -1970,14 +1965,11 @@ char** exec_context_get_syscall_log(const ExecContext *c) {
|
||||
assert(c);
|
||||
|
||||
#if HAVE_SECCOMP
|
||||
if (dlopen_libseccomp() < 0)
|
||||
return strv_new(NULL);
|
||||
|
||||
void *id, *val;
|
||||
HASHMAP_FOREACH_KEY(val, id, c->syscall_log) {
|
||||
char *name = NULL;
|
||||
|
||||
name = sym_seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
|
||||
name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
|
||||
if (!name)
|
||||
continue;
|
||||
|
||||
|
||||
@ -136,7 +136,7 @@ libcore_static = static_library(
|
||||
libm,
|
||||
libmount,
|
||||
librt,
|
||||
libseccomp_cflags,
|
||||
libseccomp,
|
||||
libselinux,
|
||||
threads,
|
||||
userspace],
|
||||
@ -199,7 +199,7 @@ executables += [
|
||||
'dependencies' : [
|
||||
libapparmor_cflags,
|
||||
libkmod_cflags,
|
||||
libseccomp_cflags,
|
||||
libseccomp,
|
||||
libselinux,
|
||||
],
|
||||
},
|
||||
@ -212,7 +212,7 @@ executables += [
|
||||
'dependencies' : [
|
||||
libapparmor_cflags,
|
||||
libpam_cflags,
|
||||
libseccomp_cflags,
|
||||
libseccomp,
|
||||
libselinux,
|
||||
],
|
||||
},
|
||||
|
||||
@ -229,7 +229,7 @@ libsystemd_tests += [
|
||||
},
|
||||
{
|
||||
'sources' : files('sd-bus/test-bus-cleanup.c'),
|
||||
'dependencies' : [threads, libseccomp_cflags],
|
||||
'dependencies' : [threads, libseccomp],
|
||||
},
|
||||
{
|
||||
'sources' : files('sd-bus/test-bus-marshal.c'),
|
||||
@ -264,7 +264,7 @@ libsystemd_tests += [
|
||||
},
|
||||
{
|
||||
'sources' : files('sd-bus/test-bus-track.c'),
|
||||
'dependencies' : libseccomp_cflags,
|
||||
'dependencies' : libseccomp,
|
||||
},
|
||||
{
|
||||
'sources' : files('sd-bus/test-bus-watch-bind.c'),
|
||||
|
||||
@ -20,7 +20,6 @@
|
||||
#include "machine-dbus.h"
|
||||
#include "machined.h"
|
||||
#include "mount-util.h"
|
||||
#include "namespace-util.h"
|
||||
#include "operation.h"
|
||||
#include "path-util.h"
|
||||
#include "signal-util.h"
|
||||
@ -356,25 +355,6 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu
|
||||
if (r < 0)
|
||||
return r;
|
||||
user = isempty(user) ? "root" : user;
|
||||
|
||||
/* Ensure only root can shell into the root namespace, unless it's specifically the host machine,
|
||||
* which is owned by uid 0 anyway and cannot be self-registered. This is to avoid unprivileged
|
||||
* users registering a process they own in the root user namespace, and then shelling in as root
|
||||
* or another user. Note that the shell operation is privileged and requires 'auth_admin', so we
|
||||
* do not need to check the caller's uid, as that will be checked by polkit, and if they machine's
|
||||
* and the caller's do not match, authorization will be required. It's only the case where the
|
||||
* caller owns the machine that will be shortcut and needs to be checked here. */
|
||||
if (m->uid != 0 && m->class != MACHINE_HOST) {
|
||||
r = pidref_in_same_namespace(&PIDREF_MAKE_FROM_PID(1), &m->leader, NAMESPACE_USER);
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r != 0)
|
||||
return sd_bus_error_set(
|
||||
error,
|
||||
SD_BUS_ERROR_ACCESS_DENIED,
|
||||
"Only root may shell into the root user namespace");
|
||||
}
|
||||
|
||||
r = sd_bus_message_read_strv(message, &args_wire);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -30,7 +30,7 @@ generated_sources += nspawn_gperf_c
|
||||
nspawn_extract_sources += nspawn_gperf_c
|
||||
|
||||
nspawn_common_template = {
|
||||
'dependencies' : libseccomp_cflags,
|
||||
'dependencies' : libseccomp,
|
||||
'objects' : ['systemd-nspawn'],
|
||||
}
|
||||
nspawn_test_template = test_template + nspawn_common_template
|
||||
@ -47,7 +47,7 @@ executables += [
|
||||
],
|
||||
'extract' : nspawn_extract_sources,
|
||||
'dependencies' : [
|
||||
libseccomp_cflags,
|
||||
libseccomp,
|
||||
libselinux,
|
||||
],
|
||||
},
|
||||
|
||||
@ -1691,7 +1691,7 @@ static int oci_seccomp_archs(const char *name, sd_json_variant *v, sd_json_dispa
|
||||
if (r < 0)
|
||||
return json_log(e, flags, r, "Unknown architecture: %s", sd_json_variant_string(e));
|
||||
|
||||
r = sym_seccomp_arch_add(sc, a);
|
||||
r = seccomp_arch_add(sc, a);
|
||||
if (r == -EEXIST)
|
||||
continue;
|
||||
if (r < 0)
|
||||
@ -1810,13 +1810,13 @@ static int oci_seccomp_syscalls(const char *name, sd_json_variant *v, sd_json_di
|
||||
STRV_FOREACH(i, rule.names) {
|
||||
int nr;
|
||||
|
||||
nr = sym_seccomp_syscall_resolve_name(*i);
|
||||
nr = seccomp_syscall_resolve_name(*i);
|
||||
if (nr == __NR_SCMP_ERROR) {
|
||||
log_debug("Unknown syscall %s, skipping.", *i);
|
||||
continue;
|
||||
}
|
||||
|
||||
r = sym_seccomp_rule_add_array(sc, rule.action, nr, rule.n_arguments, rule.arguments);
|
||||
r = seccomp_rule_add_array(sc, rule.action, nr, rule.n_arguments, rule.arguments);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
@ -1853,11 +1853,7 @@ static int oci_seccomp(const char *name, sd_json_variant *v, sd_json_dispatch_fl
|
||||
if (r < 0)
|
||||
return json_log(def, flags, r, "Unknown default action: %s", sd_json_variant_string(def));
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return json_log(def, flags, r, "No support for libseccomp: %m");
|
||||
|
||||
sc = sym_seccomp_init(d);
|
||||
sc = seccomp_init(d);
|
||||
if (!sc)
|
||||
return json_log(v, flags, SYNTHETIC_ERRNO(ENOMEM), "Couldn't allocate seccomp object.");
|
||||
|
||||
@ -1865,7 +1861,7 @@ static int oci_seccomp(const char *name, sd_json_variant *v, sd_json_dispatch_fl
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
sym_seccomp_release(s->seccomp);
|
||||
seccomp_release(s->seccomp);
|
||||
s->seccomp = TAKE_PTR(sc);
|
||||
return 0;
|
||||
#else
|
||||
|
||||
@ -163,7 +163,7 @@ static int add_syscall_filters(
|
||||
|
||||
#if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) || SCMP_VER_MAJOR > 2
|
||||
/* We have a large filter here, so let's turn on the binary tree mode if possible. */
|
||||
r = sym_seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
|
||||
r = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");
|
||||
#endif
|
||||
@ -195,7 +195,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return log_error_errno(r, "Failed to install seccomp filter: %m");
|
||||
if (r < 0)
|
||||
@ -220,7 +220,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy
|
||||
as indication that audit is disabled in the kernel.
|
||||
*/
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EAFNOSUPPORT),
|
||||
SCMP_SYS(socket),
|
||||
@ -232,7 +232,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy
|
||||
continue;
|
||||
}
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return log_error_errno(r, "Failed to install seccomp audit filter: %m");
|
||||
if (r < 0)
|
||||
|
||||
@ -167,8 +167,7 @@ Settings* settings_free(Settings *s) {
|
||||
strv_free(s->sysctl);
|
||||
|
||||
#if HAVE_SECCOMP
|
||||
if (s->seccomp)
|
||||
sym_seccomp_release(s->seccomp);
|
||||
seccomp_release(s->seccomp);
|
||||
#endif
|
||||
|
||||
return mfree(s);
|
||||
|
||||
@ -3507,7 +3507,7 @@ static int inner_child(
|
||||
if (arg_seccomp) {
|
||||
|
||||
if (is_seccomp_available()) {
|
||||
r = sym_seccomp_load(arg_seccomp);
|
||||
r = seccomp_load(arg_seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return log_error_errno(r, "Failed to install seccomp filter: %m");
|
||||
if (r < 0)
|
||||
@ -4835,7 +4835,7 @@ static int merge_settings(Settings *settings, const char *path) {
|
||||
if (!arg_settings_trusted)
|
||||
log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path);
|
||||
else {
|
||||
sym_seccomp_release(arg_seccomp);
|
||||
seccomp_release(arg_seccomp);
|
||||
arg_seccomp = TAKE_PTR(settings->seccomp);
|
||||
}
|
||||
}
|
||||
|
||||
@ -147,7 +147,7 @@ static int dns_query_candidate_next_search_domain(DnsQueryCandidate *c) {
|
||||
dns_search_domain_unref(c->search_domain);
|
||||
c->search_domain = dns_search_domain_ref(next);
|
||||
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int dns_query_candidate_add_transaction(
|
||||
|
||||
@ -640,8 +640,8 @@ static int verify_xbootldr_blkid(
|
||||
"%s: Partition has wrong PART_ENTRY_TYPE=%s for XBOOTLDR partition.", node, v);
|
||||
|
||||
r = blkid_probe_lookup_value_id128(b, "PART_ENTRY_UUID", &uuid);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "%s: Failed to probe PART_ENTRY_UUID: %m", node);
|
||||
if (r != 0)
|
||||
return log_error_errno(errno_or_else(EIO), "%s: Failed to probe PART_ENTRY_UUID: %m", node);
|
||||
|
||||
} else if (streq(type, "dos")) {
|
||||
|
||||
|
||||
@ -327,7 +327,7 @@ libshared_deps = [threads,
|
||||
libp11kit_cflags,
|
||||
libpam_cflags,
|
||||
librt,
|
||||
libseccomp_cflags,
|
||||
libseccomp,
|
||||
libselinux,
|
||||
libxenctrl_cflags,
|
||||
libxz_cflags,
|
||||
|
||||
@ -32,46 +32,6 @@
|
||||
#include "strv.h"
|
||||
|
||||
#if HAVE_SECCOMP
|
||||
static void *libseccomp_dl = NULL;
|
||||
|
||||
DLSYM_PROTOTYPE(seccomp_api_get) = NULL;
|
||||
DLSYM_PROTOTYPE(seccomp_arch_add) = NULL;
|
||||
DLSYM_PROTOTYPE(seccomp_arch_exist) = NULL;
|
||||
DLSYM_PROTOTYPE(seccomp_arch_native) = NULL;
|
||||
DLSYM_PROTOTYPE(seccomp_arch_remove) = NULL;
|
||||
DLSYM_PROTOTYPE(seccomp_attr_set) = NULL;
|
||||
DLSYM_PROTOTYPE(seccomp_init) = NULL;
|
||||
DLSYM_PROTOTYPE(seccomp_load) = NULL;
|
||||
DLSYM_PROTOTYPE(seccomp_release) = NULL;
|
||||
DLSYM_PROTOTYPE(seccomp_rule_add_array) = NULL;
|
||||
DLSYM_PROTOTYPE(seccomp_rule_add_exact) = NULL;
|
||||
DLSYM_PROTOTYPE(seccomp_syscall_resolve_name) = NULL;
|
||||
DLSYM_PROTOTYPE(seccomp_syscall_resolve_num_arch) = NULL;
|
||||
|
||||
int dlopen_libseccomp(void) {
|
||||
ELF_NOTE_DLOPEN("seccomp",
|
||||
"Support for Seccomp Sandboxes",
|
||||
ELF_NOTE_DLOPEN_PRIORITY_RECOMMENDED,
|
||||
"libseccomp.so.2");
|
||||
|
||||
return dlopen_many_sym_or_warn(
|
||||
&libseccomp_dl,
|
||||
"libseccomp.so.2",
|
||||
LOG_DEBUG,
|
||||
DLSYM_ARG(seccomp_api_get),
|
||||
DLSYM_ARG(seccomp_arch_add),
|
||||
DLSYM_ARG(seccomp_arch_exist),
|
||||
DLSYM_ARG(seccomp_arch_native),
|
||||
DLSYM_ARG(seccomp_arch_remove),
|
||||
DLSYM_ARG(seccomp_attr_set),
|
||||
DLSYM_ARG(seccomp_init),
|
||||
DLSYM_ARG(seccomp_load),
|
||||
DLSYM_ARG(seccomp_release),
|
||||
DLSYM_ARG(seccomp_rule_add_array),
|
||||
DLSYM_ARG(seccomp_rule_add_exact),
|
||||
DLSYM_ARG(seccomp_syscall_resolve_name),
|
||||
DLSYM_ARG(seccomp_syscall_resolve_num_arch));
|
||||
}
|
||||
|
||||
/* This array will be modified at runtime as seccomp_restrict_archs is called. */
|
||||
uint32_t seccomp_local_archs[] = {
|
||||
@ -286,44 +246,40 @@ int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_
|
||||
/* Much like seccomp_init(), but initializes the filter for one specific architecture only, without affecting
|
||||
* any others. Also, turns off the NNP fiddling. */
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
seccomp = sym_seccomp_init(default_action);
|
||||
seccomp = seccomp_init(default_action);
|
||||
if (!seccomp)
|
||||
return -ENOMEM;
|
||||
|
||||
if (arch != SCMP_ARCH_NATIVE &&
|
||||
arch != sym_seccomp_arch_native()) {
|
||||
arch != seccomp_arch_native()) {
|
||||
|
||||
r = sym_seccomp_arch_remove(seccomp, sym_seccomp_arch_native());
|
||||
r = seccomp_arch_remove(seccomp, seccomp_arch_native());
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = sym_seccomp_arch_add(seccomp, arch);
|
||||
r = seccomp_arch_add(seccomp, arch);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
assert(sym_seccomp_arch_exist(seccomp, arch) >= 0);
|
||||
assert(sym_seccomp_arch_exist(seccomp, SCMP_ARCH_NATIVE) == -EEXIST);
|
||||
assert(sym_seccomp_arch_exist(seccomp, sym_seccomp_arch_native()) == -EEXIST);
|
||||
assert(seccomp_arch_exist(seccomp, arch) >= 0);
|
||||
assert(seccomp_arch_exist(seccomp, SCMP_ARCH_NATIVE) == -EEXIST);
|
||||
assert(seccomp_arch_exist(seccomp, seccomp_arch_native()) == -EEXIST);
|
||||
} else {
|
||||
assert(sym_seccomp_arch_exist(seccomp, SCMP_ARCH_NATIVE) >= 0);
|
||||
assert(sym_seccomp_arch_exist(seccomp, sym_seccomp_arch_native()) >= 0);
|
||||
assert(seccomp_arch_exist(seccomp, SCMP_ARCH_NATIVE) >= 0);
|
||||
assert(seccomp_arch_exist(seccomp, seccomp_arch_native()) >= 0);
|
||||
}
|
||||
|
||||
r = sym_seccomp_attr_set(seccomp, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ALLOW);
|
||||
r = seccomp_attr_set(seccomp, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ALLOW);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = sym_seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
|
||||
r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
#if SCMP_VER_MAJOR >= 3 || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 4)
|
||||
if (getenv_bool("SYSTEMD_LOG_SECCOMP") > 0) {
|
||||
r = sym_seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_LOG, 1);
|
||||
r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_LOG, 1);
|
||||
if (r < 0)
|
||||
log_debug_errno(r, "Failed to enable seccomp event logging: %m");
|
||||
}
|
||||
@ -346,10 +302,9 @@ bool is_seccomp_available(void) {
|
||||
static int cached_enabled = -1;
|
||||
|
||||
if (cached_enabled < 0) {
|
||||
if (dlopen_libseccomp() < 0)
|
||||
return (cached_enabled = false);
|
||||
int b;
|
||||
|
||||
int b = secure_getenv_bool("SYSTEMD_SECCOMP");
|
||||
b = secure_getenv_bool("SYSTEMD_SECCOMP");
|
||||
if (b != 0) {
|
||||
if (b < 0 && b != -ENXIO) /* ENXIO: env var unset */
|
||||
log_debug_errno(b, "Failed to parse $SYSTEMD_SECCOMP value, ignoring.");
|
||||
@ -1094,18 +1049,14 @@ int seccomp_add_syscall_filter_item(
|
||||
} else {
|
||||
int id, r;
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
id = sym_seccomp_syscall_resolve_name(name);
|
||||
id = seccomp_syscall_resolve_name(name);
|
||||
if (id == __NR_SCMP_ERROR) {
|
||||
if (log_missing)
|
||||
log_debug("System call %s is not known, ignoring.", name);
|
||||
return 0;
|
||||
}
|
||||
|
||||
r = sym_seccomp_rule_add_exact(seccomp, action, id, 0);
|
||||
r = seccomp_rule_add_exact(seccomp, action, id, 0);
|
||||
if (r < 0) {
|
||||
/* If the system call is not known on this architecture, then that's fine, let's ignore it */
|
||||
bool ignore = r == -EDOM;
|
||||
@ -1176,10 +1127,6 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
|
||||
/* The one-stop solution: allocate a seccomp object, add the specified filter to it, and apply it. Once for
|
||||
* each local arch. */
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
default_action_override = override_default_action(default_action);
|
||||
|
||||
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
|
||||
@ -1200,7 +1147,7 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
|
||||
NULSTR_FOREACH(name, syscall_filter_sets[SYSCALL_FILTER_SET_KNOWN].value) {
|
||||
int id;
|
||||
|
||||
id = sym_seccomp_syscall_resolve_name(name);
|
||||
id = seccomp_syscall_resolve_name(name);
|
||||
if (id < 0)
|
||||
continue;
|
||||
|
||||
@ -1208,7 +1155,7 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
|
||||
if (strv_contains(added, name))
|
||||
continue;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(seccomp, default_action, id, 0);
|
||||
r = seccomp_rule_add_exact(seccomp, default_action, id, 0);
|
||||
if (r < 0 && r != -EDOM) /* EDOM means that the syscall is not available for arch */
|
||||
return log_debug_errno(r, "Failed to add rule for system call %s() / %d: %m",
|
||||
name, id);
|
||||
@ -1216,12 +1163,12 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
|
||||
|
||||
#if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) || SCMP_VER_MAJOR > 2
|
||||
/* We have a large filter here, so let's turn on the binary tree mode if possible. */
|
||||
r = sym_seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_OPTIMIZE, 2);
|
||||
r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_OPTIMIZE, 2);
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");
|
||||
#endif
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return r;
|
||||
if (r < 0)
|
||||
@ -1242,10 +1189,6 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
|
||||
if (hashmap_isempty(filter) && default_action == SCMP_ACT_ALLOW)
|
||||
return 0;
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
default_action_override = override_default_action(default_action);
|
||||
|
||||
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
|
||||
@ -1272,14 +1215,14 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
|
||||
else if (error >= 0)
|
||||
a = SCMP_ACT_ERRNO(error);
|
||||
|
||||
r = sym_seccomp_rule_add_exact(seccomp, a, id, 0);
|
||||
r = seccomp_rule_add_exact(seccomp, a, id, 0);
|
||||
if (r < 0) {
|
||||
/* If the system call is not known on this architecture, then that's
|
||||
* fine, let's ignore it */
|
||||
_cleanup_free_ char *n = NULL;
|
||||
bool ignore;
|
||||
|
||||
n = sym_seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, id);
|
||||
n = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, id);
|
||||
ignore = r == -EDOM;
|
||||
if (!ignore || log_missing)
|
||||
log_debug_errno(r, "Failed to add rule for system call %s() / %d%s: %m",
|
||||
@ -1293,7 +1236,7 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
|
||||
NULSTR_FOREACH(name, syscall_filter_sets[SYSCALL_FILTER_SET_KNOWN].value) {
|
||||
int id;
|
||||
|
||||
id = sym_seccomp_syscall_resolve_name(name);
|
||||
id = seccomp_syscall_resolve_name(name);
|
||||
if (id < 0)
|
||||
continue;
|
||||
|
||||
@ -1301,7 +1244,7 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
|
||||
if (hashmap_contains(filter, INT_TO_PTR(id + 1)))
|
||||
continue;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(seccomp, default_action, id, 0);
|
||||
r = seccomp_rule_add_exact(seccomp, default_action, id, 0);
|
||||
if (r < 0 && r != -EDOM) /* EDOM means that the syscall is not available for arch */
|
||||
return log_debug_errno(r, "Failed to add rule for system call %s() / %d: %m",
|
||||
name, id);
|
||||
@ -1309,12 +1252,12 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
|
||||
|
||||
#if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) || SCMP_VER_MAJOR > 2
|
||||
/* We have a large filter here, so let's turn on the binary tree mode if possible. */
|
||||
r = sym_seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_OPTIMIZE, 2);
|
||||
r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_OPTIMIZE, 2);
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");
|
||||
#endif
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return r;
|
||||
if (r < 0)
|
||||
@ -1367,17 +1310,7 @@ int seccomp_parse_syscall_filter(
|
||||
} else {
|
||||
int id;
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0) {
|
||||
if (!FLAGS_SET(flags, SECCOMP_PARSE_PERMISSIVE))
|
||||
return r;
|
||||
|
||||
log_syntax(unit, FLAGS_SET(flags, SECCOMP_PARSE_LOG) ? LOG_WARNING : LOG_DEBUG, filename, line, r,
|
||||
"System call %s cannot be resolved as libseccomp is not available, ignoring: %m", name);
|
||||
return 0;
|
||||
}
|
||||
|
||||
id = sym_seccomp_syscall_resolve_name(name);
|
||||
id = seccomp_syscall_resolve_name(name);
|
||||
if (id == __NR_SCMP_ERROR) {
|
||||
if (!FLAGS_SET(flags, SECCOMP_PARSE_PERMISSIVE))
|
||||
return -EINVAL;
|
||||
@ -1425,10 +1358,6 @@ int seccomp_restrict_namespaces(unsigned long retain) {
|
||||
if (FLAGS_SET(retain, NAMESPACE_FLAGS_ALL))
|
||||
return 0;
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
|
||||
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
|
||||
|
||||
@ -1445,7 +1374,7 @@ int seccomp_restrict_namespaces(unsigned long retain) {
|
||||
* C.f. https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330,
|
||||
* https://github.com/moby/moby/issues/42680. */
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(ENOSYS),
|
||||
SCMP_SYS(clone3),
|
||||
@ -1457,7 +1386,7 @@ int seccomp_restrict_namespaces(unsigned long retain) {
|
||||
if ((retain & NAMESPACE_FLAGS_ALL) == 0)
|
||||
/* If every single kind of namespace shall be prohibited, then let's block the whole
|
||||
* setns() syscall altogether. */
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(setns),
|
||||
@ -1465,7 +1394,7 @@ int seccomp_restrict_namespaces(unsigned long retain) {
|
||||
else
|
||||
/* Otherwise, block only the invocations with the appropriate flags in the loop
|
||||
* below, but also the special invocation with a zero flags argument, right here. */
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(setns),
|
||||
@ -1488,7 +1417,7 @@ int seccomp_restrict_namespaces(unsigned long retain) {
|
||||
|
||||
log_trace("Blocking %s.", namespace_info[i].proc_name);
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(unshare),
|
||||
@ -1502,14 +1431,14 @@ int seccomp_restrict_namespaces(unsigned long retain) {
|
||||
|
||||
/* On s390/s390x the first two parameters to clone are switched */
|
||||
if (!IN_SET(arch, SCMP_ARCH_S390, SCMP_ARCH_S390X))
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(clone),
|
||||
1,
|
||||
SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
|
||||
else
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(clone),
|
||||
@ -1522,7 +1451,7 @@ int seccomp_restrict_namespaces(unsigned long retain) {
|
||||
}
|
||||
|
||||
if ((retain & NAMESPACE_FLAGS_ALL) != 0) {
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(setns),
|
||||
@ -1538,7 +1467,7 @@ int seccomp_restrict_namespaces(unsigned long retain) {
|
||||
if (r < 0)
|
||||
continue;
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return r;
|
||||
if (r < 0)
|
||||
@ -1553,10 +1482,6 @@ int seccomp_protect_sysctl(void) {
|
||||
uint32_t arch;
|
||||
int r;
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
|
||||
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
|
||||
|
||||
@ -1579,7 +1504,7 @@ int seccomp_protect_sysctl(void) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(_sysctl),
|
||||
@ -1590,7 +1515,7 @@ int seccomp_protect_sysctl(void) {
|
||||
continue;
|
||||
}
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return r;
|
||||
if (r < 0)
|
||||
@ -1605,10 +1530,6 @@ int seccomp_protect_syslog(void) {
|
||||
uint32_t arch;
|
||||
int r;
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
|
||||
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
|
||||
|
||||
@ -1616,7 +1537,7 @@ int seccomp_protect_syslog(void) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(syslog),
|
||||
@ -1627,7 +1548,7 @@ int seccomp_protect_syslog(void) {
|
||||
continue;
|
||||
}
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return r;
|
||||
if (r < 0)
|
||||
@ -1642,10 +1563,6 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
|
||||
uint32_t arch;
|
||||
int r;
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
|
||||
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
|
||||
bool supported;
|
||||
@ -1725,7 +1642,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
|
||||
if (first == 0) {
|
||||
|
||||
/* No entries in the valid range, block everything */
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EAFNOSUPPORT),
|
||||
SCMP_SYS(socket),
|
||||
@ -1739,7 +1656,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
|
||||
} else {
|
||||
|
||||
/* Block everything below the first entry */
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EAFNOSUPPORT),
|
||||
SCMP_SYS(socket),
|
||||
@ -1752,7 +1669,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
|
||||
}
|
||||
|
||||
/* Block everything above the last entry */
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EAFNOSUPPORT),
|
||||
SCMP_SYS(socket),
|
||||
@ -1770,7 +1687,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
|
||||
if (set_contains(address_families, INT_TO_PTR(af)))
|
||||
continue;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EAFNOSUPPORT),
|
||||
SCMP_SYS(socket),
|
||||
@ -1793,7 +1710,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
|
||||
* then combined in OR checks. */
|
||||
|
||||
SET_FOREACH(af, address_families) {
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EAFNOSUPPORT),
|
||||
SCMP_SYS(socket),
|
||||
@ -1809,7 +1726,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
|
||||
}
|
||||
}
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return r;
|
||||
if (r < 0)
|
||||
@ -1832,10 +1749,6 @@ int seccomp_restrict_realtime_full(int error_code) {
|
||||
|
||||
assert(error_code > 0);
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
/* Determine the highest policy constant we want to allow */
|
||||
FOREACH_ELEMENT(policy, permitted_policies)
|
||||
if (*policy > max_policy)
|
||||
@ -1867,7 +1780,7 @@ int seccomp_restrict_realtime_full(int error_code) {
|
||||
continue;
|
||||
|
||||
/* Deny this policy */
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(error_code),
|
||||
SCMP_SYS(sched_setscheduler),
|
||||
@ -1882,7 +1795,7 @@ int seccomp_restrict_realtime_full(int error_code) {
|
||||
|
||||
/* Deny-list all other policies, i.e. the ones with higher values. Note that all comparisons
|
||||
* are unsigned here, hence no need no check for < 0 values. */
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(error_code),
|
||||
SCMP_SYS(sched_setscheduler),
|
||||
@ -1894,7 +1807,7 @@ int seccomp_restrict_realtime_full(int error_code) {
|
||||
continue;
|
||||
}
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return r;
|
||||
if (r < 0)
|
||||
@ -1912,11 +1825,11 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp,
|
||||
const struct scmp_arg_cmp arg) {
|
||||
int r;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(seccomp, SCMP_ACT_ERRNO(EPERM), nr, arg_cnt, arg);
|
||||
r = seccomp_rule_add_exact(seccomp, SCMP_ACT_ERRNO(EPERM), nr, arg_cnt, arg);
|
||||
if (r < 0) {
|
||||
_cleanup_free_ char *n = NULL;
|
||||
|
||||
n = sym_seccomp_syscall_resolve_num_arch(arch, nr);
|
||||
n = seccomp_syscall_resolve_num_arch(arch, nr);
|
||||
log_debug_errno(r, "Failed to add %s() rule for architecture %s, skipping: %m",
|
||||
strna(n),
|
||||
seccomp_arch_to_string(arch));
|
||||
@ -1935,15 +1848,10 @@ assert_cc(SCMP_SYS(shmdt) > 0);
|
||||
int seccomp_memory_deny_write_execute(void) {
|
||||
uint32_t arch;
|
||||
unsigned loaded = 0;
|
||||
int r;
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
|
||||
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
|
||||
int filter_syscall = 0, block_syscall = 0, shmat_syscall = 0;
|
||||
int filter_syscall = 0, block_syscall = 0, shmat_syscall = 0, r;
|
||||
|
||||
log_trace("Operating on architecture: %s", seccomp_arch_to_string(arch));
|
||||
|
||||
@ -2037,7 +1945,7 @@ int seccomp_memory_deny_write_execute(void) {
|
||||
continue;
|
||||
}
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return r;
|
||||
if (r < 0)
|
||||
@ -2057,10 +1965,6 @@ int seccomp_restrict_archs(Set *archs) {
|
||||
int r;
|
||||
bool blocked_new = false;
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
/* This installs a filter with no rules, but that restricts the system call architectures to the specified
|
||||
* list.
|
||||
*
|
||||
@ -2071,7 +1975,7 @@ int seccomp_restrict_archs(Set *archs) {
|
||||
/* Note libseccomp includes our "native" (current) architecture in the filter by default.
|
||||
* We do not remove it. For example, our callers expect to be able to call execve() afterwards
|
||||
* to run a program with the restrictions applied. */
|
||||
seccomp = sym_seccomp_init(SCMP_ACT_ALLOW);
|
||||
seccomp = seccomp_init(SCMP_ACT_ALLOW);
|
||||
if (!seccomp)
|
||||
return -ENOMEM;
|
||||
|
||||
@ -2079,7 +1983,7 @@ int seccomp_restrict_archs(Set *archs) {
|
||||
uint32_t arch = seccomp_local_archs[i];
|
||||
|
||||
/* See above comment, our "native" architecture is never blocked. */
|
||||
if (arch == sym_seccomp_arch_native())
|
||||
if (arch == seccomp_arch_native())
|
||||
continue;
|
||||
|
||||
/* That architecture might have already been blocked by a previous call to seccomp_restrict_archs. */
|
||||
@ -2092,14 +1996,14 @@ int seccomp_restrict_archs(Set *archs) {
|
||||
* x32 syscalls should basically match x86-64 for everything except the pointer type.
|
||||
* The important thing is that you can block the old 32-bit x86 syscalls.
|
||||
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850047 */
|
||||
if (block && arch == SCMP_ARCH_X86_64 && sym_seccomp_arch_native() == SCMP_ARCH_X32)
|
||||
if (block && arch == SCMP_ARCH_X86_64 && seccomp_arch_native() == SCMP_ARCH_X32)
|
||||
block = !set_contains(archs, UINT32_TO_PTR(SCMP_ARCH_X32 + 1));
|
||||
|
||||
if (block) {
|
||||
seccomp_local_archs[i] = SECCOMP_LOCAL_ARCH_BLOCKED;
|
||||
blocked_new = true;
|
||||
} else {
|
||||
r = sym_seccomp_arch_add(seccomp, arch);
|
||||
r = seccomp_arch_add(seccomp, arch);
|
||||
if (r < 0 && r != -EEXIST)
|
||||
return r;
|
||||
}
|
||||
@ -2110,11 +2014,11 @@ int seccomp_restrict_archs(Set *archs) {
|
||||
if (!blocked_new)
|
||||
return 0;
|
||||
|
||||
r = sym_seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
|
||||
r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return r;
|
||||
if (r < 0)
|
||||
@ -2145,15 +2049,9 @@ int parse_syscall_archs(char **l, Set **archs) {
|
||||
}
|
||||
|
||||
int seccomp_filter_set_add_by_name(Hashmap *filter, bool add, const char *name) {
|
||||
int r;
|
||||
|
||||
assert(filter);
|
||||
assert(name);
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (name[0] == '@') {
|
||||
const SyscallFilterSet *more;
|
||||
|
||||
@ -2164,7 +2062,7 @@ int seccomp_filter_set_add_by_name(Hashmap *filter, bool add, const char *name)
|
||||
return seccomp_filter_set_add(filter, add, more);
|
||||
}
|
||||
|
||||
int id = sym_seccomp_syscall_resolve_name(name);
|
||||
int id = seccomp_syscall_resolve_name(name);
|
||||
if (id == __NR_SCMP_ERROR) {
|
||||
log_debug("System call %s is not known, ignoring.", name);
|
||||
return 0;
|
||||
@ -2199,10 +2097,6 @@ int seccomp_lock_personality(unsigned long personality) {
|
||||
if (personality >= PERSONALITY_INVALID)
|
||||
return -EINVAL;
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
|
||||
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
|
||||
|
||||
@ -2210,7 +2104,7 @@ int seccomp_lock_personality(unsigned long personality) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(personality),
|
||||
@ -2222,7 +2116,7 @@ int seccomp_lock_personality(unsigned long personality) {
|
||||
continue;
|
||||
}
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return r;
|
||||
if (r < 0)
|
||||
@ -2237,10 +2131,6 @@ int seccomp_protect_hostname(void) {
|
||||
uint32_t arch;
|
||||
int r;
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
|
||||
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
|
||||
|
||||
@ -2248,7 +2138,7 @@ int seccomp_protect_hostname(void) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(sethostname),
|
||||
@ -2259,7 +2149,7 @@ int seccomp_protect_hostname(void) {
|
||||
continue;
|
||||
}
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(setdomainname),
|
||||
@ -2270,7 +2160,7 @@ int seccomp_protect_hostname(void) {
|
||||
continue;
|
||||
}
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return r;
|
||||
if (r < 0)
|
||||
@ -2294,7 +2184,7 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
|
||||
int r;
|
||||
bool any = false;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(chmod),
|
||||
@ -2305,7 +2195,7 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
|
||||
else
|
||||
any = true;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(fchmod),
|
||||
@ -2316,7 +2206,7 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
|
||||
else
|
||||
any = true;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(fchmodat),
|
||||
@ -2328,7 +2218,7 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
|
||||
any = true;
|
||||
|
||||
#if defined(__SNR_fchmodat2)
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(fchmodat2),
|
||||
@ -2338,7 +2228,7 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
|
||||
/* It looks like this libseccomp does not know about fchmodat2().
|
||||
* Pretend the fchmodat2() system call is not supported at all,
|
||||
* regardless of the kernel version. */
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(ENOSYS),
|
||||
__NR_fchmodat2,
|
||||
@ -2349,7 +2239,7 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
|
||||
else
|
||||
any = true;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(mkdir),
|
||||
@ -2360,7 +2250,7 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
|
||||
else
|
||||
any = true;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(mkdirat),
|
||||
@ -2371,7 +2261,7 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
|
||||
else
|
||||
any = true;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(mknod),
|
||||
@ -2382,7 +2272,7 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
|
||||
else
|
||||
any = true;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(mknodat),
|
||||
@ -2393,7 +2283,7 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
|
||||
else
|
||||
any = true;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(open),
|
||||
@ -2405,7 +2295,7 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
|
||||
else
|
||||
any = true;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(openat),
|
||||
@ -2424,7 +2314,7 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
|
||||
* compatible with kernels that are not absolutely recent. We would normally return EPERM for a
|
||||
* policy check, but this isn't strictly a policy check. Instead, we return ENOSYS to force programs
|
||||
* to call open() or openat() instead. We can properly enforce policy for those functions. */
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(ENOSYS),
|
||||
SCMP_SYS(openat2),
|
||||
@ -2435,7 +2325,7 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
|
||||
any = true;
|
||||
#endif
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EPERM),
|
||||
SCMP_SYS(creat),
|
||||
@ -2453,10 +2343,6 @@ int seccomp_restrict_suid_sgid(void) {
|
||||
uint32_t arch;
|
||||
int r, k;
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
|
||||
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
|
||||
|
||||
@ -2477,7 +2363,7 @@ int seccomp_restrict_suid_sgid(void) {
|
||||
if (r < 0 && k < 0)
|
||||
continue;
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return r;
|
||||
if (r < 0)
|
||||
@ -2496,7 +2382,7 @@ uint32_t scmp_act_kill_process(void) {
|
||||
* for single-threaded apps does the right thing. */
|
||||
|
||||
#ifdef SCMP_ACT_KILL_PROCESS
|
||||
if (dlopen_libseccomp() >= 0 && sym_seccomp_api_get() >= 3)
|
||||
if (seccomp_api_get() >= 3)
|
||||
return SCMP_ACT_KILL_PROCESS;
|
||||
#endif
|
||||
|
||||
@ -2548,7 +2434,7 @@ static int block_open_flag(scmp_filter_ctx seccomp, int flag) {
|
||||
/* Blocks open() with the specified flag, where flag is O_SYNC or so. This makes these calls return
|
||||
* EINVAL, in the hope the client code will retry without O_SYNC then. */
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EINVAL),
|
||||
SCMP_SYS(open),
|
||||
@ -2559,7 +2445,7 @@ static int block_open_flag(scmp_filter_ctx seccomp, int flag) {
|
||||
else
|
||||
any = true;
|
||||
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(EINVAL),
|
||||
SCMP_SYS(openat),
|
||||
@ -2572,7 +2458,7 @@ static int block_open_flag(scmp_filter_ctx seccomp, int flag) {
|
||||
|
||||
#if defined(__SNR_openat2)
|
||||
/* The new openat2() system call can't be filtered sensibly, see above. */
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(ENOSYS),
|
||||
SCMP_SYS(openat2),
|
||||
@ -2595,10 +2481,6 @@ int seccomp_suppress_sync(void) {
|
||||
*
|
||||
* Additionally, O_SYNC/O_DSYNC are masked. */
|
||||
|
||||
r = dlopen_libseccomp();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
|
||||
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
|
||||
|
||||
@ -2609,14 +2491,14 @@ int seccomp_suppress_sync(void) {
|
||||
NULSTR_FOREACH(c, syscall_filter_sets[SYSCALL_FILTER_SET_SYNC].value) {
|
||||
int id;
|
||||
|
||||
id = sym_seccomp_syscall_resolve_name(c);
|
||||
id = seccomp_syscall_resolve_name(c);
|
||||
if (id == __NR_SCMP_ERROR) {
|
||||
log_debug("System call %s is not known, ignoring.", c);
|
||||
continue;
|
||||
}
|
||||
|
||||
if (STR_IN_SET(c, "fdatasync", "fsync", "sync_file_range", "sync_file_range2", "syncfs"))
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */
|
||||
id,
|
||||
@ -2625,7 +2507,7 @@ int seccomp_suppress_sync(void) {
|
||||
* means non-negative fd matches the rule, and the negative
|
||||
* fd passed to the syscall (then it fails with EBADF). */
|
||||
else
|
||||
r = sym_seccomp_rule_add_exact(
|
||||
r = seccomp_rule_add_exact(
|
||||
seccomp,
|
||||
SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */
|
||||
id,
|
||||
@ -2639,7 +2521,7 @@ int seccomp_suppress_sync(void) {
|
||||
(void) block_open_flag(seccomp, O_DSYNC);
|
||||
#endif
|
||||
|
||||
r = sym_seccomp_load(seccomp);
|
||||
r = seccomp_load(seccomp);
|
||||
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
|
||||
return r;
|
||||
if (r < 0)
|
||||
|
||||
@ -1,29 +1,14 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#if HAVE_SECCOMP
|
||||
#include <seccomp.h> /* IWYU pragma: export */
|
||||
#endif
|
||||
|
||||
#include "errno-util.h"
|
||||
#include "forward.h"
|
||||
|
||||
#if HAVE_SECCOMP
|
||||
#include <seccomp.h> /* IWYU pragma: export */
|
||||
|
||||
#include "dlfcn-util.h"
|
||||
|
||||
extern DLSYM_PROTOTYPE(seccomp_api_get);
|
||||
extern DLSYM_PROTOTYPE(seccomp_arch_add);
|
||||
extern DLSYM_PROTOTYPE(seccomp_arch_exist);
|
||||
extern DLSYM_PROTOTYPE(seccomp_arch_native);
|
||||
extern DLSYM_PROTOTYPE(seccomp_arch_remove);
|
||||
extern DLSYM_PROTOTYPE(seccomp_attr_set);
|
||||
extern DLSYM_PROTOTYPE(seccomp_init);
|
||||
extern DLSYM_PROTOTYPE(seccomp_load);
|
||||
extern DLSYM_PROTOTYPE(seccomp_release);
|
||||
extern DLSYM_PROTOTYPE(seccomp_rule_add_array);
|
||||
extern DLSYM_PROTOTYPE(seccomp_rule_add_exact);
|
||||
extern DLSYM_PROTOTYPE(seccomp_syscall_resolve_name);
|
||||
extern DLSYM_PROTOTYPE(seccomp_syscall_resolve_num_arch);
|
||||
|
||||
int dlopen_libseccomp(void);
|
||||
|
||||
const char* seccomp_arch_to_string(uint32_t c);
|
||||
int seccomp_arch_from_string(const char *n, uint32_t *ret);
|
||||
@ -150,7 +135,7 @@ static inline bool ERRNO_IS_NEG_SECCOMP_FATAL(intmax_t r) {
|
||||
}
|
||||
_DEFINE_ABS_WRAPPER(SECCOMP_FATAL);
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_RENAME(scmp_filter_ctx, sym_seccomp_release, seccomp_releasep, NULL);
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(scmp_filter_ctx, seccomp_release, NULL);
|
||||
|
||||
int parse_syscall_archs(char **l, Set **ret_archs);
|
||||
|
||||
@ -166,10 +151,6 @@ static inline bool is_seccomp_available(void) {
|
||||
return false;
|
||||
}
|
||||
|
||||
static inline int dlopen_libseccomp(void) {
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
/* This is a special value to be used where syscall filters otherwise expect errno numbers, will be
|
||||
|
||||
@ -217,7 +217,7 @@ simple_tests += files(
|
||||
common_test_dependencies = [
|
||||
libmount,
|
||||
librt,
|
||||
libseccomp_cflags,
|
||||
libseccomp,
|
||||
libselinux,
|
||||
threads,
|
||||
]
|
||||
@ -290,7 +290,6 @@ executables += [
|
||||
libblkid_cflags,
|
||||
libkmod_cflags,
|
||||
libp11kit_cflags,
|
||||
libseccomp_cflags,
|
||||
],
|
||||
},
|
||||
test_template + {
|
||||
@ -311,7 +310,7 @@ executables += [
|
||||
},
|
||||
test_template + {
|
||||
'sources' : files('test-fd-util.c'),
|
||||
'dependencies' : libseccomp_cflags,
|
||||
'dependencies' : libseccomp,
|
||||
},
|
||||
test_template + {
|
||||
'sources' : files(
|
||||
@ -379,7 +378,7 @@ executables += [
|
||||
'extract' : files('nss-test-util.c'),
|
||||
'dependencies' : [
|
||||
libdl,
|
||||
libseccomp_cflags,
|
||||
libseccomp,
|
||||
],
|
||||
'conditions' : ['ENABLE_NSS'],
|
||||
'timeout' : 120,
|
||||
@ -426,7 +425,7 @@ executables += [
|
||||
},
|
||||
test_template + {
|
||||
'sources' : files('test-seccomp.c'),
|
||||
'dependencies' : libseccomp_cflags,
|
||||
'dependencies' : libseccomp,
|
||||
'conditions' : ['HAVE_SECCOMP'],
|
||||
},
|
||||
test_template + {
|
||||
|
||||
@ -20,7 +20,6 @@
|
||||
#include "pcre2-util.h"
|
||||
#include "pkcs11-util.h"
|
||||
#include "qrcode-util.h"
|
||||
#include "seccomp-util.h"
|
||||
#include "tests.h"
|
||||
#include "tpm2-util.h"
|
||||
|
||||
@ -57,7 +56,6 @@ static int run(int argc, char **argv) {
|
||||
ASSERT_DLOPEN(dlopen_libpam, HAVE_PAM);
|
||||
ASSERT_DLOPEN(dlopen_libacl, HAVE_ACL);
|
||||
ASSERT_DLOPEN(dlopen_libblkid, HAVE_BLKID);
|
||||
ASSERT_DLOPEN(dlopen_libseccomp, HAVE_SECCOMP);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -1569,7 +1569,7 @@ TEST(run_tests_without_unshare) {
|
||||
if (prepare_ns("(test-execute-without-unshare)") == 0) {
|
||||
_cleanup_hashmap_free_ Hashmap *s = NULL;
|
||||
|
||||
r = sym_seccomp_syscall_resolve_name("unshare");
|
||||
r = seccomp_syscall_resolve_name("unshare");
|
||||
ASSERT_NE(r, __NR_SCMP_ERROR);
|
||||
ASSERT_OK(hashmap_ensure_put(&s, NULL, UINT32_TO_PTR(r + 1), INT_TO_PTR(-1)));
|
||||
ASSERT_OK(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EOPNOTSUPP), true));
|
||||
|
||||
@ -54,8 +54,6 @@ TEST(parse_syscall_and_errno) {
|
||||
_cleanup_free_ char *n = NULL;
|
||||
int e;
|
||||
|
||||
CHECK_SECCOMP(/* refuse_container= */ false);
|
||||
|
||||
assert_se(parse_syscall_and_errno("uname:EILSEQ", &n, &e) >= 0);
|
||||
ASSERT_STREQ(n, "uname");
|
||||
assert_se(e == errno_from_name("EILSEQ") && e >= 0);
|
||||
@ -114,9 +112,7 @@ TEST(seccomp_arch_to_string) {
|
||||
uint32_t a, b;
|
||||
const char *name;
|
||||
|
||||
CHECK_SECCOMP(/* refuse_container= */ false);
|
||||
|
||||
a = sym_seccomp_arch_native();
|
||||
a = seccomp_arch_native();
|
||||
assert_se(a > 0);
|
||||
name = seccomp_arch_to_string(a);
|
||||
assert_se(name);
|
||||
|
||||
@ -69,22 +69,4 @@ machinectl terminate zurps
|
||||
"$(systemctl show -p MainPID --value systemd-logind.service)" \
|
||||
"$PWD")
|
||||
|
||||
run0 -u testuser \
|
||||
busctl call \
|
||||
org.freedesktop.machine1 \
|
||||
/org/freedesktop/machine1 \
|
||||
org.freedesktop.machine1.Manager \
|
||||
RegisterMachine \
|
||||
'sayssus' \
|
||||
shouldnotwork2 \
|
||||
16 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 \
|
||||
"" \
|
||||
container \
|
||||
"$(systemctl show -p MainPID --value user@4711.service)" \
|
||||
"$PWD"
|
||||
(! run0 -u testuser machinectl shell shouldnotwork2 /usr/bin/id -u)
|
||||
(! run0 -u testuser machinectl shell root@shouldnotwork2 /usr/bin/id -u)
|
||||
(! run0 -u testuser machinectl shell 0@shouldnotwork2 /usr/bin/id -u)
|
||||
(! run0 -u testuser machinectl shell testuser@shouldnotwork2 /usr/bin/id -u)
|
||||
|
||||
loginctl disable-linger testuser
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user