From 2f6b9110fcdf12751a39dd93f498dbc5b318d4e1 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 28 Mar 2019 12:00:56 +0100
Subject: [PATCH 1/4] core: parse '@default' seccomp group permissively We are about to add system calls (rseq()) not available on old libseccomp/old kernels, and hence we need to be permissive when parsing our definitions.
---
 src/core/load-fragment.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 2f62c7acb5..58833dfc7c 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -2695,7 +2695,9 @@ int config_parse_syscall_filter(
 c->syscall_whitelist = true;
 /* Accept default syscalls if we are on a whitelist */
- r = seccomp_parse_syscall_filter("@default", -1, c->syscall_filter, SECCOMP_PARSE_WHITELIST);
+ r = seccomp_parse_syscall_filter(
+ "@default", -1, c->syscall_filter,
+ SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST);
 if (r < 0)
 return r;
 }
From acd142af79fe081cf7a107ab057b4609dad2bcc5 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 28 Mar 2019 12:09:23 +0100
Subject: [PATCH 2/4] core: break overly long line
---
 src/core/load-fragment.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 58833dfc7c..77592e8faf 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -2724,9 +2724,12 @@ int config_parse_syscall_filter(
 continue;
 }
- r = seccomp_parse_syscall_filter_full(name, num, c->syscall_filter,
- SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|(invert ? SECCOMP_PARSE_INVERT : 0)|(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
- unit, filename, line);
+ r = seccomp_parse_syscall_filter_full(
+ name, num, c->syscall_filter,
+ SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|
+ (invert ? SECCOMP_PARSE_INVERT : 0)|
+ (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
+ unit, filename, line);
 if (r < 0)
 return r;
 }
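Review bot: The `@default` parse in the first hunk now passes `SECCOMP_PARSE_PERMISSIVE` but not `SECCOMP_PARSE_LOG`, unlike the per-name `seccomp_parse_syscall_filter_full()` call in the second hunk, so an entry that gets skipped would presumably leave no trace. Because this is the whitelist branch, a dropped name narrows the filter rather than widening it, which is the safe direction, but a service that later fails on the missing syscall will be hard to diagnose. I would add a comment above the call such as `/* Permissive: skip @default entries this libseccomp does not know; that only narrows the whitelist */`, and consider passing the log flag as well if the helper honours it on this path. The body of config_parse_syscall_filter() starts and ends outside both hunks.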
From 6fee3be0b4929d5641bf1c850fce7884b6d1e44e Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 28 Mar 2019 10:01:09 +0100
Subject: [PATCH 3/4] seccomp: add rseq() to default list of syscalls to whitelist Apparently glibc is going to call this implicitly soon, hence let's whitelist this by default. Fixes: #12127
---
 src/shared/seccomp-util.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 905be0f6a9..ba3f433106 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -291,6 +291,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "pause\0"
 "prlimit64\0"
 "restart_syscall\0"
+ "rseq\0"
 "rt_sigreturn\0"
 "sched_yield\0"
 "set_robust_list\0"
From d84520e9d97c190196847e22c9ff7a431f18a002 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 28 Mar 2019 12:00:28 +0100
Subject: [PATCH 4/4] update TODO
---
 TODO | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/TODO b/TODO
index 5b312649a5..3762aa2447 100644
--- a/TODO
+++ b/TODO
@@ -23,6 +23,12 @@ Janitorial Clean-ups:
 Features:
+* tweak journald context caching. In addition to caching per-process attributes
+ keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read)
+ keyed by cgroup path, and guarded by ctime changes. This should provide us
+ with a nice speed-up on services that have many processes running in the same
+ cgroup.
+
 * clean up sleep.c: - Use CLOCK_BOOTTIME_ALARM for waking up s2h instead of RTC ioctls - Parse sleep.conf only once, and parse its whole contents so that we don't
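Review bot: The `"rseq\0"` entry added to `syscall_filter_sets` is, per the description of patch 1/4, a name that older libseccomp and kernels do not know, yet the only consumer made tolerant of it in this series is the `@default` parse in config_parse_syscall_filter(). Any other code that walks this table and resolves names strictly is not visible here and would need the same tolerance, so that is worth confirming before merge. A short comment beside the entry, for example `/* may be unknown to older libseccomp/kernels; consumers must tolerate that */`, would record the constraint for whoever adds the next new syscall. The array initializer begins and ends outside the hunk.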