diff options
| author | Lennart Poettering <lennart@poettering.net> | 2014-02-25 20:37:03 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2014-02-26 02:19:28 +0100 |
| commit | 4298d0b5128326621c8f537107c4c8b459490721 (patch) | |
| tree | 38ed9f6806b45d153f39ea9da61eae5d34530523 /Makefile.am | |
| parent | 9875fd7875d433eea5c6e3319916e1be18722086 (diff) | |
core: add new RestrictAddressFamilies= switch
This new unit settings allows restricting which address families are
available to processes. This is an effective way to minimize the attack
surface of services, by turning off entire network stacks for them.
This is based on seccomp, and does not work on x86-32, since seccomp
cannot filter socketcall() syscalls on that platform.
Diffstat (limited to 'Makefile.am')
| -rw-r--r-- | Makefile.am | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/Makefile.am b/Makefile.am index 529b52588d..dd067f6d00 100644 --- a/Makefile.am +++ b/Makefile.am @@ -764,6 +764,8 @@ libsystemd_shared_la_SOURCES = \ src/shared/net-util.h \ src/shared/errno-list.c \ src/shared/errno-list.h \ + src/shared/af-list.c \ + src/shared/af-list.h \ src/shared/audit.c \ src/shared/audit.h \ src/shared/xml.c \ @@ -775,7 +777,9 @@ libsystemd_shared_la_SOURCES = \ nodist_libsystemd_shared_la_SOURCES = \ src/shared/errno-from-name.h \ - src/shared/errno-to-name.h + src/shared/errno-to-name.h \ + src/shared/af-from-name.h \ + src/shared/af-to-name.h libsystemd_shared_la_CFLAGS = \ $(AM_CFLAGS) \ @@ -1059,11 +1063,15 @@ CLEANFILES += \ src/core/load-fragment-gperf.c \ src/core/load-fragment-gperf-nulstr.c \ src/shared/errno-list.txt \ - src/shared/errno-from-name.gperf + src/shared/errno-from-name.gperf \ + src/shared/af-list.txt \ + src/shared/af-from-name.gperf BUILT_SOURCES += \ src/shared/errno-from-name.h \ - src/shared/errno-to-name.h + src/shared/errno-to-name.h \ + src/shared/af-from-name.h \ + src/shared/af-to-name.h src/shared/errno-list.txt: $(AM_V_at)$(MKDIR_P) $(dir $@) @@ -1081,6 +1089,22 @@ src/shared/errno-to-name.h: src/shared/errno-list.txt $(AM_V_at)$(MKDIR_P) $(dir $@) $(AM_V_GEN)$(AWK) 'BEGIN{ print "static const char* const errno_names[] = { "} { printf "[%s] = \"%s\",\n", $$1, $$1 } END{print "};"}' < $< > $@ +src/shared/af-list.txt: + $(AM_V_at)$(MKDIR_P) $(dir $@) + $(AM_V_GEN)$(CPP) $(CFLAGS) $(AM_CPPFLAGS) $(CPPFLAGS) -dM -include sys/socket.h - < /dev/null | grep -v AF_UNSPEC | grep -v AF_MAX | $(AWK) '/^#define[ \t]+AF_[^ \t]+[ \t]+PF_[^ \t]/ { print $$2; }' > $@ + +src/shared/af-from-name.gperf: src/shared/af-list.txt + $(AM_V_at)$(MKDIR_P) $(dir $@) + $(AM_V_GEN)$(AWK) 'BEGIN{ print "struct af_name { const char* name; int id; };"; print "%null-strings"; print "%%";} { printf "%s, %s\n", $$1, $$1 }' < $< > $@ + +src/shared/af-from-name.h: src/shared/af-from-name.gperf + $(AM_V_at)$(MKDIR_P) $(dir $@) + $(AM_V_GPERF)$(GPERF) -L ANSI-C -t --ignore-case -N lookup_af -H hash_af_name -p -C < $< > $@ + +src/shared/af-to-name.h: src/shared/af-list.txt + $(AM_V_at)$(MKDIR_P) $(dir $@) + $(AM_V_GEN)$(AWK) 'BEGIN{ print "static const char* const af_names[] = { "} !/AF_FILE/ && !/AF_ROUTE/ && !/AF_LOCAL/ { printf "[%s] = \"%s\",\n", $$1, $$1 } END{print "};"}' < $< > $@ + # ------------------------------------------------------------------------------ systemd_SOURCES = \ src/core/main.c |