authorLennart Poettering <lennart@poettering.net>2014-02-12 18:28:21 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-12 18:30:36 +0100
commit17df7223be064b1542dbe868e3b35cca977ee639 (patch)
tree8c88ea1827e95cb5a0c639b17a30b4295b924f79 /src/core/load-fragment-gperf.gperf.m4
parentc0467cf387548dc98c0254f63553d862b35a84e5 (diff)
core: rework syscall filter
- Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
Diffstat (limited to 'src/core/load-fragment-gperf.gperf.m4')
-rw-r--r--src/core/load-fragment-gperf.gperf.m46
1 files changed, 5 insertions, 1 deletions
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index 7d405788d7..16c9e25785 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -49,7 +49,11 @@ $1.SecureBits, config_parse_exec_secure_bits, 0,
$1.CapabilityBoundingSet, config_parse_bounding_set, 0, offsetof($1, exec_context.capability_bounding_set_drop)
$1.TimerSlackNSec, config_parse_nsec, 0, offsetof($1, exec_context.timer_slack_nsec)
$1.NoNewPrivileges, config_parse_bool, 0, offsetof($1, exec_context.no_new_privileges)
-$1.SystemCallFilter, config_parse_syscall_filter, 0, offsetof($1, exec_context)
+m4_ifdef(`HAVE_SECCOMP',
+`$1.SystemCallFilter, config_parse_syscall_filter, 0, offsetof($1, exec_context)
+$1.SystemCallErrorNumber, config_parse_syscall_errno, 0, offsetof($1, exec_context)',
+`$1.SystemCallFilter, config_parse_warn_compat, 0, 0
+$1.SystemCallErrorNumber, config_parse_warn_compat, 0, 0')
$1.LimitCPU, config_parse_limit, RLIMIT_CPU, offsetof($1, exec_context.rlimit)
$1.LimitFSIZE, config_parse_limit, RLIMIT_FSIZE, offsetof($1, exec_context.rlimit)
$1.LimitDATA, config_parse_limit, RLIMIT_DATA, offsetof($1, exec_context.rlimit)
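Review bot: The fallback branch of the `m4_ifdef` (the two `config_parse_warn_compat` rows) looks fail-open: on a build without `HAVE_SECCOMP`, a unit that sets `SystemCallFilter=` would apparently still load and start with no syscall filter applied. That reading is inferred from the parser's name, since its body is not in this hunk. Because this is a sandboxing option, the degradation deserves a comment at the table, for example `m4_dnl Without HAVE_SECCOMP these settings are only warned about and ignored; the unit runs unfiltered.` It is also worth confirming that the warning is logged at a level operators will notice, and that the documentation for both settings states they have no effect on such builds.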