Major distributions already have libseccomp 2.5.x or newer.
Let's bump the required minimum version to 2.4.0, which provides
SCMP_ACT_KILL_PROCESS, SCMP_ACT_LOG, SCMP_ARCH_PARISC, and
SCMP_ARCH_PARISC64.
Note, libseccomp 2.4.0 was released on 2019-03-15.
See also #38608.
libxcrypt or glibc (<= 2.38 built with --enable-crypt)
libmount >= 2.30 (from util-linux)
(util-linux *must* be built without --enable-libmount-support-mtab)
- libseccomp >= 2.3.1 (optional)
+ libseccomp >= 2.4.0 (optional)
libblkid >= 2.37 (from util-linux) (optional)
libkmod >= 15 (optional)
PAM >= 1.1.2 (optional)
conf.set10('HAVE_PASSWDQC', not have and libpwquality.found())
libseccomp = dependency('libseccomp',
- version : '>= 2.3.1',
+ version : '>= 2.4.0',
required : get_option('seccomp'))
conf.set10('HAVE_SECCOMP', libseccomp.found())
libseccomp_cflags = libseccomp.partial_dependency(includes: true, compile_args: true)
if (skip_seccomp_unavailable("SystemCallFilter="))
return 0;
- negative_action = c->syscall_errno == SECCOMP_ERROR_NUMBER_KILL ? scmp_act_kill_process() : SCMP_ACT_ERRNO(c->syscall_errno);
+ negative_action = c->syscall_errno == SECCOMP_ERROR_NUMBER_KILL ? SCMP_ACT_KILL_PROCESS : SCMP_ACT_ERRNO(c->syscall_errno);
if (c->syscall_allow_list) {
default_action = negative_action;
}
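Review bot: Substituting the bare `SCMP_ACT_KILL_PROCESS` macro for `scmp_act_kill_process()` drops the runtime `seccomp_api_get() >= 3` probe that helper performed (visible in its deleted body further down), so the kill action is now requested without checking that the running kernel supports it. The libseccomp >= 2.4.0 baseline guarantees only that the macro compiles; on a kernel that lacks SECCOMP_RET_KILL_PROCESS, libseccomp would presumably reject the filter rather than degrade to the old SCMP_ACT_KILL fallback, turning a previously working SystemCallFilter= into a load failure. If the project's kernel baseline already guarantees the action, a one-line comment at this assignment would make that dependency explicit, e.g. `/* SCMP_ACT_KILL_PROCESS also needs kernel support; the libseccomp >= 2.4.0 baseline only guarantees the macro. */`; otherwise a runtime check at the call site should stay. The enclosing apply_syscall_filter() begins before and continues after this hunk.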
static int apply_syscall_log(const ExecContext *c, const ExecParameters *p) {
-#ifdef SCMP_ACT_LOG
uint32_t default_action, action;
-#endif
assert(c);
assert(p);
if (!context_has_syscall_logs(c))
return 0;
-#ifdef SCMP_ACT_LOG
if (skip_seccomp_unavailable("SystemCallLog="))
return 0;
}
return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_log, action, false);
-#else
- /* old libseccomp */
- log_debug( "SECCOMP feature SCMP_ACT_LOG not available, skipping SystemCallLog=");
- return 0;
-#endif
}
static int apply_syscall_archs(const ExecContext *c, const ExecParameters *p) {
{ "SCMP_ACT_ALLOW", SCMP_ACT_ALLOW },
{ "SCMP_ACT_ERRNO", SCMP_ACT_ERRNO(EPERM) }, /* the OCI spec doesn't document the error, but it appears EPERM is supposed to be used */
{ "SCMP_ACT_KILL", SCMP_ACT_KILL },
-#ifdef SCMP_ACT_KILL_PROCESS
{ "SCMP_ACT_KILL_PROCESS", SCMP_ACT_KILL_PROCESS },
-#endif
-#ifdef SCMP_ACT_KILL_THREAD
{ "SCMP_ACT_KILL_THREAD", SCMP_ACT_KILL_THREAD },
-#endif
-#ifdef SCMP_ACT_LOG
{ "SCMP_ACT_LOG", SCMP_ACT_LOG },
-#endif
{ "SCMP_ACT_TRAP", SCMP_ACT_TRAP },
/* We don't support SCMP_ACT_TRACE because that requires a tracer, and that doesn't really make sense
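Review bot: The guard around `SCMP_ACT_KILL_THREAD` is removed here, but the commit message justifies the 2.4.0 bump only by listing SCMP_ACT_KILL_PROCESS, SCMP_ACT_LOG, SCMP_ARCH_PARISC and SCMP_ARCH_PARISC64. If libseccomp 2.4.0 also introduced SCMP_ACT_KILL_THREAD (it appears to be the companion of SCMP_ACT_KILL_PROCESS, which I have not verified against the 2.4.0 header), add it to the list in the message so the unguarded table entry is covered by the stated baseline; if it arrived later, the `#ifdef SCMP_ACT_KILL_THREAD` guard on that entry should be kept. The table definition starts before this hunk and continues after it.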
{ "SCMP_ARCH_MIPSEL64", SCMP_ARCH_MIPSEL64 },
{ "SCMP_ARCH_MIPSEL64N32", SCMP_ARCH_MIPSEL64N32 },
{ "SCMP_ARCH_NATIVE", SCMP_ARCH_NATIVE },
-#ifdef SCMP_ARCH_PARISC
{ "SCMP_ARCH_PARISC", SCMP_ARCH_PARISC },
-#endif
-#ifdef SCMP_ARCH_PARISC64
{ "SCMP_ARCH_PARISC64", SCMP_ARCH_PARISC64 },
-#endif
{ "SCMP_ARCH_PPC", SCMP_ARCH_PPC },
{ "SCMP_ARCH_PPC64", SCMP_ARCH_PPC64 },
{ "SCMP_ARCH_PPC64LE", SCMP_ARCH_PPC64LE },
SCMP_ARCH_MIPSEL64,
SCMP_ARCH_MIPS64N32,
SCMP_ARCH_MIPSEL64N32, /* native */
-#elif defined(__hppa64__) && defined(SCMP_ARCH_PARISC) && defined(SCMP_ARCH_PARISC64)
+#elif defined(__hppa64__)
SCMP_ARCH_PARISC,
SCMP_ARCH_PARISC64, /* native */
-#elif defined(__hppa__) && defined(SCMP_ARCH_PARISC)
+#elif defined(__hppa__)
SCMP_ARCH_PARISC,
#elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN
SCMP_ARCH_PPC,
return "mips64-le";
case SCMP_ARCH_MIPSEL64N32:
return "mips64-le-n32";
-#ifdef SCMP_ARCH_PARISC
case SCMP_ARCH_PARISC:
return "parisc";
-#endif
-#ifdef SCMP_ARCH_PARISC64
case SCMP_ARCH_PARISC64:
return "parisc64";
-#endif
case SCMP_ARCH_PPC:
return "ppc";
case SCMP_ARCH_PPC64:
*ret = SCMP_ARCH_MIPSEL64;
else if (streq(n, "mips64-le-n32"))
*ret = SCMP_ARCH_MIPSEL64N32;
-#ifdef SCMP_ARCH_PARISC
else if (streq(n, "parisc"))
*ret = SCMP_ARCH_PARISC;
-#endif
-#ifdef SCMP_ARCH_PARISC64
else if (streq(n, "parisc64"))
*ret = SCMP_ARCH_PARISC64;
-#endif
else if (streq(n, "ppc"))
*ret = SCMP_ARCH_PPC;
else if (streq(n, "ppc64"))
if (default_action == SCMP_ACT_ALLOW)
return default_action;
-#ifdef SCMP_ACT_LOG
if (default_action == SCMP_ACT_LOG)
return default_action;
-#endif
return SCMP_ACT_ERRNO(ENOSYS);
}
int error = PTR_TO_INT(val);
if (error == SECCOMP_ERROR_NUMBER_KILL)
- a = scmp_act_kill_process();
-#ifdef SCMP_ACT_LOG
+ a = SCMP_ACT_KILL_PROCESS;
else if (action == SCMP_ACT_LOG)
a = SCMP_ACT_LOG;
-#endif
else if (error >= 0)
a = SCMP_ACT_ERRNO(error);
case SCMP_ARCH_X86:
case SCMP_ARCH_MIPSEL:
case SCMP_ARCH_MIPS:
-#ifdef SCMP_ARCH_PARISC
case SCMP_ARCH_PARISC:
-#endif
-#ifdef SCMP_ARCH_PARISC64
case SCMP_ARCH_PARISC64:
-#endif
case SCMP_ARCH_PPC:
case SCMP_ARCH_PPC64:
case SCMP_ARCH_PPC64LE:
return 0;
}
-uint32_t scmp_act_kill_process(void) {
-
- /* Returns SCMP_ACT_KILL_PROCESS if it's supported, and SCMP_ACT_KILL_THREAD otherwise. We never
- * actually want to use SCMP_ACT_KILL_THREAD as its semantics are nuts (killing arbitrary threads of
- * a program is just a bad idea), but on old kernels/old libseccomp it is all we have, and at least
- * for single-threaded apps does the right thing. */
-
-#ifdef SCMP_ACT_KILL_PROCESS
- if (dlopen_libseccomp() >= 0 && sym_seccomp_api_get() >= 3)
- return SCMP_ACT_KILL_PROCESS;
-#endif
-
- return SCMP_ACT_KILL; /* same as SCMP_ACT_KILL_THREAD */
-}
-
int parse_syscall_and_errno(const char *in, char **name, int *error) {
_cleanup_free_ char *n = NULL;
const char *p;
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_RENAME(scmp_filter_ctx, sym_seccomp_release, seccomp_releasep, NULL);
int parse_syscall_archs(char **l, Set **ret_archs);
-
-uint32_t scmp_act_kill_process(void);
-
int parse_syscall_and_errno(const char *in, char **name, int *error);
int seccomp_suppress_sync(void);
assert_se(access("/", F_OK) >= 0);
assert_se(poll(NULL, 0, 0) == 0);
- assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, scmp_act_kill_process(), true) >= 0);
+ assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, SCMP_ACT_KILL_PROCESS, true) >= 0);
assert_se(access("/", F_OK) >= 0);
assert_se(poll(NULL, 0, 0) == 0);
assert_se(access("/", F_OK) >= 0);
assert_se(poll(NULL, 0, 0) == 0);
- assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, scmp_act_kill_process(), true) >= 0);
+ assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, SCMP_ACT_KILL_PROCESS, true) >= 0);
assert_se(access("/", F_OK) >= 0);
assert_se(poll(NULL, 0, 0) == 0);