summaryrefslogtreecommitdiffstats
path: root/src/shared/seccomp-util.h
diff options
context:
space:
mode:
authorYu Watanabe <watanabe.yu+github@gmail.com>2017-12-23 10:45:32 +0100
committerYu Watanabe <watanabe.yu+github@gmail.com>2017-12-23 10:45:32 +0100
commit898748d8b97194e43f909e6edf27c100ecaad1be (patch)
tree78fce10d14c30101c2feedb0884126115074ef2a /src/shared/seccomp-util.h
parentcore: move path_kill_slashes() to manager (diff)
downloadsystemd-898748d8b97194e43f909e6edf27c100ecaad1be.tar.xz
systemd-898748d8b97194e43f909e6edf27c100ecaad1be.zip
core,seccomp: fix logic to parse syscall filter in dbus-execute.c
If multiple SystemCallFilter= settings, some of them are whitelist and the others are blacklist, are sent to bus, then the parse result was corrupted. This fixes the parse logic, now it is the same as one used in load-fragment.c
Diffstat (limited to '')
-rw-r--r--src/shared/seccomp-util.h18
1 files changed, 18 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index ad2ab7f6b5..0b30cdf388 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -81,6 +81,24 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint
int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action);
+int seccomp_parse_syscall_filter_internal(
+ bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist,
+ bool warn, const char *unit, const char *filename, unsigned line);
+
+static inline int seccomp_parse_syscall_filter_and_warn(
+ bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist,
+ const char *unit, const char *filename, unsigned line) {
+ assert(unit);
+ assert(filename);
+
+ return seccomp_parse_syscall_filter_internal(invert, name, errno_num, filter, whitelist, true, unit, filename, line);
+}
+
+static inline int seccomp_parse_syscall_filter(
+ bool invert, const char *name, int errno_num, Hashmap *filter, bool whitelist) {
+ return seccomp_parse_syscall_filter_internal(invert, name, errno_num, filter, whitelist, false, NULL, NULL, 0);
+}
+
int seccomp_restrict_archs(Set *archs);
int seccomp_restrict_namespaces(unsigned long retain);
int seccomp_protect_sysctl(void);