From: Zbigniew Jędrzejewski-Szmek Date: Thu, 10 Aug 2023 08:18:12 +0000 (+0200) Subject: nspawn,shared: make ERRNO_IS_SECCOMP_FATAL an inline func with _NEG_ variant X-Git-Tag: v255-rc1~706^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3c098014f5559376e7ed2fa1e3d4ce626bf40a61;p=thirdparty%2Fsystemd.git nspawn,shared: make ERRNO_IS_SECCOMP_FATAL an inline func with _NEG_ variant Also rebreak comments and lines. No functional change. --- diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c index f26bcf829fa..5f45f367d0a 100644 --- a/src/nspawn/nspawn-seccomp.c +++ b/src/nspawn/nspawn-seccomp.c @@ -206,11 +206,11 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy return r; r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return log_error_errno(r, "Failed to install seccomp filter: %m"); - log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); - } + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return log_error_errno(r, "Failed to install seccomp filter: %m"); + if (r < 0) + log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); } SECCOMP_FOREACH_LOCAL_ARCH(arch) { @@ -243,11 +243,11 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy } r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return log_error_errno(r, "Failed to install seccomp audit filter: %m"); - log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); - } + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return log_error_errno(r, "Failed to install seccomp audit filter: %m"); + if (r < 0) + log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); } return 0; diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 95e5bf29c59..e614b05c83d 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -3409,13 +3409,11 @@ static int inner_child( if (arg_seccomp) { if (is_seccomp_available()) { - r = seccomp_load(arg_seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return log_error_errno(r, "Failed to install seccomp filter: %m"); + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return log_error_errno(r, "Failed to install seccomp filter: %m"); + if (r < 0) log_debug_errno(r, "Failed to install seccomp filter: %m"); - } } } else #endif diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index de78de3b80d..66c564aea28 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -1102,11 +1102,11 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter return log_debug_errno(r, "Failed to add filter set: %m"); r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); - } + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return r; + if (r < 0) + log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); } return 0; @@ -1164,12 +1164,11 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter } r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return r; + if (r < 0) log_debug_errno(r, "Failed to install system call filter for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); - } } return 0; @@ -1206,10 +1205,10 @@ int seccomp_parse_syscall_filter( } NULSTR_FOREACH(i, set->value) { - /* Call ourselves again, for the group to parse. Note that we downgrade logging here (i.e. take - * away the SECCOMP_PARSE_LOG flag) since any issues in the group table are our own problem, - * not a problem in user configuration data and we shouldn't pretend otherwise by complaining - * about them. */ + /* Call ourselves again, for the group to parse. Note that we downgrade logging here + * (i.e. take away the SECCOMP_PARSE_LOG flag) since any issues in the group table + * are our own problem, not a problem in user configuration data and we shouldn't + * pretend otherwise by complaining about them. */ r = seccomp_parse_syscall_filter(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line); if (r < 0) return r; @@ -1227,9 +1226,9 @@ int seccomp_parse_syscall_filter( return 0; } - /* If we previously wanted to forbid a syscall and now we want to allow it, then remove - * it from the list. The entries in allow-list with non-negative error value will be - * handled with SCMP_ACT_ERRNO() instead of the default action. */ + /* If we previously wanted to forbid a syscall and now we want to allow it, then remove it + * from the list. The entries in allow-list with non-negative error value will be handled + * with SCMP_ACT_ERRNO() instead of the default action. */ if (!FLAGS_SET(flags, SECCOMP_PARSE_INVERT) == FLAGS_SET(flags, SECCOMP_PARSE_ALLOW_LIST) || (FLAGS_SET(flags, SECCOMP_PARSE_INVERT | SECCOMP_PARSE_ALLOW_LIST) && errno_num >= 0)) { r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(errno_num)); @@ -1287,19 +1286,20 @@ int seccomp_restrict_namespaces(unsigned long retain) { SCMP_SYS(clone3), 0); if (r < 0) - log_debug_errno(r, "Failed to add clone3() rule for architecture %s, ignoring: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add clone3() rule for architecture %s, ignoring: %m", + seccomp_arch_to_string(arch)); if ((retain & NAMESPACE_FLAGS_ALL) == 0) - /* If every single kind of namespace shall be prohibited, then let's block the whole setns() syscall - * altogether. */ + /* If every single kind of namespace shall be prohibited, then let's block the whole + * setns() syscall altogether. */ r = seccomp_rule_add_exact( seccomp, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(setns), 0); else - /* Otherwise, block only the invocations with the appropriate flags in the loop below, but also the - * special invocation with a zero flags argument, right here. */ + /* Otherwise, block only the invocations with the appropriate flags in the loop + * below, but also the special invocation with a zero flags argument, right here. */ r = seccomp_rule_add_exact( seccomp, SCMP_ACT_ERRNO(EPERM), @@ -1307,7 +1307,8 @@ int seccomp_restrict_namespaces(unsigned long retain) { 1, SCMP_A1(SCMP_CMP_EQ, 0)); if (r < 0) { - log_debug_errno(r, "Failed to add setns() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add setns() rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); continue; } @@ -1329,7 +1330,8 @@ int seccomp_restrict_namespaces(unsigned long retain) { 1, SCMP_A0(SCMP_CMP_MASKED_EQ, f, f)); if (r < 0) { - log_debug_errno(r, "Failed to add unshare() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add unshare() rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); break; } @@ -1349,7 +1351,8 @@ int seccomp_restrict_namespaces(unsigned long retain) { 1, SCMP_A1(SCMP_CMP_MASKED_EQ, f, f)); if (r < 0) { - log_debug_errno(r, "Failed to add clone() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add clone() rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); break; } @@ -1361,7 +1364,8 @@ int seccomp_restrict_namespaces(unsigned long retain) { 1, SCMP_A1(SCMP_CMP_MASKED_EQ, f, f)); if (r < 0) { - log_debug_errno(r, "Failed to add setns() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add setns() rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); break; } } @@ -1370,11 +1374,11 @@ int seccomp_restrict_namespaces(unsigned long retain) { continue; r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - log_debug_errno(r, "Failed to install namespace restriction rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); - } + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return r; + if (r < 0) + log_debug_errno(r, "Failed to install namespace restriction rules for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); } return 0; @@ -1412,16 +1416,17 @@ int seccomp_protect_sysctl(void) { SCMP_SYS(_sysctl), 0); if (r < 0) { - log_debug_errno(r, "Failed to add _sysctl() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add _sysctl() rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); continue; } r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - log_debug_errno(r, "Failed to install sysctl protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); - } + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return r; + if (r < 0) + log_debug_errno(r, "Failed to install sysctl protection rules for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); } return 0; @@ -1450,11 +1455,11 @@ int seccomp_protect_syslog(void) { } r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m", seccomp_arch_to_string(arch)); - } + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return r; + if (r < 0) + log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m", + seccomp_arch_to_string(arch)); } return 0; @@ -1550,7 +1555,8 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) { SCMP_SYS(socket), 0); if (r < 0) { - log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); continue; } @@ -1564,7 +1570,8 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) { 1, SCMP_A0(SCMP_CMP_LT, first)); if (r < 0) { - log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); continue; } @@ -1576,7 +1583,8 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) { 1, SCMP_A0(SCMP_CMP_GT, last)); if (r < 0) { - log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); continue; } @@ -1596,7 +1604,8 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) { break; } if (r < 0) { - log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); continue; } } @@ -1618,17 +1627,18 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) { break; } if (r < 0) { - log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); continue; } } r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); - } + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return r; + if (r < 0) + log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); } return 0; @@ -1685,7 +1695,8 @@ int seccomp_restrict_realtime_full(int error_code) { 1, SCMP_A1(SCMP_CMP_EQ, p)); if (r < 0) { - log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); continue; } } @@ -1699,16 +1710,17 @@ int seccomp_restrict_realtime_full(int error_code) { 1, SCMP_A1(SCMP_CMP_GT, max_policy)); if (r < 0) { - log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); continue; } r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - log_debug_errno(r, "Failed to install realtime protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); - } + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return r; + if (r < 0) + log_debug_errno(r, "Failed to install realtime protection rules for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); } return 0; @@ -1842,12 +1854,11 @@ int seccomp_memory_deny_write_execute(void) { } r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return r; + if (r < 0) log_debug_errno(r, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); - } loaded++; } @@ -1916,11 +1927,10 @@ int seccomp_restrict_archs(Set *archs) { return r; r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return r; + if (r < 0) log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m"); - } return 0; } @@ -2007,16 +2017,17 @@ int seccomp_lock_personality(unsigned long personality) { 1, SCMP_A0(SCMP_CMP_NE, personality)); if (r < 0) { - log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); continue; } r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - log_debug_errno(r, "Failed to enable personality lock for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); - } + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return r; + if (r < 0) + log_debug_errno(r, "Failed to enable personality lock for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); } return 0; @@ -2039,7 +2050,8 @@ int seccomp_protect_hostname(void) { SCMP_SYS(sethostname), 0); if (r < 0) { - log_debug_errno(r, "Failed to add sethostname() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add sethostname() rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); continue; } @@ -2049,16 +2061,17 @@ int seccomp_protect_hostname(void) { SCMP_SYS(setdomainname), 0); if (r < 0) { - log_debug_errno(r, "Failed to add setdomainname() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add setdomainname() rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); continue; } r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - log_debug_errno(r, "Failed to apply hostname restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); - } + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return r; + if (r < 0) + log_debug_errno(r, "Failed to apply hostname restrictions for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); } return 0; @@ -2223,21 +2236,23 @@ int seccomp_restrict_suid_sgid(void) { r = seccomp_restrict_sxid(seccomp, S_ISUID); if (r < 0) - log_debug_errno(r, "Failed to add suid rule for architecture %s, ignoring: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add suid rule for architecture %s, ignoring: %m", + seccomp_arch_to_string(arch)); k = seccomp_restrict_sxid(seccomp, S_ISGID); if (k < 0) - log_debug_errno(r, "Failed to add sgid rule for architecture %s, ignoring: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to add sgid rule for architecture %s, ignoring: %m", + seccomp_arch_to_string(arch)); if (r < 0 && k < 0) continue; r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); - } + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return r; + if (r < 0) + log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); } return 0; @@ -2379,11 +2394,11 @@ int seccomp_suppress_sync(void) { #endif r = seccomp_load(seccomp); - if (r < 0) { - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - log_debug_errno(r, "Failed to apply sync() suppression for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); - } + if (ERRNO_IS_NEG_SECCOMP_FATAL(r)) + return r; + if (r < 0) + log_debug_errno(r, "Failed to apply sync() suppression for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); } return 0; diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index 5fd135d5972..9c6016449e8 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -8,6 +8,7 @@ #include #include "errno-list.h" +#include "errno-util.h" #include "parse-util.h" #include "set.h" #include "string-util.h" @@ -127,8 +128,14 @@ extern uint32_t seccomp_local_archs[]; /* EACCES: does not have the CAP_SYS_ADMIN or no_new_privs == 1 * ENOMEM: out of memory, failed to allocate space for a libseccomp structure, or would exceed a defined constant * EFAULT: addresses passed as args (by libseccomp) are invalid */ -#define ERRNO_IS_SECCOMP_FATAL(r) \ - IN_SET(abs(r), EPERM, EACCES, ENOMEM, EFAULT) +static inline bool ERRNO_IS_NEG_SECCOMP_FATAL(intmax_t r) { + return IN_SET(r, + -EPERM, + -EACCES, + -ENOMEM, + -EFAULT); +} +_DEFINE_ABS_WRAPPER(SECCOMP_FATAL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(scmp_filter_ctx, seccomp_release, NULL);