From eaad892c513806801e3d2055788fa202372b3f15 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 21 Aug 2020 17:21:04 +0200
Subject: [PATCH] shared/seccomp-util: added functionality to make list of
filtred syscalls
While at it, start removing the "seccomp_" prefix from our
own functions. It is used by libseccomp.
(cherry picked from commit 000c05207d68658b76af9e1caf9aa3a4e3fa697b)
Related: #2040247
---
src/nspawn/nspawn-seccomp.c | 9 +++++++--
src/shared/seccomp-util.c | 39 ++++++++++++++++++++++++++++++-------
src/shared/seccomp-util.h | 8 +++++++-
3 files changed, 46 insertions(+), 10 deletions(-)
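diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 17abfcec26..2b4a65e875 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -148,13 +148,18 @@ static int seccomp_add_default_syscall_filter(
 if (whitelist[i].capability != 0 && (cap_list_retain & (1ULL << whitelist[i].capability)) == 0)
 continue;
 
- r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist, false);
+ r = seccomp_add_syscall_filter_item(ctx,
+ whitelist[i].name,
+ SCMP_ACT_ALLOW,
+ syscall_blacklist,
+ false,
+ NULL);
 if (r < 0)
 return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name);
 }
 
 STRV_FOREACH(p, syscall_whitelist) {
- r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false);
+ r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false, NULL);
 if (r < 0)
 log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
 *p, seccomp_arch_to_string(arch));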
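diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 710a734715..56075d92e0 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -874,15 +874,31 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name) {
 return NULL;
 }
 
-static int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action, char **exclude, bool log_missing);
+static int add_syscall_filter_set(
+ scmp_filter_ctx seccomp,
+ const SyscallFilterSet *set,
+ uint32_t action,
+ char **exclude,
+ bool log_missing,
+ char ***added);
+
+int seccomp_add_syscall_filter_item(
+ scmp_filter_ctx *seccomp,
+ const char *name,
+ uint32_t action,
+ char **exclude,
+ bool log_missing,
+ char ***added) {
 
-int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, uint32_t action, char **exclude, bool log_missing) {
 assert(seccomp);
 assert(name);
 
 if (strv_contains(exclude, name))
 return 0;
 
+ /* Any syscalls that are handled are added to the *added strv. The pointer
+ * must be either NULL or point to a valid pre-initialized possibly-empty strv. */
+
 if (name[0] == '@') {
 const SyscallFilterSet *other;
 
@@ -892,7 +908,7 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
 return -EINVAL;
 }
 
- return seccomp_add_syscall_filter_set(seccomp, other, action, exclude, log_missing);
+ return add_syscall_filter_set(seccomp, other, action, exclude, log_missing, added);
 
 } else {
 int id, r;
@@ -916,25 +932,34 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
 return r;
 }
 
+ if (added) {
+ r = strv_extend(added, name);
+ if (r < 0)
+ return r;
+ }
+
 return 0;
 }
 }
 
-static int seccomp_add_syscall_filter_set(
+static int add_syscall_filter_set(
 scmp_filter_ctx seccomp,
 const SyscallFilterSet *set,
 uint32_t action,
 char **exclude,
- bool log_missing) {
+ bool log_missing,
+ char ***added) {
 
 const char *sys;
 int r;
 
+ /* Any syscalls that are handled are added to the *added strv. It needs to be initialized. */
+
 assert(seccomp);
 assert(set);
 
 NULSTR_FOREACH(sys, set->value) {
- r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing);
+ r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing, added);
 if (r < 0)
 return r;
 }
@@ -960,7 +985,7 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
 if (r < 0)
 return r;
 
- r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL, log_missing);
+ r = add_syscall_filter_set(seccomp, set, action, NULL, log_missing, NULL);
 if (r < 0)
 return log_debug_errno(r, "Failed to add filter set: %m");
 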
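Review bot: The comment added above the definition of `add_syscall_filter_set` (third hunk) says the `added` strv "needs to be initialized", but the function is called with `added == NULL` from seccomp_load_syscall_filter_set in the last hunk and only forwards the pointer to seccomp_add_syscall_filter_item, which guards with `if (added)` before extending, so NULL is in fact accepted; suggest aligning it with the first hunk's wording: `/* Any syscalls that are handled are appended to *added, which must be NULL or an initialized (possibly empty) strv. */`. That comment should also state that names are appended with strv_extend() without deduplication, so a syscall reachable through more than one nested @set is listed once per occurrence and the result is a trace of what was added rather than a set; callers that need uniqueness have to dedup before use. The strv_extend() call in the third hunk runs after the syscall rule was already installed in the filter, so an allocation failure there returns an error with the rule in place but unrecorded in *added — acceptable for an OOM path, but worth a one-line comment so nobody later tries to treat *added as authoritative on error. The body of seccomp_add_syscall_filter_item between the second and third hunks is not shown here.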
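diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 541ba1e067..291b2bffe0 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -59,7 +59,13 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name);
 
 int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);
 
-int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action, char **exclude, bool log_missing);
+int seccomp_add_syscall_filter_item(
+ scmp_filter_ctx *ctx,
+ const char *name,
+ uint32_t action,
+ char **exclude,
+ bool log_missing,
+ char ***added);
 
 int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing);
 int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing);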
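Review bot: The new `added` parameter on the public declaration of `seccomp_add_syscall_filter_item` is undocumented in the header; its contract (may be NULL, otherwise a caller-initialized possibly-empty strv that successfully handled syscall names are appended to, with the caller keeping ownership, as far as the .c hunks show) lives only in a comment inside seccomp-util.c where header readers will not see it. Suggest a short `/* ... */` above the declaration saying that `added` may be NULL, must otherwise be an initialized strv, and receives every handled syscall name, duplicates included when @sets overlap. The declaration also keeps `scmp_filter_ctx *ctx` while the static helper in seccomp-util.c takes `scmp_filter_ctx seccomp` and is handed this pointer unchanged; that only compiles because libseccomp's scmp_filter_ctx is a `void *` typedef, and since this commit is already reworking the signature it would be a good moment to make the two agree. The other parameters were already undocumented, so this is a pre-existing gap the commit widens slightly.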