naccyde / rpms / systemd

Forked from rpms/systemd a year ago
Clone
b7dd4d
From eaad892c513806801e3d2055788fa202372b3f15 Mon Sep 17 00:00:00 2001
b7dd4d
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
b7dd4d
Date: Fri, 21 Aug 2020 17:21:04 +0200
b7dd4d
Subject: [PATCH] shared/seccomp-util: added functionality to make list of
b7dd4d
 filtred syscalls
b7dd4d
b7dd4d
While at it, start removing the "seccomp_" prefix from our
b7dd4d
own functions. It is used by libseccomp.
b7dd4d
b7dd4d
(cherry picked from commit 000c05207d68658b76af9e1caf9aa3a4e3fa697b)
b7dd4d
b7dd4d
Related: #2040247
b7dd4d
---
b7dd4d
 src/nspawn/nspawn-seccomp.c |  9 +++++++--
b7dd4d
 src/shared/seccomp-util.c   | 39 ++++++++++++++++++++++++++++++-------
b7dd4d
 src/shared/seccomp-util.h   |  8 +++++++-
b7dd4d
 3 files changed, 46 insertions(+), 10 deletions(-)
b7dd4d
b7dd4d
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
b7dd4d
index 17abfcec26..2b4a65e875 100644
b7dd4d
--- a/src/nspawn/nspawn-seccomp.c
b7dd4d
+++ b/src/nspawn/nspawn-seccomp.c
b7dd4d
@@ -148,13 +148,18 @@ static int seccomp_add_default_syscall_filter(
b7dd4d
                 if (whitelist[i].capability != 0 && (cap_list_retain & (1ULL << whitelist[i].capability)) == 0)
b7dd4d
                         continue;
b7dd4d
 
b7dd4d
-                r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist, false);
b7dd4d
+                r = seccomp_add_syscall_filter_item(ctx,
b7dd4d
+                                                    whitelist[i].name,
b7dd4d
+                                                    SCMP_ACT_ALLOW,
b7dd4d
+                                                    syscall_blacklist,
b7dd4d
+                                                    false,
b7dd4d
+                                                    NULL);
b7dd4d
                 if (r < 0)
b7dd4d
                         return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name);
b7dd4d
         }
b7dd4d
 
b7dd4d
         STRV_FOREACH(p, syscall_whitelist) {
b7dd4d
-                r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false);
b7dd4d
+                r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false, NULL);
b7dd4d
                 if (r < 0)
b7dd4d
                         log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
b7dd4d
                                           *p, seccomp_arch_to_string(arch));
b7dd4d
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
b7dd4d
index 710a734715..56075d92e0 100644
b7dd4d
--- a/src/shared/seccomp-util.c
b7dd4d
+++ b/src/shared/seccomp-util.c
b7dd4d
@@ -874,15 +874,31 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name) {
b7dd4d
         return NULL;
b7dd4d
 }
b7dd4d
 
b7dd4d
-static int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action, char **exclude, bool log_missing);
b7dd4d
+static int add_syscall_filter_set(
b7dd4d
+                scmp_filter_ctx seccomp,
b7dd4d
+                const SyscallFilterSet *set,
b7dd4d
+                uint32_t action,
b7dd4d
+                char **exclude,
b7dd4d
+                bool log_missing,
b7dd4d
+                char ***added);
b7dd4d
+
b7dd4d
+int seccomp_add_syscall_filter_item(
b7dd4d
+                scmp_filter_ctx *seccomp,
b7dd4d
+                const char *name,
b7dd4d
+                uint32_t action,
b7dd4d
+                char **exclude,
b7dd4d
+                bool log_missing,
b7dd4d
+                char ***added) {
b7dd4d
 
b7dd4d
-int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, uint32_t action, char **exclude, bool log_missing) {
b7dd4d
         assert(seccomp);
b7dd4d
         assert(name);
b7dd4d
 
b7dd4d
         if (strv_contains(exclude, name))
b7dd4d
                 return 0;
b7dd4d
 
b7dd4d
+        /* Any syscalls that are handled are added to the *added strv. The pointer
b7dd4d
+         * must be either NULL or point to a valid pre-initialized possibly-empty strv. */
b7dd4d
+
b7dd4d
         if (name[0] == '@') {
b7dd4d
                 const SyscallFilterSet *other;
b7dd4d
 
b7dd4d
@@ -892,7 +908,7 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
b7dd4d
                         return -EINVAL;
b7dd4d
                 }
b7dd4d
 
b7dd4d
-                return seccomp_add_syscall_filter_set(seccomp, other, action, exclude, log_missing);
b7dd4d
+                return add_syscall_filter_set(seccomp, other, action, exclude, log_missing, added);
b7dd4d
 
b7dd4d
         } else {
b7dd4d
                 int id, r;
b7dd4d
@@ -916,25 +932,34 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
b7dd4d
                                 return r;
b7dd4d
                 }
b7dd4d
 
b7dd4d
+                if (added) {
b7dd4d
+                        r = strv_extend(added, name);
b7dd4d
+                        if (r < 0)
b7dd4d
+                                return r;
b7dd4d
+                }
b7dd4d
+
b7dd4d
                 return 0;
b7dd4d
         }
b7dd4d
 }
b7dd4d
 
b7dd4d
-static int seccomp_add_syscall_filter_set(
b7dd4d
+static int add_syscall_filter_set(
b7dd4d
                 scmp_filter_ctx seccomp,
b7dd4d
                 const SyscallFilterSet *set,
b7dd4d
                 uint32_t action,
b7dd4d
                 char **exclude,
b7dd4d
-                bool log_missing) {
b7dd4d
+                bool log_missing,
b7dd4d
+                char ***added) {
b7dd4d
 
b7dd4d
         const char *sys;
b7dd4d
         int r;
b7dd4d
 
b7dd4d
+        /* Any syscalls that are handled are added to the *added strv. It needs to be initialized. */
b7dd4d
+
b7dd4d
         assert(seccomp);
b7dd4d
         assert(set);
b7dd4d
 
b7dd4d
         NULSTR_FOREACH(sys, set->value) {
b7dd4d
-                r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing);
b7dd4d
+                r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing, added);
b7dd4d
                 if (r < 0)
b7dd4d
                         return r;
b7dd4d
         }
b7dd4d
@@ -960,7 +985,7 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
b7dd4d
                 if (r < 0)
b7dd4d
                         return r;
b7dd4d
 
b7dd4d
-                r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL, log_missing);
b7dd4d
+                r = add_syscall_filter_set(seccomp, set, action, NULL, log_missing, NULL);
b7dd4d
                 if (r < 0)
b7dd4d
                         return log_debug_errno(r, "Failed to add filter set: %m");
b7dd4d
 
b7dd4d
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
b7dd4d
index 541ba1e067..291b2bffe0 100644
b7dd4d
--- a/src/shared/seccomp-util.h
b7dd4d
+++ b/src/shared/seccomp-util.h
b7dd4d
@@ -59,7 +59,13 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name);
b7dd4d
 
b7dd4d
 int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);
b7dd4d
 
b7dd4d
-int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action, char **exclude, bool log_missing);
b7dd4d
+int seccomp_add_syscall_filter_item(
b7dd4d
+                scmp_filter_ctx *ctx,
b7dd4d
+                const char *name,
b7dd4d
+                uint32_t action,
b7dd4d
+                char **exclude,
b7dd4d
+                bool log_missing,
b7dd4d
+                char ***added);
b7dd4d
 
b7dd4d
 int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing);
b7dd4d
 int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing);