authorLennart Poettering <lennart@poettering.net>2016-10-21 20:12:33 +0200
committerLennart Poettering <lennart@poettering.net>2016-10-24 17:32:50 +0200
commit25a8d8a0cb297f75b6b9fd3cc15747ba7f56031e (patch)
tree373b78e934205e4fe1bcf605c7bf9f1473b2d4b1
parent8130926d32d76193e98ba783ba932816f276bfad (diff)
core: rework apply_protect_kernel_modules() to use seccomp_add_syscall_filter_set()
Let's simplify this call by making use of the new infrastructure. This is actually more in line with Djalal's original patch, but instead of searching for the filter set in the array by its name we can now use the set index and jump directly to it.
-rw-r--r--src/core/execute.c18
1 files changed, 5 insertions, 13 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 18bb67cda9..f435a079c7 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1534,19 +1534,14 @@ finish:
}
static int apply_protect_kernel_modules(Unit *u, const ExecContext *c) {
- static const int module_syscalls[] = {
- SCMP_SYS(delete_module),
- SCMP_SYS(finit_module),
- SCMP_SYS(init_module),
- };
scmp_filter_ctx *seccomp;
- unsigned i;
+ const char *sys;
int r;
assert(c);
- /* Turn of module syscalls on ProtectKernelModules=yes */
+ /* Turn off module syscalls on ProtectKernelModules=yes */
if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
return 0;
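Review bot: The new declaration `const char *sys;` at the top of apply_protect_kernel_modules() is not referenced by any added or context line in this diff; the replacement call in the second hunk passes `syscall_filter_sets + SYSCALL_FILTER_SET_MODULE` directly, so `sys` appears to be a leftover from an earlier draft that iterated set members by name. If nothing outside the shown hunks uses it, it should be dropped to keep `-Wunused-variable` clean and avoid suggesting the set is still walked by hand. Now that the three module syscalls are no longer listed in this function, a short comment such as `/* The exact syscall list lives in syscall_filter_sets[SYSCALL_FILTER_SET_MODULE]; keep that set as the single source of truth. */` above the filter call would help a reader auditing what ProtectKernelModules= actually blocks. The function's body continues past the end of this hunk, so the remainder could not be checked here.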
@@ -1559,12 +1554,9 @@ static int apply_protect_kernel_modules(Unit *u, const ExecContext *c) {
if (r < 0)
goto finish;
- for (i = 0; i < ELEMENTSOF(module_syscalls); i++) {
- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM),
- module_syscalls[i], 0);
- if (r < 0)
- goto finish;
- }
+ r = seccomp_add_syscall_filter_set(seccomp, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
+ if (r < 0)
+ goto finish;
r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
if (r < 0)