From 58f6ab4454fbd2ac440f97ce4a230a5b57dd5392 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 3 Apr 2019 09:17:42 +0200 Subject: [PATCH] pid1: pass unit name to seccomp parser when we have no file location Building on previous commit, let's pass the unit name when parsing dbus message or builtin whitelist, which is better than nothing. seccomp_parse_syscall_filter() is not needed anymore, so it is removed, and seccomp_parse_syscall_filter_full() is renamed to take its place. --- src/core/dbus-execute.c | 8 ++++++-- src/core/load-fragment.c | 6 ++++-- src/shared/seccomp-util.c | 4 ++-- src/shared/seccomp-util.h | 14 +++++++------- 4 files changed, 19 insertions(+), 13 deletions(-) diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c index 1f704127322..5532d1ada93 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c @@ -1417,7 +1417,9 @@ int bus_exec_context_set_transient_property( r = seccomp_parse_syscall_filter("@default", -1, c->syscall_filter, - SECCOMP_PARSE_WHITELIST | invert_flag); + SECCOMP_PARSE_WHITELIST | invert_flag, + u->id, + NULL, 0); if (r < 0) return r; } @@ -1434,7 +1436,9 @@ int bus_exec_context_set_transient_property( r = seccomp_parse_syscall_filter(n, e, c->syscall_filter, - (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag); + (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag, + u->id, + NULL, 0); if (r < 0) return r; } diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index 6acfd9b8ea4..9b7c8cba672 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -2735,7 +2735,9 @@ int config_parse_syscall_filter( /* Accept default syscalls if we are on a whitelist */ r = seccomp_parse_syscall_filter( "@default", -1, c->syscall_filter, - SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST); + SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST, + unit, + NULL, 0); if (r < 0) return r; } @@ -2762,7 +2764,7 @@ int config_parse_syscall_filter( continue; } - r = seccomp_parse_syscall_filter_full( + r = seccomp_parse_syscall_filter( name, num, c->syscall_filter, SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE| (invert ? SECCOMP_PARSE_INVERT : 0)| diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 7a179998bdb..aab1feadb3c 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -1016,7 +1016,7 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u return 0; } -int seccomp_parse_syscall_filter_full( +int seccomp_parse_syscall_filter( const char *name, int errno_num, Hashmap *filter, @@ -1049,7 +1049,7 @@ int seccomp_parse_syscall_filter_full( * away the SECCOMP_PARSE_LOG flag) since any issues in the group table are our own problem, * not a problem in user configuration data and we shouldn't pretend otherwise by complaining * about them. */ - r = seccomp_parse_syscall_filter_full(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line); + r = seccomp_parse_syscall_filter(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line); if (r < 0) return r; } diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index 31c6c211fd2..14dbc42691e 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -70,13 +70,13 @@ typedef enum SeccompParseFlags { SECCOMP_PARSE_PERMISSIVE = 1 << 3, } SeccompParseFlags; -int seccomp_parse_syscall_filter_full( - const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags, - const char *unit, const char *filename, unsigned line); - -static inline int seccomp_parse_syscall_filter(const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags) { - return seccomp_parse_syscall_filter_full(name, errno_num, filter, flags, NULL, NULL, 0); -} +int seccomp_parse_syscall_filter( + const char *name, + int errno_num, + Hashmap *filter, + SeccompParseFlags flags, + const char *unit, + const char *filename, unsigned line); int seccomp_restrict_archs(Set *archs); int seccomp_restrict_namespaces(unsigned long retain); -- 2.47.3