seccomp: add new helper call seccomp_load_filter_set()
authorLennart Poettering <lennart@poettering.net>
Fri, 21 Oct 2016 19:18:46 +0000 (21:18 +0200)
committerLennart Poettering <lennart@poettering.net>
Mon, 24 Oct 2016 15:32:50 +0000 (17:32 +0200)
This allows us to unify most of the code in apply_protect_kernel_modules() and
apply_private_devices().

src/core/execute.c
src/shared/seccomp-util.c
src/shared/seccomp-util.h

index 668504c..5e7d7c2 100644 (file)
@@ -1502,9 +1502,6 @@ finish:
 }
 
 static int apply_protect_kernel_modules(Unit *u, const ExecContext *c) {
-        scmp_filter_ctx seccomp;
-        int r;
-
         assert(c);
 
         /* Turn off module syscalls on ProtectKernelModules=yes */
@@ -1512,25 +1509,10 @@ static int apply_protect_kernel_modules(Unit *u, const ExecContext *c) {
         if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
                 return 0;
 
-        r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
-        if (r < 0)
-                return r;
-
-        r = seccomp_add_syscall_filter_set(seccomp, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
-        if (r < 0)
-                goto finish;
-
-        r = seccomp_load(seccomp);
-
-finish:
-        seccomp_release(seccomp);
-        return r;
+        return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
 }
 
 static int apply_private_devices(Unit *u, const ExecContext *c) {
-        scmp_filter_ctx seccomp;
-        int r;
-
         assert(c);
 
         /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
@@ -1538,19 +1520,7 @@ static int apply_private_devices(Unit *u, const ExecContext *c) {
         if (skip_seccomp_unavailable(u, "PrivateDevices="))
                 return 0;
 
-        r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
-        if (r < 0)
-                return r;
-
-        r = seccomp_add_syscall_filter_set(seccomp, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
-        if (r < 0)
-                goto finish;
-
-        r = seccomp_load(seccomp);
-
-finish:
-        seccomp_release(seccomp);
-        return r;
+        return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
 }
 
 #endif
index f1e9de0..6252cd1 100644 (file)
@@ -452,3 +452,27 @@ int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterS
 
         return 0;
 }
+
+int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action) {
+        scmp_filter_ctx seccomp;
+        int r;
+
+        assert(set);
+
+        /* The one-stop solution: allocate a seccomp object, add a filter to it, and apply it */
+
+        r = seccomp_init_conservative(&seccomp, default_action);
+        if (r < 0)
+                return r;
+
+        r = seccomp_add_syscall_filter_set(seccomp, set, action);
+        if (r < 0)
+                goto finish;
+
+        r = seccomp_load(seccomp);
+
+finish:
+        seccomp_release(seccomp);
+        return r;
+
+}
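Review bot: The new seccomp_load_filter_set() ends with a stray blank line before the closing brace at the last hunk line, and neither this definition nor the matching declaration added in src/shared/seccomp-util.h states the contract. The function is a one-shot apply, not a builder: it allocates the context itself, releases it on every path, and in between calls seccomp_load(), which installs the filter into the calling process and cannot be undone once it succeeds, so a caller must not expect to extend the filter afterwards. I would drop the blank line and put a comment on the header declaration, e.g. `/* Allocates a seccomp context with default_action, adds every syscall in 'set' with 'action', loads the filter into the calling process and releases the context again. Returns 0 on success, a negative value on failure (callers check r < 0). */`. What seccomp_init_conservative() does beyond taking the default action is not visible in this commit, so the comment should defer to that helper rather than restate it.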
index 2de429a..667687b 100644 (file)
@@ -59,3 +59,5 @@ extern const SyscallFilterSet syscall_filter_sets[];
 const SyscallFilterSet *syscall_filter_set_find(const char *name);
 
 int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action);
+
+int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);