From 241b15779be7621db5ea20a9c5611c6c8082afd9 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Fri, 30 Sep 2022 15:02:18 +0200
Subject: [PATCH] nsflags: replace namespace_flag_map with general namespace_info introduced earlier

---
 src/shared/nsflags.c | 32 ++++++++++----------------------
 src/shared/nsflags.h | 7 -------
 src/shared/seccomp-util.c | 9 +++++----
 3 files changed, 15 insertions(+), 33 deletions(-)

diff --git a/src/shared/nsflags.c b/src/shared/nsflags.c
index b5bba809151..d4cee069dd6 100644
--- a/src/shared/nsflags.c
+++ b/src/shared/nsflags.c
@@ -4,22 +4,10 @@
 
 #include "alloc-util.h"
 #include "extract-word.h"
+#include "namespace-util.h"
 #include "nsflags.h"
 #include "string-util.h"
 
-const struct namespace_flag_map namespace_flag_map[] = {
- { CLONE_NEWCGROUP, "cgroup" },
- { CLONE_NEWIPC, "ipc" },
- { CLONE_NEWNET, "net" },
- /* So, the mount namespace flag is called CLONE_NEWNS for historical reasons. Let's expose it here under a more
- * explanatory name: "mnt". This is in-line with how the kernel exposes namespaces in /proc/$PID/ns. */
- { CLONE_NEWNS, "mnt" },
- { CLONE_NEWPID, "pid" },
- { CLONE_NEWUSER, "user" },
- { CLONE_NEWUTS, "uts" },
- {}
-};
-
 int namespace_flags_from_string(const char *name, unsigned long *ret) {
 unsigned long flags = 0;
 int r;
@@ -37,9 +25,9 @@ int namespace_flags_from_string(const char *name, unsigned long *ret) {
 if (r == 0)
 break;
 
- for (i = 0; namespace_flag_map[i].name; i++)
- if (streq(word, namespace_flag_map[i].name)) {
- f = namespace_flag_map[i].flag;
+ for (i = 0; namespace_info[i].proc_name; i++)
+ if (streq(word, namespace_info[i].proc_name)) {
+ f = namespace_info[i].clone_flag;
 break;
 }
 
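Review bot: The rationale for exposing CLONE_NEWNS under the name "mnt" (the spelling the kernel uses in /proc/$PID/ns) is deleted together with the table, and nothing in the new code records where the accepted names now come from or that they are user-visible vocabulary for RestrictNamespaces= and must stay stable. namespace_info[] is defined in namespace-util.c, outside this patch, so I cannot confirm its proc_name column keeps the same spellings; a comment beside the new include would keep that contract visible, e.g. `/* Namespace names and clone flags come from namespace_info[] (namespace-util.c); proc_name is expected to be the /proc/$PID/ns spelling ("mnt", not "ns") and is what RestrictNamespaces= users write, so it must not change. */`. The tail of this hunk is the head of namespace_flags_from_string, which continues beyond it.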
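Review bot: The rewritten loop terminates on the first namespace_info entry whose proc_name is NULL, so it now depends on namespace_info[] ending in a sentinel entry; the removed table made that guarantee locally with its `{}` terminator, while the shared table lives in namespace-util.c outside this patch and the dependency has become silent. I would state it at the loop, `/* namespace_info[] must end with an all-zero sentinel: this loop stops at proc_name == NULL. */`, or back it with a static assertion on the table where it is defined. Should namespace_info ever hold an entry whose clone_flag is 0, the assignment `f = namespace_info[i].clone_flag;` leaves f at 0 for a word that did match, and the validation that follows is outside this hunk, so I cannot tell whether such a match is distinguishable from an unknown word. namespace_flags_from_string starts and ends outside the hunk.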
@@ -57,11 +45,11 @@ int namespace_flags_to_string(unsigned long flags, char **ret) {
 _cleanup_free_ char *s = NULL;
 unsigned i;
 
- for (i = 0; namespace_flag_map[i].name; i++) {
- if ((flags & namespace_flag_map[i].flag) != namespace_flag_map[i].flag)
+ for (i = 0; namespace_info[i].proc_name; i++) {
+ if ((flags & namespace_info[i].clone_flag) != namespace_info[i].clone_flag)
 continue;
 
- if (!strextend_with_separator(&s, " ", namespace_flag_map[i].name))
+ if (!strextend_with_separator(&s, " ", namespace_info[i].proc_name))
 return -ENOMEM;
 }
 
@@ -71,9 +59,9 @@ int namespace_flags_to_string(unsigned long flags, char **ret) {
 }
 
 const char *namespace_single_flag_to_string(unsigned long flag) {
- for (unsigned i = 0; namespace_flag_map[i].name; i++)
- if (namespace_flag_map[i].flag == flag)
- return namespace_flag_map[i].name;
+ for (unsigned i = 0; namespace_info[i].proc_name; i++)
+ if (namespace_info[i].clone_flag == flag)
+ return namespace_info[i].proc_name;
 
 return NULL;
 }
diff --git a/src/shared/nsflags.h b/src/shared/nsflags.h
index a35332dd970..b59740c0095 100644
--- a/src/shared/nsflags.h
+++ b/src/shared/nsflags.h
@@ -21,10 +21,3 @@
 int namespace_flags_from_string(const char *name, unsigned long *ret);
 int namespace_flags_to_string(unsigned long flags, char **ret);
 const char *namespace_single_flag_to_string(unsigned long flag);
-
-struct namespace_flag_map {
- unsigned long flag;
- const char *name;
-};
-
-extern const struct namespace_flag_map namespace_flag_map[];
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index cd0915e2b26..52ee315dda7 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -18,6 +18,7 @@
 #include "env-util.h"
 #include "errno-list.h"
 #include "macro.h"
+#include "namespace-util.h"
 #include "nsflags.h"
 #include "nulstr-util.h"
 #include "process-util.h"
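Review bot: In namespace_flags_to_string the new test `(flags & namespace_info[i].clone_flag) != namespace_info[i].clone_flag` can never be true when clone_flag is 0, so any non-sentinel namespace_info entry without a clone flag would be appended to the output for every input, including flags == 0. I cannot see the namespace_info definition to rule such an entry out, and the deleted local table excluded the case by construction; skipping flagless entries explicitly preserves the old behaviour, `if (namespace_info[i].clone_flag == 0 || (flags & namespace_info[i].clone_flag) != namespace_info[i].clone_flag) continue;`. The same consideration applies to the equality test in namespace_single_flag_to_string in the next hunk, where flag == 0 would then return that entry's name instead of NULL. namespace_flags_to_string begins before this hunk and ends after it.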
@@ -1289,16 +1290,16 @@ int seccomp_restrict_namespaces(unsigned long retain) {
 continue;
 }
 
- for (unsigned i = 0; namespace_flag_map[i].name; i++) {
+ for (unsigned i = 0; namespace_info[i].proc_name; i++) {
 unsigned long f;
 
- f = namespace_flag_map[i].flag;
+ f = namespace_info[i].clone_flag;
 if (FLAGS_SET(retain, f)) {
- log_debug("Permitting %s.", namespace_flag_map[i].name);
+ log_debug("Permitting %s.", namespace_info[i].proc_name);
 continue;
 }
 
- log_debug("Blocking %s.", namespace_flag_map[i].name);
+ log_debug("Blocking %s.", namespace_info[i].proc_name);
 
 r = seccomp_rule_add_exact(
 seccomp,
-- 
2.47.3
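Review bot: The set of clone flags that seccomp_restrict_namespaces blocks is now whatever namespace_info[] enumerates rather than the seven entries of the deleted local table, and since namespace_info is defined in namespace-util.c outside this patch I cannot tell whether the two sets are identical. If the shared table carries a namespace the old map lacked, RestrictNamespaces= quietly starts filtering that flag too, and NAMESPACE_FLAGS_ALL in nsflags.h, which this commit leaves untouched, would no longer describe what this loop iterates; that is a behaviour change for existing units that deserves either a sentence in the commit message or a check in the code. A cheap guard is to pin the invariant where the flag is read, `assert_se(FLAGS_SET(NAMESPACE_FLAGS_ALL, f));` right after `f = namespace_info[i].clone_flag;`, or to derive NAMESPACE_FLAGS_ALL from the table so the two cannot drift. seccomp_restrict_namespaces and the seccomp_rule_add_exact call continue past the end of the hunk.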