diff options
| author | Lennart Poettering <lennart@poettering.net> | 2017-09-11 17:45:21 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2017-09-12 14:06:21 +0200 |
| commit | 960e4569e17abf7c84f07b697d57ac7d0418edfc (patch) | |
| tree | dd8c180c850f0c97fdf6811b6296e79a6d5b7d6b /src/nspawn/nspawn-settings.h | |
| parent | 7609340e2f9d5b5fd46fa767dd41184b273d7e48 (diff) | |
| download | systemd-960e4569e17abf7c84f07b697d57ac7d0418edfc.tar.gz | |
nspawn: implement configurable syscall whitelisting/blacklisting
Now that we have ported nspawn's seccomp code to the generic code in
seccomp-util, let's extend it to support whitelisting and blacklisting
of specific additional syscalls.
This uses similar syntax as PID1's support for system call filtering,
but in contrast to that always implements a blacklist (and not a
whitelist), as we prepopulate the filter with a blacklist, and the
unit's system call filter logic does not come with anything
prepopulated.
(Later on we might actually want to invert the logic here, and
whitelist rather than blacklist things, but at this point let's not do
that. In case we switch this over later, the syscall add/remove logic of
this commit should be compatible conceptually.)
Fixes: #5163
Replaces: #5944
Diffstat (limited to 'src/nspawn/nspawn-settings.h')
| -rw-r--r-- | src/nspawn/nspawn-settings.h | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/nspawn/nspawn-settings.h b/src/nspawn/nspawn-settings.h index 021403258f..75d68ce4cf 100644 --- a/src/nspawn/nspawn-settings.h +++ b/src/nspawn/nspawn-settings.h @@ -58,7 +58,8 @@ typedef enum SettingsMask { SETTING_USERNS = 1 << 13, SETTING_NOTIFY_READY = 1 << 14, SETTING_PIVOT_ROOT = 1 << 15, - _SETTINGS_MASK_ALL = (1 << 16) -1 + SETTING_SYSCALL_FILTER = 1 << 16, + _SETTINGS_MASK_ALL = (1 << 17) -1 } SettingsMask; typedef struct Settings { @@ -78,6 +79,8 @@ typedef struct Settings { UserNamespaceMode userns_mode; uid_t uid_shift, uid_range; bool notify_ready; + char **syscall_whitelist; + char **syscall_blacklist; /* [Image] */ int read_only; @@ -121,3 +124,4 @@ int config_parse_network_zone(const char *unit, const char *filename, unsigned l int config_parse_boot(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); int config_parse_pid2(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); int config_parse_private_users(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); +int config_parse_syscall_filter(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); |