shared: add @known syscall list
parent
47354b440e
commit
95aac01259
@ -1933,6 +1933,10 @@ RestrictNamespaces=~cgroup net</programlisting>
|
||||||
<entry>@timer</entry>
|
<entry>@timer</entry>
|
||||||
<entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
<entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
||||||
</row>
|
</row>
|
||||||
|
<row>
|
||||||
|
<entry>@known</entry>
|
||||||
|
<entry>All system calls defined by the kernel. This list is defined statically in systemd based on a kernel version that was available when this systmed version was released. It will become progressively more out-of-date as the kernel is updated.</entry>
|
||||||
|
</row>
|
||||||
</tbody>
|
</tbody>
|
||||||
</tgroup>
|
</tgroup>
|
||||||
</table>
|
</table>
|
||||||
|
|
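--- /dev/null
+++ b/src/shared/generate-syscall-list.py
@@ -0,0 +1,5 @@
+#!/usr/bin/env python
+import sys
+
+for line in open(sys.argv[1]):
+    print('"{}\\0"'.format(line.strip()))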
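Review bot: A blank line in `syscall-names.text` makes `print('"{}\\0"'.format(line.strip()))` emit `"\0"`, i.e. an empty entry, and the concatenated literals are spliced into a NUL-separated set value in seccomp-util.c; if that value is walked with NULSTR_FOREACH (as the test file does), an empty entry presumably ends the walk, so every name after the blank would silently vanish from `@known` with no build error. Suggest skipping empty names: `name = line.strip()` / `if not name: continue` / `print('"{}\\0"'.format(name))`. Two smaller points: `open(sys.argv[1])` is never closed (a `with` block would do), and `#!/usr/bin/env python` runs whatever `python` is first on PATH, which may be Python 2 or absent on current distributions; the indentation of the `print` line also appears to have been lost in this rendering.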
@ -262,6 +262,16 @@ endif
|
||||||
test_tables_h = files('test-tables.h')
|
test_tables_h = files('test-tables.h')
|
||||||
shared_sources += test_tables_h
|
shared_sources += test_tables_h
|
||||||
|
|
||||||
|
generate_syscall_list = find_program('generate-syscall-list.py')
|
||||||
|
fname = 'syscall-list.h'
|
||||||
|
syscall_list_h = custom_target(
|
||||||
|
fname,
|
||||||
|
input : 'syscall-names.text',
|
||||||
|
output : fname,
|
||||||
|
command : [generate_syscall_list,
|
||||||
|
'@INPUT@'],
|
||||||
|
capture : true)
|
||||||
|
|
||||||
if conf.get('HAVE_ACL') == 1
|
if conf.get('HAVE_ACL') == 1
|
||||||
shared_sources += files('acl-util.c')
|
shared_sources += files('acl-util.c')
|
||||||
endif
|
endif
|
||||||
|
@ -272,6 +282,7 @@ endif
|
||||||
|
|
||||||
if conf.get('HAVE_SECCOMP') == 1
|
if conf.get('HAVE_SECCOMP') == 1
|
||||||
shared_sources += files('seccomp-util.c')
|
shared_sources += files('seccomp-util.c')
|
||||||
|
shared_sources += syscall_list_h
|
||||||
endif
|
endif
|
||||||
|
|
||||||
if conf.get('HAVE_LIBIPTC') == 1
|
if conf.get('HAVE_LIBIPTC') == 1
|
||||||
|
|
|
@ -883,6 +883,12 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||||
"timerfd_settime64\0"
|
"timerfd_settime64\0"
|
||||||
"times\0"
|
"times\0"
|
||||||
},
|
},
|
||||||
|
[SYSCALL_FILTER_SET_KNOWN] = {
|
||||||
|
.name = "@known",
|
||||||
|
.help = "All known syscalls declared in the kernel",
|
||||||
|
.value =
|
||||||
|
#include "syscall-list.h"
|
||||||
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
const SyscallFilterSet *syscall_filter_set_find(const char *name) {
|
const SyscallFilterSet *syscall_filter_set_find(const char *name) {
|
||||||
|
|
|
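Review bot: The new `.help = "All known syscalls declared in the kernel",` overstates what the set is: per the man-page entry in this commit the list is generated from `syscall-names.text` at build time and is not refreshed from the running kernel, so an allow-list built from `@known` will reject syscalls newer than the list, while a deny-list (`~@known`) will let them through. Since this string is what users presumably see from the filter-set listing tooling (outside this hunk), it should carry the same caveat, e.g. `.help = "All syscalls known to the kernel at the time this systemd version was built",`. The `syscall_filter_sets` array starts before this hunk.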
@ -21,7 +21,7 @@ typedef struct SyscallFilterSet {
|
||||||
} SyscallFilterSet;
|
} SyscallFilterSet;
|
||||||
|
|
||||||
enum {
|
enum {
|
||||||
/* Please leave DEFAULT first, but sort the rest alphabetically */
|
/* Please leave DEFAULT first and KNOWN last, but sort the rest alphabetically */
|
||||||
SYSCALL_FILTER_SET_DEFAULT,
|
SYSCALL_FILTER_SET_DEFAULT,
|
||||||
SYSCALL_FILTER_SET_AIO,
|
SYSCALL_FILTER_SET_AIO,
|
||||||
SYSCALL_FILTER_SET_BASIC_IO,
|
SYSCALL_FILTER_SET_BASIC_IO,
|
||||||
|
@ -50,6 +50,7 @@ enum {
|
||||||
SYSCALL_FILTER_SET_SYNC,
|
SYSCALL_FILTER_SET_SYNC,
|
||||||
SYSCALL_FILTER_SET_SYSTEM_SERVICE,
|
SYSCALL_FILTER_SET_SYSTEM_SERVICE,
|
||||||
SYSCALL_FILTER_SET_TIMER,
|
SYSCALL_FILTER_SET_TIMER,
|
||||||
|
SYSCALL_FILTER_SET_KNOWN,
|
||||||
_SYSCALL_FILTER_SET_MAX
|
_SYSCALL_FILTER_SET_MAX
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -121,7 +121,9 @@ static void test_filter_sets(void) {
|
||||||
int fd, r;
|
int fd, r;
|
||||||
|
|
||||||
/* If we look at the default set (or one that includes it), allow-list instead of deny-list */
|
/* If we look at the default set (or one that includes it), allow-list instead of deny-list */
|
||||||
if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_SYSTEM_SERVICE))
|
if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT,
|
||||||
|
SYSCALL_FILTER_SET_SYSTEM_SERVICE,
|
||||||
|
SYSCALL_FILTER_SET_KNOWN))
|
||||||
r = seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN), syscall_filter_sets + i, SCMP_ACT_ALLOW, true);
|
r = seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN), syscall_filter_sets + i, SCMP_ACT_ALLOW, true);
|
||||||
else
|
else
|
||||||
r = seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EUCLEAN), true);
|
r = seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EUCLEAN), true);
|
||||||
|
@ -145,22 +147,25 @@ static void test_filter_sets(void) {
|
||||||
}
|
}
|
||||||
|
|
||||||
static void test_filter_sets_ordered(void) {
|
static void test_filter_sets_ordered(void) {
|
||||||
size_t i;
|
|
||||||
|
|
||||||
log_info("/* %s */", __func__);
|
log_info("/* %s */", __func__);
|
||||||
|
|
||||||
/* Ensure "@default" always remains at the beginning of the list */
|
/* Ensure "@default" always remains at the beginning of the list */
|
||||||
assert_se(SYSCALL_FILTER_SET_DEFAULT == 0);
|
assert_se(SYSCALL_FILTER_SET_DEFAULT == 0);
|
||||||
assert_se(streq(syscall_filter_sets[0].name, "@default"));
|
assert_se(streq(syscall_filter_sets[0].name, "@default"));
|
||||||
|
|
||||||
for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
|
/* Ensure "@known" always remains at the end of the list */
|
||||||
|
assert_se(SYSCALL_FILTER_SET_KNOWN == _SYSCALL_FILTER_SET_MAX - 1);
|
||||||
|
assert_se(streq(syscall_filter_sets[SYSCALL_FILTER_SET_KNOWN].name, "@known"));
|
||||||
|
|
||||||
|
for (size_t i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
|
||||||
const char *k, *p = NULL;
|
const char *k, *p = NULL;
|
||||||
|
|
||||||
/* Make sure each group has a description */
|
/* Make sure each group has a description */
|
||||||
assert_se(!isempty(syscall_filter_sets[0].help));
|
assert_se(!isempty(syscall_filter_sets[0].help));
|
||||||
|
|
||||||
/* Make sure the groups are ordered alphabetically, except for the first entry */
|
/* Make sure the groups are ordered alphabetically, except for the first and last entries */
|
||||||
assert_se(i < 2 || strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0);
|
assert_se(i < 2 || i == _SYSCALL_FILTER_SET_MAX - 1 ||
|
||||||
|
strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0);
|
||||||
|
|
||||||
NULSTR_FOREACH(k, syscall_filter_sets[i].value) {
|
NULSTR_FOREACH(k, syscall_filter_sets[i].value) {
|
||||||
|
|
||||||
|
|
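Review bot: The per-group description check inside the loop, `assert_se(!isempty(syscall_filter_sets[0].help));`, tests index 0 on every iteration instead of `i`, so the new `@known` entry's `.help` (and that of every other non-first set) is never actually checked here; this is pre-existing, but the commit extends this loop and is the natural place to fix it: `assert_se(!isempty(syscall_filter_sets[i].help));`. The new ordering assertions look right: the first and last indices are pinned before the loop and the alphabetical check excludes `i < 2` and `_SYSCALL_FILTER_SET_MAX - 1`. test_filter_sets_ordered continues past the end of this hunk.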