mirror of
https://github.com/systemd/systemd
synced 2024-09-30 05:15:19 +00:00
Merge pull request #33451 from yuwata/core-exec-use-write
core: use write() instead of send()
This commit is contained in:
commit
4d2a86936a
|
@ -1439,6 +1439,13 @@ static int apply_syscall_filter(const ExecContext *c, const ExecParameters *p, b
|
|||
return r;
|
||||
}
|
||||
|
||||
/* Sending over exec_fd or handoff_timestamp_fd requires write() syscall. */
|
||||
if (p->exec_fd >= 0 || p->handoff_timestamp_fd >= 0) {
|
||||
r = seccomp_filter_set_add_by_name(c->syscall_filter, c->syscall_allow_list, "write");
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action, false);
|
||||
}
|
||||
|
||||
|
@ -4013,7 +4020,7 @@ static int send_handoff_timestamp(
|
|||
dual_timestamp dt;
|
||||
dual_timestamp_now(&dt);
|
||||
|
||||
if (send(p->handoff_timestamp_fd, (const usec_t[2]) { dt.realtime, dt.monotonic }, sizeof(usec_t) * 2, 0) < 0) {
|
||||
if (write(p->handoff_timestamp_fd, (const usec_t[2]) { dt.realtime, dt.monotonic }, sizeof(usec_t) * 2) < 0) {
|
||||
if (reterr_exit_status)
|
||||
*reterr_exit_status = EXIT_EXEC;
|
||||
return log_exec_error_errno(c, p, errno, "Failed to send handoff timestamp: %m");
|
||||
|
|
|
@ -2030,39 +2030,43 @@ int parse_syscall_archs(char **l, Set **ret_archs) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
int seccomp_filter_set_add_by_name(Hashmap *filter, bool add, const char *name) {
|
||||
assert(filter);
|
||||
assert(name);
|
||||
|
||||
if (name[0] == '@') {
|
||||
const SyscallFilterSet *more;
|
||||
|
||||
more = syscall_filter_set_find(name);
|
||||
if (!more)
|
||||
return -ENXIO;
|
||||
|
||||
return seccomp_filter_set_add(filter, add, more);
|
||||
}
|
||||
|
||||
int id = seccomp_syscall_resolve_name(name);
|
||||
if (id == __NR_SCMP_ERROR) {
|
||||
log_debug("System call %s is not known, ignoring.", name);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (add)
|
||||
return hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(-1));
|
||||
|
||||
(void) hashmap_remove(filter, INT_TO_PTR(id + 1));
|
||||
return 0;
|
||||
}
|
||||
|
||||
int seccomp_filter_set_add(Hashmap *filter, bool add, const SyscallFilterSet *set) {
|
||||
int r;
|
||||
|
||||
assert(filter);
|
||||
assert(set);
|
||||
|
||||
NULSTR_FOREACH(i, set->value) {
|
||||
|
||||
if (i[0] == '@') {
|
||||
const SyscallFilterSet *more;
|
||||
|
||||
more = syscall_filter_set_find(i);
|
||||
if (!more)
|
||||
return -ENXIO;
|
||||
|
||||
r = seccomp_filter_set_add(filter, add, more);
|
||||
if (r < 0)
|
||||
return r;
|
||||
} else {
|
||||
int id;
|
||||
|
||||
id = seccomp_syscall_resolve_name(i);
|
||||
if (id == __NR_SCMP_ERROR) {
|
||||
log_debug("System call %s is not known, ignoring.", i);
|
||||
continue;
|
||||
}
|
||||
|
||||
if (add) {
|
||||
r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(-1));
|
||||
if (r < 0)
|
||||
return r;
|
||||
} else
|
||||
(void) hashmap_remove(filter, INT_TO_PTR(id + 1));
|
||||
}
|
||||
r = seccomp_filter_set_add_by_name(filter, add, i);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
@ -70,6 +70,7 @@ extern const SyscallFilterSet syscall_filter_sets[];
|
|||
|
||||
const SyscallFilterSet *syscall_filter_set_find(const char *name);
|
||||
|
||||
int seccomp_filter_set_add_by_name(Hashmap *s, bool b, const char *name);
|
||||
int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);
|
||||
|
||||
int seccomp_add_syscall_filter_item(
|
||||
|
|
|
@ -832,6 +832,8 @@ static void test_exec_systemcallfilter(Manager *m) {
|
|||
return;
|
||||
}
|
||||
|
||||
test(m, "exec-systemcallfilter-writing-handoff-timestamp.service", 0, CLD_EXITED);
|
||||
|
||||
test(m, "exec-systemcallfilter-not-failing.service", 0, CLD_EXITED);
|
||||
test(m, "exec-systemcallfilter-not-failing2.service", 0, CLD_EXITED);
|
||||
test(m, "exec-systemcallfilter-not-failing3.service", 0, CLD_EXITED);
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
[Unit]
|
||||
Description=Test for SystemCallFilter
|
||||
|
||||
[Service]
|
||||
ExecStart=true
|
||||
Type=oneshot
|
||||
# For issue #33299
|
||||
SystemCallFilter=~@network-io
|
||||
SystemCallFilter=~write
|
||||
SystemCallErrorNumber=ENOSYS
|
Loading…
Reference in a new issue