author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2016-11-03 20:27:45 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-11-03 20:27:45 -0400 |
commit | cf88547034d72e0c43e880b89d36643befc54bb9 (patch) | |
tree | 4baf2125530aadacc6ac73d5f80b843dad1ce2d1 /src/analyze/analyze.c | |
parent | d974f949f10d6945e1abe9bc6525e676bc515928 (diff) | |
parent | 1720590bfd7618efa10891f956bf4b265311be04 (diff) |
Merge pull request #4548 from keszybz/seccomp-help
systemd-analyze syscall-filter
Diffstat (limited to 'src/analyze/analyze.c')
-rw-r--r-- | src/analyze/analyze.c | 107 |
1 files changed, 84 insertions, 23 deletions
diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c
index cbf9354a7a..f744a84501 100644
--- a/src/analyze/analyze.c
+++ b/src/analyze/analyze.c
@@ -36,6 +36,7 @@
 #include "log.h"
 #include "pager.h"
 #include "parse-util.h"
+#include "seccomp-util.h"
 #include "special.h"
 #include "strv.h"
 #include "strxcpyx.h"
@@ -1275,36 +1276,94 @@ static int set_log_target(sd_bus *bus, char **args) { return 0; } +#ifdef HAVE_SECCOMP +static void dump_syscall_filter(const SyscallFilterSet *set) { + const char *syscall; + + printf("%s\n", set->name); + printf(" # %s\n", set->help); + NULSTR_FOREACH(syscall, set->value) + printf(" %s\n", syscall); +} + +static int dump_syscall_filters(char** names) { + bool first = true; + + pager_open(arg_no_pager, false); + + if (strv_isempty(names)) { + int i; + + for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) { + if (!first) + puts(""); + dump_syscall_filter(syscall_filter_sets + i); + first = false; + } + } else { + char **name; + + STRV_FOREACH(name, names) { + const SyscallFilterSet *set; + + if (!first) + puts(""); + + set = syscall_filter_set_find(*name); + if (!set) { + /* make sure the error appears below normal output */ + fflush(stdout); + + log_error("Filter set \"%s\" not found.", *name); + return -ENOENT; + } + + dump_syscall_filter(set); + first = false; + } + } + + return 0; +} + +#else +static int dump_syscall_filters(char** names) { + log_error("Not compiled with syscall filters, sorry."); + return -EOPNOTSUPP; +} +#endif + static void help(void) { pager_open(arg_no_pager, false); printf("%s [OPTIONS...] 
{COMMAND} ...\n\n" "Profile systemd, show unit dependencies, check unit files.\n\n" - " -h --help Show this help\n" - " --version Show package version\n" - " --no-pager Do not pipe output into a pager\n" - " --system Operate on system systemd instance\n" - " --user Operate on user systemd instance\n" - " -H --host=[USER@]HOST Operate on remote host\n" - " -M --machine=CONTAINER Operate on local container\n" - " --order Show only order in the graph\n" - " --require Show only requirement in the graph\n" - " --from-pattern=GLOB Show only origins in the graph\n" - " --to-pattern=GLOB Show only destinations in the graph\n" - " --fuzz=SECONDS Also print also services which finished SECONDS\n" - " earlier than the latest in the branch\n" - " --man[=BOOL] Do [not] check for existence of man pages\n\n" + " -h --help Show this help\n" + " --version Show package version\n" + " --no-pager Do not pipe output into a pager\n" + " --system Operate on system systemd instance\n" + " --user Operate on user systemd instance\n" + " -H --host=[USER@]HOST Operate on remote host\n" + " -M --machine=CONTAINER Operate on local container\n" + " --order Show only order in the graph\n" + " --require Show only requirement in the graph\n" + " --from-pattern=GLOB Show only origins in the graph\n" + " --to-pattern=GLOB Show only destinations in the graph\n" + " --fuzz=SECONDS Also print also services which finished SECONDS\n" + " earlier than the latest in the branch\n" + " --man[=BOOL] Do [not] check for existence of man pages\n\n" "Commands:\n" - " time Print time spent in the kernel\n" - " blame Print list of running units ordered by time to init\n" - " critical-chain Print a tree of the time critical chain of units\n" - " plot Output SVG graphic showing service initialization\n" - " dot Output dependency graph in dot(1) format\n" - " set-log-level LEVEL Set logging threshold for manager\n" - " set-log-target TARGET Set logging target for manager\n" - " dump Output state serialization of 
service manager\n" - " verify FILE... Check unit files for correctness\n" + " time Print time spent in the kernel\n" + " blame Print list of running units ordered by time to init\n" + " critical-chain Print a tree of the time critical chain of units\n" + " plot Output SVG graphic showing service initialization\n" + " dot Output dependency graph in dot(1) format\n" + " set-log-level LEVEL Set logging threshold for manager\n" + " set-log-target TARGET Set logging target for manager\n" + " dump Output state serialization of service manager\n" + " syscall-filter [NAME...] Print list of syscalls in seccomp filter\n" + " verify FILE... Check unit files for correctness\n" , program_invocation_short_name); /* When updating this list, including descriptions, apply @@ -1471,6 +1530,8 @@ int main(int argc, char *argv[]) { r = set_log_level(bus, argv+optind+1); else if (streq(argv[optind], "set-log-target")) r = set_log_target(bus, argv+optind+1); + else if (streq(argv[optind], "syscall-filter")) + r = dump_syscall_filters(argv+optind+1); else log_error("Unknown operation '%s'.", argv[optind]); } |
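Review bot: In the named-set branch of `dump_syscall_filters()`, the separator `puts("")` is printed before the result of `syscall_filter_set_find(*name)` is checked, so an unknown name that follows a valid one leaves a stray blank line ahead of the "not found" error. Moving the `if (!first) puts("");` pair below the `if (!set) { ... }` block avoids that. `dump_syscall_filter()` also deserves a short comment such as `/* Prints the compiled-in set definition, not the filter installed on any running unit. */`, because the help string "Print list of syscalls in seccomp filter" can be read as describing an active filter. That reading is inferred from the use of `syscall_filter_sets`, whose definition is outside this diff.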
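Review bot: The new `syscall-filter` branch sits in the same `else if` chain as `set-log-level` and `set-log-target`, which are passed `bus`, although `dump_syscall_filters()` takes no bus. If this chain is only reached after a bus connection has succeeded (the connection code is outside the hunk), the command would fail in a chroot, image build or other environment with no reachable manager, even though it only prints built-in tables. Consider dispatching it before the connection is attempted, with a comment like `/* needs no bus: prints compiled-in tables only */`. main() starts and ends outside the hunk.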