shared/seccomp-util: added functionality to make list of filtred syscalls

While at it, start removing the "seccomp_" prefix from our own functions. It is used by libseccomp.
2020-08-21 17:21:04 +02:00 · 2020-08-21 17:21:04 +02:00 · 000c05207d
parent 752fedbea7
commit 000c05207d
3 changed files with 46 additions and 10 deletions
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@ -146,13 +146,18 @@ static int seccomp_add_default_syscall_filter(
                if (allow_list[i].capability != 0 && (cap_list_retain & (1ULL << allow_list[i].capability)) == 0)
                        continue;

-                r = seccomp_add_syscall_filter_item(ctx, allow_list[i].name, SCMP_ACT_ALLOW, syscall_deny_list, false);
+                r = seccomp_add_syscall_filter_item(ctx,
+                                                    allow_list[i].name,
+                                                    SCMP_ACT_ALLOW,
+                                                    syscall_deny_list,
+                                                    false,
+                                                    NULL);
                if (r < 0)
                        return log_error_errno(r, "Failed to add syscall filter item %s: %m", allow_list[i].name);
        }

        STRV_FOREACH(p, syscall_allow_list) {
-                r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true);
+                r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true, NULL);
                if (r < 0)
                        log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
                                          *p, seccomp_arch_to_string(arch));
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -902,15 +902,31 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name) {
        return NULL;
 }

-static int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action, char **exclude, bool log_missing);
+static int add_syscall_filter_set(
+                scmp_filter_ctx seccomp,
+                const SyscallFilterSet *set,
+                uint32_t action,
+                char **exclude,
+                bool log_missing,
+                char ***added);
+
+int seccomp_add_syscall_filter_item(
+                scmp_filter_ctx *seccomp,
+                const char *name,
+                uint32_t action,
+                char **exclude,
+                bool log_missing,
+                char ***added) {

-int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, uint32_t action, char **exclude, bool log_missing) {
        assert(seccomp);
        assert(name);

        if (strv_contains(exclude, name))
                return 0;

+        /* Any syscalls that are handled are added to the *added strv. The pointer
+         * must be either NULL or point to a valid pre-initialized possibly-empty strv. */
+
        if (name[0] == '@') {
                const SyscallFilterSet *other;

@ -920,7 +936,7 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
                                               "Filter set %s is not known!",
                                               name);

-                return seccomp_add_syscall_filter_set(seccomp, other, action, exclude, log_missing);
+                return add_syscall_filter_set(seccomp, other, action, exclude, log_missing, added);

        } else {
                int id, r;
@ -944,25 +960,34 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
                                return r;
                }

+                if (added) {
+                        r = strv_extend(added, name);
+                        if (r < 0)
+                                return r;
+                }
+
                return 0;
        }
 }

-static int seccomp_add_syscall_filter_set(
+static int add_syscall_filter_set(
                scmp_filter_ctx seccomp,
                const SyscallFilterSet *set,
                uint32_t action,
                char **exclude,
-                bool log_missing) {
+                bool log_missing,
+                char ***added) {

        const char *sys;
        int r;

+        /* Any syscalls that are handled are added to the *added strv. It needs to be initialized. */
+
        assert(seccomp);
        assert(set);

        NULSTR_FOREACH(sys, set->value) {
-                r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing);
+                r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing, added);
                if (r < 0)
                        return r;
        }
@ -988,7 +1013,7 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
                if (r < 0)
                        return r;

-                r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL, log_missing);
+                r = add_syscall_filter_set(seccomp, set, action, NULL, log_missing, NULL);
                if (r < 0)
                        return log_debug_errno(r, "Failed to add filter set: %m");

--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@ -60,7 +60,13 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name);

 int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);

-int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action, char **exclude, bool log_missing);
+int seccomp_add_syscall_filter_item(
+                scmp_filter_ctx *ctx,
+                const char *name,
+                uint32_t action,
+                char **exclude,
+                bool log_missing,
+                char ***added);

 int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing);
 int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing);