diff options
author | Lennart Poettering <lennart@poettering.net> | 2016-10-21 20:12:33 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-10-24 17:32:50 +0200 |
commit | 25a8d8a0cb297f75b6b9fd3cc15747ba7f56031e (patch) | |
tree | 373b78e934205e4fe1bcf605c7bf9f1473b2d4b1 /src/core/execute.c | |
parent | 8130926d32d76193e98ba783ba932816f276bfad (diff) |
core: rework apply_protect_kernel_modules() to use seccomp_add_syscall_filter_set()
Let's simplify this call, by making use of the new infrastructure.
This is actually more in line with Djalal's original patch but instead of
search the filter set in the array by its name we can now use the set index and
jump directly to it.
Diffstat (limited to 'src/core/execute.c')
-rw-r--r-- | src/core/execute.c | 18 |
1 files changed, 5 insertions, 13 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index 18bb67cda9..f435a079c7 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1534,19 +1534,14 @@ finish: } static int apply_protect_kernel_modules(Unit *u, const ExecContext *c) { - static const int module_syscalls[] = { - SCMP_SYS(delete_module), - SCMP_SYS(finit_module), - SCMP_SYS(init_module), - }; scmp_filter_ctx *seccomp; - unsigned i; + const char *sys; int r; assert(c); - /* Turn of module syscalls on ProtectKernelModules=yes */ + /* Turn off module syscalls on ProtectKernelModules=yes */ if (skip_seccomp_unavailable(u, "ProtectKernelModules=")) return 0; @@ -1559,12 +1554,9 @@ static int apply_protect_kernel_modules(Unit *u, const ExecContext *c) { if (r < 0) goto finish; - for (i = 0; i < ELEMENTSOF(module_syscalls); i++) { - r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), - module_syscalls[i], 0); - if (r < 0) - goto finish; - } + r = seccomp_add_syscall_filter_set(seccomp, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM)); + if (r < 0) + goto finish; r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0); if (r < 0) |