path: root/src/core/execute.c
authorLennart Poettering <lennart@poettering.net>2016-10-21 21:50:05 +0200
committerLennart Poettering <lennart@poettering.net>2016-10-24 17:32:50 +0200
commit8130926d32d76193e98ba783ba932816f276bfad (patch)
tree1c2d5281da29c9cc10480e95b186d88941b1acf8 /src/core/execute.c
parente0f3720e399573134657458f4c8bd20c68fc092a (diff)
core: rework syscall filter set handling
A variety of fixes: - rename the SystemCallFilterSet structure to SyscallFilterSet. So far the main instance of it (the syscall_filter_sets[] array) used to abbreviate "SystemCall" as "Syscall". Let's stick to one of the two syntaxes, and not mix and match too wildly. Let's pick the shorter name in this case, as it is sufficiently well established to not confuse hackers reading this. - Export explicit indexes into the syscall_filter_sets[] array via an enum. This way, code that wants to make use of a specific filter set, can index it directly via the enum, instead of having to search for it. This makes apply_private_devices() in particular a lot simpler. - Provide two new helper calls in seccomp-util.c: syscall_filter_set_find() to find a set by its name, seccomp_add_syscall_filter_set() to add a set to a seccomp object. - Update SystemCallFilter= parser to use extract_first_word(). Let's work on deprecating FOREACH_WORD_QUOTED(). - Simplify apply_private_devices() using this functionality
Diffstat (limited to 'src/core/execute.c')
-rw-r--r--src/core/execute.c41
1 files changed, 2 insertions, 39 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index e63a12f934..18bb67cda9 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1578,10 +1578,7 @@ finish:
}
static int apply_private_devices(Unit *u, const ExecContext *c) {
- const SystemCallFilterSet *set;
scmp_filter_ctx *seccomp;
- const char *sys;
- bool syscalls_found = false;
int r;
assert(c);
@@ -1599,43 +1596,9 @@ static int apply_private_devices(Unit *u, const ExecContext *c) {
if (r < 0)
goto finish;
- for (set = syscall_filter_sets; set->set_name; set++)
- if (streq(set->set_name, "@raw-io")) {
- syscalls_found = true;
- break;
- }
-
- /* We should never fail here */
- if (!syscalls_found) {
- r = -EOPNOTSUPP;
+ r = seccomp_add_syscall_filter_set(seccomp, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
+ if (r < 0)
goto finish;
- }
-
- NULSTR_FOREACH(sys, set->value) {
- int id;
- bool add = true;
-
-#ifndef __NR_s390_pci_mmio_read
- if (streq(sys, "s390_pci_mmio_read"))
- add = false;
-#endif
-#ifndef __NR_s390_pci_mmio_write
- if (streq(sys, "s390_pci_mmio_write"))
- add = false;
-#endif
-
- if (!add)
- continue;
-
- id = seccomp_syscall_resolve_name(sys);
-
- r = seccomp_rule_add(
- seccomp,
- SCMP_ACT_ERRNO(EPERM),
- id, 0);
- if (r < 0)
- goto finish;
- }
r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
if (r < 0)
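Review bot: The new `r = seccomp_add_syscall_filter_set(seccomp, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));` line has to cope with syscall names libseccomp cannot resolve on the build architecture, because the inline loop it replaces explicitly skipped s390_pci_mmio_read and s390_pci_mmio_write when the matching __NR_ macro was undefined, and that special case disappears with this hunk. The helper is defined in seccomp-util.c and is not part of this diff, so I cannot confirm whether it checks seccomp_syscall_resolve_name() for __NR_SCMP_ERROR; note that the removed loop did not check that either and handed the raw id straight to seccomp_rule_add(). If the helper turns an unresolvable name into an error, PrivateDevices= would stop applying on every architecture that lacks those two syscalls, whereas if it skips them silently that contract deserves to be stated at the call site, e.g. `/* Names libseccomp cannot resolve here (s390_pci_mmio_* on other archs) are skipped by the helper, not treated as errors */`, once verified against the helper. apply_private_devices() starts before this hunk and the finish: label the gotos target lies after it.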