From 40eb6a801427e28a237d32869639fffc8436c930 Mon Sep 17 00:00:00 2001 From: Zbigniew Jędrzejewski-Szmek Date: Wed, 2 Nov 2016 12:01:04 -0400 Subject: seccomp-util: move @default to the first position Now that the list is user-visible, @default should be first. --- src/shared/seccomp-util.c | 36 ++++++++++++++++++------------------ src/shared/seccomp-util.h | 3 ++- 2 files changed, 20 insertions(+), 19 deletions(-) (limited to 'src/shared') diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index c9b24f1065..325dcc866e 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -217,6 +217,24 @@ bool is_seccomp_available(void) { } const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + [SYSCALL_FILTER_SET_DEFAULT] = { + /* Default list: the most basic of operations */ + .name = "@default", + .value = + "clock_getres\0" + "clock_gettime\0" + "clock_nanosleep\0" + "execve\0" + "exit\0" + "exit_group\0" + "getrlimit\0" /* make sure processes can query stack size and such */ + "gettimeofday\0" + "nanosleep\0" + "pause\0" + "rt_sigreturn\0" + "sigreturn\0" + "time\0" + }, [SYSCALL_FILTER_SET_BASIC_IO] = { /* Basic IO */ .name = "@basic-io", @@ -270,24 +288,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { #endif "sys_debug_setcontext\0" }, - [SYSCALL_FILTER_SET_DEFAULT] = { - /* Default list: the most basic of operations */ - .name = "@default", - .value = - "clock_getres\0" - "clock_gettime\0" - "clock_nanosleep\0" - "execve\0" - "exit\0" - "exit_group\0" - "getrlimit\0" /* make sure processes can query stack size and such */ - "gettimeofday\0" - "nanosleep\0" - "pause\0" - "rt_sigreturn\0" - "sigreturn\0" - "time\0" - }, [SYSCALL_FILTER_SET_IO_EVENT] = { /* Event loop use */ .name = "@io-event", diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index 8e209efef2..ce7417b0ba 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h 
@@ -38,11 +38,12 @@ typedef struct SyscallFilterSet { } SyscallFilterSet; enum { + /* Please leave DEFAULT first, but sort the rest alphabetically */ + SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_BASIC_IO, SYSCALL_FILTER_SET_CLOCK, SYSCALL_FILTER_SET_CPU_EMULATION, SYSCALL_FILTER_SET_DEBUG, - SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_IO_EVENT, SYSCALL_FILTER_SET_IPC, SYSCALL_FILTER_SET_KEYRING, -- cgit v1.2.3-54-g00ecf From d5efc18b609ad8cfe63325c8b4f82264e56eadf3 Mon Sep 17 00:00:00 2001 From: Zbigniew Jędrzejewski-Szmek Date: Wed, 2 Nov 2016 12:24:34 -0400 Subject: seccomp-util, analyze: export comments as a help string Just to make the whole thing easier for users. --- man/systemd.exec.xml | 6 +++--- src/analyze/analyze.c | 1 + src/shared/seccomp-util.c | 34 ++++++++++++++++++---------------- src/shared/seccomp-util.h | 1 + 4 files changed, 23 insertions(+), 19 deletions(-) (limited to 'src/shared') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 0de263cb07..dd574df82a 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1339,11 +1339,11 @@ @module - Kernel module control (init_module2, delete_module2 and related calls) + Loading and unloading of kernel modules (init_module2, delete_module2 and related calls) @mount - File system mounting and unmounting (mount2, chroot2, and related calls) + Mounting and unmounting of file systems (mount2, chroot2, and related calls) @network-io @@ -1359,7 +1359,7 @@ @process - Process control, execution, namespaces (clone2, kill2, namespaces7, … + Process control, execution, namespaceing operations (clone2, kill2, namespaces7, … @raw-io diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c index 0495fca17d..83e1cdf11d 100644 --- a/src/analyze/analyze.c +++ b/src/analyze/analyze.c 
@@ -1280,6 +1280,7 @@ static void dump_syscall_filter(const SyscallFilterSet *set) { const char *syscall; printf("%s\n", set->name); + printf(" # %s\n", set->help); NULSTR_FOREACH(syscall, set->value) printf(" %s\n", syscall); } diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 325dcc866e..fc1f6b68f2 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -218,8 +218,8 @@ bool is_seccomp_available(void) { const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { [SYSCALL_FILTER_SET_DEFAULT] = { - /* Default list: the most basic of operations */ .name = "@default", + .help = "System calls that are always permitted", .value = "clock_getres\0" "clock_gettime\0" @@ -236,8 +236,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "time\0" }, [SYSCALL_FILTER_SET_BASIC_IO] = { - /* Basic IO */ .name = "@basic-io", + .help = "Basic IO", .value = "close\0" "dup2\0" @@ -254,8 +254,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "writev\0" }, [SYSCALL_FILTER_SET_CLOCK] = { - /* Clock */ .name = "@clock", + .help = "Change the system time", .value = "adjtimex\0" "clock_adjtime\0" @@ -264,8 +264,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "stime\0" }, [SYSCALL_FILTER_SET_CPU_EMULATION] = { - /* CPU emulation calls */ .name = "@cpu-emulation", + .help = "System calls for CPU emulation functionality", .value = "modify_ldt\0" "subpage_prot\0" @@ -274,8 +274,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "vm86old\0" }, [SYSCALL_FILTER_SET_DEBUG] = { - /* Debugging/Performance Monitoring/Tracing */ .name = "@debug", + .help = "Debugging, performance monitoring and tracing functionality", .value = "lookup_dcookie\0" "perf_event_open\0" 
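Review bot: The new `printf(" # %s\n", set->help);` in dump_syscall_filter hands set->help to %s unconditionally, and `help` is a freshly added field that a designated initializer silently leaves NULL when an entry omits it; passing NULL to %s is undefined behaviour and, depending on the libc, either crashes or prints "(null)". Every set visible in this patch does get a .help, so this is about the next set someone adds rather than the current table. A one-line guard keeps the dump robust: `if (set->help) printf(" # %s\n", set->help);` (or assert it is non-NULL if a missing help is meant to be a programming error). The signature of dump_syscall_filter is outside the hunk; only its body is shown.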
@@ -289,8 +289,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "sys_debug_setcontext\0"
 },
 [SYSCALL_FILTER_SET_IO_EVENT] = {
- /* Event loop use */
 .name = "@io-event",
+ .help = "Event loop system calls",
 .value =
 "_newselect\0"
 "epoll_create1\0"
@@ -308,9 +308,10 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "select\0"
 },
 [SYSCALL_FILTER_SET_IPC] = {
- /* Message queues, SYSV IPC or other IPC */
 .name = "@ipc",
- .value = "ipc\0"
+ .help = "SysV IPC, POSIX Message Queues or other IPC",
+ .value =
+ "ipc\0"
 "memfd_create\0"
 "mq_getsetattr\0"
 "mq_notify\0"
@@ -336,24 +337,24 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "shmget\0"
 },
 [SYSCALL_FILTER_SET_KEYRING] = {
- /* Keyring */
 .name = "@keyring",
+ .help = "Kernel keyring access",
 .value =
 "add_key\0"
 "keyctl\0"
 "request_key\0"
 },
 [SYSCALL_FILTER_SET_MODULE] = {
- /* Kernel module control */
 .name = "@module",
+ .help = "Loading and unloading of kernel modules",
 .value =
 "delete_module\0"
 "finit_module\0"
 "init_module\0"
 },
 [SYSCALL_FILTER_SET_MOUNT] = {
- /* Mounting */
 .name = "@mount",
+ .help = "Mounting and unmounting of file systems",
 .value =
 "chroot\0"
 "mount\0"
@@ -362,8 +363,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "umount\0"
 },
 [SYSCALL_FILTER_SET_NETWORK_IO] = {
- /* Network or Unix socket IO, should not be needed if not network facing */
 .name = "@network-io",
+ .help = "Network or Unix socket IO, should not be needed if not network facing",
 .value =
 "accept4\0"
 "accept\0"
@@ -388,8 +389,9 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "socketpair\0"
 },
 [SYSCALL_FILTER_SET_OBSOLETE] = {
- /* Unusual, obsolete or unimplemented, some unknown even to libseccomp */
+ /* some unknown even to libseccomp */
 .name = "@obsolete",
+ .help = "Unusual, obsolete or unimplemented system calls",
 .value =
 "_sysctl\0"
 "afs_syscall\0"
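Review bot: In the @obsolete hunk (`@@ -388,8 +389,9 @@`) the surviving comment `/* some unknown even to libseccomp */` is the tail of the sentence that was split into the new .help string, so on its own it reads as a fragment with no subject. Rewording it to a full sentence, `/* Some of these are unknown even to libseccomp */`, keeps the useful caveat (such calls cannot be matched by a filter) without depending on the removed text. The other hunks on this line merely move comment text into .help and look fine.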
@@ -417,8 +419,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "vserver\0" }, [SYSCALL_FILTER_SET_PRIVILEGED] = { - /* Nice grab-bag of all system calls which need superuser capabilities */ .name = "@privileged", + .help = "All system calls which need super-user capabilities", .value = "@clock\0" "@module\0" @@ -459,8 +461,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "vhangup\0" }, [SYSCALL_FILTER_SET_PROCESS] = { - /* Process control, execution, namespaces */ .name = "@process", + .help = "Process control, execution, namespaceing operations", .value = "arch_prctl\0" "clone\0" @@ -475,8 +477,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "vfork\0" }, [SYSCALL_FILTER_SET_RAW_IO] = { - /* Raw I/O ports */ .name = "@raw-io", + .help = "Raw I/O port access", .value = "ioperm\0" "iopl\0" diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index ce7417b0ba..f0b9f455ab 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -34,6 +34,7 @@ bool is_seccomp_available(void); typedef struct SyscallFilterSet { const char *name; + const char *help; const char *value; } SyscallFilterSet; -- cgit v1.2.3-54-g00ecf
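Review bot: The @process hunk (`@@ -459,8 +461,8 @@`) introduces a typo in a user-visible string: `.help = "Process control, execution, namespaceing operations",` should read `.help = "Process control, execution, namespacing operations",`. The same misspelling was added to man/systemd.exec.xml in this commit, so both places want the fix together so the man page and the dump stay in sync.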
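Review bot: The new `const char *help;` member in seccomp-util.h (`@@ -34,6 +34,7 @@`) is undocumented, and nothing in the header says whether it may be NULL or how it is consumed. Since analyze.c prints it straight through %s, a short comment makes the contract explicit for whoever adds the next set: `const char *help; /* one-line description shown by dump_syscall_filter(); must be non-NULL for every set */`. It looks like every entry in syscall_filter_sets is expected to set it, but that is inferred from this patch rather than enforced anywhere visible.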