Merge pull request #8280 from poettering/seccomp-flags

seccomp flags rework + minor other build system/repo changes

.github/CONTRIBUTING.md

@@ -24,8 +24,8 @@ If you discover a security vulnerability, we'd appreciate a non-public disclosur
 ## Posting Pull Requests
 
 * Make sure to post PRs only relative to a very recent git master.
-* Follow our [Coding Style](https://raw.githubusercontent.com/systemd/systemd/master/CODING_STYLE) when contributing code. This is a requirement for all code we merge.
+* Follow our [Coding Style](https://raw.githubusercontent.com/systemd/systemd/master/doc/CODING_STYLE) when contributing code. This is a requirement for all code we merge.
-* Please make sure to test your change before submitting the PR. See [HACKING](https://raw.githubusercontent.com/systemd/systemd/master/HACKING) for details how to do this.
+* Please make sure to test your change before submitting the PR. See [HACKING](https://raw.githubusercontent.com/systemd/systemd/master/doc/HACKING) for details how to do this.
 * Make sure to run the test suite locally, before posting your PR. We use a CI system, meaning we don't even look at your PR, if the build and tests don't pass.
 * If you need to update the code in an existing PR, force-push into the same branch, overriding old commits with new versions.
 * After you have pushed a new version, add a comment about the new version (no notification is sent just for the commits, so it's easy to miss the update without an explicit comment). If you are a member of the systemd project on GitHub, remove the `reviewed/needs-rework` label.

NEWS

@@ -373,8 +373,8 @@ CHANGES WITH 236:
           store again, ahead of POLLHUP or POLLERR when they are removed
           anyway.
 
-        * A new document UIDS-GIDS.md has been added to the source tree, that
+        * A new document doc/UIDS-GIDS.md has been added to the source tree,
-          documents the UID/GID range and assignment assumptions and
+          that documents the UID/GID range and assignment assumptions and
           requirements of systemd.
 
         * The watchdog device PID 1 will ping may now be configured through the
@@ -1106,7 +1106,7 @@ CHANGES WITH 233:
         * Documentation has been added that lists all of systemd's low-level
           environment variables:
 
-          https://github.com/systemd/systemd/blob/master/ENVIRONMENT.md
+          https://github.com/systemd/systemd/blob/master/doc/ENVIRONMENT.md
 
         * sd-daemon gained a new API sd_is_socket_sockaddr() for determining
           whether a specific socket file descriptor matches a specified socket
@@ -1817,7 +1817,7 @@ CHANGES WITH 231:
           booted up with "systemd-nspawn -b -i", qemu-kvm or on any physical
           UEFI PC. This functionality is particularly useful to easily test
           local changes made to systemd in a pristine, defined environment. See
-          HACKING for details.
+          doc/HACKING for details.
 
         * configure learned the --with-support-url= option to specify the
           distribution's bugtracker.

README.md

@@ -14,10 +14,10 @@ Information about build requirements are provided in the [README file](../master
 
 Consult our [NEWS file](../master/NEWS) for information about what's new in the most recent systemd versions.
 
-Please see the [HACKING file](../master/HACKING) for information how to hack on systemd and test your modifications.
+Please see the [HACKING file](../master/doc/HACKING) for information how to hack on systemd and test your modifications.
 
 Please see our [Contribution Guidelines](../master/.github/CONTRIBUTING.md) for more information about filing GitHub Issues and posting GitHub Pull Requests.
 
-When preparing patches for systemd, please follow our [Coding Style Guidelines](../master/CODING_STYLE).
+When preparing patches for systemd, please follow our [Coding Style Guidelines](../master/doc/CODING_STYLE).
 
 If you are looking for support, please contact our [mailing list](https://lists.freedesktop.org/mailman/listinfo/systemd-devel) or join our [IRC channel](irc://irc.freenode.org/%23systemd).

coccinelle/empty-if.cocci

@@ -1,56 +0,0 @@
-@@
-expression e, f, g, h, i, j;
-statement s, t;
-@@
-(
-if (e) {
-(
-if (h) s
-|
-if (h) s else t
-|
-while (h) s
-|
-for (h; i; j) s
-)
-}
-|
-while (e) {
-(
-if (h) s
-|
-if (h) s else t
-|
-while (h) s
-|
-for (h; i; j) s
-)
-}
-|
-for (e; f; g) {
-(
-if (h) s
-|
-if (h) s else t
-|
-while (h) s
-|
-for (h; i; j) s
-)
-}
-|
-- if (e) {
-+ if (e)
-s
-- }
-|
-- while (e) {
-+ while (e)
-s
-- }
-|
-- for (e; f; g) {
-+ for (e; f; g)
-s
-- }
-)

coccinelle/run-coccinelle.sh

@@ -1,7 +1,6 @@
 #!/bin/bash -e
 
 for SCRIPT in ${@-*.cocci} ; do
-        [ "$SCRIPT" = "empty-if.cocci" ] && continue
         echo "--x-- Processing $SCRIPT --x--"
         TMPFILE=`mktemp`
         spatch --sp-file $SCRIPT --dir $(pwd)/.. 2> "$TMPFILE" || cat "$TMPFILE"

doc/HACKING

@@ -7,7 +7,7 @@ Request (PR):
         https://github.com/systemd/systemd/pull/new
 
 Please make sure to follow our Coding Style when submitting patches. See
-CODING_STYLE for details. Also have a look at our Contribution Guidelines:
+doc/CODING_STYLE for details. Also have a look at our Contribution Guidelines:
 
         https://github.com/systemd/systemd/blob/master/.github/CONTRIBUTING.md
 

doc/TRANSLATORS

@@ -1,12 +1,12 @@
 Notes for translators
 =====================
 
-Systemd depends on gettext for multilingual support.
+systemd depends on gettext for multilingual support.
 In po/ directory you'll find the needed files.
 
 POT (Portable Object Template)
 ------------------------------
-A text file with .pot extension, with all the extracted labels from code. 
+A text file with .pot extension, with all the extracted labels from code.
 
 To update the template:
 

meson.build

@@ -2596,15 +2596,17 @@ install_data('xorg/50-systemd-user.sh',
              install_dir : xinitrcdir)
 install_data('modprobe.d/systemd.conf',
              install_dir : modprobedir)
-install_data('README',
+install_data('LICENSE.GPL2',
-             'NEWS',
-             'CODING_STYLE',
-             'DISTRO_PORTING',
-             'ENVIRONMENT.md',
-             'LICENSE.GPL2',
              'LICENSE.LGPL2.1',
-             'TRANSIENT-SETTINGS.md',
+             'NEWS',
-             'UIDS-GIDS.md',
+             'README',
+             'doc/CODING_STYLE',
+             'doc/DISTRO_PORTING',
+             'doc/ENVIRONMENT.md',
+             'doc/HACKING',
+             'doc/TRANSIENT-SETTINGS.md',
+             'doc/TRANSLATORS',
+             'doc/UIDS-GIDS.md',
              'src/libsystemd/sd-bus/GVARIANT-SERIALIZATION',
              install_dir : docdir)
 

src/basic/verbs.c

@@ -41,7 +41,7 @@ bool running_in_chroot_or_offline(void) {
         /* Added to support use cases like rpm-ostree, where from %post scripts we only want to execute "preset", but
          * not "start"/"restart" for example.
          *
-         * See ENVIRONMENT.md for docs.
+         * See doc/ENVIRONMENT.md for docs.
          */
         r = getenv_bool("SYSTEMD_OFFLINE");
         if (r < 0 && r != -ENXIO)

src/core/dbus-execute.c

@@ -1602,7 +1602,7 @@ int bus_exec_context_set_transient_property(
                                 c->syscall_whitelist = whitelist;
 
                                 if (c->syscall_whitelist) {
-                                        r = seccomp_parse_syscall_filter(invert, "@default", -1, c->syscall_filter, true);
+                                        r = seccomp_parse_syscall_filter("@default", -1, c->syscall_filter, SECCOMP_PARSE_WHITELIST | (invert ? SECCOMP_PARSE_INVERT : 0));
                                         if (r < 0)
                                                 return r;
                                 }
@@ -1616,7 +1616,7 @@ int bus_exec_context_set_transient_property(
                                 if (r < 0)
                                         return r;
 
-                                r = seccomp_parse_syscall_filter(invert, n, e, c->syscall_filter, c->syscall_whitelist);
+                                r = seccomp_parse_syscall_filter(n, e, c->syscall_filter, (invert ? SECCOMP_PARSE_INVERT : 0) | (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0));
                                 if (r < 0)
                                         return r;
                         }

src/core/load-fragment.c

@@ -2934,7 +2934,7 @@ int config_parse_syscall_filter(
                         c->syscall_whitelist = true;
 
                         /* Accept default syscalls if we are on a whitelist */
-                        r = seccomp_parse_syscall_filter(false, "@default", -1, c->syscall_filter, true);
+                        r = seccomp_parse_syscall_filter("@default", -1, c->syscall_filter, SECCOMP_PARSE_WHITELIST);
                         if (r < 0)
                                 return r;
                 }
@@ -2961,7 +2961,9 @@ int config_parse_syscall_filter(
                         continue;
                 }
 
-                r = seccomp_parse_syscall_filter_and_warn(invert, name, num, c->syscall_filter, c->syscall_whitelist, unit, filename, line);
+                r = seccomp_parse_syscall_filter_full(name, num, c->syscall_filter,
+                                                      SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|(invert ? SECCOMP_PARSE_INVERT : 0)|(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
+                                                      unit, filename, line);
                 if (r < 0)
                         return r;
         }

src/shared/seccomp-util.c

@@ -950,13 +950,11 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
         return 0;
 }
 
-int seccomp_parse_syscall_filter_internal(
+int seccomp_parse_syscall_filter_full(
-                bool invert,
                 const char *name,
                 int errno_num,
                 Hashmap *filter,
-                bool whitelist,
+                SeccompParseFlags flags,
-                bool warn,
                 const char *unit,
                 const char *filename,
                 unsigned line) {
@@ -972,15 +970,20 @@ int seccomp_parse_syscall_filter_internal(
 
                 set = syscall_filter_set_find(name);
                 if (!set) {
-                        if (warn) {
+                        if (!(flags & SECCOMP_PARSE_PERMISSIVE))
-                                log_syntax(unit, LOG_WARNING, filename, line, 0, "Unknown system call group, ignoring: %s", name);
-                                return 0;
-                        } else
                                 return -EINVAL;
+
+                        log_syntax(unit, flags & SECCOMP_PARSE_LOG ? LOG_WARNING : LOG_DEBUG, filename, line, 0,
+                                   "Unknown system call group, ignoring: %s", name);
+                        return 0;
                 }
 
                 NULSTR_FOREACH(i, set->value) {
-                        r = seccomp_parse_syscall_filter_internal(invert, i, errno_num, filter, whitelist, warn, unit, filename, line);
+                        /* Call ourselves again, for the group to parse. Note that we downgrade logging here (i.e. take
+                         * away the SECCOMP_PARSE_LOG flag) since any issues in the group table are our own problem,
+                         * not a problem in user configuration data and we shouldn't pretend otherwise by complaining
+                         * about them. */
+                        r = seccomp_parse_syscall_filter_full(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
                         if (r < 0)
                                 return r;
                 }
@@ -989,19 +992,20 @@ int seccomp_parse_syscall_filter_internal(
 
                 id = seccomp_syscall_resolve_name(name);
                 if (id == __NR_SCMP_ERROR) {
-                        if (warn) {
+                        if (!(flags & SECCOMP_PARSE_PERMISSIVE))
-                                log_syntax(unit, LOG_WARNING, filename, line, 0, "Failed to parse system call, ignoring: %s", name);
-                                return 0;
-                        } else
                                 return -EINVAL;
+
+                        log_syntax(unit, flags & SECCOMP_PARSE_LOG ? LOG_WARNING : LOG_DEBUG, filename, line, 0,
+                                   "Failed to parse system call, ignoring: %s", name);
+                        return 0;
                 }
 
                 /* If we previously wanted to forbid a syscall and now
                  * we want to allow it, then remove it from the list. */
-                if (!invert == whitelist) {
+                if (!(flags & SECCOMP_PARSE_INVERT) == !!(flags & SECCOMP_PARSE_WHITELIST)) {
                         r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(errno_num));
                         if (r < 0)
-                                return warn ? log_oom() : -ENOMEM;
+                                return flags & SECCOMP_PARSE_LOG ? log_oom() : -ENOMEM;
                 } else
                         (void) hashmap_remove(filter, INT_TO_PTR(id + 1));
         }

src/shared/seccomp-util.h

@@ -81,22 +81,19 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint
 int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
 int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action);
 
-int seccomp_parse_syscall_filter_internal(
+typedef enum SeccompParseFlags {
-                bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist,
+        SECCOMP_PARSE_INVERT     = 1U << 0,
-                bool warn, const char *unit, const char *filename, unsigned line);
+        SECCOMP_PARSE_WHITELIST  = 1U << 1,
+        SECCOMP_PARSE_LOG        = 1U << 2,
+        SECCOMP_PARSE_PERMISSIVE = 1U << 3,
+} SeccompParseFlags;
 
-static inline int seccomp_parse_syscall_filter_and_warn(
+int seccomp_parse_syscall_filter_full(
-                bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist,
+                const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags,
-                const char *unit, const char *filename, unsigned line) {
+                const char *unit, const char *filename, unsigned line);
-        assert(unit);
-        assert(filename);
 
-        return seccomp_parse_syscall_filter_internal(invert, name, errno_num, filter, whitelist, true, unit, filename, line);
+static inline int seccomp_parse_syscall_filter(const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags) {
-}
+        return seccomp_parse_syscall_filter_full(name, errno_num, filter, flags, NULL, NULL, 0);
-
-static inline int seccomp_parse_syscall_filter(
-                bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist) {
-        return seccomp_parse_syscall_filter_internal(invert, name, errno_num, filter, whitelist, false, NULL, NULL, 0);
 }
 
 int seccomp_restrict_archs(Set *archs);

src/systemctl/systemd-sysv-install.SKELETON

@@ -11,7 +11,7 @@ usage() {
     exit 1
 }
 
-ROOT=
+unset ROOT
 
 # parse options
 eval set -- "$(getopt -o r: --long root: -- "$@")"