Diffstat (limited to 'src')
-rw-r--r-- | src/api.c | 12 | ||||
-rw-r--r-- | src/db.c | 14 | ||||
-rw-r--r-- | src/db.h | 2 | ||||
-rw-r--r-- | src/python/libseccomp.pxd | 1 | ||||
-rw-r--r-- | src/python/seccomp.pyx | 1 | ||||
-rw-r--r-- | src/system.c | 13 | ||||
-rw-r--r-- | src/system.h | 3 |
7 files changed, 45 insertions, 1 deletions
@@ -102,6 +102,11 @@ static unsigned int _seccomp_api_update(void)
sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC) == 1)
level = 2;
+ /* level 3 */
+ if (level == 2 &&
+ sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_LOG) == 1)
+ level = 3;
+
/* update the stored api level and return */
seccomp_api_level = level;
return seccomp_api_level;
@@ -127,10 +132,17 @@ API int seccomp_api_set(unsigned int level)
case 1:
sys_set_seccomp_syscall(false);
sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC, false);
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, false);
break;
case 2:
sys_set_seccomp_syscall(true);
sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC, true);
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, false);
+ break;
+ case 3:
+ sys_set_seccomp_syscall(true);
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC, true);
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, true);
break;
default:
return -EINVAL;
@@ -792,6 +792,9 @@ int db_col_attr_get(const struct db_filter_col *col,
case SCMP_FLTATR_API_TSKIP:
*value = col->attr.api_tskip;
break;
+ case SCMP_FLTATR_CTL_LOG:
+ *value = col->attr.log_enable;
+ break;
default:
rc = -EEXIST;
break;
@@ -842,6 +845,17 @@ int db_col_attr_set(struct db_filter_col *col,
case SCMP_FLTATR_API_TSKIP:
col->attr.api_tskip = (value ? 1 : 0);
break;
+ case SCMP_FLTATR_CTL_LOG:
+ rc = sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_LOG);
+ if (rc == 1) {
+ /* supported */
+ rc = 0;
+ col->attr.log_enable = (value ? 1 : 0);
+ } else if (rc == 0) {
+ /* unsupported */
+ rc = -EOPNOTSUPP;
+ }
+ break;
default:
rc = -EEXIST;
break;
@@ -139,6 +139,8 @@ struct db_filter_attr {
uint32_t tsync_enable;
/* allow rules with a -1 syscall value */
uint32_t api_tskip;
+ /* SECCOMP_FILTER_FLAG_LOG related attributes */
+ uint32_t log_enable;
};
struct db_filter {
diff --git a/src/python/libseccomp.pxd b/src/python/libseccomp.pxd
index b851d25..4cc83fd 100644
--- a/src/python/libseccomp.pxd
+++ b/src/python/libseccomp.pxd
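Review bot: The new `case 3:` in seccomp_api_set() never states what level 3 adds beyond level 2, and the matching test in _seccomp_api_update() (first hunk) only says `/* level 3 */`, so a reader has to diff the three cases to see that the difference is SECCOMP_FILTER_FLAG_LOG. A comment above `case 3:` such as `/* level 3: level 2 plus SECCOMP_FILTER_FLAG_LOG (SCMP_FLTATR_CTL_LOG) */`, with the same wording replacing `/* level 3 */` in _seccomp_api_update(), would make that explicit. If the seccomp_api_get(3)/seccomp_api_set(3) manual pages enumerate the levels they presumably need the same entry, but this diff is limited to src/ so that cannot be checked here. Both functions start and end outside their hunks.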
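Review bot: The new `SCMP_FLTATR_CTL_LOG` case in db_col_attr_set() gives the filter a new piece of state, `col->attr.log_enable`, but nothing in this diff clears it again: db.c changes only the get/set cases and db.h only adds the field. If db_col_reset() assigns each attribute individually instead of zeroing the struct, `log_enable` would survive a seccomp_reset() and the next sys_filter_load() would still pass SECCOMP_FILTER_FLAG_LOG; it presumably needs a `col->attr.log_enable = 0;` next to the other attribute defaults, so verify against db_col_reset(), which is not part of this diff. The `rc < 0` outcome of the new probe is also left implicit; `/* rc < 0: kernel probe failed, return that errno unchanged */` before `break;` would say so. db_col_attr_set() starts and ends outside the hunk.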
@@ -57,6 +57,7 @@ cdef extern from "seccomp.h":
SCMP_FLTATR_CTL_NNP
SCMP_FLTATR_CTL_TSYNC
SCMP_FLTATR_API_TSKIP
+ SCMP_FLTATR_CTL_LOG
cdef enum scmp_compare:
SCMP_CMP_NE
diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx
index 27e374f..dbf0e0a 100644
--- a/src/python/seccomp.pyx
+++ b/src/python/seccomp.pyx
@@ -303,6 +303,7 @@ cdef class Attr:
CTL_NNP = libseccomp.SCMP_FLTATR_CTL_NNP
CTL_TSYNC = libseccomp.SCMP_FLTATR_CTL_TSYNC
API_TSKIP = libseccomp.SCMP_FLTATR_API_TSKIP
+ CTL_LOG = libseccomp.SCMP_FLTATR_CTL_LOG
cdef class Arg:
""" Python object representing a SyscallFilter syscall argument.
diff --git a/src/system.c b/src/system.c
index 4ff641b..f84cab6 100644
--- a/src/system.c
+++ b/src/system.c
@@ -41,6 +41,7 @@ static int _nr_seccomp = -1;
static int _support_seccomp_syscall = -1;
static int _support_seccomp_flag_tsync = -1;
+static int _support_seccomp_flag_log = -1;
/**
* Check to see if the seccomp() syscall is supported
@@ -149,6 +150,11 @@ int sys_chk_seccomp_flag(int flag)
_support_seccomp_flag_tsync = _sys_chk_seccomp_flag_kernel(flag);
return _support_seccomp_flag_tsync;
+ case SECCOMP_FILTER_FLAG_LOG:
+ if (_support_seccomp_flag_log < 0)
+ _support_seccomp_flag_log = _sys_chk_seccomp_flag_kernel(flag);
+
+ return _support_seccomp_flag_log;
}
return -EOPNOTSUPP;
@@ -169,6 +175,9 @@ void sys_set_seccomp_flag(int flag, bool enable)
case SECCOMP_FILTER_FLAG_TSYNC:
_support_seccomp_flag_tsync = (enable ? 1 : 0);
break;
+ case SECCOMP_FILTER_FLAG_LOG:
+ _support_seccomp_flag_log = (enable ? 1 : 0);
+ break;
}
}
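Review bot: The new `SECCOMP_FILTER_FLAG_LOG` case in sys_set_seccomp_flag() overwrites the cached probe result without asking the kernel, and seccomp_api_set() in src/api.c calls it with `true` for level 3; from then on the `SCMP_FLTATR_CTL_LOG` case in db_col_attr_set() (src/db.c) sees `sys_chk_seccomp_flag() == 1` and accepts the attribute, so on a kernel without the flag the rejection only arrives when sys_filter_load() hands the flag to seccomp(2). That matches how the TSYNC flag is forced today, but it is worth stating at the new case, e.g. `/* forced by seccomp_api_set(); skips the kernel probe, so a later filter load may still be rejected */`. sys_set_seccomp_flag() begins outside this hunk.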
@@ -202,7 +211,9 @@ int sys_filter_load(const struct db_filter_col *col)
if (sys_chk_seccomp_syscall() == 1) {
int flgs = 0;
if (col->attr.tsync_enable)
- flgs = SECCOMP_FILTER_FLAG_TSYNC;
+ flgs |= SECCOMP_FILTER_FLAG_TSYNC;
+ if (col->attr.log_enable)
+ flgs |= SECCOMP_FILTER_FLAG_LOG;
rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
if (rc > 0 && col->attr.tsync_enable)
/* always return -ESRCH if we fail to sync threads */
diff --git a/src/system.h b/src/system.h
index 0e2cd82..edddf14 100644
--- a/src/system.h
+++ b/src/system.h
@@ -107,6 +107,9 @@ typedef struct sock_filter bpf_instr_raw;
#ifndef SECCOMP_FILTER_FLAG_TSYNC
#define SECCOMP_FILTER_FLAG_TSYNC 1
#endif
+#ifndef SECCOMP_FILTER_FLAG_LOG
+#define SECCOMP_FILTER_FLAG_LOG 2
+#endif
int sys_chk_seccomp_syscall(void);
void sys_set_seccomp_syscall(bool enable);
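Review bot: `flgs |= SECCOMP_FILTER_FLAG_LOG` is added without a comment, and unlike TSYNC this flag changes what the kernel does after the load rather than how the load happens: as the kernel describes it, every action of the filter other than allow gets logged, which is the purpose of SCMP_FLTATR_CTL_LOG but also means a chatty filter can flood the kernel/audit log. A short comment, e.g. `/* FLAG_LOG: kernel logs this filter's non-allow actions; only set once SCMP_FLTATR_CTL_LOG was accepted */`, would record that. The change from `=` to `|=` on the TSYNC line is what makes the two flags combinable; with `flgs` now a bit mask, `unsigned int flgs` would match the seccomp(2) flags argument, though `int` is harmless here. sys_filter_load() starts and ends outside the hunk.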
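Review bot: The fallback `#define SECCOMP_FILTER_FLAG_LOG 2` does not say where the value comes from; it has to equal the UAPI constant `(1UL << 1)` from linux/seccomp.h, and a wrong bit here would be passed straight to seccomp(2) by sys_filter_load(). A comment next to it such as `/* matches linux/seccomp.h (1UL << 1), added in Linux 4.14 */`, and the equivalent `(1UL << 0)` note on the existing TSYNC fallback, would make that checkable at a glance. The prototypes that follow are unchanged.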