authorYu Watanabe <watanabe.yu+github@gmail.com>2017-11-11 21:35:49 +0900
committerYu Watanabe <watanabe.yu+github@gmail.com>2017-11-11 21:54:12 +0900
commit8cfa775f4f116c5f56a140da268ea7b6072534e6 (patch)
tree7f88d52404e713e03c872c49a7c908fbbec479b3 /src/shared/seccomp-util.c
parent473d2ec39cc9f43c7918c4587c8984ec9235455f (diff)
core: add support to specify errno in SystemCallFilter=
This lets each system call in the SystemCallFilter= blacklist optionally take an errno name or number after a colon. That errno takes precedence over the one given by SystemCallErrorNumber=. C.f. #7173. Closes #7169.
Diffstat (limited to 'src/shared/seccomp-util.c')
-rw-r--r--src/shared/seccomp-util.c22
1 files changed, 14 insertions, 8 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index f87701675b..d60ac918b3 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -900,20 +900,20 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
return 0;
}
-int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Set* set, uint32_t action) {
+int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action) {
uint32_t arch;
int r;
/* Similar to seccomp_load_syscall_filter_set(), but takes a raw Set* of syscalls, instead of a
* SyscallFilterSet* table. */
- if (set_isempty(set) && default_action == SCMP_ACT_ALLOW)
+ if (hashmap_isempty(set) && default_action == SCMP_ACT_ALLOW)
return 0;
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
Iterator i;
- void *id;
+ void *id, *val;
log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
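Review bot: The block comment above the emptiness check is now stale: the parameter became `Hashmap* set`, but the comment still says the function "takes a raw Set* of syscalls", and it does not mention what the values mean. Since the loop further down reads the value as a per-syscall errno and treats a negative one as "use the caller's action", I would reword it to `/* Similar to seccomp_load_syscall_filter_set(), but takes a raw Hashmap* of syscalls (key: syscall id + 1, value: errno to return, or -1 to use 'action') instead of a SyscallFilterSet* table. */`. The body of seccomp_load_syscall_filter_set_raw() continues past this hunk.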
@@ -921,8 +921,14 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Set* set, uint3
if (r < 0)
return r;
- SET_FOREACH(id, set, i) {
- r = seccomp_rule_add_exact(seccomp, action, PTR_TO_INT(id) - 1, 0);
+ HASHMAP_FOREACH_KEY(val, id, set, i) {
+ uint32_t a = action;
+ int e = PTR_TO_INT(val);
+
+ if (action != SCMP_ACT_ALLOW && e >= 0)
+ a = SCMP_ACT_ERRNO(e);
+
+ r = seccomp_rule_add_exact(seccomp, a, PTR_TO_INT(id) - 1, 0);
if (r < 0) {
/* If the system call is not known on this architecture, then that's fine, let's ignore it */
_cleanup_free_ char *n = NULL;
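Review bot: The guard `e >= 0` before `a = SCMP_ACT_ERRNO(e)` only bounds the value from below; SCMP_ACT_ERRNO() keeps just the low 16 bits of its argument, so an errno larger than 0xffff would be silently truncated to a different error number rather than rejected. If the parser that fills this map does not already bound the number, I would either check the upper bound here as well or state the reliance in a comment, e.g. `/* e is expected to be validated at parse time; SCMP_ACT_ERRNO() masks it to 16 bits */`. It would also be worth a one-line comment that a per-syscall errno is intentionally ignored when action is SCMP_ACT_ALLOW (the whitelist case), since that is not obvious from the condition alone. The enclosing loop and function continue outside this hunk.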
@@ -1515,7 +1521,7 @@ int parse_syscall_archs(char **l, Set **archs) {
return 0;
}
-int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) {
+int seccomp_filter_set_add(Hashmap *filter, bool add, const SyscallFilterSet *set) {
const char *i;
int r;
@@ -1543,11 +1549,11 @@ int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) {
}
if (add) {
- r = set_put(filter, INT_TO_PTR(id + 1));
+ r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(-1));
if (r < 0)
return r;
} else
- (void) set_remove(filter, INT_TO_PTR(id + 1));
+ (void) hashmap_remove(filter, INT_TO_PTR(id + 1));
}
}
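Review bot: The unchanged `if (r < 0) return r;` after the new `hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(-1))` changes the duplicate-entry behaviour: set_put() returned 0 for a key that was already present, whereas hashmap_put() returns -EEXIST when the key is present with a different value, so if a caller can list a syscall with an explicit errno and later add a set containing the same syscall, this call now fails the whole filter instead of keeping the earlier, more specific errno. Unless that ordering is impossible for the callers, I would tolerate the collision, e.g. `if (r < 0 && r != -EEXIST) return r;`, and document the sentinel with `/* -1: no per-syscall errno, the caller's action applies */`. seccomp_filter_set_add() starts before this hunk and its final return is not shown.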