| author | Lennart Poettering <lennart@poettering.net> | 2016-10-21 21:18:46 +0200 | 
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2016-10-24 17:32:50 +0200 | 
| commit | a3be2849b2570482757f83181b999febbfc7bbef (patch) | |
| tree | 332aa307c5a8120dc25a3472e18df4383c88c50b | |
| parent | 60f547cf684d27e8c0e7ff44663650e90f9e0bcf (diff) | |
seccomp: add new helper call seccomp_load_filter_set()
This allows us to unify most of the code in apply_protect_kernel_modules() and
apply_private_devices().
| -rw-r--r-- | src/core/execute.c | 34 | ||||
| -rw-r--r-- | src/shared/seccomp-util.c | 24 | ||||
| -rw-r--r-- | src/shared/seccomp-util.h | 2 | 
3 files changed, 28 insertions, 32 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 668504c5cf..5e7d7c25d7 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1502,9 +1502,6 @@ finish:
 }
 static int apply_protect_kernel_modules(Unit *u, const ExecContext *c) {
-        scmp_filter_ctx seccomp;
-        int r;
-
         assert(c);
         /* Turn off module syscalls on ProtectKernelModules=yes */
@@ -1512,25 +1509,10 @@ static int apply_protect_kernel_modules(Unit *u, const ExecContext *c) {
         if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
                 return 0;
-        r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
-        if (r < 0)
-                return r;
-
-        r = seccomp_add_syscall_filter_set(seccomp, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
-        if (r < 0)
-                goto finish;
-
-        r = seccomp_load(seccomp);
-
-finish:
-        seccomp_release(seccomp);
-        return r;
+        return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
 }
 static int apply_private_devices(Unit *u, const ExecContext *c) {
-        scmp_filter_ctx seccomp;
-        int r;
-
         assert(c);
         /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
@@ -1538,19 +1520,7 @@ static int apply_private_devices(Unit *u, const ExecContext *c) {
         if (skip_seccomp_unavailable(u, "PrivateDevices="))
                 return 0;
-        r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
-        if (r < 0)
-                return r;
-
-        r = seccomp_add_syscall_filter_set(seccomp, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
-        if (r < 0)
-                goto finish;
-
-        r = seccomp_load(seccomp);
-
-finish:
-        seccomp_release(seccomp);
-        return r;
+        return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
 }
 #endif
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index f1e9de05b2..6252cd16a6 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -452,3 +452,27 @@ int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterS
         return 0;
 }
+
+int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action) {
+        scmp_filter_ctx seccomp;
+        int r;
+
+        assert(set);
+
+        /* The one-stop solution: allocate a seccomp object, add a filter to it, and apply it */
+
+        r = seccomp_init_conservative(&seccomp, default_action);
+        if (r < 0)
+                return r;
+
+        r = seccomp_add_syscall_filter_set(seccomp, set, action);
+        if (r < 0)
+                goto finish;
+
+        r = seccomp_load(seccomp);
+
+finish:
+        seccomp_release(seccomp);
+        return r;
+
+}
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 2de429a772..667687b14f 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
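Review bot: The new seccomp_load_filter_set() in the seccomp-util.c hunk documents itself only as a "one-stop solution", and a caller of a helper that calls seccomp_load() on the current process needs more than that; the stray blank line before the closing `}` should also go. What a reader has to know is that `default_action` governs every syscall not listed in `set`, `action` is applied to the ones that are, and that each call installs one more filter which the kernel never lets the process drop again, so two calls mean two stacked programs evaluated on every syscall. I would replace the existing comment with a short header such as `/* Allocate a seccomp context whose default is default_action, mark every syscall in 'set' with 'action', and load the result into the calling process. Returns 0 or a negative errno; the context is released on every path after a successful init. Note that seccomp filters stack and cannot be removed, so call this once per filter set. */`. Whether seccomp_init_conservative() also deals with the no_new_privs / CAP_SYS_ADMIN precondition for loading a filter is not visible in this diff; if it does not, that precondition belongs in the same comment.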
@@ -59,3 +59,5 @@ extern const SyscallFilterSet syscall_filter_sets[];
 const SyscallFilterSet *syscall_filter_set_find(const char *name);
 int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action);
+
+int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
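Review bot: The new prototype added at the end of this header says nothing about the meaning of its two `uint32_t` parameters, which are libseccomp action values rather than arbitrary integers, and the neighbouring declarations give no hint either. A one-line comment above the declaration, e.g. `/* Build a filter with 'default_action' for all syscalls, 'action' for those in 'set', and load it into the current process. */`, would let callers in execute.c get the argument order right without opening seccomp-util.c. The surrounding declarations in this hunk are unchanged context and are not being reviewed here.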
