From: Yu Watanabe Date: Sun, 17 Aug 2025 15:58:56 +0000 (+0900) Subject: Bump required minimum version of libseccomp to 2.4.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=431fc656bcff3038fa257d7dcaf577f02361760a;p=thirdparty%2Fsystemd.git Bump required minimum version of libseccomp to 2.4.0 Major distributions already have libseccomp 2.5.x or newer. Let's bump to the required minimum version to 2.4.0, which provides SCMP_ACT_KILL_PROCESS, SCMP_ACT_LOG, SCMP_ARCH_PARISC, and SCMP_ARCH_PARISC64. Note, libseccomp 2.4.0 was released on 2019-03-15. See also #38608.
---
diff --git a/README b/README
index 9492d717dec..83493b04177 100644
--- a/README
+++ b/README
@@ -215,7 +215,7 @@ REQUIREMENTS:
         libxcrypt or glibc (<= 2.38 built with --enable-crypt)
         libmount >= 2.30 (from util-linux) (util-linux *must* be built without --enable-libmount-support-mtab)
-        libseccomp >= 2.3.1 (optional)
+        libseccomp >= 2.4.0 (optional)
         libblkid >= 2.37 (from util-linux) (optional)
         libkmod >= 15 (optional)
         PAM >= 1.1.2 (optional)
diff --git a/meson.build b/meson.build
index 26b6fea22ca..cc26bbd63e2 100644
--- a/meson.build
+++ b/meson.build
@@ -1180,7 +1180,7 @@ conf.set10('HAVE_PWQUALITY', have)
 conf.set10('HAVE_PASSWDQC', not have and libpwquality.found())
 
 libseccomp = dependency('libseccomp',
-                        version : '>= 2.3.1',
+                        version : '>= 2.4.0',
                         required : get_option('seccomp'))
 conf.set10('HAVE_SECCOMP', libseccomp.found())
 libseccomp_cflags = libseccomp.partial_dependency(includes: true, compile_args: true)
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index cf47d996b29..4adf8d00ce8 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -1673,7 +1673,7 @@ static int apply_syscall_filter(const ExecContext *c, const ExecParameters *p) {
         if (skip_seccomp_unavailable("SystemCallFilter="))
                 return 0;
 
-        negative_action = c->syscall_errno == SECCOMP_ERROR_NUMBER_KILL ? scmp_act_kill_process() : SCMP_ACT_ERRNO(c->syscall_errno);
+        negative_action = c->syscall_errno == SECCOMP_ERROR_NUMBER_KILL ? SCMP_ACT_KILL_PROCESS : SCMP_ACT_ERRNO(c->syscall_errno);
 
         if (c->syscall_allow_list) {
                 default_action = negative_action;
@@ -1694,9 +1694,7 @@ static int apply_syscall_filter(const ExecContext *c, const ExecParameters *p) {
 }
 
 static int apply_syscall_log(const ExecContext *c, const ExecParameters *p) {
-#ifdef SCMP_ACT_LOG
         uint32_t default_action, action;
-#endif
 
         assert(c);
         assert(p);
@@ -1704,7 +1702,6 @@ static int apply_syscall_log(const ExecContext *c, const ExecParameters *p) {
         if (!context_has_syscall_logs(c))
                 return 0;
 
-#ifdef SCMP_ACT_LOG
         if (skip_seccomp_unavailable("SystemCallLog="))
                 return 0;
 
@@ -1719,11 +1716,6 @@ static int apply_syscall_log(const ExecContext *c, const ExecParameters *p) {
         }
 
         return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_log, action, false);
-#else
-        /* old libseccomp */
-        log_debug( "SECCOMP feature SCMP_ACT_LOG not available, skipping SystemCallLog=");
-        return 0;
-#endif
 }
 
 static int apply_syscall_archs(const ExecContext *c, const ExecParameters *p) {
diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c
index b0cc7a58cf8..29091bd82c8 100644
--- a/src/nspawn/nspawn-oci.c
+++ b/src/nspawn/nspawn-oci.c
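Review bot: Replacing `scmp_act_kill_process()` with the bare `SCMP_ACT_KILL_PROCESS` constant on the `negative_action` line drops the runtime `sym_seccomp_api_get() >= 3` probe the deleted helper performed, so whether the running kernel actually supports SECCOMP_RET_KILL_PROCESS is no longer checked before the action is used. If libseccomp rejects the action on a kernel without that support instead of degrading it to SCMP_ACT_KILL as the old fallback did, a `SystemCallErrorNumber=kill` filter would presumably fail to load rather than kill the offending thread, which is a behaviour change the commit message does not mention. If systemd's minimum supported kernel already guarantees the support, the description should say so, and a comment such as `/* SCMP_ACT_KILL_PROCESS is used unconditionally: libseccomp >= 2.4.0 defines it and the supported kernel baseline honours SECCOMP_RET_KILL_PROCESS */` on the new line would keep that reasoning next to the code. The same substitution appears in the seccomp_load_syscall_filter_set_raw hunk of seccomp-util.c and in both test-seccomp.c hunks. apply_syscall_filter begins and continues outside this hunk.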
@@ -1554,15 +1554,9 @@ static int oci_seccomp_action_from_string(const char *name, uint32_t *ret) {
                 { "SCMP_ACT_ALLOW", SCMP_ACT_ALLOW },
                 { "SCMP_ACT_ERRNO", SCMP_ACT_ERRNO(EPERM) }, /* the OCI spec doesn't document the error, but it appears EPERM is supposed to be used */
                 { "SCMP_ACT_KILL", SCMP_ACT_KILL },
-#ifdef SCMP_ACT_KILL_PROCESS
                 { "SCMP_ACT_KILL_PROCESS", SCMP_ACT_KILL_PROCESS },
-#endif
-#ifdef SCMP_ACT_KILL_THREAD
                 { "SCMP_ACT_KILL_THREAD", SCMP_ACT_KILL_THREAD },
-#endif
-#ifdef SCMP_ACT_LOG
                 { "SCMP_ACT_LOG", SCMP_ACT_LOG },
-#endif
                 { "SCMP_ACT_TRAP", SCMP_ACT_TRAP },
 
                 /* We don't support SCMP_ACT_TRACE because that requires a tracer, and that doesn't really make sense
@@ -1596,12 +1590,8 @@ static int oci_seccomp_arch_from_string(const char *name, uint32_t *ret) {
                 { "SCMP_ARCH_MIPSEL64", SCMP_ARCH_MIPSEL64 },
                 { "SCMP_ARCH_MIPSEL64N32", SCMP_ARCH_MIPSEL64N32 },
                 { "SCMP_ARCH_NATIVE", SCMP_ARCH_NATIVE },
-#ifdef SCMP_ARCH_PARISC
                 { "SCMP_ARCH_PARISC", SCMP_ARCH_PARISC },
-#endif
-#ifdef SCMP_ARCH_PARISC64
                 { "SCMP_ARCH_PARISC64", SCMP_ARCH_PARISC64 },
-#endif
                 { "SCMP_ARCH_PPC", SCMP_ARCH_PPC },
                 { "SCMP_ARCH_PPC64", SCMP_ARCH_PPC64 },
                 { "SCMP_ARCH_PPC64LE", SCMP_ARCH_PPC64LE },
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index c3eb9049e8d..5719693a4fd 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -129,10 +129,10 @@ uint32_t seccomp_local_archs[] = {
                 SCMP_ARCH_MIPSEL64,
                 SCMP_ARCH_MIPS64N32,
                 SCMP_ARCH_MIPSEL64N32, /* native */
-#elif defined(__hppa64__) && defined(SCMP_ARCH_PARISC) && defined(SCMP_ARCH_PARISC64)
+#elif defined(__hppa64__)
                 SCMP_ARCH_PARISC,
                 SCMP_ARCH_PARISC64, /* native */
-#elif defined(__hppa__) && defined(SCMP_ARCH_PARISC)
+#elif defined(__hppa__)
                 SCMP_ARCH_PARISC,
 #elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN
                 SCMP_ARCH_PPC,
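Review bot: The oci_seccomp_action_from_string table now also depends unconditionally on `SCMP_ACT_KILL_THREAD`, which the commit message does not list among the symbols libseccomp 2.4.0 provides (it names only SCMP_ACT_KILL_PROCESS, SCMP_ACT_LOG, SCMP_ARCH_PARISC and SCMP_ARCH_PARISC64), so the description should mention it if the version bump is meant to justify every guard removed here. Per the comment in the deleted scmp_act_kill_process() helper, SCMP_ACT_KILL_THREAD is the same value as SCMP_ACT_KILL, so the table now carries two names for one action; that is harmless for a string-to-action lookup, but a short comment on the `SCMP_ACT_KILL_THREAD` entry, `/* same action as SCMP_ACT_KILL, accepted under both OCI names */`, would save the next reader the lookup. The table and its enclosing function begin and end outside this hunk.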
@@ -190,14 +190,10 @@ const char* seccomp_arch_to_string(uint32_t c) {
                 return "mips64-le";
         case SCMP_ARCH_MIPSEL64N32:
                 return "mips64-le-n32";
-#ifdef SCMP_ARCH_PARISC
         case SCMP_ARCH_PARISC:
                 return "parisc";
-#endif
-#ifdef SCMP_ARCH_PARISC64
         case SCMP_ARCH_PARISC64:
                 return "parisc64";
-#endif
         case SCMP_ARCH_PPC:
                 return "ppc";
         case SCMP_ARCH_PPC64:
@@ -251,14 +247,10 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
                 *ret = SCMP_ARCH_MIPSEL64;
         else if (streq(n, "mips64-le-n32"))
                 *ret = SCMP_ARCH_MIPSEL64N32;
-#ifdef SCMP_ARCH_PARISC
         else if (streq(n, "parisc"))
                 *ret = SCMP_ARCH_PARISC;
-#endif
-#ifdef SCMP_ARCH_PARISC64
         else if (streq(n, "parisc64"))
                 *ret = SCMP_ARCH_PARISC64;
-#endif
         else if (streq(n, "ppc"))
                 *ret = SCMP_ARCH_PPC;
         else if (streq(n, "ppc64"))
@@ -1159,10 +1151,8 @@ static uint32_t override_default_action(uint32_t default_action) {
         if (default_action == SCMP_ACT_ALLOW)
                 return default_action;
 
-#ifdef SCMP_ACT_LOG
         if (default_action == SCMP_ACT_LOG)
                 return default_action;
-#endif
 
         return SCMP_ACT_ERRNO(ENOSYS);
 }
@@ -1264,11 +1254,9 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
                 int error = PTR_TO_INT(val);
 
                 if (error == SECCOMP_ERROR_NUMBER_KILL)
-                        a = scmp_act_kill_process();
-#ifdef SCMP_ACT_LOG
+                        a = SCMP_ACT_KILL_PROCESS;
                 else if (action == SCMP_ACT_LOG)
                         a = SCMP_ACT_LOG;
-#endif
                 else if (error >= 0)
                         a = SCMP_ACT_ERRNO(error);
 
@@ -1677,12 +1665,8 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
                 case SCMP_ARCH_X86:
                 case SCMP_ARCH_MIPSEL:
                 case SCMP_ARCH_MIPS:
-#ifdef SCMP_ARCH_PARISC
                 case SCMP_ARCH_PARISC:
-#endif
-#ifdef SCMP_ARCH_PARISC64
                 case SCMP_ARCH_PARISC64:
-#endif
                 case SCMP_ARCH_PPC:
                 case SCMP_ARCH_PPC64:
                 case SCMP_ARCH_PPC64LE:
@@ -2488,21 +2472,6 @@ int seccomp_restrict_suid_sgid(void) {
         return 0;
 }
 
-uint32_t scmp_act_kill_process(void) {
-
-        /* Returns SCMP_ACT_KILL_PROCESS if it's supported, and SCMP_ACT_KILL_THREAD otherwise. We never
-         * actually want to use SCMP_ACT_KILL_THREAD as its semantics are nuts (killing arbitrary threads of
-         * a program is just a bad idea), but on old kernels/old libseccomp it is all we have, and at least
-         * for single-threaded apps does the right thing. */
-
-#ifdef SCMP_ACT_KILL_PROCESS
-        if (dlopen_libseccomp() >= 0 && sym_seccomp_api_get() >= 3)
-                return SCMP_ACT_KILL_PROCESS;
-#endif
-
-        return SCMP_ACT_KILL; /* same as SCMP_ACT_KILL_THREAD */
-}
-
 int parse_syscall_and_errno(const char *in, char **name, int *error) {
         _cleanup_free_ char *n = NULL;
         const char *p;
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 871135c85be..51c2ba65050 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -153,9 +153,6 @@ _DEFINE_ABS_WRAPPER(SECCOMP_FATAL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_RENAME(scmp_filter_ctx, sym_seccomp_release, seccomp_releasep, NULL);
 
 int parse_syscall_archs(char **l, Set **ret_archs);
-
-uint32_t scmp_act_kill_process(void);
-
 int parse_syscall_and_errno(const char *in, char **name, int *error);
 
 int seccomp_suppress_sync(void);
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index 81eed6d89d6..fa05eecb95a 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -682,7 +682,7 @@ TEST(load_syscall_filter_set_raw) {
                 assert_se(access("/", F_OK) >= 0);
                 assert_se(poll(NULL, 0, 0) == 0);
 
-                assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, scmp_act_kill_process(), true) >= 0);
+                assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, SCMP_ACT_KILL_PROCESS, true) >= 0);
 
                 assert_se(access("/", F_OK) >= 0);
                 assert_se(poll(NULL, 0, 0) == 0);
@@ -791,7 +791,7 @@ TEST(native_syscalls_filtered) {
                 assert_se(access("/", F_OK) >= 0);
                 assert_se(poll(NULL, 0, 0) == 0);
 
-                assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, scmp_act_kill_process(), true) >= 0);
+                assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, SCMP_ACT_KILL_PROCESS, true) >= 0);
 
                 assert_se(access("/", F_OK) >= 0);
                 assert_se(poll(NULL, 0, 0) == 0);