nsflags: replace namespace_flag_map with general namespace_info introduced earlier
authorChristian Brauner <brauner@kernel.org>
Fri, 30 Sep 2022 13:02:18 +0000 (15:02 +0200)
committerChristian Brauner (Microsoft) <brauner@kernel.org>
Tue, 4 Oct 2022 16:51:04 +0000 (18:51 +0200)
src/shared/nsflags.c
src/shared/nsflags.h
src/shared/seccomp-util.c

index b5bba809151b97acec061425697d120e0a4c8456..d4cee069dd651a79382f0046c16897b7091f5f2b 100644 (file)
@@ -4,22 +4,10 @@
 
 #include "alloc-util.h"
 #include "extract-word.h"
+#include "namespace-util.h"
 #include "nsflags.h"
 #include "string-util.h"
 
-const struct namespace_flag_map namespace_flag_map[] = {
-        { CLONE_NEWCGROUP, "cgroup" },
-        { CLONE_NEWIPC,    "ipc"    },
-        { CLONE_NEWNET,    "net"    },
-        /* So, the mount namespace flag is called CLONE_NEWNS for historical reasons. Let's expose it here under a more
-         * explanatory name: "mnt". This is in-line with how the kernel exposes namespaces in /proc/$PID/ns. */
-        { CLONE_NEWNS,     "mnt"    },
-        { CLONE_NEWPID,    "pid"    },
-        { CLONE_NEWUSER,   "user"   },
-        { CLONE_NEWUTS,    "uts"    },
-        {}
-};
-
 int namespace_flags_from_string(const char *name, unsigned long *ret) {
         unsigned long flags = 0;
         int r;
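Review bot: The set of namespace names accepted by namespace_flags_from_string() is no longer defined in this file: the seven-entry table removed at the top of this hunk is replaced by namespace_info[] from namespace-util.c, and nothing on the page shows that table having the same membership, so any extra entry it carries (a time-namespace entry, if one exists there) is silently accepted here and, per the matching loop in the seccomp-util.c hunk, blocked by seccomp_restrict_namespaces() unless retained. That widening of RestrictNamespaces= is not mentioned in the commit message and deserves a comment next to the new include, e.g. `/* Namespace names and CLONE_* flags come from namespace_info[] in namespace-util.c; every entry there is accepted by namespace_flags_from_string() and blocked by seccomp_restrict_namespaces() unless retained, so extending that table widens both. */`. The body of namespace_flags_from_string() continues outside the hunk, as does the seccomp_restrict_namespaces() loop on the seccomp-util.c side.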
@@ -37,9 +25,9 @@ int namespace_flags_from_string(const char *name, unsigned long *ret) {
                 if (r == 0)
                         break;
 
-                for (i = 0; namespace_flag_map[i].name; i++)
-                        if (streq(word, namespace_flag_map[i].name)) {
-                                 f = namespace_flag_map[i].flag;
+                for (i = 0; namespace_info[i].proc_name; i++)
+                        if (streq(word, namespace_info[i].proc_name)) {
+                                 f = namespace_info[i].clone_flag;
                                  break;
                         }
 
@@ -57,11 +45,11 @@ int namespace_flags_to_string(unsigned long flags, char **ret) {
         _cleanup_free_ char *s = NULL;
         unsigned i;
 
-        for (i = 0; namespace_flag_map[i].name; i++) {
-                if ((flags & namespace_flag_map[i].flag) != namespace_flag_map[i].flag)
+        for (i = 0; namespace_info[i].proc_name; i++) {
+                if ((flags & namespace_info[i].clone_flag) != namespace_info[i].clone_flag)
                         continue;
 
-                if (!strextend_with_separator(&s, " ", namespace_flag_map[i].name))
+                if (!strextend_with_separator(&s, " ", namespace_info[i].proc_name))
                         return -ENOMEM;
         }
 
@@ -71,9 +59,9 @@ int namespace_flags_to_string(unsigned long flags, char **ret) {
 }
 
 const char *namespace_single_flag_to_string(unsigned long flag) {
-        for (unsigned i = 0; namespace_flag_map[i].name; i++)
-                if (namespace_flag_map[i].flag == flag)
-                        return namespace_flag_map[i].name;
+        for (unsigned i = 0; namespace_info[i].proc_name; i++)
+                if (namespace_info[i].clone_flag == flag)
+                        return namespace_info[i].proc_name;
 
         return NULL;
 }
index a35332dd9701ccc6b1cdcf5e6dd7703bdfa26735..b59740c00954af79a17b84e08a3fd73b3beb5280 100644 (file)
 int namespace_flags_from_string(const char *name, unsigned long *ret);
 int namespace_flags_to_string(unsigned long flags, char **ret);
 const char *namespace_single_flag_to_string(unsigned long flag);
-
-struct namespace_flag_map {
-        unsigned long flag;
-        const char *name;
-};
-
-extern const struct namespace_flag_map namespace_flag_map[];
index cd0915e2b266174f6714612bd39777ba50ce1ad8..52ee315dda782bb13b0ab4f9e002433028741011 100644 (file)
@@ -18,6 +18,7 @@
 #include "env-util.h"
 #include "errno-list.h"
 #include "macro.h"
+#include "namespace-util.h"
 #include "nsflags.h"
 #include "nulstr-util.h"
 #include "process-util.h"
@@ -1289,16 +1290,16 @@ int seccomp_restrict_namespaces(unsigned long retain) {
                         continue;
                 }
 
-                for (unsigned i = 0; namespace_flag_map[i].name; i++) {
+                for (unsigned i = 0; namespace_info[i].proc_name; i++) {
                         unsigned long f;
 
-                        f = namespace_flag_map[i].flag;
+                        f = namespace_info[i].clone_flag;
                         if (FLAGS_SET(retain, f)) {
-                                log_debug("Permitting %s.", namespace_flag_map[i].name);
+                                log_debug("Permitting %s.", namespace_info[i].proc_name);
                                 continue;
                         }
 
-                        log_debug("Blocking %s.", namespace_flag_map[i].name);
+                        log_debug("Blocking %s.", namespace_info[i].proc_name);
 
                         r = seccomp_rule_add_exact(
                                         seccomp,