From d6e12907a06e7254540efea060a524f02959d56f Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Mon, 20 Jul 2020 17:26:12 +0200
Subject: [PATCH] lxcseccomp: hide unnecessary symbols
Signed-off-by: Christian Brauner
---
 src/lxc/Makefile.am | 104 +++++++++++++++++++++++++++++++++++++++++-
 src/lxc/lxcseccomp.h | 29 ++++++------
 src/tests/Makefile.am | 30 +++++++++++-
 3 files changed, 146 insertions(+), 17 deletions(-)
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index 32ab6eeb0..2caaaad25 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -183,7 +183,7 @@ endif
 endif
 if ENABLE_SECCOMP
-liblxc_la_SOURCES += seccomp.c
+liblxc_la_SOURCES += seccomp.c lxcseccomp.h
 endif
 if !HAVE_STRLCPY
@@ -341,6 +341,10 @@ lxc_attach_SOURCES = tools/lxc_attach.c \
 log.c log.h \
 rexec.c rexec.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_attach_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_autostart_SOURCES = tools/lxc_autostart.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -352,6 +356,10 @@ lxc_autostart_SOURCES = tools/lxc_autostart.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_autostart_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_cgroup_SOURCES = tools/lxc_cgroup.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -363,6 +371,10 @@ lxc_cgroup_SOURCES = tools/lxc_cgroup.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_cgroup_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_config_SOURCES = tools/lxc_config.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -374,6 +386,10 @@ lxc_config_SOURCES = tools/lxc_config.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_config_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_console_SOURCES = tools/lxc_console.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
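Review bot: The three-line `if ENABLE_SECCOMP` / `lxc_attach_SOURCES += seccomp.c lxcseccomp.h` / `endif` block added after the lxc_attach list (hunk -341) is pasted verbatim for every other tool in this file (hunks -352 through -645) and again for each test in src/tests/Makefile.am; a single conditional variable would state the intent once and keep the lists from drifting. Define it once, `if ENABLE_SECCOMP` / `LXC_SECCOMP_SOURCES = seccomp.c lxcseccomp.h` / `endif` with an empty `else` branch so Automake accepts unconditional use, and append `$(LXC_SECCOMP_SOURCES)` to each `_SOURCES` list. Two of the pasted blocks (init_lxc at -594 and lxc_usernsexec at -645) also omit the trailing blank `+` line the others carry, so the file ends up with inconsistent spacing between targets. Compiling seccomp.c into each tool presumably also requires libseccomp on each tool's link line; the tests hunk adds `@SECCOMP_LIBS@` to `LDADD` explicitly, but this file's tool `_LDADD`/`LDADD` lines are not in the diff, so confirm they already carry it.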
@@ -385,6 +401,10 @@ lxc_console_SOURCES = tools/lxc_console.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_console_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_destroy_SOURCES = tools/lxc_destroy.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -396,6 +416,10 @@ lxc_destroy_SOURCES = tools/lxc_destroy.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_destroy_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_device_SOURCES = tools/lxc_device.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -407,6 +431,10 @@ lxc_device_SOURCES = tools/lxc_device.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_device_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_execute_SOURCES = tools/lxc_execute.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -418,6 +446,10 @@ lxc_execute_SOURCES = tools/lxc_execute.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_execute_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_freeze_SOURCES = tools/lxc_freeze.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -429,6 +461,10 @@ lxc_freeze_SOURCES = tools/lxc_freeze.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_freeze_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_info_SOURCES = tools/lxc_info.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -440,6 +476,10 @@ lxc_info_SOURCES = tools/lxc_info.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_info_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_monitor_SOURCES = tools/lxc_monitor.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -452,6 +492,10 @@ lxc_monitor_SOURCES = tools/lxc_monitor.c \
 log.c log.h \
 macro.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_monitor_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_ls_SOURCES = tools/lxc_ls.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -464,6 +508,10 @@ lxc_ls_SOURCES = tools/lxc_ls.c \
 log.c log.h \
 memory_utils.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_ls_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_copy_SOURCES = tools/lxc_copy.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -476,6 +524,10 @@ lxc_copy_SOURCES = tools/lxc_copy.c \
 log.c log.h \
 storage/storage_utils.c storage/storage_utils.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_copy_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_start_SOURCES = tools/lxc_start.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -487,6 +539,10 @@ lxc_start_SOURCES = tools/lxc_start.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_start_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_stop_SOURCES = tools/lxc_stop.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -498,6 +554,10 @@ lxc_stop_SOURCES = tools/lxc_stop.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_stop_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_top_SOURCES = tools/lxc_top.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -509,6 +569,10 @@ lxc_top_SOURCES = tools/lxc_top.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_top_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_unfreeze_SOURCES = tools/lxc_unfreeze.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -520,6 +584,10 @@ lxc_unfreeze_SOURCES = tools/lxc_unfreeze.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_unfreeze_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_unshare_SOURCES = tools/lxc_unshare.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -533,6 +601,10 @@ lxc_unshare_SOURCES = tools/lxc_unshare.c \
 string_utils.c string_utils.h \
 syscall_numbers.h \
 syscall_wrappers.h
+if ENABLE_SECCOMP
+lxc_unshare_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_wait_SOURCES = tools/lxc_wait.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -544,6 +616,10 @@ lxc_wait_SOURCES = tools/lxc_wait.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_wait_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_create_SOURCES = tools/lxc_create.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -556,6 +632,10 @@ lxc_create_SOURCES = tools/lxc_create.c \
 log.c log.h \
 storage/storage_utils.c storage/storage_utils.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_create_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_snapshot_SOURCES = tools/lxc_snapshot.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -567,6 +647,10 @@ lxc_snapshot_SOURCES = tools/lxc_snapshot.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_snapshot_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_checkpoint_SOURCES = tools/lxc_checkpoint.c \
 tools/arguments.c tools/arguments.h \
 af_unix.c af_unix.h \
@@ -578,6 +662,10 @@ lxc_checkpoint_SOURCES = tools/lxc_checkpoint.c \
 initutils.c initutils.h \
 log.c log.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+lxc_checkpoint_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 endif
 if ENABLE_COMMANDS
@@ -594,6 +682,9 @@ init_lxc_SOURCES = cmd/lxc_init.c \
 process_utils.c process_utils.h \
 syscall_numbers.h \
 string_utils.c string_utils.h
+if ENABLE_SECCOMP
+init_lxc_SOURCES += seccomp.c lxcseccomp.h
+endif
 init_lxc_LDFLAGS = -pthread
@@ -612,6 +703,10 @@ lxc_monitord_SOURCES = cmd/lxc_monitord.c \
 string_utils.c string_utils.h \
 syscall_numbers.h \
 utils.c utils.h
+if ENABLE_SECCOMP
+lxc_monitord_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_user_nic_SOURCES = cmd/lxc_user_nic.c \
 ../include/netns_ifaddrs.c ../include/netns_ifaddrs.h \
 af_unix.c af_unix.h \
@@ -630,6 +725,10 @@ lxc_user_nic_SOURCES = cmd/lxc_user_nic.c \
 syscall_numbers.h \
 string_utils.c string_utils.h \
 syscall_wrappers.h
+if ENABLE_SECCOMP
+lxc_user_nic_SOURCES += seccomp.c lxcseccomp.h
+endif
+
 lxc_usernsexec_SOURCES = cmd/lxc_usernsexec.c \
 af_unix.c af_unix.h \
 caps.c caps.h \
@@ -645,6 +744,9 @@ lxc_usernsexec_SOURCES = cmd/lxc_usernsexec.c \
 string_utils.c string_utils.h \
 syscall_wrappers.h \
 utils.c utils.h
+if ENABLE_SECCOMP
+lxc_usernsexec_SOURCES += seccomp.c lxcseccomp.h
+endif
 endif
diff --git a/src/lxc/lxcseccomp.h b/src/lxc/lxcseccomp.h
index d96a015b2..2e9bda5a4 100644
--- a/src/lxc/lxcseccomp.h
+++ b/src/lxc/lxcseccomp.h
@@ -16,6 +16,7 @@
 #include
 #endif
+#include "compiler.h"
 #include "conf.h"
 #include "config.h"
 #include "memory_utils.h"
@@ -77,21 +78,19 @@ struct lxc_seccomp {
 #endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
 };
-extern int lxc_seccomp_load(struct lxc_conf *conf);
-extern int lxc_read_seccomp_config(struct lxc_conf *conf);
-extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
-extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
- struct lxc_epoll_descr *descr);
-extern void seccomp_conf_init(struct lxc_conf *conf);
-extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
- struct lxc_epoll_descr *descr,
- struct lxc_handler *handler);
-extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
- int socket_fd);
-extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
- int socket_fd);
-extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
- struct lxc_seccomp *seccomp);
+__hidden extern int lxc_seccomp_load(struct lxc_conf *conf);
+__hidden extern int lxc_read_seccomp_config(struct lxc_conf *conf);
+__hidden extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
+__hidden extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
+ struct lxc_epoll_descr *descr);
+__hidden extern void seccomp_conf_init(struct lxc_conf *conf);
+__hidden extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
+ struct lxc_epoll_descr *descr,
+ struct lxc_handler *handler);
+__hidden extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd);
+__hidden extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd);
+__hidden extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
+ struct lxc_seccomp *seccomp);
 static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
 {
 #if HAVE_DECL_SECCOMP_NOTIFY_FD
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 8c84c1d2b..064b2b0f6 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
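Review bot: The new `__hidden` declarations (hunk -77) remove these nine functions from liblxc's exported symbol table, yet nothing in the header records that consequence; a reader linking a tool against liblxc.so would get undefined references from this header with no hint as to why, and the rationale currently lives only in the Makefile.am changes. A short block comment above `lxc_seccomp_load`, `/* Internal to liblxc and not part of the exported ABI: binaries built outside the library that use these declarations must compile seccomp.c themselves (see the _SOURCES lists in Makefile.am). */`, would make the contract explicit at the point of declaration. `__hidden` itself comes from compiler.h, which the earlier hunk (-16) of this file now includes, so the header stays self-contained. The `static inline lxc_seccomp_get_notify_fd` whose first lines appear as trailing context continues outside the hunk and is unaffected by the visibility change.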
@@ -1,6 +1,11 @@
 if ENABLE_TESTS
-LDADD = ../lxc/liblxc.la
+LDADD = ../lxc/liblxc.la \
+ @CAP_LIBS@ \
+ @OPENSSL_LIBS@ \
+ @SECCOMP_LIBS@ \
+ @SELINUX_LIBS@ \
+ @DLOG_LIBS@
 lxc_test_api_reboot_SOURCES = api_reboot.c \
 ../lxc/af_unix.c ../lxc/af_unix.h \
@@ -16,6 +21,10 @@ lxc_test_api_reboot_SOURCES = api_reboot.c \
 ../lxc/network.c ../lxc/network.h \
 ../lxc/nl.c ../lxc/nl.h \
 ../lxc/string_utils.c ../lxc/string_utils.h
+if ENABLE_SECCOMP
+lxc_test_api_reboot_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
+endif
+
 lxc_test_apparmor_SOURCES = aa.c
 lxc_test_attach_SOURCES = attach.c \
 ../lxc/af_unix.c ../lxc/af_unix.h \
@@ -31,6 +40,10 @@ lxc_test_attach_SOURCES = attach.c \
 ../lxc/network.c ../lxc/network.h \
 ../lxc/nl.c ../lxc/nl.h \
 ../lxc/string_utils.c ../lxc/string_utils.h
+if ENABLE_SECCOMP
+lxc_test_attach_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
+endif
+
 lxc_test_basic_SOURCES = basic.c
 lxc_test_cgpath_SOURCES = cgpath.c \
 ../lxc/af_unix.c ../lxc/af_unix.h \
@@ -46,6 +59,10 @@ lxc_test_cgpath_SOURCES = cgpath.c \
 ../lxc/network.c ../lxc/network.h \
 ../lxc/nl.c ../lxc/nl.h \
 ../lxc/string_utils.c ../lxc/string_utils.h
+if ENABLE_SECCOMP
+lxc_test_cgpath_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
+endif
+
 lxc_test_clonetest_SOURCES = clonetest.c
 lxc_test_concurrent_SOURCES = concurrent.c
 lxc_test_config_jump_table_SOURCES = config_jump_table.c \
@@ -63,6 +80,10 @@ lxc_test_config_jump_table_SOURCES = config_jump_table.c \
 ../lxc/network.c ../lxc/network.h \
 ../lxc/nl.c ../lxc/nl.h \
 ../lxc/string_utils.c ../lxc/string_utils.h
+if ENABLE_SECCOMP
+lxc_test_config_jump_table_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
+endif
+
 lxc_test_console_SOURCES = console.c
 lxc_test_console_log_SOURCES = console_log.c lxctest.h
 lxc_test_containertests_SOURCES = containertests.c
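Review bot: The `LDADD` hunk (-1) adds `@CAP_LIBS@`, `@OPENSSL_LIBS@`, `@SELINUX_LIBS@` and `@DLOG_LIBS@` alongside `@SECCOMP_LIBS@`, but only the seccomp library follows from what this commit does (compiling `../lxc/seccomp.c` into the test binaries); neither the commit message nor the hunk says why the other four are now needed. Presumably they resolve symbols of the liblxc sources the tests already compile in directly, which stop being satisfied by the shared object once its internals are hidden, but that is inferred rather than shown here. A one-line comment above the list, `# Link libraries for the liblxc sources compiled directly into the test binaries`, would record the reason next to the list, and the commit message should name it as well so the dependency is traceable.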
@@ -99,6 +120,10 @@ lxc_test_parse_config_file_SOURCES = parse_config_file.c \
 ../lxc/network.c ../lxc/network.h \
 ../lxc/nl.c ../lxc/nl.h \
 ../lxc/string_utils.c ../lxc/string_utils.h
+if ENABLE_SECCOMP
+lxc_test_parse_config_file_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
+endif
+
 lxc_test_raw_clone_SOURCES = lxc_raw_clone.c \
 lxctest.h \
 ../lxc/caps.c ../lxc/caps.h \
@@ -137,6 +162,9 @@ lxc_test_utils_SOURCES = lxc-test-utils.c \
 ../lxc/network.c ../lxc/network.h \
 ../lxc/nl.c ../lxc/nl.h \
 ../lxc/string_utils.c ../lxc/string_utils.h
+if ENABLE_SECCOMP
+lxc_test_utils_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
+endif
 AM_CFLAGS=-DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \
 -DLXCPATH=\"$(LXCPATH)\" \
--
2.47.2