authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2016-11-02 11:58:18 -0400
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2016-11-03 09:35:35 -0400
commit869feb33881ac0ee6f95fb3baa7eeb870c429c64 (patch)
tree0a73dc5eb28e339ebf79ba205c25489b2c59f0d1
parent7fa6328cc447a4a834ebc8d68ae6c335f4c9c9d3 (diff)
analyze: add syscall-filter verb
This should make it easier for users to understand what each filter means, since the list of syscalls in each set is updated in subsequent systemd versions.
-rw-r--r--man/systemd-analyze.xml11
-rw-r--r--man/systemd.exec.xml10
-rw-r--r--shell-completion/bash/systemd-analyze6
-rw-r--r--shell-completion/zsh/_systemd-analyze1
-rw-r--r--src/analyze/analyze.c98
5 files changed, 101 insertions, 25 deletions
diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml
index 8fa7cd3329..634e16b5f4 100644
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@@ -104,6 +104,12 @@
<cmdsynopsis>
<command>systemd-analyze</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="plain">syscall-filter</arg>
+ <arg choice="opt"><replaceable>SET</replaceable>...</arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>systemd-analyze</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
<arg choice="plain">verify</arg>
<arg choice="opt" rep="repeat"><replaceable>FILES</replaceable></arg>
</cmdsynopsis>
@@ -181,6 +187,11 @@
<option>--log-target=</option>, described in
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>
+ <para><command>systemd-analyze syscall-filter <optional><replaceable>SET</replaceable>...</optional></command>
+ will list system calls contained in the specified system call set <replaceable>SET</replaceable>,
+ or all known sets if no sets are specified. Argument <replaceable>SET</replaceable> must include
+ the <literal>@</literal> prefix.</para>
+
<para><command>systemd-analyze verify</command> will load unit files and print
warnings if any errors are detected. Files specified on the command line will be
loaded, but also any other units referenced by them. The full unit search path is
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 3c350df11f..0de263cb07 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1373,8 +1373,13 @@
</tgroup>
</table>
- Note that as new system calls are added to the kernel, additional system calls might be added to the groups
- above, so the contents of the sets may change between systemd versions.</para>
+ Note, that as new system calls are added to the kernel, additional system calls might be
+ added to the groups above. Contents of the sets may also change between systemd
+ versions. In addition, the list of system calls depends on the kernel version and
+ architecture for which systemd was compiled. Use
+ <command>systemd-analyze syscall-filter</command> to list the actual list of system calls in
+ each filter.
+ </para>
<para>It is recommended to combine the file system namespacing related options with
<varname>SystemCallFilter=~@mount</varname>, in order to prohibit the unit's processes to undo the
@@ -1844,6 +1849,7 @@
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
diff --git a/shell-completion/bash/systemd-analyze b/shell-completion/bash/systemd-analyze
index 7a5f46ba1d..92ff13d316 100644
--- a/shell-completion/bash/systemd-analyze
+++ b/shell-completion/bash/systemd-analyze
@@ -45,6 +45,7 @@ _systemd_analyze() {
[DOT]='dot'
[LOG_LEVEL]='set-log-level'
[VERIFY]='verify'
+ [SECCOMP_FILTER]='syscall-filter'
)
_init_completion || return
@@ -100,6 +101,11 @@ _systemd_analyze() {
comps='debug info notice warning err crit alert emerg'
fi
+ elif __contains_word "$verb" ${VERBS[SECCOMP_FILTER]}; then
+ if [[ $cur = -* ]]; then
+ comps='--help --version'
+ fi
+
elif __contains_word "$verb" ${VERBS[VERIFY]}; then
if [[ $cur = -* ]]; then
comps='--help --version --system --user --man'
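Review bot: The completion for the new `syscall-filter` verb offers only `--help --version`, while `dump_syscall_filters` in analyze.c opens the pager, so `--no-pager` applies to this verb as well; unless global options are completed elsewhere in this function, the line should read `comps='--help --version --no-pager'`. Completing the set names themselves would also help, since the man page added in this commit requires the `@` prefix and the verb prints every known set when invoked without arguments. The `_systemd_analyze` function continues outside the hunk.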
diff --git a/shell-completion/zsh/_systemd-analyze b/shell-completion/zsh/_systemd-analyze
index efafddc686..0e670034c1 100644
--- a/shell-completion/zsh/_systemd-analyze
+++ b/shell-completion/zsh/_systemd-analyze
@@ -21,6 +21,7 @@ _systemd_analyze_command(){
'dot:Dump dependency graph (in dot(1) format)'
'dump:Dump server status'
'set-log-level:Set systemd log threshold'
+ 'syscall-filter:List syscalls in seccomp filter'
'verify:Check unit files for correctness'
)
diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c
index cbf9354a7a..0495fca17d 100644
--- a/src/analyze/analyze.c
+++ b/src/analyze/analyze.c
@@ -36,6 +36,7 @@
#include "log.h"
#include "pager.h"
#include "parse-util.h"
+#include "seccomp-util.h"
#include "special.h"
#include "strv.h"
#include "strxcpyx.h"
@@ -1275,36 +1276,85 @@ static int set_log_target(sd_bus *bus, char **args) {
return 0;
}
+static void dump_syscall_filter(const SyscallFilterSet *set) {
+ const char *syscall;
+
+ printf("%s\n", set->name);
+ NULSTR_FOREACH(syscall, set->value)
+ printf(" %s\n", syscall);
+}
+
+static int dump_syscall_filters(char** names) {
+ bool first = true;
+
+ pager_open(arg_no_pager, false);
+
+ if (strv_isempty(names)) {
+ int i;
+
+ for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
+ if (!first)
+ puts("");
+ dump_syscall_filter(syscall_filter_sets + i);
+ first = false;
+ }
+ } else {
+ char **name;
+
+ STRV_FOREACH(name, names) {
+ const SyscallFilterSet *set;
+
+ if (!first)
+ puts("");
+
+ set = syscall_filter_set_find(*name);
+ if (!set) {
+ /* make sure the error appears below normal output */
+ fflush(stdout);
+
+ log_error("Filter set \"%s\" not found.", *name);
+ return -ENOENT;
+ }
+
+ dump_syscall_filter(set);
+ first = false;
+ }
+ }
+
+ return 0;
+}
+
static void help(void) {
pager_open(arg_no_pager, false);
printf("%s [OPTIONS...] {COMMAND} ...\n\n"
"Profile systemd, show unit dependencies, check unit files.\n\n"
- " -h --help Show this help\n"
- " --version Show package version\n"
- " --no-pager Do not pipe output into a pager\n"
- " --system Operate on system systemd instance\n"
- " --user Operate on user systemd instance\n"
- " -H --host=[USER@]HOST Operate on remote host\n"
- " -M --machine=CONTAINER Operate on local container\n"
- " --order Show only order in the graph\n"
- " --require Show only requirement in the graph\n"
- " --from-pattern=GLOB Show only origins in the graph\n"
- " --to-pattern=GLOB Show only destinations in the graph\n"
- " --fuzz=SECONDS Also print also services which finished SECONDS\n"
- " earlier than the latest in the branch\n"
- " --man[=BOOL] Do [not] check for existence of man pages\n\n"
+ " -h --help Show this help\n"
+ " --version Show package version\n"
+ " --no-pager Do not pipe output into a pager\n"
+ " --system Operate on system systemd instance\n"
+ " --user Operate on user systemd instance\n"
+ " -H --host=[USER@]HOST Operate on remote host\n"
+ " -M --machine=CONTAINER Operate on local container\n"
+ " --order Show only order in the graph\n"
+ " --require Show only requirement in the graph\n"
+ " --from-pattern=GLOB Show only origins in the graph\n"
+ " --to-pattern=GLOB Show only destinations in the graph\n"
+ " --fuzz=SECONDS Also print also services which finished SECONDS\n"
+ " earlier than the latest in the branch\n"
+ " --man[=BOOL] Do [not] check for existence of man pages\n\n"
"Commands:\n"
- " time Print time spent in the kernel\n"
- " blame Print list of running units ordered by time to init\n"
- " critical-chain Print a tree of the time critical chain of units\n"
- " plot Output SVG graphic showing service initialization\n"
- " dot Output dependency graph in dot(1) format\n"
- " set-log-level LEVEL Set logging threshold for manager\n"
- " set-log-target TARGET Set logging target for manager\n"
- " dump Output state serialization of service manager\n"
- " verify FILE... Check unit files for correctness\n"
+ " time Print time spent in the kernel\n"
+ " blame Print list of running units ordered by time to init\n"
+ " critical-chain Print a tree of the time critical chain of units\n"
+ " plot Output SVG graphic showing service initialization\n"
+ " dot Output dependency graph in dot(1) format\n"
+ " set-log-level LEVEL Set logging threshold for manager\n"
+ " set-log-target TARGET Set logging target for manager\n"
+ " dump Output state serialization of service manager\n"
+ " syscall-filter [NAME...] Print list of syscalls in seccomp filter\n"
+ " verify FILE... Check unit files for correctness\n"
, program_invocation_short_name);
/* When updating this list, including descriptions, apply
@@ -1471,6 +1521,8 @@ int main(int argc, char *argv[]) {
r = set_log_level(bus, argv+optind+1);
else if (streq(argv[optind], "set-log-target"))
r = set_log_target(bus, argv+optind+1);
+ else if (streq(argv[optind], "syscall-filter"))
+ r = dump_syscall_filters(argv+optind+1);
else
log_error("Unknown operation '%s'.", argv[optind]);
}
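Review bot: `dump_syscall_filters` and the new `#include "seccomp-util.h"` are added unconditionally, yet `syscall_filter_sets` and `syscall_filter_set_find` presumably exist only when systemd is built with seccomp support, so a build without it would likely fail to link; guarding the two helpers with `#ifdef HAVE_SECCOMP` and having the `syscall-filter` branch in `main` otherwise do `log_error("Not compiled with syscall filters, sorry."); r = -EOPNOTSUPP;` would keep the verb build-clean everywhere. The help line `syscall-filter [NAME...]` calls the argument NAME while the man page in this same commit calls it SET and says it must carry the `@` prefix; the help text should use the same term, e.g. `" syscall-filter [SET...] Print list of syscalls in seccomp filter\n"`. Minor style: `static int dump_syscall_filters(char** names)` binds the `*` to the type, unlike `char **args` in the surrounding file. The body of `main` continues outside the last hunk.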