authorLennart Poettering <lennart@poettering.net>2018-02-26 12:51:35 +0100
committerLennart Poettering <lennart@poettering.net>2018-02-27 19:59:09 +0100
commit13d92c6300edbb1369f97c2e1bef4c4096de8ddb (patch)
tree120ab6d5ae6ee4c73b97e78fe895803d3512936e /src/shared/seccomp-util.h
parentfa7bc1d1c71e84b1676ed6853a09e612ca7bd67f (diff)
downloadsystemd-13d92c6300edbb1369f97c2e1bef4c4096de8ddb.tar.gz
seccomp: rework functions for parsing system call filters
This reworks system call filter parsing, and replaces a couple of "bool" function arguments by a single flags parameter. This shouldn't change behaviour, except for one case: when we recursively call our parsing function on our own syscall list, then we'll lower the log level to LOG_DEBUG from LOG_WARNING, because at that point things are just a problem in our own code rather than in the user configuration we are parsing, and hence we shouldn't generate confusing warnings about syntax errors. Fixes: #8261
Diffstat (limited to 'src/shared/seccomp-util.h')
-rw-r--r--src/shared/seccomp-util.h29
1 files changed, 13 insertions, 16 deletions
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 0b30cdf388..5915ceb9a3 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -81,22 +81,19 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint
int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action);
-int seccomp_parse_syscall_filter_internal(
- bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist,
- bool warn, const char *unit, const char *filename, unsigned line);
-
-static inline int seccomp_parse_syscall_filter_and_warn(
- bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist,
- const char *unit, const char *filename, unsigned line) {
- assert(unit);
- assert(filename);
-
- return seccomp_parse_syscall_filter_internal(invert, name, errno_num, filter, whitelist, true, unit, filename, line);
-}
-
-static inline int seccomp_parse_syscall_filter(
- bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist) {
- return seccomp_parse_syscall_filter_internal(invert, name, errno_num, filter, whitelist, false, NULL, NULL, 0);
+typedef enum SeccompParseFlags {
+ SECCOMP_PARSE_INVERT = 1U << 0,
+ SECCOMP_PARSE_WHITELIST = 1U << 1,
+ SECCOMP_PARSE_LOG = 1U << 2,
+ SECCOMP_PARSE_PERMISSIVE = 1U << 3,
+} SeccompParseFlags;
+
+int seccomp_parse_syscall_filter_full(
+ const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags,
+ const char *unit, const char *filename, unsigned line);
+
+static inline int seccomp_parse_syscall_filter(const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags) {
+ return seccomp_parse_syscall_filter_full(name, errno_num, filter, flags, NULL, NULL, 0);
}
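Review bot: The new SeccompParseFlags enum is undocumented, and the inline wrapper at the end of the hunk drops the invariant the removed seccomp_parse_syscall_filter_and_warn enforced with assert(unit)/assert(filename): a caller can now pass SECCOMP_PARSE_LOG through seccomp_parse_syscall_filter, which forwards NULL unit/filename and line 0, so whether that combination is safe depends entirely on seccomp_parse_syscall_filter_full in seccomp-util.c, outside this hunk. Since the header is the only place a caller sees the contract, I would state it here rather than rely on the implementation guarding it. Above the enum, add a short block comment naming each flag's effect — invert the match, treat the list as a whitelist, report parse errors via the log (this is the flag the recursive self-list call is expected to combine with a lower log level per the commit message), and permissive handling of unknown entries — with the last two phrased as "presumably" until confirmed against the .c file. On the wrapper, add `/* Callers that set SECCOMP_PARSE_LOG should use seccomp_parse_syscall_filter_full() so unit/filename/line are available for the message; here they are NULL/0. */`.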
int seccomp_restrict_archs(Set *archs);