[systemd-devel] [PATCH 2/2] syscallfilter: port to libseccomp
Ronny Chevalier
chevalier.ronny at gmail.com
Wed Jan 22 16:34:58 PST 2014
---
Hi,
This patch ports the syscall filter to libseccomp. It can be disabled with
--disable-seccomp and is enabled by default if libseccomp is present.
Maybe I should add a warning when parsing SyscallFilter in a .service
if seccomp has been disabled ?
Now the SyscallFilter property is a duplicate of the string in the .service
file instead of a uint array.
Ronny
Makefile.am | 30 ++---------------
README | 1 +
TODO | 1 -
configure.ac | 14 ++++++++
src/core/dbus-execute.c | 8 ++---
src/core/execute.c | 72 +++++++++------------------------------
src/core/execute.h | 8 ++++-
src/core/load-fragment.c | 63 +++++++++++++++++-----------------
src/shared/.gitignore | 4 ---
src/shared/linux/seccomp-bpf.h | 76 ------------------------------------------
src/shared/linux/seccomp.h | 47 --------------------------
src/shared/syscall-list.c | 56 -------------------------------
src/shared/syscall-list.h | 41 -----------------------
src/test/test-tables.c | 3 --
14 files changed, 75 insertions(+), 349 deletions(-)
delete mode 100644 src/shared/linux/seccomp-bpf.h
delete mode 100644 src/shared/linux/seccomp.h
delete mode 100644 src/shared/syscall-list.c
delete mode 100644 src/shared/syscall-list.h
diff --git a/Makefile.am b/Makefile.am
index 935a195..9a69fce 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -648,8 +648,6 @@ noinst_LTLIBRARIES += \
libsystemd_shared_la_SOURCES = \
src/shared/linux/auto_dev-ioctl.h \
src/shared/linux/fanotify.h \
- src/shared/linux/seccomp.h \
- src/shared/linux/seccomp-bpf.h \
src/shared/ioprio.h \
src/shared/missing.h \
src/shared/initreq.h \
@@ -757,8 +755,6 @@ libsystemd_shared_la_SOURCES = \
src/shared/net-util.h \
src/shared/errno-list.c \
src/shared/errno-list.h \
- src/shared/syscall-list.c \
- src/shared/syscall-list.h \
src/shared/audit.c \
src/shared/audit.h \
src/shared/xml.c \
@@ -766,9 +762,7 @@ libsystemd_shared_la_SOURCES = \
nodist_libsystemd_shared_la_SOURCES = \
src/shared/errno-from-name.h \
- src/shared/errno-to-name.h \
- src/shared/syscall-from-name.h \
- src/shared/syscall-to-name.h
+ src/shared/errno-to-name.h
# ------------------------------------------------------------------------------
noinst_LTLIBRARIES += \
@@ -993,6 +987,7 @@ libsystemd_core_la_CFLAGS = \
$(PAM_CFLAGS) \
$(AUDIT_CFLAGS) \
$(KMOD_CFLAGS) \
+ $(SECCOMP_CFLAGS) \
-pthread
libsystemd_core_la_LIBADD = \
@@ -1008,6 +1003,7 @@ libsystemd_core_la_LIBADD = \
$(PAM_LIBS) \
$(AUDIT_LIBS) \
$(CAP_LIBS) \
+ $(SECCOMP_LIBS) \
$(KMOD_LIBS)
src/core/load-fragment-gperf-nulstr.c: src/core/load-fragment-gperf.gperf
@@ -1021,33 +1017,13 @@ CLEANFILES += \
src/core/load-fragment-gperf.gperf \
src/core/load-fragment-gperf.c \
src/core/load-fragment-gperf-nulstr.c \
- src/shared/syscall-list.txt \
- src/shared/syscall-from-name.gperf \
src/shared/errno-list.txt \
src/shared/errno-from-name.gperf
BUILT_SOURCES += \
- src/shared/syscall-from-name.h \
- src/shared/syscall-to-name.h \
src/shared/errno-from-name.h \
src/shared/errno-to-name.h
-src/shared/syscall-list.txt:
- $(AM_V_at)$(MKDIR_P) $(dir $@)
- $(AM_V_GEN)$(CPP) $(CFLAGS) $(AM_CPPFLAGS) $(CPPFLAGS) -dM -include sys/syscall.h - < /dev/null | $(AWK) '/^#define[ \t]+__NR_[^ ]+[ \t]+[0-9(]/ { sub(/__NR_/, "", $$2); if ($$2 !~ /SYSCALL_BASE/) print $$2; }' > $@
-
-src/shared/syscall-from-name.gperf: src/shared/syscall-list.txt
- $(AM_V_at)$(MKDIR_P) $(dir $@)
- $(AM_V_GEN)$(AWK) 'BEGIN{ print "struct syscall_name { const char* name; int id; };"; print "%null-strings"; print "%%";} { printf "%s, __NR_%s\n", $$1, $$1 }' < $< > $@
-
-src/shared/syscall-from-name.h: src/shared/syscall-from-name.gperf
- $(AM_V_at)$(MKDIR_P) $(dir $@)
- $(AM_V_GPERF)$(GPERF) -L ANSI-C -t --ignore-case -N lookup_syscall -H hash_syscall_name -p -C < $< > $@
-
-src/shared/syscall-to-name.h: src/shared/syscall-list.txt
- $(AM_V_at)$(MKDIR_P) $(dir $@)
- $(AM_V_GEN)$(AWK) 'BEGIN{ print "static const char* const syscall_names[] = { "} { printf "[SYSCALL_TO_INDEX(__NR_%s)] = \"%s\",\n", $$1, $$1 } END{print "};"}' < $< > $@
-
src/shared/errno-list.txt:
$(AM_V_at)$(MKDIR_P) $(dir $@)
$(AM_V_GEN)$(CPP) $(CFLAGS) $(AM_CPPFLAGS) $(CPPFLAGS) -dM -include errno.h - < /dev/null | $(AWK) '/^#define[ \t]+E[^ _]+[ \t]+[0-9]/ { print $$2; }' > $@
diff --git a/README b/README
index 0548e6a..d94fbb3 100644
--- a/README
+++ b/README
@@ -92,6 +92,7 @@ REQUIREMENTS:
glibc >= 2.14
libcap
+ libseccomp >= 1.0.0 (optional)
libblkid >= 2.20 (from util-linux) (optional)
libkmod >= 15 (optional)
PAM >= 1.1.2 (optional)
diff --git a/TODO b/TODO
index e5318d7..d2095c0 100644
--- a/TODO
+++ b/TODO
@@ -528,7 +528,6 @@ Features:
- syscall filter: add knowledge about compat syscalls
- syscall filter: don't enforce no new privs?
- syscall filter: option to return EPERM rather than SIGSYS?
- - syscall filter: port to libseccomp
- system-wide seccomp filter
* load-fragment: when loading a unit file via a chain of symlinks
diff --git a/configure.ac b/configure.ac
index 939ba6d..1f68f3e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -309,6 +309,19 @@ fi
AM_CONDITIONAL(HAVE_BLKID, [test "$have_blkid" = "yes"])
# ------------------------------------------------------------------------------
+have_seccomp=no
+AC_ARG_ENABLE(seccomp, AS_HELP_STRING([--disable-seccomp], [Disable optional SECCOMP support]))
+if test "x$enable_seccomp" != "xno"; then
+ PKG_CHECK_MODULES(SECCOMP, [libseccomp >= 1.0.0],
+ [AC_DEFINE(HAVE_SECCOMP, 1, [Define if seccomp is available]) have_seccomp=yes],
+ [have_seccomp=no])
+ if test "x$have_seccomp" = "xno" -a "x$enable_seccomp" = "xyes"; then
+ AC_MSG_ERROR([*** seccomp support requested but libraries not found])
+ fi
+fi
+AM_CONDITIONAL(HAVE_SECCOMP, [test "$have_seccomp" = "yes"])
+
+# ------------------------------------------------------------------------------
have_ima=yes
AC_ARG_ENABLE([ima], AS_HELP_STRING([--disable-ima],[Disable optional IMA support]),
[case "${enableval}" in
@@ -1076,6 +1089,7 @@ AC_MSG_RESULT([
AUDIT: ${have_audit}
IMA: ${have_ima}
SELinux: ${have_selinux}
+ SECCOMP: ${have_seccomp}
SMACK: ${have_smack}
XZ: ${have_xz}
ACL: ${have_acl}
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index edf84f8..6f7c8ea 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -25,7 +25,6 @@
#include "missing.h"
#include "ioprio.h"
#include "strv.h"
-#include "syscall-list.h"
#include "fileio.h"
#include "execute.h"
#include "dbus-execute.h"
@@ -353,10 +352,7 @@ static int property_get_syscall_filter(
assert(reply);
assert(c);
- if (c->syscall_filter)
- return sd_bus_message_append_array(reply, 'u', c->syscall_filter, (syscall_max() + 31) >> 4);
- else
- return sd_bus_message_append_array(reply, 'u', NULL, 0);
+ return sd_bus_message_append(reply, "s", c->syscall_filter_string);
}
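Review bot: property_get_syscall_filter now passes `c->syscall_filter_string` straight to `sd_bus_message_append(reply, "s", …)`, and that pointer is NULL for every unit that never set SystemCallFilter= (and in builds without HAVE_SECCOMP, where the parser never stores it), whereas the removed code had an explicit NULL branch. Unless sd_bus_message_append already maps a NULL string argument to "", the common case becomes a failed property read, so either keep an explicit branch or pass `strempty(c->syscall_filter_string)`. Note also that the vtable hunk below changes the signature of the existing SystemCallFilter property from "au" to "s" under the same name, which any client already reading it will see as an interface break. The enclosing function begins above the hunk.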
const sd_bus_vtable bus_exec_vtable[] = {
@@ -420,7 +416,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("UtmpIdentifier", "s", NULL, offsetof(ExecContext, utmp_id), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("IgnoreSIGPIPE", "b", bus_property_get_bool, offsetof(ExecContext, ignore_sigpipe), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("NoNewPrivileges", "b", bus_property_get_bool, offsetof(ExecContext, no_new_privileges), SD_BUS_VTABLE_PROPERTY_CONST),
- SD_BUS_PROPERTY("SystemCallFilter", "au", property_get_syscall_filter, 0, SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("SystemCallFilter", "s", property_get_syscall_filter, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_VTABLE_END
};
diff --git a/src/core/execute.c b/src/core/execute.c
index 91e4352..47547c8 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -38,9 +38,11 @@
#include <linux/fs.h>
#include <linux/oom.h>
#include <sys/poll.h>
-#include <linux/seccomp-bpf.h>
#include <glob.h>
#include <libgen.h>
+#ifdef HAVE_SECCOMP
+#include <seccomp.h>
+#endif
#undef basename
#ifdef HAVE_PAM
@@ -63,7 +65,6 @@
#include "utmp-wtmp.h"
#include "def.h"
#include "path-util.h"
-#include "syscall-list.h"
#include "env-util.h"
#include "fileio.h"
#include "unit.h"
@@ -928,58 +929,6 @@ static void rename_process_from_path(const char *path) {
rename_process(process_name);
}
-static int apply_seccomp(uint32_t *syscall_filter) {
- static const struct sock_filter header[] = {
- VALIDATE_ARCHITECTURE,
- EXAMINE_SYSCALL
- };
- static const struct sock_filter footer[] = {
- _KILL_PROCESS
- };
-
- int i;
- unsigned n;
- struct sock_filter *f;
- struct sock_fprog prog = {};
-
- assert(syscall_filter);
-
- /* First: count the syscalls to check for */
- for (i = 0, n = 0; i < syscall_max(); i++)
- if (syscall_filter[i >> 4] & (1 << (i & 31)))
- n++;
-
- /* Second: build the filter program from a header the syscall
- * matches and the footer */
- f = alloca(sizeof(struct sock_filter) * (ELEMENTSOF(header) + 2*n + ELEMENTSOF(footer)));
- memcpy(f, header, sizeof(header));
-
- for (i = 0, n = 0; i < syscall_max(); i++)
- if (syscall_filter[i >> 4] & (1 << (i & 31))) {
- struct sock_filter item[] = {
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, INDEX_TO_SYSCALL(i), 0, 1),
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
- };
-
- assert_cc(ELEMENTSOF(item) == 2);
-
- f[ELEMENTSOF(header) + 2*n] = item[0];
- f[ELEMENTSOF(header) + 2*n+1] = item[1];
-
- n++;
- }
-
- memcpy(f + (ELEMENTSOF(header) + 2*n), footer, sizeof(footer));
-
- /* Third: install the filter */
- prog.len = ELEMENTSOF(header) + ELEMENTSOF(footer) + 2*n;
- prog.filter = f;
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
- return -errno;
-
- return 0;
-}
-
static void do_idle_pipe_dance(int idle_pipe[4]) {
assert(idle_pipe);
@@ -1557,13 +1506,15 @@ int exec_spawn(ExecCommand *command,
goto fail_child;
}
+#ifdef HAVE_SECCOMP
if (context->syscall_filter) {
- err = apply_seccomp(context->syscall_filter);
+ err = seccomp_load(context->syscall_filter);
if (err < 0) {
r = EXIT_SECCOMP;
goto fail_child;
}
}
+#endif
}
err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
@@ -1722,8 +1673,15 @@ void exec_context_done(ExecContext *c) {
free(c->utmp_id);
c->utmp_id = NULL;
- free(c->syscall_filter);
- c->syscall_filter = NULL;
+ free(c->syscall_filter_string);
+ c->syscall_filter_string = NULL;
+
+#ifdef HAVE_SECCOMP
+ if (c->syscall_filter) {
+ seccomp_release(c->syscall_filter);
+ c->syscall_filter = NULL;
+ }
+#endif
}
void exec_command_done(ExecCommand *c) {
diff --git a/src/core/execute.h b/src/core/execute.h
index 4851152..00b7d9a 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -33,6 +33,9 @@ typedef struct ExecRuntime ExecRuntime;
#include <stdbool.h>
#include <stdio.h>
#include <sched.h>
+#ifdef HAVE_SECCOMP
+#include <seccomp.h>
+#endif
#include "list.h"
#include "util.h"
@@ -160,7 +163,10 @@ struct ExecContext {
* don't enter a trigger loop. */
bool same_pgrp;
- uint32_t *syscall_filter;
+#ifdef HAVE_SECCOMP
+ scmp_filter_ctx syscall_filter;
+#endif
+ char *syscall_filter_string;
bool oom_score_adjust_set:1;
bool nice_set:1;
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 7a2d32d..08fcc1b 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -33,6 +33,9 @@
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/resource.h>
+#ifdef HAVE_SECCOMP
+#include <seccomp.h>
+#endif
#include "sd-messages.h"
#include "unit.h"
@@ -47,7 +50,6 @@
#include "unit-printf.h"
#include "utf8.h"
#include "path-util.h"
-#include "syscall-list.h"
#include "env-util.h"
#include "cgroup.h"
#include "bus-util.h"
@@ -1916,16 +1918,6 @@ int config_parse_documentation(const char *unit,
return r;
}
-static void syscall_set(uint32_t *p, int nr) {
- nr = SYSCALL_TO_INDEX(nr);
- p[nr >> 4] |= 1 << (nr & 31);
-}
-
-static void syscall_unset(uint32_t *p, int nr) {
- nr = SYSCALL_TO_INDEX(nr);
- p[nr >> 4] &= ~(1 << (nr & 31));
-}
-
int config_parse_syscall_filter(const char *unit,
const char *filename,
unsigned line,
@@ -1936,49 +1928,61 @@ int config_parse_syscall_filter(const char *unit,
const char *rvalue,
void *data,
void *userdata) {
+#ifdef HAVE_SECCOMP
+#define SECCOMP_RULE_ADD(ctx, action, id, name) \
+ do {\
+ r = seccomp_rule_add(ctx, action, id, 0);\
+ if (r < 0)\
+ log_syntax(unit, LOG_ERR, filename, line, -r,\
+ "Failed to add syscall filter, ignoring: %s", name);\
+ } while(0)
ExecContext *c = data;
Unit *u = userdata;
bool invert = false;
+ uint32_t action = SCMP_ACT_ALLOW;
char *w;
size_t l;
char *state;
+ int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(u);
+
if (isempty(rvalue)) {
/* Empty assignment resets the list */
- free(c->syscall_filter);
+ seccomp_release(c->syscall_filter);
c->syscall_filter = NULL;
+ free(c->syscall_filter_string = NULL);
+ c->syscall_filter_string = NULL;
return 0;
}
+ c->syscall_filter_string = strdup(rvalue);
if (rvalue[0] == '~') {
+ action = SCMP_ACT_KILL;
invert = true;
rvalue++;
}
if (!c->syscall_filter) {
- size_t n;
+ if (invert)
+ c->syscall_filter = seccomp_init(SCMP_ACT_ALLOW);
+ else
+ c->syscall_filter = seccomp_init(SCMP_ACT_KILL);
- n = (syscall_max() + 31) >> 4;
- c->syscall_filter = new(uint32_t, n);
if (!c->syscall_filter)
- return log_oom();
-
- memset(c->syscall_filter, invert ? 0xFF : 0, n * sizeof(uint32_t));
+ return -1;
/* Add these by default */
- syscall_set(c->syscall_filter, __NR_execve);
- syscall_set(c->syscall_filter, __NR_rt_sigreturn);
-#ifdef __NR_sigreturn
- syscall_set(c->syscall_filter, __NR_sigreturn);
-#endif
- syscall_set(c->syscall_filter, __NR_exit_group);
- syscall_set(c->syscall_filter, __NR_exit);
+ SECCOMP_RULE_ADD(c->syscall_filter, SCMP_ACT_ALLOW, SCMP_SYS(execve), "execve");
+ SECCOMP_RULE_ADD(c->syscall_filter, SCMP_ACT_ALLOW, SCMP_SYS(exit), "exit");
+ SECCOMP_RULE_ADD(c->syscall_filter, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), "exit_group");
+ SECCOMP_RULE_ADD(c->syscall_filter, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), "rt_sigreturn");
+ SECCOMP_RULE_ADD(c->syscall_filter, SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), "sigreturn");
}
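Review bot: `free(c->syscall_filter_string = NULL);` in the empty-assignment branch nulls the pointer before freeing it, so the previous string is leaked and free() is handed NULL; it should read `free(c->syscall_filter_string);` (the next line already resets it). The `strdup(rvalue)` a few lines further down has the mirror-image problem: it overwrites whatever an earlier SystemCallFilter= line stored without freeing it and is never checked for NULL, and the seccomp_init() failure path returns a bare `-1` where the rest of the file uses `return log_oom();`. Separately, `SCMP_SYS(sigreturn)` is added unconditionally where the removed code had `#ifdef __NR_sigreturn`; on architectures without that syscall libseccomp will presumably reject the rule and the macro then logs it at LOG_ERR for every unit that sets a filter, so that entry likely wants an arch guard or a lower log level. The function's signature starts above the hunk and its word loop continues below it.
```c
        if (isempty(rvalue)) {
                /* Empty assignment resets the list */
                seccomp_release(c->syscall_filter);
                c->syscall_filter = NULL;
                free(c->syscall_filter_string);
                c->syscall_filter_string = NULL;
                return 0;
        }

        /* A later SystemCallFilter= line replaces the stored string; the
         * filter itself keeps accumulating, so the property only mirrors
         * the last assignment. */
        free(c->syscall_filter_string);
        c->syscall_filter_string = strdup(rvalue);
        if (!c->syscall_filter_string)
                return log_oom();

        /* … unchanged: '~' handling and seccomp_init() selection … */

                if (!c->syscall_filter)
                        return log_oom();

        /* … unchanged: default SECCOMP_RULE_ADD() entries … */
```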
FOREACH_WORD_QUOTED(w, l, rvalue, state) {
@@ -1989,20 +1993,19 @@ int config_parse_syscall_filter(const char *unit,
if (!t)
return log_oom();
- id = syscall_from_name(t);
+ id = seccomp_syscall_resolve_name(t);
if (id < 0) {
log_syntax(unit, LOG_ERR, filename, line, EINVAL,
"Failed to parse syscall, ignoring: %s", t);
continue;
}
- if (invert)
- syscall_unset(c->syscall_filter, id);
- else
- syscall_set(c->syscall_filter, id);
+ SECCOMP_RULE_ADD(c->syscall_filter, action, id, t);
}
c->no_new_privileges = true;
+#undef SECCOMP_RULE_ADD
+#endif
return 0;
}
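Review bot: When HAVE_SECCOMP is not defined, everything between the `#ifdef` at the top of the function and the `#endif` before `return 0;` drops out, so a SystemCallFilter= line is accepted silently, `c->no_new_privileges` is never set and nothing is stored for the D-Bus property. An `#else` branch with `log_syntax(unit, LOG_WARNING, filename, line, 0, "Seccomp support not available, ignoring: %s", rvalue);` placed before that `#endif` would give the administrator a visible signal that the unit runs without the requested filter. The `#undef SECCOMP_RULE_ADD` correctly confines the helper macro to this function; the function starts above the hunk.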
diff --git a/src/shared/.gitignore b/src/shared/.gitignore
index 3820d19..c9b5f81 100644
--- a/src/shared/.gitignore
+++ b/src/shared/.gitignore
@@ -1,7 +1,3 @@
-/syscall-from-name.gperf
-/syscall-from-name.h
-/syscall-list.txt
-/syscall-to-name.h
/errno-from-name.gperf
/errno-from-name.h
/errno-list.txt
diff --git a/src/shared/linux/seccomp-bpf.h b/src/shared/linux/seccomp-bpf.h
deleted file mode 100644
index 1e3d136..0000000
--- a/src/shared/linux/seccomp-bpf.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * seccomp example for x86 (32-bit and 64-bit) with BPF macros
- *
- * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev at chromium.org>
- * Authors:
- * Will Drewry <wad at chromium.org>
- * Kees Cook <keescook at chromium.org>
- *
- * The code may be used by anyone for any purpose, and can serve as a
- * starting point for developing applications using mode 2 seccomp.
- */
-#ifndef _SECCOMP_BPF_H_
-#define _SECCOMP_BPF_H_
-
-#include <stdio.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <signal.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <sys/prctl.h>
-
-#include <linux/unistd.h>
-#include <linux/audit.h>
-#include <linux/filter.h>
-#include <linux/seccomp.h>
-
-#ifndef SECCOMP_MODE_FILTER
-# define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
-# define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
-# define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
-# define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
-struct seccomp_data {
- int nr;
- __u32 arch;
- __u64 instruction_pointer;
- __u64 args[6];
-};
-#endif
-#ifndef SYS_SECCOMP
-# define SYS_SECCOMP 1
-#endif
-
-#define syscall_nr (offsetof(struct seccomp_data, nr))
-#define arch_nr (offsetof(struct seccomp_data, arch))
-
-#if defined(__i386__)
-# define REG_SYSCALL REG_EAX
-# define ARCH_NR AUDIT_ARCH_I386
-#elif defined(__x86_64__)
-# define REG_SYSCALL REG_RAX
-# define ARCH_NR AUDIT_ARCH_X86_64
-#else
-# warning "Platform does not support seccomp filter yet"
-# define REG_SYSCALL 0
-# define ARCH_NR 0
-#endif
-
-#define VALIDATE_ARCHITECTURE \
- BPF_STMT(BPF_LD+BPF_W+BPF_ABS, arch_nr), \
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
-
-#define EXAMINE_SYSCALL \
- BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr)
-
-#define ALLOW_SYSCALL(name) \
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
-
-#define _KILL_PROCESS \
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
-
-#endif /* _SECCOMP_BPF_H_ */
diff --git a/src/shared/linux/seccomp.h b/src/shared/linux/seccomp.h
deleted file mode 100644
index 9c03683..0000000
--- a/src/shared/linux/seccomp.h
+++ /dev/null
@@ -1,47 +0,0 @@
-#ifndef _LINUX_SECCOMP_H
-#define _LINUX_SECCOMP_H
-
-
-#include <linux/types.h>
-
-
-/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
-#define SECCOMP_MODE_DISABLED 0 /* seccomp is not in use. */
-#define SECCOMP_MODE_STRICT 1 /* uses hard-coded filter. */
-#define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
-
-/*
- * All BPF programs must return a 32-bit value.
- * The bottom 16-bits are for optional return data.
- * The upper 16-bits are ordered from least permissive values to most.
- *
- * The ordering ensures that a min_t() over composed return values always
- * selects the least permissive choice.
- */
-#define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
-#define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
-#define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
-#define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */
-#define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
-
-/* Masks for the return value sections. */
-#define SECCOMP_RET_ACTION 0x7fff0000U
-#define SECCOMP_RET_DATA 0x0000ffffU
-
-/**
- * struct seccomp_data - the format the BPF program executes over.
- * @nr: the system call number
- * @arch: indicates system call convention as an AUDIT_ARCH_* value
- * as defined in <linux/audit.h>.
- * @instruction_pointer: at the time of the system call.
- * @args: up to 6 system call arguments always stored as 64-bit values
- * regardless of the architecture.
- */
-struct seccomp_data {
- int nr;
- __u32 arch;
- __u64 instruction_pointer;
- __u64 args[6];
-};
-
-#endif /* _LINUX_SECCOMP_H */
diff --git a/src/shared/syscall-list.c b/src/shared/syscall-list.c
deleted file mode 100644
index dc84dca..0000000
--- a/src/shared/syscall-list.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
-
-/***
- This file is part of systemd.
-
- Copyright 2012 Lennart Poettering
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
-
-#include <sys/syscall.h>
-#include <string.h>
-
-#include "util.h"
-#include "syscall-list.h"
-
-static const struct syscall_name* lookup_syscall(register const char *str,
- register unsigned int len);
-
-#include "syscall-to-name.h"
-#include "syscall-from-name.h"
-
-const char *syscall_to_name(int id) {
- id = SYSCALL_TO_INDEX(id);
- if (id < 0 || id >= (int) ELEMENTSOF(syscall_names))
- return NULL;
-
- return syscall_names[id];
-}
-
-int syscall_from_name(const char *name) {
- const struct syscall_name *sc;
-
- assert(name);
-
- sc = lookup_syscall(name, strlen(name));
- if (!sc)
- return -1;
-
- return sc->id;
-}
-
-int syscall_max(void) {
- return ELEMENTSOF(syscall_names);
-}
diff --git a/src/shared/syscall-list.h b/src/shared/syscall-list.h
deleted file mode 100644
index 37efc56..0000000
--- a/src/shared/syscall-list.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
-
-#pragma once
-
-/***
- This file is part of systemd.
-
- Copyright 2012 Lennart Poettering
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
-
-#if defined __x86_64__ && defined __ILP32__
-/* The x32 ABI defines all of its syscalls with bit 30 set, which causes
- issues when attempting to use syscalls as simple indices into an array.
- Instead, use the syscall id & ~SYSCALL_MASK as the index, and | the
- internal id with the syscall mask as needed.
-*/
-#include <asm/unistd.h>
-#define SYSCALL_TO_INDEX(x) ((x) & ~__X32_SYSCALL_BIT)
-#define INDEX_TO_SYSCALL(x) ((x) | __X32_SYSCALL_BIT)
-#else
-#define SYSCALL_TO_INDEX(x) (x)
-#define INDEX_TO_SYSCALL(x) (x)
-#endif
-
-const char *syscall_to_name(int id);
-int syscall_from_name(const char *name);
-
-int syscall_max(void);
diff --git a/src/test/test-tables.c b/src/test/test-tables.c
index 3b7800c..dff6431 100644
--- a/src/test/test-tables.c
+++ b/src/test/test-tables.c
@@ -43,7 +43,6 @@
#include "unit-name.h"
#include "unit.h"
#include "util.h"
-#include "syscall-list.h"
#include "test-tables.h"
@@ -99,7 +98,5 @@ int main(int argc, char **argv) {
test_table(unit_load_state, UNIT_LOAD_STATE);
test_table(unit_type, UNIT_TYPE);
- _test_table("syscall", syscall_to_name, syscall_from_name, syscall_max(), true);
-
return EXIT_SUCCESS;
}
--
1.8.5.3