authorLuca Boccassi <bluca@debian.org>2024-06-25 14:44:21 +0200
committerGitHub <noreply@github.com>2024-06-25 14:44:21 +0200
commit4d2a86936a9d834a1d59d00be92f32df50be1807 (patch)
tree0c16a76d53217cfb665c7a406cb175690a51f635 /src
parentMerge pull request #33450 from yuwata/network-ndisc-do-not-override-static-ro... (diff)
parenttest-execute: add a test case for issue #33299 (diff)
Merge pull request #33451 from yuwata/core-exec-use-write
core: use write() instead of send()
Diffstat (limited to 'src')
-rw-r--r--src/core/exec-invoke.c9
-rw-r--r--src/shared/seccomp-util.c56
-rw-r--r--src/shared/seccomp-util.h1
-rw-r--r--src/test/test-execute.c2
4 files changed, 41 insertions, 27 deletions
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index ec5684d1a5..3f713e731f 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -1439,6 +1439,13 @@ static int apply_syscall_filter(const ExecContext *c, const ExecParameters *p, b
return r;
}
+ /* Sending over exec_fd or handoff_timestamp_fd requires write() syscall. */
+ if (p->exec_fd >= 0 || p->handoff_timestamp_fd >= 0) {
+ r = seccomp_filter_set_add_by_name(c->syscall_filter, c->syscall_allow_list, "write");
+ if (r < 0)
+ return r;
+ }
+
return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action, false);
}
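Review bot: The new block widens the unit's syscall filter in both modes, and the comment only explains the allow-list case: because `add` is `c->syscall_allow_list`, in deny-list mode the call removes `write` from the deny set, so an explicit `SystemCallFilter=~write` is silently overridden whenever exec_fd or handoff_timestamp_fd is set. That is presumably intended (the fds appear to be written after the filter is loaded), but it deserves to be stated at the call site and, ideally, a debug log when a configured deny is dropped. Suggested comment to replace the one-liner: `/* Writing to exec_fd/handoff_timestamp_fd happens after the filter is installed, so write() must stay permitted even if the unit's filter would otherwise deny it (in deny-list mode this removes an explicit deny). */`. apply_syscall_filter() begins before this hunk.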
@@ -4013,7 +4020,7 @@ static int send_handoff_timestamp(
dual_timestamp dt;
dual_timestamp_now(&dt);
- if (send(p->handoff_timestamp_fd, (const usec_t[2]) { dt.realtime, dt.monotonic }, sizeof(usec_t) * 2, 0) < 0) {
+ if (write(p->handoff_timestamp_fd, (const usec_t[2]) { dt.realtime, dt.monotonic }, sizeof(usec_t) * 2) < 0) {
if (reterr_exit_status)
*reterr_exit_status = EXIT_EXEC;
return log_exec_error_errno(c, p, errno, "Failed to send handoff timestamp: %m");
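Review bot: The write() result is only tested for `< 0`, so a short write of the two-usec_t payload is accepted as success and the receiver may later read a truncated timestamp. If handoff_timestamp_fd is guaranteed to be a datagram socket this cannot happen, but nothing in the hunk establishes that, and the generic write() path should verify the full length was written. send_handoff_timestamp() continues outside the hunk; the rewritten lines are:
```c
        ssize_t n = write(p->handoff_timestamp_fd, (const usec_t[2]) { dt.realtime, dt.monotonic }, sizeof(usec_t) * 2);
        if (n < 0) {
                /* … unchanged: existing EXIT_EXEC / log_exec_error_errno handling … */
        }
        if ((size_t) n != sizeof(usec_t) * 2) {
                if (reterr_exit_status)
                        *reterr_exit_status = EXIT_EXEC;
                return log_exec_error_errno(c, p, SYNTHETIC_ERRNO(EIO), "Short write while sending handoff timestamp.");
        }
```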
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 2469e24253..d31d6b494b 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -2030,39 +2030,43 @@ int parse_syscall_archs(char **l, Set **ret_archs) {
return 0;
}
-int seccomp_filter_set_add(Hashmap *filter, bool add, const SyscallFilterSet *set) {
- int r;
+int seccomp_filter_set_add_by_name(Hashmap *filter, bool add, const char *name) {
+ assert(filter);
+ assert(name);
- assert(set);
+ if (name[0] == '@') {
+ const SyscallFilterSet *more;
- NULSTR_FOREACH(i, set->value) {
+ more = syscall_filter_set_find(name);
+ if (!more)
+ return -ENXIO;
- if (i[0] == '@') {
- const SyscallFilterSet *more;
+ return seccomp_filter_set_add(filter, add, more);
+ }
- more = syscall_filter_set_find(i);
- if (!more)
- return -ENXIO;
+ int id = seccomp_syscall_resolve_name(name);
+ if (id == __NR_SCMP_ERROR) {
+ log_debug("System call %s is not known, ignoring.", name);
+ return 0;
+ }
- r = seccomp_filter_set_add(filter, add, more);
- if (r < 0)
- return r;
- } else {
- int id;
+ if (add)
+ return hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(-1));
- id = seccomp_syscall_resolve_name(i);
- if (id == __NR_SCMP_ERROR) {
- log_debug("System call %s is not known, ignoring.", i);
- continue;
- }
+ (void) hashmap_remove(filter, INT_TO_PTR(id + 1));
+ return 0;
+}
- if (add) {
- r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(-1));
- if (r < 0)
- return r;
- } else
- (void) hashmap_remove(filter, INT_TO_PTR(id + 1));
- }
+int seccomp_filter_set_add(Hashmap *filter, bool add, const SyscallFilterSet *set) {
+ int r;
+
+ assert(filter);
+ assert(set);
+
+ NULSTR_FOREACH(i, set->value) {
+ r = seccomp_filter_set_add_by_name(filter, add, i);
+ if (r < 0)
+ return r;
}
return 0;
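Review bot: seccomp_filter_set_add_by_name() returns hashmap_put()'s result unchanged on the `add` path, so for a plain syscall name it yields a positive value when the entry was newly inserted and 0 when it was already present, while the `@set` path and the remove path only ever return 0 or a negative errno. Callers in this commit test `r < 0`, so nothing breaks, but the mixed contract is undocumented and a future `if (r != 0)` would misread it; either normalize with `r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(-1));` followed by `return r < 0 ? r : 0;`, or document the positive return. The same documentation gap applies to the new declaration in the seccomp-util.h hunk, which should carry a short comment stating that unknown syscall names are ignored (return 0) while unknown `@set` names return -ENXIO.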
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index fbf8555669..64deb5fd5d 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -70,6 +70,7 @@ extern const SyscallFilterSet syscall_filter_sets[];
const SyscallFilterSet *syscall_filter_set_find(const char *name);
+int seccomp_filter_set_add_by_name(Hashmap *s, bool b, const char *name);
int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);
int seccomp_add_syscall_filter_item(
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 4b8daa46bb..56f5e340be 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -832,6 +832,8 @@ static void test_exec_systemcallfilter(Manager *m) {
return;
}
+ test(m, "exec-systemcallfilter-writing-handoff-timestamp.service", 0, CLD_EXITED);
+
test(m, "exec-systemcallfilter-not-failing.service", 0, CLD_EXITED);
test(m, "exec-systemcallfilter-not-failing2.service", 0, CLD_EXITED);
test(m, "exec-systemcallfilter-not-failing3.service", 0, CLD_EXITED);