author | Topi Miettinen <toiwoton@gmail.com> | 2020-08-05 16:31:26 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2020-09-15 12:54:17 +0300 |
commit | 005bfaf11876e261de6b99d597b69f664b53e7c5 (patch) | |
tree | 7aa214e69fad5ff0d0ac245529707dbf2dbbd44d /src/shared/seccomp-util.h | |
parent | 150c430fd499082164b6ddbd2f501e2333261a78 (diff) | |
download | systemd-005bfaf11876e261de6b99d597b69f664b53e7c5.tar.gz |
exec: Add kill action to system call filters
Define explicit action "kill" for SystemCallErrorNumber=.
In addition to an errno code, allow specifying "kill" as the action for
SystemCallFilter=.
---
v7: seccomp_parse_errno_or_action() returns -EINVAL if !HAVE_SECCOMP
v6: use streq_ptr(), let errno_to_name() handle bad values, kill processes,
init syscall_errno
v5: actually use seccomp_errno_or_action_to_string(), don't fail bus unit
parsing without seccomp
v4: fix build without seccomp
v3: drop log action
v2: action -> number
Diffstat (limited to 'src/shared/seccomp-util.h')
-rw-r--r-- | src/shared/seccomp-util.h | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index b62ee7c448..ff3b96df4b 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -5,7 +5,10 @@
 #include <stdbool.h>
 #include <stdint.h>
+#include "errno-list.h"
+#include "parse-util.h"
 #include "set.h"
+#include "string-util.h"
 const char* seccomp_arch_to_string(uint32_t c);
 int seccomp_arch_from_string(const char *n, uint32_t *ret);
@@ -115,3 +118,25 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(scmp_filter_ctx, seccomp_release);
 int parse_syscall_archs(char **l, Set **ret_archs);
 uint32_t scmp_act_kill_process(void);
+
+/* This is a special value to be used where syscall filters otherwise expect errno numbers, will be
+ replaced with real seccomp action. */
+enum {
+ SECCOMP_ERROR_NUMBER_KILL = INT_MAX - 1,
+};
+
+static inline bool seccomp_errno_or_action_is_valid(int n) {
+ return n == SECCOMP_ERROR_NUMBER_KILL || errno_is_valid(n);
+}
+
+static inline int seccomp_parse_errno_or_action(const char *p) {
+ if (streq_ptr(p, "kill"))
+ return SECCOMP_ERROR_NUMBER_KILL;
+ return parse_errno(p);
+}
+
+static inline const char *seccomp_errno_or_action_to_string(int num) {
+ if (num == SECCOMP_ERROR_NUMBER_KILL)
+ return "kill";
+ return errno_to_name(num);
+}
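Review bot: The new enum initializer `SECCOMP_ERROR_NUMBER_KILL = INT_MAX - 1` uses INT_MAX, but the first hunk adds only errno-list.h, parse-util.h and string-util.h and not `<limits.h>`, so the header presumably compiles only through a transitive include; add `#include <limits.h>` next to `<stdint.h>` so the header stays self-contained. The comment above the enum explains what the sentinel is for but not why it is safe, so I would extend it with a line such as `Chosen above any value errno_is_valid() accepts, so it can never collide with a real errno number.` Since seccomp_errno_or_action_to_string() passes every non-sentinel value straight to errno_to_name(), and the v6 note says that function is left to handle bad values, callers should be told what they get for an unknown number — I would document the helper with `/* Returns "kill" for the sentinel, otherwise whatever errno_to_name() returns for num (possibly NULL for unknown values) — callers must handle that. */` once that behaviour is confirmed against errno-list.h.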