960e4569e1
Now that we have ported nspawn's seccomp code to the generic code in seccomp-util, let's extend it to support whitelisting and blacklisting of specific additional syscalls. This uses similar syntax as PID1's support for system call filtering, but in contrast to that always implements a blacklist (and not a whitelist), as we prepopulate the filter with a blacklist, and the unit's system call filter logic does not come with anything prepopulated. (Later on we might actually want to invert the logic here, and whitelist rather than blacklist things, but at this point let's not do that. In case we switch this over later, the syscall add/remove logic of this commit should be compatible conceptually.) Fixes: #5163 Replaces: #5944
50 lines
2.9 KiB
Plaintext
50 lines
2.9 KiB
Plaintext
%{
|
|
#include <stddef.h>
|
|
#include "conf-parser.h"
|
|
#include "nspawn-settings.h"
|
|
#include "nspawn-expose-ports.h"
|
|
%}
|
|
struct ConfigPerfItem;
|
|
%null_strings
|
|
%language=ANSI-C
|
|
%define slot-name section_and_lvalue
|
|
%define hash-function-name nspawn_gperf_hash
|
|
%define lookup-function-name nspawn_gperf_lookup
|
|
%readonly-tables
|
|
%omit-struct-type
|
|
%struct-type
|
|
%includes
|
|
%%
|
|
Exec.Boot, config_parse_boot, 0, 0
|
|
Exec.ProcessTwo, config_parse_pid2, 0, 0
|
|
Exec.Parameters, config_parse_strv, 0, offsetof(Settings, parameters)
|
|
Exec.Environment, config_parse_strv, 0, offsetof(Settings, environment)
|
|
Exec.User, config_parse_string, 0, offsetof(Settings, user)
|
|
Exec.Capability, config_parse_capability, 0, offsetof(Settings, capability)
|
|
Exec.DropCapability, config_parse_capability, 0, offsetof(Settings, drop_capability)
|
|
Exec.KillSignal, config_parse_signal, 0, offsetof(Settings, kill_signal)
|
|
Exec.Personality, config_parse_personality, 0, offsetof(Settings, personality)
|
|
Exec.MachineID, config_parse_id128, 0, offsetof(Settings, machine_id)
|
|
Exec.WorkingDirectory, config_parse_path, 0, offsetof(Settings, working_directory)
|
|
Exec.PivotRoot, config_parse_pivot_root, 0, 0
|
|
Exec.PrivateUsers, config_parse_private_users, 0, 0
|
|
Exec.NotifyReady, config_parse_bool, 0, offsetof(Settings, notify_ready)
|
|
Exec.SystemCallFilter, config_parse_syscall_filter,0, 0,
|
|
Files.ReadOnly, config_parse_tristate, 0, offsetof(Settings, read_only)
|
|
Files.Volatile, config_parse_volatile_mode, 0, offsetof(Settings, volatile_mode)
|
|
Files.Bind, config_parse_bind, 0, 0
|
|
Files.BindReadOnly, config_parse_bind, 1, 0
|
|
Files.TemporaryFileSystem, config_parse_tmpfs, 0, 0
|
|
Files.Overlay, config_parse_overlay, 0, 0
|
|
Files.OverlayReadOnly, config_parse_overlay, 1, 0
|
|
Files.PrivateUsersChown, config_parse_tristate, 0, offsetof(Settings, userns_chown)
|
|
Network.Private, config_parse_tristate, 0, offsetof(Settings, private_network)
|
|
Network.Interface, config_parse_strv, 0, offsetof(Settings, network_interfaces)
|
|
Network.MACVLAN, config_parse_strv, 0, offsetof(Settings, network_macvlan)
|
|
Network.IPVLAN, config_parse_strv, 0, offsetof(Settings, network_ipvlan)
|
|
Network.VirtualEthernet, config_parse_tristate, 0, offsetof(Settings, network_veth)
|
|
Network.VirtualEthernetExtra, config_parse_veth_extra, 0, 0
|
|
Network.Bridge, config_parse_ifname, 0, offsetof(Settings, network_bridge)
|
|
Network.Zone, config_parse_network_zone, 0, 0
|
|
Network.Port, config_parse_expose_port, 0, 0
|