shared/seccomp-util: added functionality to make list of filtred syscalls
While at it, start removing the "seccomp_" prefix from our own functions. It is used by libseccomp.
This commit is contained in:
parent
752fedbea7
commit
000c05207d
|
@ -146,13 +146,18 @@ static int seccomp_add_default_syscall_filter(
|
|||
if (allow_list[i].capability != 0 && (cap_list_retain & (1ULL << allow_list[i].capability)) == 0)
|
||||
continue;
|
||||
|
||||
r = seccomp_add_syscall_filter_item(ctx, allow_list[i].name, SCMP_ACT_ALLOW, syscall_deny_list, false);
|
||||
r = seccomp_add_syscall_filter_item(ctx,
|
||||
allow_list[i].name,
|
||||
SCMP_ACT_ALLOW,
|
||||
syscall_deny_list,
|
||||
false,
|
||||
NULL);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to add syscall filter item %s: %m", allow_list[i].name);
|
||||
}
|
||||
|
||||
STRV_FOREACH(p, syscall_allow_list) {
|
||||
r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true);
|
||||
r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true, NULL);
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
|
||||
*p, seccomp_arch_to_string(arch));
|
||||
|
|
|
@ -902,15 +902,31 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name) {
|
|||
return NULL;
|
||||
}
|
||||
|
||||
static int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action, char **exclude, bool log_missing);
|
||||
static int add_syscall_filter_set(
|
||||
scmp_filter_ctx seccomp,
|
||||
const SyscallFilterSet *set,
|
||||
uint32_t action,
|
||||
char **exclude,
|
||||
bool log_missing,
|
||||
char ***added);
|
||||
|
||||
int seccomp_add_syscall_filter_item(
|
||||
scmp_filter_ctx *seccomp,
|
||||
const char *name,
|
||||
uint32_t action,
|
||||
char **exclude,
|
||||
bool log_missing,
|
||||
char ***added) {
|
||||
|
||||
int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, uint32_t action, char **exclude, bool log_missing) {
|
||||
assert(seccomp);
|
||||
assert(name);
|
||||
|
||||
if (strv_contains(exclude, name))
|
||||
return 0;
|
||||
|
||||
/* Any syscalls that are handled are added to the *added strv. The pointer
|
||||
* must be either NULL or point to a valid pre-initialized possibly-empty strv. */
|
||||
|
||||
if (name[0] == '@') {
|
||||
const SyscallFilterSet *other;
|
||||
|
||||
|
@ -920,7 +936,7 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
|
|||
"Filter set %s is not known!",
|
||||
name);
|
||||
|
||||
return seccomp_add_syscall_filter_set(seccomp, other, action, exclude, log_missing);
|
||||
return add_syscall_filter_set(seccomp, other, action, exclude, log_missing, added);
|
||||
|
||||
} else {
|
||||
int id, r;
|
||||
|
@ -944,25 +960,34 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
|
|||
return r;
|
||||
}
|
||||
|
||||
if (added) {
|
||||
r = strv_extend(added, name);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
static int seccomp_add_syscall_filter_set(
|
||||
static int add_syscall_filter_set(
|
||||
scmp_filter_ctx seccomp,
|
||||
const SyscallFilterSet *set,
|
||||
uint32_t action,
|
||||
char **exclude,
|
||||
bool log_missing) {
|
||||
bool log_missing,
|
||||
char ***added) {
|
||||
|
||||
const char *sys;
|
||||
int r;
|
||||
|
||||
/* Any syscalls that are handled are added to the *added strv. It needs to be initialized. */
|
||||
|
||||
assert(seccomp);
|
||||
assert(set);
|
||||
|
||||
NULSTR_FOREACH(sys, set->value) {
|
||||
r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing);
|
||||
r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing, added);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
@ -988,7 +1013,7 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
|
|||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL, log_missing);
|
||||
r = add_syscall_filter_set(seccomp, set, action, NULL, log_missing, NULL);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to add filter set: %m");
|
||||
|
||||
|
|
|
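Review bot: In `seccomp_add_syscall_filter_item` the name is appended to `*added` (the `if (added)` block after `return r; }`) only after the rule-adding block that closes at that `return r; }`, and the start of that block lies outside the hunk; if it contains a path that tolerates an unknown-on-this-architecture syscall by falling through instead of returning, `*added` would record a syscall for which no rule was installed, so this ordering should be checked against the full function. The two comments describing `added` also disagree: the item function says the pointer "must be either NULL or point to a valid pre-initialized possibly-empty strv" and `seccomp_load_syscall_filter_set` does pass NULL, while `add_syscall_filter_set` says "It needs to be initialized." — suggest replacing the latter with `/* If non-NULL, *added must be a valid (possibly empty) strv; every syscall that got a rule is appended to it. */`. Finally, `strv_extend` appends unconditionally, so a syscall reachable through more than one filter set (or listed twice) will appear more than once in `*added`; if consumers expect a set rather than a log, say so in the comment or deduplicate at the consumer.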
@ -60,7 +60,13 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name);
|
|||
|
||||
int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);
|
||||
|
||||
int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action, char **exclude, bool log_missing);
|
||||
int seccomp_add_syscall_filter_item(
|
||||
scmp_filter_ctx *ctx,
|
||||
const char *name,
|
||||
uint32_t action,
|
||||
char **exclude,
|
||||
bool log_missing,
|
||||
char ***added);
|
||||
|
||||
int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing);
|
||||
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing);
|
||||
|
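Review bot: The new `added` parameter of `seccomp_add_syscall_filter_item` is undocumented in the header; its contract (NULL allowed, otherwise a pre-initialized strv that collects the handled syscalls) only lives in a comment inside the .c file, which is where API users will not look. Suggest a comment above the declaration such as `/* If 'added' is non-NULL it must point to an initialized (possibly empty) strv; every syscall for which a rule was added is appended to it. Presumably the caller owns and frees the strv — confirm. */`.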
|