From: Lennart Poettering Date: Sun, 10 Sep 2017 17:16:09 +0000 (+0200) Subject: nspawn: part over seccomp code to use seccomp_add_syscall_filter_item() X-Git-Tag: v235~126^2~2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=402530d91ef003e924cf68d93ce10e1e00c6b769;p=platform%2Fupstream%2Fsystemd.git nspawn: part over seccomp code to use seccomp_add_syscall_filter_item() Let's unify a bit of the code here.
---
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 72ecc51..06f77ef 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -43,90 +43,88 @@ static int seccomp_add_default_syscall_filter( static const struct { uint64_t capability; - int syscall_num; + const char* name; } blacklist[] = { - { 0, SCMP_SYS(_sysctl) }, /* obsolete syscall */ - { 0, SCMP_SYS(add_key) }, /* keyring is not namespaced */ - { 0, SCMP_SYS(afs_syscall) }, /* obsolete syscall */ - { 0, SCMP_SYS(bdflush) }, + { 0, "_sysctl" }, /* obsolete syscall */ + { 0, "add_key" }, /* keyring is not namespaced */ + { 0, "afs_syscall" }, /* obsolete syscall */ + { 0, "bdflush" }, #ifdef __NR_bpf - { 0, SCMP_SYS(bpf) }, + { 0, "bpf" }, #endif - { 0, SCMP_SYS(break) }, /* obsolete syscall */ - { 0, SCMP_SYS(create_module) }, /* obsolete syscall */ - { 0, SCMP_SYS(ftime) }, /* obsolete syscall */ - { 0, SCMP_SYS(get_kernel_syms) }, /* obsolete syscall */ - { 0, SCMP_SYS(getpmsg) }, /* obsolete syscall */ - { 0, SCMP_SYS(gtty) }, /* obsolete syscall */ + { 0, "break" }, /* obsolete syscall */ + { 0, "create_module" }, /* obsolete syscall */ + { 0, "ftime" }, /* obsolete syscall */ + { 0, "get_kernel_syms" }, /* obsolete syscall */ + { 0, "getpmsg" }, /* obsolete syscall */ + { 0, "gtty" }, /* obsolete syscall */ #ifdef __NR_kexec_file_load - { 0, SCMP_SYS(kexec_file_load) }, + { 0, "kexec_file_load" }, #endif - { 0, SCMP_SYS(kexec_load) }, - { 0, SCMP_SYS(keyctl) }, /* keyring is not namespaced */ - { 0, SCMP_SYS(lock) }, /* obsolete syscall */ - { 0, SCMP_SYS(lookup_dcookie) }, - { 0, SCMP_SYS(mpx) }, /* obsolete syscall */ - { 0, SCMP_SYS(nfsservctl) }, /* obsolete syscall */ - { 0, SCMP_SYS(open_by_handle_at) }, - { 0, SCMP_SYS(perf_event_open) }, - { 0, SCMP_SYS(prof) }, /* obsolete syscall */ - { 0, SCMP_SYS(profil) }, /* obsolete syscall */ - { 0, SCMP_SYS(putpmsg) }, /* obsolete syscall */ - { 0, SCMP_SYS(query_module) }, /* obsolete syscall */ - { 0, SCMP_SYS(quotactl) }, - { 0, SCMP_SYS(request_key) }, /* keyring is not namespaced */ - { 0, SCMP_SYS(security) }, /* obsolete syscall */ - { 0, SCMP_SYS(sgetmask) }, /* 
obsolete syscall */ - { 0, SCMP_SYS(ssetmask) }, /* obsolete syscall */ - { 0, SCMP_SYS(stty) }, /* obsolete syscall */ - { 0, SCMP_SYS(swapoff) }, - { 0, SCMP_SYS(swapon) }, - { 0, SCMP_SYS(sysfs) }, /* obsolete syscall */ - { 0, SCMP_SYS(tuxcall) }, /* obsolete syscall */ - { 0, SCMP_SYS(ulimit) }, /* obsolete syscall */ - { 0, SCMP_SYS(uselib) }, /* obsolete syscall */ - { 0, SCMP_SYS(ustat) }, /* obsolete syscall */ - { 0, SCMP_SYS(vserver) }, /* obsolete syscall */ - { CAP_SYSLOG, SCMP_SYS(syslog) }, - { CAP_SYS_MODULE, SCMP_SYS(delete_module) }, - { CAP_SYS_MODULE, SCMP_SYS(finit_module) }, - { CAP_SYS_MODULE, SCMP_SYS(init_module) }, - { CAP_SYS_PACCT, SCMP_SYS(acct) }, - { CAP_SYS_PTRACE, SCMP_SYS(process_vm_readv) }, - { CAP_SYS_PTRACE, SCMP_SYS(process_vm_writev) }, - { CAP_SYS_PTRACE, SCMP_SYS(ptrace) }, - { CAP_SYS_RAWIO, SCMP_SYS(ioperm) }, - { CAP_SYS_RAWIO, SCMP_SYS(iopl) }, - { CAP_SYS_RAWIO, SCMP_SYS(pciconfig_iobase) }, - { CAP_SYS_RAWIO, SCMP_SYS(pciconfig_read) }, - { CAP_SYS_RAWIO, SCMP_SYS(pciconfig_write) }, + { 0, "kexec_load" }, + { 0, "keyctl" }, /* keyring is not namespaced */ + { 0, "lock" }, /* obsolete syscall */ + { 0, "lookup_dcookie" }, + { 0, "mpx" }, /* obsolete syscall */ + { 0, "nfsservctl" }, /* obsolete syscall */ + { 0, "open_by_handle_at" }, + { 0, "perf_event_open" }, + { 0, "prof" }, /* obsolete syscall */ + { 0, "profil" }, /* obsolete syscall */ + { 0, "putpmsg" }, /* obsolete syscall */ + { 0, "query_module" }, /* obsolete syscall */ + { 0, "quotactl" }, + { 0, "request_key" }, /* keyring is not namespaced */ + { 0, "security" }, /* obsolete syscall */ + { 0, "sgetmask" }, /* obsolete syscall */ + { 0, "ssetmask" }, /* obsolete syscall */ + { 0, "stty" }, /* obsolete syscall */ + { 0, "swapoff" }, + { 0, "swapon" }, + { 0, "sysfs" }, /* obsolete syscall */ + { 0, "tuxcall" }, /* obsolete syscall */ + { 0, "ulimit" }, /* obsolete syscall */ + { 0, "uselib" }, /* obsolete syscall */ + { 0, "ustat" }, /* obsolete syscall 
*/ + { 0, "vserver" }, /* obsolete syscall */ + { CAP_SYSLOG, "syslog" }, + { CAP_SYS_MODULE, "delete_module" }, + { CAP_SYS_MODULE, "finit_module" }, + { CAP_SYS_MODULE, "init_module" }, + { CAP_SYS_PACCT, "acct" }, + { CAP_SYS_PTRACE, "process_vm_readv" }, + { CAP_SYS_PTRACE, "process_vm_writev" }, + { CAP_SYS_PTRACE, "ptrace" }, + { CAP_SYS_RAWIO, "ioperm" }, + { CAP_SYS_RAWIO, "iopl" }, + { CAP_SYS_RAWIO, "pciconfig_iobase" }, + { CAP_SYS_RAWIO, "pciconfig_read" }, + { CAP_SYS_RAWIO, "pciconfig_write" }, #ifdef __NR_s390_pci_mmio_read - { CAP_SYS_RAWIO, SCMP_SYS(s390_pci_mmio_read) }, + { CAP_SYS_RAWIO, "s390_pci_mmio_read" }, #endif #ifdef __NR_s390_pci_mmio_write - { CAP_SYS_RAWIO, SCMP_SYS(s390_pci_mmio_write) }, + { CAP_SYS_RAWIO, "s390_pci_mmio_write" }, #endif - { CAP_SYS_TIME, SCMP_SYS(adjtimex) }, - { CAP_SYS_TIME, SCMP_SYS(clock_adjtime) }, - { CAP_SYS_TIME, SCMP_SYS(clock_settime) }, - { CAP_SYS_TIME, SCMP_SYS(settimeofday) }, - { CAP_SYS_TIME, SCMP_SYS(stime) }, + { CAP_SYS_TIME, "adjtimex" }, + { CAP_SYS_TIME, "clock_adjtime" }, + { CAP_SYS_TIME, "clock_settime" }, + { CAP_SYS_TIME, "settimeofday" }, + { CAP_SYS_TIME, "stime" }, }; - unsigned i; + int r, c = 0; + size_t i; for (i = 0; i < ELEMENTSOF(blacklist); i++) { if (blacklist[i].capability != 0 && (cap_list_retain & (1ULL << blacklist[i].capability))) continue; - r = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EPERM), blacklist[i].syscall_num, 0); - if (r < 0) { + r = seccomp_add_syscall_filter_item(ctx, blacklist[i].name, SCMP_ACT_ERRNO(EPERM)); + if (r < 0) /* If the system call is not known on this architecture, then that's fine, let's ignore it */ - _cleanup_free_ char *n = NULL; - - n = seccomp_syscall_resolve_num_arch(arch, blacklist[i].syscall_num); - log_debug_errno(r, "Failed to add rule for system call %s, ignoring: %m", strna(n)); - } else + log_debug_errno(r, "Failed to add rule for system call %s, ignoring: %m", blacklist[i].name); + else c++; }
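Review bot: The `#ifdef __NR_bpf`, `#ifdef __NR_kexec_file_load` and `#ifdef __NR_s390_pci_mmio_*` guards are kept around the new string entries, but with name-based lookup they no longer serve a compile-time purpose and instead tie the filter to the kernel headers of the build host: a build against headers lacking `__NR_bpf` silently drops the bpf() deny rule even when the running kernel and libseccomp know the call, while the run-time `r < 0` path below already covers names unknown on the current architecture. Dropping the four guard pairs so the entries read unconditionally `{ 0, "bpf" },`, `{ 0, "kexec_file_load" },`, `{ CAP_SYS_RAWIO, "s390_pci_mmio_read" },` and `{ CAP_SYS_RAWIO, "s390_pci_mmio_write" },` keeps the blacklist identical regardless of where it was built. Separately, the `r < 0` branch still treats every failure of seccomp_add_syscall_filter_item() as "not known on this architecture" and only logs at debug level; if the helper can also fail for other reasons (allocation failure, for instance) a deny rule would be lost silently, so consider ignoring only the not-known case and propagating the rest — the helper is not visible here, so which codes it returns needs confirming. With the seccomp_syscall_resolve_num_arch() call removed, `arch` appears to be unused in this function unless the part outside the hunk still reads it. seccomp_add_default_syscall_filter() starts and ends outside the hunk.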