analyze: add syscall-filter verb

This should make it easier for users to understand what each filter
means as the list of syscalls is updated in subsequent systemd versions.
Zbigniew Jędrzejewski-Szmek 2016-11-02 11:58:18 -04:00
parent 7fa6328cc4
commit 869feb3388
5 changed files with 101 additions and 25 deletions


@ -101,6 +101,12 @@
<arg choice="plain">set-log-target</arg>
<arg choice="plain"><replaceable>TARGET</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>systemd-analyze</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
<arg choice="plain">syscall-filter</arg>
<arg choice="opt"><replaceable>SET</replaceable>...</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>systemd-analyze</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
@ -181,6 +187,11 @@
<option>--log-target=</option>, described in
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>
<para><command>systemd-analyze syscall-filter <optional><replaceable>SET</replaceable>...</optional></command>
will list system calls contained in the specified system call set <replaceable>SET</replaceable>,
or all known sets if no sets are specified. Argument <replaceable>SET</replaceable> must include
the <literal>@</literal> prefix.</para>
<para><command>systemd-analyze verify</command> will load unit files and print
warnings if any errors are detected. Files specified on the command line will be
loaded, but also any other units referenced by them. The full unit search path is


@ -1373,8 +1373,13 @@
</tgroup>
</table>
Note that as new system calls are added to the kernel, additional system calls might be added to the groups
above, so the contents of the sets may change between systemd versions.</para>
Note, that as new system calls are added to the kernel, additional system calls might be
added to the groups above. Contents of the sets may also change between systemd
versions. In addition, the list of system calls depends on the kernel version and
architecture for which systemd was compiled. Use
<command>systemd-analyze syscall-filter</command> to list the actual list of system calls in
each filter.
</para>
<para>It is recommended to combine the file system namespacing related options with
<varname>SystemCallFilter=~@mount</varname>, in order to prohibit the unit's processes to undo the
@ -1844,6 +1849,7 @@
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,


@ -45,6 +45,7 @@ _systemd_analyze() {
[DOT]='dot'
[LOG_LEVEL]='set-log-level'
[VERIFY]='verify'
[SECCOMP_FILTER]='syscall-filter'
)
_init_completion || return
@ -100,6 +101,11 @@ _systemd_analyze() {
comps='debug info notice warning err crit alert emerg'
fi
elif __contains_word "$verb" ${VERBS[SECCOMP_FILTER]}; then
if [[ $cur = -* ]]; then
comps='--help --version'
fi
elif __contains_word "$verb" ${VERBS[VERIFY]}; then
if [[ $cur = -* ]]; then
comps='--help --version --system --user --man'


@ -21,6 +21,7 @@ _systemd_analyze_command(){
'dot:Dump dependency graph (in dot(1) format)'
'dump:Dump server status'
'set-log-level:Set systemd log threshold'
'syscall-filter:List syscalls in seccomp filter'
'verify:Check unit files for correctness'
)


@ -36,6 +36,7 @@
#include "log.h"
#include "pager.h"
#include "parse-util.h"
#include "seccomp-util.h"
#include "special.h"
#include "strv.h"
#include "strxcpyx.h"
@ -1275,36 +1276,85 @@ static int set_log_target(sd_bus *bus, char **args) {
return 0;
}
static void dump_syscall_filter(const SyscallFilterSet *set) {
const char *syscall;
printf("%s\n", set->name);
NULSTR_FOREACH(syscall, set->value)
printf(" %s\n", syscall);
}
static int dump_syscall_filters(char** names) {
bool first = true;
pager_open(arg_no_pager, false);
if (strv_isempty(names)) {
int i;
for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
if (!first)
puts("");
dump_syscall_filter(syscall_filter_sets + i);
first = false;
}
} else {
char **name;
STRV_FOREACH(name, names) {
const SyscallFilterSet *set;
if (!first)
puts("");
set = syscall_filter_set_find(*name);
if (!set) {
/* make sure the error appears below normal output */
fflush(stdout);
log_error("Filter set \"%s\" not found.", *name);
return -ENOENT;
}
dump_syscall_filter(set);
first = false;
}
}
return 0;
}
static void help(void) {
pager_open(arg_no_pager, false);
printf("%s [OPTIONS...] {COMMAND} ...\n\n"
"Profile systemd, show unit dependencies, check unit files.\n\n"
" -h --help Show this help\n"
" --version Show package version\n"
" --no-pager Do not pipe output into a pager\n"
" --system Operate on system systemd instance\n"
" --user Operate on user systemd instance\n"
" -H --host=[USER@]HOST Operate on remote host\n"
" -M --machine=CONTAINER Operate on local container\n"
" --order Show only order in the graph\n"
" --require Show only requirement in the graph\n"
" --from-pattern=GLOB Show only origins in the graph\n"
" --to-pattern=GLOB Show only destinations in the graph\n"
" --fuzz=SECONDS Also print also services which finished SECONDS\n"
" earlier than the latest in the branch\n"
" --man[=BOOL] Do [not] check for existence of man pages\n\n"
" -h --help Show this help\n"
" --version Show package version\n"
" --no-pager Do not pipe output into a pager\n"
" --system Operate on system systemd instance\n"
" --user Operate on user systemd instance\n"
" -H --host=[USER@]HOST Operate on remote host\n"
" -M --machine=CONTAINER Operate on local container\n"
" --order Show only order in the graph\n"
" --require Show only requirement in the graph\n"
" --from-pattern=GLOB Show only origins in the graph\n"
" --to-pattern=GLOB Show only destinations in the graph\n"
" --fuzz=SECONDS Also print also services which finished SECONDS\n"
" earlier than the latest in the branch\n"
" --man[=BOOL] Do [not] check for existence of man pages\n\n"
"Commands:\n"
" time Print time spent in the kernel\n"
" blame Print list of running units ordered by time to init\n"
" critical-chain Print a tree of the time critical chain of units\n"
" plot Output SVG graphic showing service initialization\n"
" dot Output dependency graph in dot(1) format\n"
" set-log-level LEVEL Set logging threshold for manager\n"
" set-log-target TARGET Set logging target for manager\n"
" dump Output state serialization of service manager\n"
" verify FILE... Check unit files for correctness\n"
" time Print time spent in the kernel\n"
" blame Print list of running units ordered by time to init\n"
" critical-chain Print a tree of the time critical chain of units\n"
" plot Output SVG graphic showing service initialization\n"
" dot Output dependency graph in dot(1) format\n"
" set-log-level LEVEL Set logging threshold for manager\n"
" set-log-target TARGET Set logging target for manager\n"
" dump Output state serialization of service manager\n"
" syscall-filter [NAME...] Print list of syscalls in seccomp filter\n"
" verify FILE... Check unit files for correctness\n"
, program_invocation_short_name);
/* When updating this list, including descriptions, apply
@ -1471,6 +1521,8 @@ int main(int argc, char *argv[]) {
r = set_log_level(bus, argv+optind+1);
else if (streq(argv[optind], "set-log-target"))
r = set_log_target(bus, argv+optind+1);
else if (streq(argv[optind], "syscall-filter"))
r = dump_syscall_filters(argv+optind+1);
else
log_error("Unknown operation '%s'.", argv[optind]);
}
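Review bot: The failure path in dump_syscall_filters reports only `Filter set "%s" not found.`, although the man-page text in this commit requires SET to carry the `@` prefix, so a user typing `syscall-filter mount` gets no hint about why the lookup failed; assuming syscall_filter_set_find() matches the prefixed name, extend it to `log_error("Filter set \"%s\" not found (set names must start with \"@\").", *name);`. The `if (!first) puts("")` inside the STRV_FOREACH loop runs before the lookup, so a failed lookup also emits a stray blank line ahead of the error; move it after the `if (!set)` check so only successful sets are separated. The help entry (help() continues past the hunk) calls the argument `[NAME...]` while the man page and zsh completion say SET / seccomp filter, so one term should be used everywhere. As a point of style, `char** names` departs from the `char **args` spelling used in set_log_target's signature in the same file. A one-line comment on dump_syscall_filters such as `/* Lists the syscalls each set contains as compiled into this systemd build; see the systemd.exec note on kernel/arch dependence */` would help, since the service man-page hunk states that set contents depend on the kernel version and architecture systemd was built for and readers might otherwise take the output for the running kernel's effective filter.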