-I $(top_srcdir)/src/libsystemd/sd-bus \
-I $(top_srcdir)/src/libsystemd/sd-event \
-I $(top_srcdir)/src/libsystemd/sd-rtnl \
- $(SECCOMP_CFLAGS) \
$(OUR_CPPFLAGS)
AM_CFLAGS = $(OUR_CFLAGS)
src/shared/errno-from-name.h \
src/shared/errno-to-name.h
-if HAVE_SECCOMP
-libsystemd_shared_la_SOURCES += \
- src/shared/seccomp-util.h \
- src/shared/seccomp-util.c
-endif
-
# ------------------------------------------------------------------------------
noinst_LTLIBRARIES += \
libsystemd-units.la
libsystemd_label_la_LIBADD = \
$(SELINUX_LIBS)
+# ------------------------------------------------------------------------------
+
+if HAVE_SECCOMP
+
+noinst_LTLIBRARIES += \
+ libsystemd-seccomp.la
+
+libsystemd_seccomp_la_SOURCES = \
+ src/shared/seccomp-util.h \
+ src/shared/seccomp-util.c
+
+libsystemd_seccomp_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(SECCOMP_CFLAGS)
+
+libsystemd_seccomp_la_LIBADD = \
+ $(SECCOMP_LIBS)
+
+endif
+
# ------------------------------------------------------------------------------
noinst_LTLIBRARIES += \
libsystemd-logs.la
$(LIBWRAP_CFLAGS) \
$(PAM_CFLAGS) \
$(AUDIT_CFLAGS) \
+ $(CAP_CFLAGS) \
$(KMOD_CFLAGS) \
$(SECCOMP_CFLAGS) \
-pthread
$(PAM_LIBS) \
$(AUDIT_LIBS) \
$(CAP_LIBS) \
- $(SECCOMP_LIBS) \
- $(KMOD_LIBS)
+ $(KMOD_LIBS) \
+ $(SECCOMP_LIBS)
+
+if HAVE_SECCOMP
+libsystemd_core_la_LIBADD += \
+ libsystemd-seccomp.la
+endif
src/core/load-fragment-gperf-nulstr.c: src/core/load-fragment-gperf.gperf
$(AM_V_at)$(MKDIR_P) $(dir $@)
src/core/loopback-setup.c \
src/core/loopback-setup.h
+systemd_nspawn_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(SECCOMP_CFLAGS)
+
systemd_nspawn_LDADD = \
libsystemd-label.la \
libsystemd-capability.la \
libsystemd-daemon-internal.la \
libudev-internal.la \
libsystemd-shared.la \
+ libsystemd-seccomp.la \
$(SECCOMP_LIBS)
# ------------------------------------------------------------------------------
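Review bot: `libsystemd-seccomp.la` is appended to `systemd_nspawn_LDADD` unconditionally, but the library is only defined inside the `if HAVE_SECCOMP` block earlier in this file, so a tree configured without libseccomp has no rule to build it and the nspawn link fails. The core library already handles this correctly with a guarded `if HAVE_SECCOMP` / `libsystemd_core_la_LIBADD += libsystemd-seccomp.la` / `endif`; the nspawn list should do the same, dropping `libsystemd-seccomp.la \` from the unconditional list and adding `if HAVE_SECCOMP` / `systemd_nspawn_LDADD += libsystemd-seccomp.la` / `endif` after it. The `#ifdef HAVE_SECCOMP` guard that this commit puts around the seccomp-util.h include in nspawn.c suggests nspawn is meant to build without seccomp, so this is not purely theoretical, though whether the nspawn target is itself conditional is not visible from here.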
<function>write</function> will be
removed from the set.)
</para></listitem>
-
- <para>Note that setting
- <varname>SystemCallFilter=</varname>
- implies a
- <varname>SystemCallArchitectures=</varname>
- setting of <literal>native</literal>
- (see below), unless that option is
- configured otherwise.</para>
</varlistentry>
<varlistentry>
unit. This is an effective way to
disable compatibility with non-native
architectures for processes, for
- example to prohibit execution of 32-bit
- x86 binaries on 64-bit x86-64
+ example to prohibit execution of
+ 32-bit x86 binaries on 64-bit x86-64
systems. The special
<literal>native</literal> identifier
implicitly maps to the native
<literal>native</literal> is included
too. By default, this option is set to
the empty list, i.e. no architecture
- system call filtering is applied. Note
- that configuring a system call filter
- with
- <varname>SystemCallFilter=</varname>
- (above) implies a
- <literal>native</literal> architecture
- list, unless configured
- otherwise.</para></listitem>
+ system call filtering is
+ applied.</para></listitem>
</varlistentry>
</variablelist>
if (!seccomp)
return -ENOMEM;
- SET_FOREACH(id, c->syscall_archs, i) {
- r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
- if (r == -EEXIST)
- continue;
+ if (c->syscall_archs) {
+
+ SET_FOREACH(id, c->syscall_archs, i) {
+ r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
+ if (r == -EEXIST)
+ continue;
+ if (r < 0) {
+ seccomp_release(seccomp);
+ return r;
+ }
+ }
+ } else {
+
+ r = seccomp_add_secondary_archs(seccomp);
if (r < 0) {
seccomp_release(seccomp);
return r;
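Review bot: The new `else` branch quietly redefines what an unset `SystemCallArchitectures=` means, and only partially: `seccomp_add_secondary_archs()` as added in seccomp-util.c covers the x86 family only, so on any other architecture a unit with `SystemCallFilter=` and no explicit architecture list is still filtered for the native ABI alone and compat-ABI binaries bypass the filter, while on x86 they no longer do. That asymmetry deserves a comment at the `else`, e.g. `/* No explicit list: also cover the secondary ABIs seccomp_add_secondary_archs() knows about (x86 family only today); on other archs the filter stays native-only. */`, and the man page, from which this commit removes the old "implies native" note without replacing it, should state the same. The enclosing function starts and ends outside the hunk.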
#include "rtnl-util.h"
#include "udev-util.h"
+#ifdef HAVE_SECCOMP
+#include "seccomp-util.h"
+#endif
+
typedef enum LinkJournal {
LINK_NO,
LINK_AUTO,
if (!seccomp)
return log_oom();
+ r = seccomp_add_secondary_archs(seccomp);
+ if (r < 0 && r != -EEXIST) {
+ log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
+ goto finish;
+ }
+
r = seccomp_rule_add_exact(
seccomp,
SCMP_ACT_ERRNO(EAFNOSUPPORT),
goto finish;
}
-#ifdef __x86_64__
- r = seccomp_arch_add(seccomp, SCMP_ARCH_X86);
- if (r < 0 && r != -EEXIST) {
- log_error("Failed to add x86 to seccomp filter: %s", strerror(-r));
- goto finish;
- }
-#endif
-
r = seccomp_load(seccomp);
if (r < 0)
log_error("Failed to install seccomp audit filter: %s", strerror(-r));
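Review bot: Moving the architecture additions ahead of the `seccomp_rule_add_exact()` call means the `socket()` rule is now also applied to the i386 ABI, whereas the removed code added `SCMP_ARCH_X86` only after the rule, which, if libseccomp does not propagate existing rules to a later-added arch, left 32-bit processes with no AF_NETLINK/NETLINK_AUDIT rule at all; closing that gap is right, but on i386 `socket()` is multiplexed through `socketcall()` on older kernels and libseccomp, as far as I recall, refuses to add an argument rule for it in strict mode, so this function may now fail and `goto finish` on x86-64 hosts where it used to succeed. That should be tested against a 32-bit-capable libseccomp and, if confirmed, the call switched to `seccomp_rule_add()` with a comment explaining why exactness is given up. Separately, the `r != -EEXIST` exemption on the new call is dead code: `seccomp_add_secondary_archs()` already maps `-EEXIST` from `seccomp_arch_add()` to success, so `if (r < 0) {` is sufficient and the current form wrongly suggests the helper can return it. The enclosing function ends outside the hunk.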
return 0;
}
+
+int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
+
+#if defined(__i386__) || defined(__x86_64__)
+ int r;
+
+ /* Add in all possible secondary archs we are aware of that
+ * this kernel might support. */
+
+ r = seccomp_arch_add(c, SCMP_ARCH_X86);
+ if (r < 0 && r != -EEXIST)
+ return r;
+
+ r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
+ if (r < 0 && r != -EEXIST)
+ return r;
+
+ r = seccomp_arch_add(c, SCMP_ARCH_X32);
+ if (r < 0 && r != -EEXIST)
+ return r;
+
+#endif
+
+ return 0;
+
+}
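Review bot: The parameter is declared `scmp_filter_ctx *c` although `scmp_filter_ctx` in libseccomp's seccomp.h is already an opaque pointer typedef, so this is a pointer-to-pointer that only compiles because the callers pass a plain `scmp_filter_ctx` (a `void *`) and `seccomp_arch_add()` accepts one back via the implicit `void *` conversions; the signature should read `int seccomp_add_secondary_archs(scmp_filter_ctx c) {` here and the matching declaration in seccomp-util.h should drop the `*` as well. The function is also a silent no-op on every non-x86 build, which matters to callers that rely on it to close compat-ABI bypasses, so the header comment should say so explicitly, e.g. `/* Add every secondary ABI we know of for the build architecture. Only the x86 family is covered today; on other architectures this does nothing and the filter stays native-only. */`. Finally, `-EEXIST` is the expected result for whichever of the three is the filter's native arch, so a short `/* native arch is already present */` on the first exemption would spare the next reader a trip to the libseccomp docs.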
const char* seccomp_arch_to_string(uint32_t c);
int seccomp_arch_from_string(const char *n, uint32_t *ret);
+
+int seccomp_add_secondary_archs(scmp_filter_ctx *c);