picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #8280 from poettering/seccomp-flags 

seccomp flags rework + minor other build system/repo changes
This commit is contained in:
Yu Watanabe 2018-02-28 10:55:59 +09:00 committed by GitHub
parent 27e2779bed 13d92c6300
commit dca4bb35a4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
19 changed files with 59 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/CONTRIBUTING.md vendored
View File

@ -24,8 +24,8 @@ If you discover a security vulnerability, we'd appreciate a non-public disclosur
## Posting Pull Requests
* Make sure to post PRs only relative to a very recent git master.
* Follow our [Coding Style](https://raw.githubusercontent.com/systemd/systemd/master/CODING_STYLE) when contributing code. This is a requirement for all code we merge.
* Please make sure to test your change before submitting the PR. See [HACKING](https://raw.githubusercontent.com/systemd/systemd/master/HACKING) for details how to do this.
* Follow our [Coding Style](https://raw.githubusercontent.com/systemd/systemd/master/doc/CODING_STYLE) when contributing code. This is a requirement for all code we merge.
* Please make sure to test your change before submitting the PR. See [HACKING](https://raw.githubusercontent.com/systemd/systemd/master/doc/HACKING) for details how to do this.
* Make sure to run the test suite locally, before posting your PR. We use a CI system, meaning we don't even look at your PR, if the build and tests don't pass.
* If you need to update the code in an existing PR, force-push into the same branch, overriding old commits with new versions.
* After you have pushed a new version, add a comment about the new version (no notification is sent just for the commits, so it's easy to miss the update without an explicit comment). If you are a member of the systemd project on GitHub, remove the `reviewed/needs-rework` label.

8
NEWS
View File

@ -373,8 +373,8 @@ CHANGES WITH 236:
store again, ahead of POLLHUP or POLLERR when they are removed
anyway.
* A new document UIDS-GIDS.md has been added to the source tree, that
documents the UID/GID range and assignment assumptions and
* A new document doc/UIDS-GIDS.md has been added to the source tree,
that documents the UID/GID range and assignment assumptions and
requirements of systemd.
* The watchdog device PID 1 will ping may now be configured through the
@ -1106,7 +1106,7 @@ CHANGES WITH 233:
* Documentation has been added that lists all of systemd's low-level
environment variables:
https://github.com/systemd/systemd/blob/master/ENVIRONMENT.md
https://github.com/systemd/systemd/blob/master/doc/ENVIRONMENT.md
* sd-daemon gained a new API sd_is_socket_sockaddr() for determining
whether a specific socket file descriptor matches a specified socket
@ -1817,7 +1817,7 @@ CHANGES WITH 231:
booted up with "systemd-nspawn -b -i", qemu-kvm or on any physical
UEFI PC. This functionality is particularly useful to easily test
local changes made to systemd in a pristine, defined environment. See
HACKING for details.
doc/HACKING for details.
* configure learned the --with-support-url= option to specify the
distribution's bugtracker.

4
README.md
View File

@ -14,10 +14,10 @@ Information about build requirements are provided in the [README file](../master
Consult our [NEWS file](../master/NEWS) for information about what's new in the most recent systemd versions.
Please see the [HACKING file](../master/HACKING) for information how to hack on systemd and test your modifications.
Please see the [HACKING file](../master/doc/HACKING) for information how to hack on systemd and test your modifications.
Please see our [Contribution Guidelines](../master/.github/CONTRIBUTING.md) for more information about filing GitHub Issues and posting GitHub Pull Requests.
When preparing patches for systemd, please follow our [Coding Style Guidelines](../master/CODING_STYLE).
When preparing patches for systemd, please follow our [Coding Style Guidelines](../master/doc/CODING_STYLE).
If you are looking for support, please contact our [mailing list](https://lists.freedesktop.org/mailman/listinfo/systemd-devel) or join our [IRC channel](irc://irc.freenode.org/%23systemd).

56
coccinelle/empty-if.cocci
View File

@ -1,56 +0,0 @@
@@
expression e, f, g, h, i, j;
statement s, t;
@@
(
if (e) {
(
if (h) s
|
if (h) s else t
|
while (h) s
|
for (h; i; j) s
)
}
|
while (e) {
(
if (h) s
|
if (h) s else t
|
while (h) s
|
for (h; i; j) s
)
}
|
for (e; f; g) {
(
if (h) s
|
if (h) s else t
|
while (h) s
|
for (h; i; j) s
)
}
|
- if (e) {
+ if (e)
s
- }
|
- while (e) {
+ while (e)
s
- }
|
- for (e; f; g) {
+ for (e; f; g)
s
- }
)

1
coccinelle/run-coccinelle.sh
View File

@ -1,7 +1,6 @@
#!/bin/bash -e
for SCRIPT in ${@-*.cocci} ; do
[ "$SCRIPT" = "empty-if.cocci" ] && continue
echo "--x-- Processing $SCRIPT --x--"
TMPFILE=`mktemp`
spatch --sp-file $SCRIPT --dir $(pwd)/.. 2> "$TMPFILE" || cat "$TMPFILE"

0
CODING_STYLE → doc/CODING_STYLE
View File

0
DISTRO_PORTING → doc/DISTRO_PORTING
View File

0
ENVIRONMENT.md → doc/ENVIRONMENT.md
View File

2
HACKING → doc/HACKING
View File

@ -7,7 +7,7 @@ Request (PR):
https://github.com/systemd/systemd/pull/new
Please make sure to follow our Coding Style when submitting patches. See
CODING_STYLE for details. Also have a look at our Contribution Guidelines:
doc/CODING_STYLE for details. Also have a look at our Contribution Guidelines:
https://github.com/systemd/systemd/blob/master/.github/CONTRIBUTING.md

0
TRANSIENT-SETTINGS.md → doc/TRANSIENT-SETTINGS.md
View File

4
TRANSLATORS → doc/TRANSLATORS
View File

@ -1,12 +1,12 @@
Notes for translators
=====================
Systemd depends on gettext for multilingual support.
systemd depends on gettext for multilingual support.
In po/ directory you'll find the needed files.
POT (Portable Object Template)
------------------------------
A text file with .pot extension, with all the extracted labels from code.
A text file with .pot extension, with all the extracted labels from code.
To update the template:

0
UIDS-GIDS.md → doc/UIDS-GIDS.md
View File

18
meson.build
View File

@ -2596,15 +2596,17 @@ install_data('xorg/50-systemd-user.sh',
install_dir : xinitrcdir)
install_data('modprobe.d/systemd.conf',
install_dir : modprobedir)
install_data('README',
'NEWS',
'CODING_STYLE',
'DISTRO_PORTING',
'ENVIRONMENT.md',
'LICENSE.GPL2',
install_data('LICENSE.GPL2',
'LICENSE.LGPL2.1',
'TRANSIENT-SETTINGS.md',
'UIDS-GIDS.md',
'NEWS',
'README',
'doc/CODING_STYLE',
'doc/DISTRO_PORTING',
'doc/ENVIRONMENT.md',
'doc/HACKING',
'doc/TRANSIENT-SETTINGS.md',
'doc/TRANSLATORS',
'doc/UIDS-GIDS.md',
'src/libsystemd/sd-bus/GVARIANT-SERIALIZATION',
install_dir : docdir)

2
src/basic/verbs.c
View File

@ -41,7 +41,7 @@ bool running_in_chroot_or_offline(void) {
/* Added to support use cases like rpm-ostree, where from %post scripts we only want to execute "preset", but
* not "start"/"restart" for example.
*
* See ENVIRONMENT.md for docs.
* See doc/ENVIRONMENT.md for docs.
*/
r = getenv_bool("SYSTEMD_OFFLINE");
if (r < 0 && r != -ENXIO)

4
src/core/dbus-execute.c
View File

@ -1602,7 +1602,7 @@ int bus_exec_context_set_transient_property(
c->syscall_whitelist = whitelist;
if (c->syscall_whitelist) {
r = seccomp_parse_syscall_filter(invert, "@default", -1, c->syscall_filter, true);
r = seccomp_parse_syscall_filter("@default", -1, c->syscall_filter, SECCOMP_PARSE_WHITELIST | (invert ? SECCOMP_PARSE_INVERT : 0));
if (r < 0)
return r;
}
@ -1616,7 +1616,7 @@ int bus_exec_context_set_transient_property(
if (r < 0)
return r;
r = seccomp_parse_syscall_filter(invert, n, e, c->syscall_filter, c->syscall_whitelist);
r = seccomp_parse_syscall_filter(n, e, c->syscall_filter, (invert ? SECCOMP_PARSE_INVERT : 0) | (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0));
if (r < 0)
return r;
}

6
src/core/load-fragment.c
View File

@ -2934,7 +2934,7 @@ int config_parse_syscall_filter(
c->syscall_whitelist = true;
/* Accept default syscalls if we are on a whitelist */
r = seccomp_parse_syscall_filter(false, "@default", -1, c->syscall_filter, true);
r = seccomp_parse_syscall_filter("@default", -1, c->syscall_filter, SECCOMP_PARSE_WHITELIST);
if (r < 0)
return r;
}
@ -2961,7 +2961,9 @@ int config_parse_syscall_filter(
continue;
}
r = seccomp_parse_syscall_filter_and_warn(invert, name, num, c->syscall_filter, c->syscall_whitelist, unit, filename, line);
r = seccomp_parse_syscall_filter_full(name, num, c->syscall_filter,
SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|(invert ? SECCOMP_PARSE_INVERT : 0)|(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
unit, filename, line);
if (r < 0)
return r;
}

34
src/shared/seccomp-util.c
View File

@ -950,13 +950,11 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
return 0;
}
int seccomp_parse_syscall_filter_internal(
bool invert,
int seccomp_parse_syscall_filter_full(
const char *name,
int errno_num,
Hashmap *filter,
bool whitelist,
bool warn,
SeccompParseFlags flags,
const char *unit,
const char *filename,
unsigned line) {
@ -972,15 +970,20 @@ int seccomp_parse_syscall_filter_internal(
set = syscall_filter_set_find(name);
if (!set) {
if (warn) {
log_syntax(unit, LOG_WARNING, filename, line, 0, "Unknown system call group, ignoring: %s", name);
return 0;
} else
if (!(flags & SECCOMP_PARSE_PERMISSIVE))
return -EINVAL;
log_syntax(unit, flags & SECCOMP_PARSE_LOG ? LOG_WARNING : LOG_DEBUG, filename, line, 0,
"Unknown system call group, ignoring: %s", name);
return 0;
}
NULSTR_FOREACH(i, set->value) {
r = seccomp_parse_syscall_filter_internal(invert, i, errno_num, filter, whitelist, warn, unit, filename, line);
/* Call ourselves again, for the group to parse. Note that we downgrade logging here (i.e. take
* away the SECCOMP_PARSE_LOG flag) since any issues in the group table are our own problem,
* not a problem in user configuration data and we shouldn't pretend otherwise by complaining
* about them. */
r = seccomp_parse_syscall_filter_full(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
if (r < 0)
return r;
}
@ -989,19 +992,20 @@ int seccomp_parse_syscall_filter_internal(
id = seccomp_syscall_resolve_name(name);
if (id == __NR_SCMP_ERROR) {
if (warn) {
log_syntax(unit, LOG_WARNING, filename, line, 0, "Failed to parse system call, ignoring: %s", name);
return 0;
} else
if (!(flags & SECCOMP_PARSE_PERMISSIVE))
return -EINVAL;
log_syntax(unit, flags & SECCOMP_PARSE_LOG ? LOG_WARNING : LOG_DEBUG, filename, line, 0,
"Failed to parse system call, ignoring: %s", name);
return 0;
}
/* If we previously wanted to forbid a syscall and now
* we want to allow it, then remove it from the list. */
if (!invert == whitelist) {
if (!(flags & SECCOMP_PARSE_INVERT) == !!(flags & SECCOMP_PARSE_WHITELIST)) {
r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(errno_num));
if (r < 0)
return warn ? log_oom() : -ENOMEM;
return flags & SECCOMP_PARSE_LOG ? log_oom() : -ENOMEM;
} else
(void) hashmap_remove(filter, INT_TO_PTR(id + 1));
}

25
src/shared/seccomp-util.h
View File

@ -81,22 +81,19 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint
int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action);
int seccomp_parse_syscall_filter_internal(
bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist,
bool warn, const char *unit, const char *filename, unsigned line);
typedef enum SeccompParseFlags {
SECCOMP_PARSE_INVERT = 1U << 0,
SECCOMP_PARSE_WHITELIST = 1U << 1,
SECCOMP_PARSE_LOG = 1U << 2,
SECCOMP_PARSE_PERMISSIVE = 1U << 3,
} SeccompParseFlags;
static inline int seccomp_parse_syscall_filter_and_warn(
bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist,
const char *unit, const char *filename, unsigned line) {
assert(unit);
assert(filename);
int seccomp_parse_syscall_filter_full(
const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags,
const char *unit, const char *filename, unsigned line);
return seccomp_parse_syscall_filter_internal(invert, name, errno_num, filter, whitelist, true, unit, filename, line);
}
static inline int seccomp_parse_syscall_filter(
bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist) {
return seccomp_parse_syscall_filter_internal(invert, name, errno_num, filter, whitelist, false, NULL, NULL, 0);
static inline int seccomp_parse_syscall_filter(const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags) {
return seccomp_parse_syscall_filter_full(name, errno_num, filter, flags, NULL, NULL, 0);
}
int seccomp_restrict_archs(Set *archs);

2
src/systemctl/systemd-sysv-install.SKELETON
View File

@ -11,7 +11,7 @@ usage() {
exit 1
}
ROOT=
unset ROOT
# parse options
eval set -- "$(getopt -o r: --long root: -- "$@")"