#include "env-util.h"
#include "errno-list.h"
#include "macro.h"
+#include "namespace-util.h"
#include "nsflags.h"
#include "nulstr-util.h"
#include "process-util.h"
"pause\0"
"prlimit64\0"
"restart_syscall\0"
+ "riscv_flush_icache\0"
"rseq\0"
"rt_sigreturn\0"
"sched_getaffinity\0"
"pidfd_getfd\0"
"ptrace\0"
"rtas\0"
-#if defined __s390__ || defined __s390x__
"s390_runtime_instr\0"
-#endif
"sys_debug_setcontext\0"
},
[SYSCALL_FILTER_SET_FILE_SYSTEM] = {
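Review bot: Nothing near `s390_runtime_instr` says why an architecture-specific name is now listed on every build, and the same holds for `s390_pci_mmio_read`/`s390_pci_mmio_write` in the set that ends just before `SYSCALL_FILTER_SET_REBOOT`. Dropping the `#if` is only safe if the code that resolves set members per architecture skips names the local architecture does not know, rather than failing the whole filter. That resolution code is not visible in these hunks, so it is worth confirming for both the allow-list and the deny-list path. I would record the assumption once above the table, for example `/* Arch-specific syscalls are listed unconditionally; names unknown on the local architecture are skipped when the filter is built */`.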
"pciconfig_iobase\0"
"pciconfig_read\0"
"pciconfig_write\0"
-#if defined __s390__ || defined __s390x__
"s390_pci_mmio_read\0"
"s390_pci_mmio_write\0"
-#endif
},
[SYSCALL_FILTER_SET_REBOOT] = {
.name = "@reboot",
bool log_missing,
char ***added) {
- const char *sys;
int r;
/* Any syscalls that are handled are added to the *added strv. It needs to be initialized. */
if (name[0] == '@') {
const SyscallFilterSet *set;
- const char *i;
set = syscall_filter_set_find(name);
if (!set) {
continue;
}
- for (unsigned i = 0; namespace_flag_map[i].name; i++) {
+ for (unsigned i = 0; namespace_info[i].proc_name; i++) {
unsigned long f;
- f = namespace_flag_map[i].flag;
+ f = namespace_info[i].clone_flag;
if (FLAGS_SET(retain, f)) {
- log_debug("Permitting %s.", namespace_flag_map[i].name);
+ log_debug("Permitting %s.", namespace_info[i].proc_name);
continue;
}
- log_debug("Blocking %s.", namespace_flag_map[i].name);
+ log_debug("Blocking %s.", namespace_info[i].proc_name);
r = seccomp_rule_add_exact(
seccomp,
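Review bot: The deny loop now takes both its termination condition and its flag values from `namespace_info[]`, a table owned by another module, and nothing here records what it relies on. If an entry in the middle of that table had a NULL `proc_name`, the loop would stop early and the later namespace types would get no blocking rule. If an entry had a zero `clone_flag`, the `FLAGS_SET(retain, f)` test would presumably treat it as retained and log it as permitted. Neither invariant is visible in this hunk, so once confirmed against the table's definition I would state it above the loop: `/* namespace_info[] ends with an all-zero entry; every real entry has a non-NULL proc_name and a non-zero clone_flag */`. The enclosing function starts and ends outside the hunk.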
return 0;
}
-int seccomp_restrict_realtime(void) {
+int seccomp_restrict_realtime_full(int error_code) {
static const int permitted_policies[] = {
SCHED_OTHER,
SCHED_BATCH,
uint32_t arch;
unsigned i;
+ assert(error_code > 0);
+
/* Determine the highest policy constant we want to allow */
for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
if (permitted_policies[i] > max_policy)
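Review bot: `assert(error_code > 0)` is the only check on the new parameter and it has no upper bound. `SCMP_ACT_ERRNO()` keeps only the low 16 bits of its argument, so an out-of-range value would silently become a different errno in the two `sched_setscheduler` rules further down (the `SCMP_CMP_EQ` and `SCMP_CMP_GT` hunks). If assertions are compiled out, a caller passing 0 or a negative errno in the usual `-EPERM` style would also get through, and an errno action of 0 makes the denied call look as if it succeeded. I would tighten it to `assert(error_code > 0 && error_code <= ERRNO_MAX);` if the tree's `ERRNO_MAX` is reachable from this file, or return `-EINVAL` for out-of-range values so the check survives `NDEBUG`. I would also add a one-line comment that `error_code` is the positive errno returned for a denied `sched_setscheduler()`. The function body starts and ends outside this hunk.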
/* Deny this policy */
r = seccomp_rule_add_exact(
seccomp,
- SCMP_ACT_ERRNO(EPERM),
+ SCMP_ACT_ERRNO(error_code),
SCMP_SYS(sched_setscheduler),
1,
SCMP_A1(SCMP_CMP_EQ, p));
* are unsigned here, hence no need no check for < 0 values. */
r = seccomp_rule_add_exact(
seccomp,
- SCMP_ACT_ERRNO(EPERM),
+ SCMP_ACT_ERRNO(error_code),
SCMP_SYS(sched_setscheduler),
1,
SCMP_A1(SCMP_CMP_GT, max_policy));
}
int seccomp_filter_set_add(Hashmap *filter, bool add, const SyscallFilterSet *set) {
- const char *i;
int r;
assert(set);
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
- const char *c;
r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
if (r < 0)