Merge pull request #8280 from poettering/seccomp-flags
seccomp flags rework + minor other build system/repo changes
commit dca4bb35a4

.github/CONTRIBUTING.md
@ -24,8 +24,8 @@ If you discover a security vulnerability, we'd appreciate a non-public disclosur
|
||||||
## Posting Pull Requests
|
## Posting Pull Requests
|
||||||
|
|
||||||
* Make sure to post PRs only relative to a very recent git master.
|
* Make sure to post PRs only relative to a very recent git master.
|
||||||
* Follow our [Coding Style](https://raw.githubusercontent.com/systemd/systemd/master/CODING_STYLE) when contributing code. This is a requirement for all code we merge.
|
* Follow our [Coding Style](https://raw.githubusercontent.com/systemd/systemd/master/doc/CODING_STYLE) when contributing code. This is a requirement for all code we merge.
|
||||||
* Please make sure to test your change before submitting the PR. See [HACKING](https://raw.githubusercontent.com/systemd/systemd/master/HACKING) for details how to do this.
|
* Please make sure to test your change before submitting the PR. See [HACKING](https://raw.githubusercontent.com/systemd/systemd/master/doc/HACKING) for details how to do this.
|
||||||
* Make sure to run the test suite locally, before posting your PR. We use a CI system, meaning we don't even look at your PR, if the build and tests don't pass.
|
* Make sure to run the test suite locally, before posting your PR. We use a CI system, meaning we don't even look at your PR, if the build and tests don't pass.
|
||||||
* If you need to update the code in an existing PR, force-push into the same branch, overriding old commits with new versions.
|
* If you need to update the code in an existing PR, force-push into the same branch, overriding old commits with new versions.
|
||||||
* After you have pushed a new version, add a comment about the new version (no notification is sent just for the commits, so it's easy to miss the update without an explicit comment). If you are a member of the systemd project on GitHub, remove the `reviewed/needs-rework` label.
|
* After you have pushed a new version, add a comment about the new version (no notification is sent just for the commits, so it's easy to miss the update without an explicit comment). If you are a member of the systemd project on GitHub, remove the `reviewed/needs-rework` label.
|
||||||
|
|
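Review bot: the updated HACKING bullet keeps the pre-existing wording "for details how to do this"; since the line is being rewritten anyway for the doc/ path, "for details on how to do this" reads better. The two new doc/CODING_STYLE and doc/HACKING paths agree with the meson.build install list and the README hunk elsewhere in this PR.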
NEWS
@ -373,8 +373,8 @@ CHANGES WITH 236:
|
||||||
store again, ahead of POLLHUP or POLLERR when they are removed
|
store again, ahead of POLLHUP or POLLERR when they are removed
|
||||||
anyway.
|
anyway.
|
||||||
|
|
||||||
* A new document UIDS-GIDS.md has been added to the source tree, that
|
* A new document doc/UIDS-GIDS.md has been added to the source tree,
|
||||||
documents the UID/GID range and assignment assumptions and
|
that documents the UID/GID range and assignment assumptions and
|
||||||
requirements of systemd.
|
requirements of systemd.
|
||||||
|
|
||||||
* The watchdog device PID 1 will ping may now be configured through the
|
* The watchdog device PID 1 will ping may now be configured through the
|
||||||
|
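Review bot: editing the CHANGES WITH 236 (and, below, 233 and 231) entries rewrites a historical record: the old line correctly says the document was added as UIDS-GIDS.md, which is where it lived when 236 shipped. If the intent is that NEWS always points at files as they exist in the current tree, that is a defensible policy but the commit message should say so; otherwise leave past entries as written and only describe the move to doc/ in the section for the upcoming release.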
@ -1106,7 +1106,7 @@ CHANGES WITH 233:
|
||||||
* Documentation has been added that lists all of systemd's low-level
|
* Documentation has been added that lists all of systemd's low-level
|
||||||
environment variables:
|
environment variables:
|
||||||
|
|
||||||
https://github.com/systemd/systemd/blob/master/ENVIRONMENT.md
|
https://github.com/systemd/systemd/blob/master/doc/ENVIRONMENT.md
|
||||||
|
|
||||||
* sd-daemon gained a new API sd_is_socket_sockaddr() for determining
|
* sd-daemon gained a new API sd_is_socket_sockaddr() for determining
|
||||||
whether a specific socket file descriptor matches a specified socket
|
whether a specific socket file descriptor matches a specified socket
|
||||||
|
@ -1817,7 +1817,7 @@ CHANGES WITH 231:
|
||||||
booted up with "systemd-nspawn -b -i", qemu-kvm or on any physical
|
booted up with "systemd-nspawn -b -i", qemu-kvm or on any physical
|
||||||
UEFI PC. This functionality is particularly useful to easily test
|
UEFI PC. This functionality is particularly useful to easily test
|
||||||
local changes made to systemd in a pristine, defined environment. See
|
local changes made to systemd in a pristine, defined environment. See
|
||||||
HACKING for details.
|
doc/HACKING for details.
|
||||||
|
|
||||||
* configure learned the --with-support-url= option to specify the
|
* configure learned the --with-support-url= option to specify the
|
||||||
distribution's bugtracker.
|
distribution's bugtracker.
|
||||||
|
|
|
@ -14,10 +14,10 @@ Information about build requirements are provided in the [README file](../master
|
||||||
|
|
||||||
Consult our [NEWS file](../master/NEWS) for information about what's new in the most recent systemd versions.
|
Consult our [NEWS file](../master/NEWS) for information about what's new in the most recent systemd versions.
|
||||||
|
|
||||||
Please see the [HACKING file](../master/HACKING) for information how to hack on systemd and test your modifications.
|
Please see the [HACKING file](../master/doc/HACKING) for information how to hack on systemd and test your modifications.
|
||||||
|
|
||||||
Please see our [Contribution Guidelines](../master/.github/CONTRIBUTING.md) for more information about filing GitHub Issues and posting GitHub Pull Requests.
|
Please see our [Contribution Guidelines](../master/.github/CONTRIBUTING.md) for more information about filing GitHub Issues and posting GitHub Pull Requests.
|
||||||
|
|
||||||
When preparing patches for systemd, please follow our [Coding Style Guidelines](../master/CODING_STYLE).
|
When preparing patches for systemd, please follow our [Coding Style Guidelines](../master/doc/CODING_STYLE).
|
||||||
|
|
||||||
If you are looking for support, please contact our [mailing list](https://lists.freedesktop.org/mailman/listinfo/systemd-devel) or join our [IRC channel](irc://irc.freenode.org/%23systemd).
|
If you are looking for support, please contact our [mailing list](https://lists.freedesktop.org/mailman/listinfo/systemd-devel) or join our [IRC channel](irc://irc.freenode.org/%23systemd).
|
||||||
|
|
|
@ -1,56 +0,0 @@
|
||||||
@@
|
|
||||||
expression e, f, g, h, i, j;
|
|
||||||
statement s, t;
|
|
||||||
@@
|
|
||||||
(
|
|
||||||
if (e) {
|
|
||||||
(
|
|
||||||
if (h) s
|
|
||||||
|
|
|
||||||
if (h) s else t
|
|
||||||
|
|
|
||||||
while (h) s
|
|
||||||
|
|
|
||||||
for (h; i; j) s
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
|
||||||
while (e) {
|
|
||||||
(
|
|
||||||
if (h) s
|
|
||||||
|
|
|
||||||
if (h) s else t
|
|
||||||
|
|
|
||||||
while (h) s
|
|
||||||
|
|
|
||||||
for (h; i; j) s
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
|
||||||
for (e; f; g) {
|
|
||||||
(
|
|
||||||
if (h) s
|
|
||||||
|
|
|
||||||
if (h) s else t
|
|
||||||
|
|
|
||||||
while (h) s
|
|
||||||
|
|
|
||||||
for (h; i; j) s
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
|
||||||
- if (e) {
|
|
||||||
+ if (e)
|
|
||||||
s
|
|
||||||
- }
|
|
||||||
|
|
|
||||||
- while (e) {
|
|
||||||
+ while (e)
|
|
||||||
s
|
|
||||||
- }
|
|
||||||
|
|
|
||||||
- for (e; f; g) {
|
|
||||||
+ for (e; f; g)
|
|
||||||
s
|
|
||||||
- }
|
|
||||||
)
|
|
|
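Review bot: the PR description ("seccomp flags rework + minor other build system/repo changes") does not say why coccinelle/empty-if.cocci is deleted; please add the rationale to the commit message. The semantic patch carries deliberate exclusions for bodies that are themselves an if/while/for (presumably so a brace removal never changes how a following else binds), and anyone re-adding brace removal later would need to know whether the script was dropped because it was unused, unsafe, or superseded. The deletion is consistent with removing the empty-if.cocci skip from run-coccinelle.sh in the next hunk.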
@ -1,7 +1,6 @@
|
||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
|
|
||||||
for SCRIPT in ${@-*.cocci} ; do
|
for SCRIPT in ${@-*.cocci} ; do
|
||||||
[ "$SCRIPT" = "empty-if.cocci" ] && continue
|
|
||||||
echo "--x-- Processing $SCRIPT --x--"
|
echo "--x-- Processing $SCRIPT --x--"
|
||||||
TMPFILE=`mktemp`
|
TMPFILE=`mktemp`
|
||||||
spatch --sp-file $SCRIPT --dir $(pwd)/.. 2> "$TMPFILE" || cat "$TMPFILE"
|
spatch --sp-file $SCRIPT --dir $(pwd)/.. 2> "$TMPFILE" || cat "$TMPFILE"
|
||||||
|
|
|
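Review bot: dropping the `[ "$SCRIPT" = "empty-if.cocci" ] && continue` line is the right companion to deleting that file above. While this loop is being touched: `spatch --sp-file $SCRIPT` leaves $SCRIPT unquoted and `TMPFILE=\`mktemp\`` uses backticks; quoting "$SCRIPT" and writing `TMPFILE=$(mktemp)` would be the idiomatic form, and in the visible lines the temp file is never removed, so a `trap 'rm -f "$TMPFILE"' EXIT` (or an rm after the `cat`) would avoid leaving one file per script behind.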
@ -7,7 +7,7 @@ Request (PR):
|
||||||
https://github.com/systemd/systemd/pull/new
|
https://github.com/systemd/systemd/pull/new
|
||||||
|
|
||||||
Please make sure to follow our Coding Style when submitting patches. See
|
Please make sure to follow our Coding Style when submitting patches. See
|
||||||
CODING_STYLE for details. Also have a look at our Contribution Guidelines:
|
doc/CODING_STYLE for details. Also have a look at our Contribution Guidelines:
|
||||||
|
|
||||||
https://github.com/systemd/systemd/blob/master/.github/CONTRIBUTING.md
|
https://github.com/systemd/systemd/blob/master/.github/CONTRIBUTING.md
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
Notes for translators
|
Notes for translators
|
||||||
=====================
|
=====================
|
||||||
|
|
||||||
Systemd depends on gettext for multilingual support.
|
systemd depends on gettext for multilingual support.
|
||||||
In po/ directory you'll find the needed files.
|
In po/ directory you'll find the needed files.
|
||||||
|
|
||||||
POT (Portable Object Template)
|
POT (Portable Object Template)
|
||||||
------------------------------
|
------------------------------
|
||||||
A text file with .pot extension, with all the extracted labels from code.
|
A text file with .pot extension, with all the extracted labels from code.
|
||||||
|
|
||||||
To update the template:
|
To update the template:
|
||||||
|
|
meson.build
@ -2596,15 +2596,17 @@ install_data('xorg/50-systemd-user.sh',
|
||||||
install_dir : xinitrcdir)
|
install_dir : xinitrcdir)
|
||||||
install_data('modprobe.d/systemd.conf',
|
install_data('modprobe.d/systemd.conf',
|
||||||
install_dir : modprobedir)
|
install_dir : modprobedir)
|
||||||
install_data('README',
|
install_data('LICENSE.GPL2',
|
||||||
'NEWS',
|
|
||||||
'CODING_STYLE',
|
|
||||||
'DISTRO_PORTING',
|
|
||||||
'ENVIRONMENT.md',
|
|
||||||
'LICENSE.GPL2',
|
|
||||||
'LICENSE.LGPL2.1',
|
'LICENSE.LGPL2.1',
|
||||||
'TRANSIENT-SETTINGS.md',
|
'NEWS',
|
||||||
'UIDS-GIDS.md',
|
'README',
|
||||||
|
'doc/CODING_STYLE',
|
||||||
|
'doc/DISTRO_PORTING',
|
||||||
|
'doc/ENVIRONMENT.md',
|
||||||
|
'doc/HACKING',
|
||||||
|
'doc/TRANSIENT-SETTINGS.md',
|
||||||
|
'doc/TRANSLATORS',
|
||||||
|
'doc/UIDS-GIDS.md',
|
||||||
'src/libsystemd/sd-bus/GVARIANT-SERIALIZATION',
|
'src/libsystemd/sd-bus/GVARIANT-SERIALIZATION',
|
||||||
install_dir : docdir)
|
install_dir : docdir)
|
||||||
|
|
||||||
|
|
|
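Review bot: besides re-pointing the moved files, this hunk newly installs 'doc/HACKING' and 'doc/TRANSLATORS' into docdir, neither of which was in the old install_data() list; please confirm that is intended, since both are contributor-facing rather than user-facing documents. Note also that install_data() installs each file under its basename, so everything still lands directly in docdir with no doc/ subdirectory; the doc/ENVIRONMENT.md and similar paths written into NEWS in this PR are source-tree paths, not installed ones, which is fine as long as that is understood.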
@ -41,7 +41,7 @@ bool running_in_chroot_or_offline(void) {
|
||||||
/* Added to support use cases like rpm-ostree, where from %post scripts we only want to execute "preset", but
|
/* Added to support use cases like rpm-ostree, where from %post scripts we only want to execute "preset", but
|
||||||
* not "start"/"restart" for example.
|
* not "start"/"restart" for example.
|
||||||
*
|
*
|
||||||
* See ENVIRONMENT.md for docs.
|
* See doc/ENVIRONMENT.md for docs.
|
||||||
*/
|
*/
|
||||||
r = getenv_bool("SYSTEMD_OFFLINE");
|
r = getenv_bool("SYSTEMD_OFFLINE");
|
||||||
if (r < 0 && r != -ENXIO)
|
if (r < 0 && r != -ENXIO)
|
||||||
|
|
|
@ -1602,7 +1602,7 @@ int bus_exec_context_set_transient_property(
|
||||||
c->syscall_whitelist = whitelist;
|
c->syscall_whitelist = whitelist;
|
||||||
|
|
||||||
if (c->syscall_whitelist) {
|
if (c->syscall_whitelist) {
|
||||||
r = seccomp_parse_syscall_filter(invert, "@default", -1, c->syscall_filter, true);
|
r = seccomp_parse_syscall_filter("@default", -1, c->syscall_filter, SECCOMP_PARSE_WHITELIST | (invert ? SECCOMP_PARSE_INVERT : 0));
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
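Review bot: the @default seeding here forwards the caller's invert into the flags (`SECCOMP_PARSE_WHITELIST | (invert ? SECCOMP_PARSE_INVERT : 0)`), whereas the equivalent seeding in config_parse_syscall_filter passes `SECCOMP_PARSE_WHITELIST` alone. With the `!(flags & SECCOMP_PARSE_INVERT) == !!(flags & SECCOMP_PARSE_WHITELIST)` test in seccomp_parse_syscall_filter_full, an inverted call would take the hashmap_remove() branch on the freshly created map and leave the new whitelist without the @default group instead of adding it. This is carried over from the old call, so it is not a regression, but the rework is the right moment to make the two sites agree: if invert cannot be true when c->syscall_whitelist is true here, drop the invert term; otherwise document which behaviour is intended.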
@ -1616,7 +1616,7 @@ int bus_exec_context_set_transient_property(
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = seccomp_parse_syscall_filter(invert, n, e, c->syscall_filter, c->syscall_whitelist);
|
r = seccomp_parse_syscall_filter(n, e, c->syscall_filter, (invert ? SECCOMP_PARSE_INVERT : 0) | (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0));
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
|
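Review bot: the flag word is assembled inline in a very long line; a local computed once above the loop, for example `SeccompParseFlags f = (invert ? SECCOMP_PARSE_INVERT : 0) | (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0);`, would keep this call and the @default call in the previous hunk short and make it obvious that both use the same mode.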
@ -2934,7 +2934,7 @@ int config_parse_syscall_filter(
|
||||||
c->syscall_whitelist = true;
|
c->syscall_whitelist = true;
|
||||||
|
|
||||||
/* Accept default syscalls if we are on a whitelist */
|
/* Accept default syscalls if we are on a whitelist */
|
||||||
r = seccomp_parse_syscall_filter(false, "@default", -1, c->syscall_filter, true);
|
r = seccomp_parse_syscall_filter("@default", -1, c->syscall_filter, SECCOMP_PARSE_WHITELIST);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
@ -2961,7 +2961,9 @@ int config_parse_syscall_filter(
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
r = seccomp_parse_syscall_filter_and_warn(invert, name, num, c->syscall_filter, c->syscall_whitelist, unit, filename, line);
|
r = seccomp_parse_syscall_filter_full(name, num, c->syscall_filter,
|
||||||
|
SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|(invert ? SECCOMP_PARSE_INVERT : 0)|(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
|
||||||
|
unit, filename, line);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
|
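Review bot: `SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|...` is written without spaces around `|` while the dbus-execute.c hunks write `... | ...`; pick one form. Semantically this preserves the old `_and_warn` behaviour (an unknown group or syscall name in a unit file is warned about and skipped rather than failing the unit), which is the right choice for user-supplied configuration, while the transient D-Bus path stays strict and returns -EINVAL. Since that strict/permissive split is now a flag rather than a separate function name, a one-line comment at this call site explaining why PERMISSIVE is set here would help the next reader.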
@ -950,13 +950,11 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int seccomp_parse_syscall_filter_internal(
|
int seccomp_parse_syscall_filter_full(
|
||||||
bool invert,
|
|
||||||
const char *name,
|
const char *name,
|
||||||
int errno_num,
|
int errno_num,
|
||||||
Hashmap *filter,
|
Hashmap *filter,
|
||||||
bool whitelist,
|
SeccompParseFlags flags,
|
||||||
bool warn,
|
|
||||||
const char *unit,
|
const char *unit,
|
||||||
const char *filename,
|
const char *filename,
|
||||||
unsigned line) {
|
unsigned line) {
|
||||||
|
@ -972,15 +970,20 @@ int seccomp_parse_syscall_filter_internal(
|
||||||
|
|
||||||
set = syscall_filter_set_find(name);
|
set = syscall_filter_set_find(name);
|
||||||
if (!set) {
|
if (!set) {
|
||||||
if (warn) {
|
if (!(flags & SECCOMP_PARSE_PERMISSIVE))
|
||||||
log_syntax(unit, LOG_WARNING, filename, line, 0, "Unknown system call group, ignoring: %s", name);
|
|
||||||
return 0;
|
|
||||||
} else
|
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
|
log_syntax(unit, flags & SECCOMP_PARSE_LOG ? LOG_WARNING : LOG_DEBUG, filename, line, 0,
|
||||||
|
"Unknown system call group, ignoring: %s", name);
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
NULSTR_FOREACH(i, set->value) {
|
NULSTR_FOREACH(i, set->value) {
|
||||||
r = seccomp_parse_syscall_filter_internal(invert, i, errno_num, filter, whitelist, warn, unit, filename, line);
|
/* Call ourselves again, for the group to parse. Note that we downgrade logging here (i.e. take
|
||||||
|
* away the SECCOMP_PARSE_LOG flag) since any issues in the group table are our own problem,
|
||||||
|
* not a problem in user configuration data and we shouldn't pretend otherwise by complaining
|
||||||
|
* about them. */
|
||||||
|
r = seccomp_parse_syscall_filter_full(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
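Review bot: the recursive call drops SECCOMP_PARSE_LOG but forwards SECCOMP_PARSE_PERMISSIVE unchanged, so an entry in a built-in group table that seccomp_syscall_resolve_name() cannot resolve (see the next hunk) is silently skipped at debug level for permissive callers but fails the whole group with -EINVAL for the strict D-Bus caller in dbus-execute.c, since `if (r < 0) return r` propagates it. The new comment says problems in the group table are "our own problem", which argues for always recursing permissively, i.e. `(flags & ~SECCOMP_PARSE_LOG) | SECCOMP_PARSE_PERMISSIVE`, rather than letting the caller's strictness decide how an internal table is treated. The old code had the same asymmetry via `warn`, so this is a pre-existing behaviour, but the flags make it easy to fix now.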
@ -989,19 +992,20 @@ int seccomp_parse_syscall_filter_internal(
|
||||||
|
|
||||||
id = seccomp_syscall_resolve_name(name);
|
id = seccomp_syscall_resolve_name(name);
|
||||||
if (id == __NR_SCMP_ERROR) {
|
if (id == __NR_SCMP_ERROR) {
|
||||||
if (warn) {
|
if (!(flags & SECCOMP_PARSE_PERMISSIVE))
|
||||||
log_syntax(unit, LOG_WARNING, filename, line, 0, "Failed to parse system call, ignoring: %s", name);
|
|
||||||
return 0;
|
|
||||||
} else
|
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
|
log_syntax(unit, flags & SECCOMP_PARSE_LOG ? LOG_WARNING : LOG_DEBUG, filename, line, 0,
|
||||||
|
"Failed to parse system call, ignoring: %s", name);
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* If we previously wanted to forbid a syscall and now
|
/* If we previously wanted to forbid a syscall and now
|
||||||
* we want to allow it, then remove it from the list. */
|
* we want to allow it, then remove it from the list. */
|
||||||
if (!invert == whitelist) {
|
if (!(flags & SECCOMP_PARSE_INVERT) == !!(flags & SECCOMP_PARSE_WHITELIST)) {
|
||||||
r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(errno_num));
|
r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(errno_num));
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return warn ? log_oom() : -ENOMEM;
|
return flags & SECCOMP_PARSE_LOG ? log_oom() : -ENOMEM;
|
||||||
} else
|
} else
|
||||||
(void) hashmap_remove(filter, INT_TO_PTR(id + 1));
|
(void) hashmap_remove(filter, INT_TO_PTR(id + 1));
|
||||||
}
|
}
|
||||||
|
|
|
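Review bot: `!(flags & SECCOMP_PARSE_INVERT) == !!(flags & SECCOMP_PARSE_WHITELIST)` is correct but hard to read and easy to get wrong on a later edit; two locals at the top of the function, `bool invert = flags & SECCOMP_PARSE_INVERT, whitelist = flags & SECCOMP_PARSE_WHITELIST;`, would let the test stay `if (!invert == whitelist)` as before and keep the comment above it literally accurate. The OOM path now calls log_oom() only when SECCOMP_PARSE_LOG is set, which matches the old `warn ? log_oom() : -ENOMEM`.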
@ -81,22 +81,19 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint
|
||||||
int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
|
int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
|
||||||
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action);
|
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action);
|
||||||
|
|
||||||
int seccomp_parse_syscall_filter_internal(
|
typedef enum SeccompParseFlags {
|
||||||
bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist,
|
SECCOMP_PARSE_INVERT = 1U << 0,
|
||||||
bool warn, const char *unit, const char *filename, unsigned line);
|
SECCOMP_PARSE_WHITELIST = 1U << 1,
|
||||||
|
SECCOMP_PARSE_LOG = 1U << 2,
|
||||||
|
SECCOMP_PARSE_PERMISSIVE = 1U << 3,
|
||||||
|
} SeccompParseFlags;
|
||||||
|
|
||||||
static inline int seccomp_parse_syscall_filter_and_warn(
|
int seccomp_parse_syscall_filter_full(
|
||||||
bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist,
|
const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags,
|
||||||
const char *unit, const char *filename, unsigned line) {
|
const char *unit, const char *filename, unsigned line);
|
||||||
assert(unit);
|
|
||||||
assert(filename);
|
|
||||||
|
|
||||||
return seccomp_parse_syscall_filter_internal(invert, name, errno_num, filter, whitelist, true, unit, filename, line);
|
static inline int seccomp_parse_syscall_filter(const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags) {
|
||||||
}
|
return seccomp_parse_syscall_filter_full(name, errno_num, filter, flags, NULL, NULL, 0);
|
||||||
|
|
||||||
static inline int seccomp_parse_syscall_filter(
|
|
||||||
bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist) {
|
|
||||||
return seccomp_parse_syscall_filter_internal(invert, name, errno_num, filter, whitelist, false, NULL, NULL, 0);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int seccomp_restrict_archs(Set *archs);
|
int seccomp_restrict_archs(Set *archs);
|
||||||
|
|
|
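Review bot: the removed seccomp_parse_syscall_filter_and_warn() asserted unit and filename to be non-NULL before anything was logged; the new seccomp_parse_syscall_filter() wrapper passes `NULL, NULL, 0` into seccomp_parse_syscall_filter_full(), which calls log_syntax() with those values on both the LOG_WARNING and the LOG_DEBUG paths. This is safe only if log_syntax() tolerates a NULL unit and filename; please confirm that, and either add an assert in _full() for the SECCOMP_PARSE_LOG case or a comment on the enum stating that LOG callers are expected to supply unit/filename/line, so the wrapper is not later called with SECCOMP_PARSE_LOG by accident.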
@ -11,7 +11,7 @@ usage() {
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
|
|
||||||
ROOT=
|
unset ROOT
|
||||||
|
|
||||||
# parse options
|
# parse options
|
||||||
eval set -- "$(getopt -o r: --long root: -- "$@")"
|
eval set -- "$(getopt -o r: --long root: -- "$@")"
|
||||||
|
|
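Review bot: `unset ROOT` and `ROOT=` are not interchangeable: a later `${ROOT+x}` or `[ -v ROOT ]` test sees them differently, and under `set -u` an unguarded `$ROOT` expansion aborts for the unset variable where the empty assignment would not. Only the getopt line is visible here, so please confirm the later uses of ROOT (the default when --root is not given) are written for the unset case.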