Lennart Poettering
GitHub
commit
6f90962a87
|
|
@ -692,7 +692,7 @@ static int seccomp_add_syscall_filter_set(
|
|||
r = seccomp_rule_add_exact(seccomp, action, id, 0);
|
||||
if (r < 0)
|
||||
/* If the system call is not known on this architecture, then that's fine, let's ignore it */
|
||||
log_debug_errno(r, "Failed to add rule for system call %s, ignoring: %m", sys);
|
||||
log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m", sys, id);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -761,7 +761,7 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Set* set, uint3
|
|||
_cleanup_free_ char *n = NULL;
|
||||
|
||||
n = seccomp_syscall_resolve_num_arch(arch, PTR_TO_INT(id) - 1);
|
||||
log_debug_errno(r, "Failed to add rule for system call %s, ignoring: %m", strna(n));
|
||||
log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m", strna(n), PTR_TO_INT(id) - 1);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -899,6 +899,10 @@ int seccomp_protect_sysctl(void) {
|
|||
|
||||
log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
|
||||
|
||||
if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64))
|
||||
/* No _sysctl syscall */
|
||||
continue;
|
||||
|
||||
r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
|
@ -1219,10 +1223,6 @@ int seccomp_memory_deny_write_execute(void) {
|
|||
|
||||
break;
|
||||
|
||||
case SCMP_ARCH_AARCH64:
|
||||
block_syscall = SCMP_SYS(mmap);
|
||||
/* fall through */
|
||||
|
||||
case SCMP_ARCH_ARM:
|
||||
filter_syscall = SCMP_SYS(mmap2); /* arm has only mmap2 */
|
||||
shmat_syscall = SCMP_SYS(shmat);
|
||||
|
|
@ -1230,7 +1230,8 @@ int seccomp_memory_deny_write_execute(void) {
|
|||
|
||||
case SCMP_ARCH_X86_64:
|
||||
case SCMP_ARCH_X32:
|
||||
filter_syscall = SCMP_SYS(mmap); /* amd64 and x32 have only mmap */
|
||||
case SCMP_ARCH_AARCH64:
|
||||
filter_syscall = SCMP_SYS(mmap); /* amd64, x32, and arm64 have only mmap */
|
||||
shmat_syscall = SCMP_SYS(shmat);
|
||||
break;
|
||||
|
||||
|
|
|
|||
|
|
@ -244,13 +244,17 @@ static void test_protect_sysctl(void) {
|
|||
assert_se(pid >= 0);
|
||||
|
||||
if (pid == 0) {
|
||||
#if __NR__sysctl > 0
|
||||
assert_se(syscall(__NR__sysctl, NULL) < 0);
|
||||
assert_se(errno == EFAULT);
|
||||
#endif
|
||||
|
||||
assert_se(seccomp_protect_sysctl() >= 0);
|
||||
|
||||
#if __NR__sysctl > 0
|
||||
assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
|
||||
assert_se(errno == EPERM);
|
||||
#endif
|
||||
|
||||
_exit(EXIT_SUCCESS);
|
||||
}
|
||||
|
|
@ -525,7 +529,11 @@ static void test_load_syscall_filter_set_raw(void) {
|
|||
assert_se(poll(NULL, 0, 0) == 0);
|
||||
|
||||
assert_se(s = set_new(NULL));
|
||||
#if SCMP_SYS(access) >= 0
|
||||
assert_se(set_put(s, UINT32_TO_PTR(__NR_access + 1)) >= 0);
|
||||
#else
|
||||
assert_se(set_put(s, UINT32_TO_PTR(__NR_faccessat + 1)) >= 0);
|
||||
#endif
|
||||
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0);
|
||||
|
||||
|
|
@ -537,7 +545,11 @@ static void test_load_syscall_filter_set_raw(void) {
|
|||
s = set_free(s);
|
||||
|
||||
assert_se(s = set_new(NULL));
|
||||
#if SCMP_SYS(poll) >= 0
|
||||
assert_se(set_put(s, UINT32_TO_PTR(__NR_poll + 1)) >= 0);
|
||||
#else
|
||||
assert_se(set_put(s, UINT32_TO_PTR(__NR_ppoll + 1)) >= 0);
|
||||
#endif
|
||||
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0);
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue