pid1: pass unit name to seccomp parser when we have no file location

Building on previous commit, let's pass the unit name when parsing
dbus message or builtin whitelist, which is better than nothing.

seccomp_parse_syscall_filter() is not needed anymore, so it is removed,
and seccomp_parse_syscall_filter_full() is renamed to take its place.

diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 1f704127322e7f7fe21933ede14c4e7acd281212..5532d1ada93f5167502939f0b50545edb824ee60 100644 (file)
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -1417,7 +1417,9 @@ int bus_exec_context_set_transient_property(
                                         r = seccomp_parse_syscall_filter("@default",
                                                                          -1,
                                                                          c->syscall_filter,
-                                                                         SECCOMP_PARSE_WHITELIST | invert_flag);
+                                                                         SECCOMP_PARSE_WHITELIST | invert_flag,
+                                                                         u->id,
+                                                                         NULL, 0);
                                         if (r < 0)
                                                 return r;
                                 }
@@ -1434,7 +1436,9 @@ int bus_exec_context_set_transient_property(
                                 r = seccomp_parse_syscall_filter(n,
                                                                  e,
                                                                  c->syscall_filter,
-                                                                 (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag);
+                                                                 (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag,
+                                                                 u->id,
+                                                                 NULL, 0);
                                 if (r < 0)
                                         return r;
                         }

diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 6acfd9b8ea4c8d216077c240746c7a9c196aedc2..9b7c8cba6726b895c43dfa59d609eba9baf2f8eb 100644 (file)
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -2735,7 +2735,9 @@ int config_parse_syscall_filter(
                         /* Accept default syscalls if we are on a whitelist */
                         r = seccomp_parse_syscall_filter(
                                         "@default", -1, c->syscall_filter,
-                                        SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST);
+                                        SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST,
+                                        unit,
+                                        NULL, 0);
                         if (r < 0)
                                 return r;
                 }
@@ -2762,7 +2764,7 @@ int config_parse_syscall_filter(
                         continue;
                 }
 
-                r = seccomp_parse_syscall_filter_full(
+                r = seccomp_parse_syscall_filter(
                                 name, num, c->syscall_filter,
                                 SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|
                                 (invert ? SECCOMP_PARSE_INVERT : 0)|

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 7a179998bdbd8cf63dd1fe37b810026d1ae57d6a..aab1feadb3ca52c3a8c11ce5c0ebf5b52e617a27 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1016,7 +1016,7 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
         return 0;
 }
 
-int seccomp_parse_syscall_filter_full(
+int seccomp_parse_syscall_filter(
                 const char *name,
                 int errno_num,
                 Hashmap *filter,
@@ -1049,7 +1049,7 @@ int seccomp_parse_syscall_filter_full(
                          * away the SECCOMP_PARSE_LOG flag) since any issues in the group table are our own problem,
                          * not a problem in user configuration data and we shouldn't pretend otherwise by complaining
                          * about them. */
-                        r = seccomp_parse_syscall_filter_full(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
+                        r = seccomp_parse_syscall_filter(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
                         if (r < 0)
                                 return r;
                 }

diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 31c6c211fd2f87bfe5afb35eb96ddf3ca65d6500..14dbc42691e33afbea4ec3b45955fc0b2692b10e 100644 (file)
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -70,13 +70,13 @@ typedef enum SeccompParseFlags {
         SECCOMP_PARSE_PERMISSIVE = 1 << 3,
 } SeccompParseFlags;
 
-int seccomp_parse_syscall_filter_full(
-                const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags,
-                const char *unit, const char *filename, unsigned line);
-
-static inline int seccomp_parse_syscall_filter(const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags) {
-        return seccomp_parse_syscall_filter_full(name, errno_num, filter, flags, NULL, NULL, 0);
-}
+int seccomp_parse_syscall_filter(
+                const char *name,
+                int errno_num,
+                Hashmap *filter,
+                SeccompParseFlags flags,
+                const char *unit,
+                const char *filename, unsigned line);
 
 int seccomp_restrict_archs(Set *archs);
 int seccomp_restrict_namespaces(unsigned long retain);