analyze: add syscall-filter verb

This should make it easier for users to understand what each filter means as the list of syscalls is updated in subsequent systemd versions.
2024-11-27 12:13:33 +08:00 · 2016-11-02 11:58:18 -04:00 · 2016-11-02 11:58:18 -04:00 · 869feb3388
commit 869feb3388
parent 7fa6328cc4
5 changed files with 101 additions and 25 deletions
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@ -101,6 +101,12 @@
      <arg choice="plain">set-log-target</arg>
      <arg choice="plain"><replaceable>TARGET</replaceable></arg>
    </cmdsynopsis>
+    <cmdsynopsis>
+      <command>systemd-analyze</command>
+      <arg choice="opt" rep="repeat">OPTIONS</arg>
+      <arg choice="plain">syscall-filter</arg>
+      <arg choice="opt"><replaceable>SET</replaceable>...</arg>
+    </cmdsynopsis>
    <cmdsynopsis>
      <command>systemd-analyze</command>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
@ -181,6 +187,11 @@
    <option>--log-target=</option>, described in
    <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>

+    <para><command>systemd-analyze syscall-filter <optional><replaceable>SET</replaceable>...</optional></command>
+    will list system calls contained in the specified system call set <replaceable>SET</replaceable>,
+    or all known sets if no sets are specified. Argument <replaceable>SET</replaceable> must include
+    the <literal>@</literal> prefix.</para>
+
    <para><command>systemd-analyze verify</command> will load unit files and print
    warnings if any errors are detected. Files specified on the command line will be
    loaded, but also any other units referenced by them. The full unit search path is
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@ -1373,8 +1373,13 @@
          </tgroup>
        </table>

-        Note that as new system calls are added to the kernel, additional system calls might be added to the groups
-        above, so the contents of the sets may change between systemd versions.</para>
+        Note, that as new system calls are added to the kernel, additional system calls might be
+        added to the groups above. Contents of the sets may also change between systemd
+        versions. In addition, the list of system calls depends on the kernel version and
+        architecture for which systemd was compiled. Use
+        <command>systemd-analyze syscall-filter</command> to list the actual list of system calls in
+        each filter.
+      </para>

        <para>It is recommended to combine the file system namespacing related options with
        <varname>SystemCallFilter=~@mount</varname>, in order to prohibit the unit's processes to undo the
@ -1844,6 +1849,7 @@
      <para>
        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
        <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+        <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
        <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
        <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
        <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
--- a/shell-completion/bash/systemd-analyze
+++ b/shell-completion/bash/systemd-analyze
@ -45,6 +45,7 @@ _systemd_analyze() {
                [DOT]='dot'
                [LOG_LEVEL]='set-log-level'
                [VERIFY]='verify'
+                [SECCOMP_FILTER]='syscall-filter'
        )

        _init_completion || return
@ -100,6 +101,11 @@ _systemd_analyze() {
                        comps='debug info notice warning err crit alert emerg'
                fi

+        elif __contains_word "$verb" ${VERBS[SECCOMP_FILTER]}; then
+                if [[ $cur = -* ]]; then
+                        comps='--help --version'
+                fi
+
        elif __contains_word "$verb" ${VERBS[VERIFY]}; then
                if [[ $cur = -* ]]; then
                        comps='--help --version --system --user --man'
--- a/shell-completion/zsh/_systemd-analyze
+++ b/shell-completion/zsh/_systemd-analyze
@ -21,6 +21,7 @@ _systemd_analyze_command(){
        'dot:Dump dependency graph (in dot(1) format)'
        'dump:Dump server status'
        'set-log-level:Set systemd log threshold'
+        'syscall-filter:List syscalls in seccomp filter'
        'verify:Check unit files for correctness'
    )

--- a/src/analyze/analyze.c
+++ b/src/analyze/analyze.c
@ -36,6 +36,7 @@
 #include "log.h"
 #include "pager.h"
 #include "parse-util.h"
+#include "seccomp-util.h"
 #include "special.h"
 #include "strv.h"
 #include "strxcpyx.h"
@ -1275,36 +1276,85 @@ static int set_log_target(sd_bus *bus, char **args) {
        return 0;
 }

+static void dump_syscall_filter(const SyscallFilterSet *set) {
+        const char *syscall;
+
+        printf("%s\n", set->name);
+        NULSTR_FOREACH(syscall, set->value)
+                printf("    %s\n", syscall);
+}
+
+static int dump_syscall_filters(char** names) {
+        bool first = true;
+
+        pager_open(arg_no_pager, false);
+
+        if (strv_isempty(names)) {
+                int i;
+
+                for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
+                        if (!first)
+                                puts("");
+                        dump_syscall_filter(syscall_filter_sets + i);
+                        first = false;
+                }
+        } else {
+                char **name;
+
+                STRV_FOREACH(name, names) {
+                        const SyscallFilterSet *set;
+
+                        if (!first)
+                                puts("");
+
+                        set = syscall_filter_set_find(*name);
+                        if (!set) {
+                                /* make sure the error appears below normal output */
+                                fflush(stdout);
+
+                                log_error("Filter set \"%s\" not found.", *name);
+                                return -ENOENT;
+                        }
+
+                        dump_syscall_filter(set);
+                        first = false;
+                }
+        }
+
+        return 0;
+}
+
 static void help(void) {

        pager_open(arg_no_pager, false);

        printf("%s [OPTIONS...] {COMMAND} ...\n\n"
               "Profile systemd, show unit dependencies, check unit files.\n\n"
-               "  -h --help               Show this help\n"
-               "     --version            Show package version\n"
-               "     --no-pager           Do not pipe output into a pager\n"
-               "     --system             Operate on system systemd instance\n"
-               "     --user               Operate on user systemd instance\n"
-               "  -H --host=[USER@]HOST   Operate on remote host\n"
-               "  -M --machine=CONTAINER  Operate on local container\n"
-               "     --order              Show only order in the graph\n"
-               "     --require            Show only requirement in the graph\n"
-               "     --from-pattern=GLOB  Show only origins in the graph\n"
-               "     --to-pattern=GLOB    Show only destinations in the graph\n"
-               "     --fuzz=SECONDS       Also print also services which finished SECONDS\n"
-               "                          earlier than the latest in the branch\n"
-               "     --man[=BOOL]         Do [not] check for existence of man pages\n\n"
+               "  -h --help                Show this help\n"
+               "     --version             Show package version\n"
+               "     --no-pager            Do not pipe output into a pager\n"
+               "     --system              Operate on system systemd instance\n"
+               "     --user                Operate on user systemd instance\n"
+               "  -H --host=[USER@]HOST    Operate on remote host\n"
+               "  -M --machine=CONTAINER   Operate on local container\n"
+               "     --order               Show only order in the graph\n"
+               "     --require             Show only requirement in the graph\n"
+               "     --from-pattern=GLOB   Show only origins in the graph\n"
+               "     --to-pattern=GLOB     Show only destinations in the graph\n"
+               "     --fuzz=SECONDS        Also print also services which finished SECONDS\n"
+               "                           earlier than the latest in the branch\n"
+               "     --man[=BOOL]          Do [not] check for existence of man pages\n\n"
               "Commands:\n"
-               "  time                    Print time spent in the kernel\n"
-               "  blame                   Print list of running units ordered by time to init\n"
-               "  critical-chain          Print a tree of the time critical chain of units\n"
-               "  plot                    Output SVG graphic showing service initialization\n"
-               "  dot                     Output dependency graph in dot(1) format\n"
-               "  set-log-level LEVEL     Set logging threshold for manager\n"
-               "  set-log-target TARGET   Set logging target for manager\n"
-               "  dump                    Output state serialization of service manager\n"
-               "  verify FILE...          Check unit files for correctness\n"
+               "  time                     Print time spent in the kernel\n"
+               "  blame                    Print list of running units ordered by time to init\n"
+               "  critical-chain           Print a tree of the time critical chain of units\n"
+               "  plot                     Output SVG graphic showing service initialization\n"
+               "  dot                      Output dependency graph in dot(1) format\n"
+               "  set-log-level LEVEL      Set logging threshold for manager\n"
+               "  set-log-target TARGET    Set logging target for manager\n"
+               "  dump                     Output state serialization of service manager\n"
+               "  syscall-filter [NAME...] Print list of syscalls in seccomp filter\n"
+               "  verify FILE...           Check unit files for correctness\n"
               , program_invocation_short_name);

        /* When updating this list, including descriptions, apply
@ -1471,6 +1521,8 @@ int main(int argc, char *argv[]) {
                        r = set_log_level(bus, argv+optind+1);
                else if (streq(argv[optind], "set-log-target"))
                        r = set_log_target(bus, argv+optind+1);
+                else if (streq(argv[optind], "syscall-filter"))
+                        r = dump_syscall_filters(argv+optind+1);
                else
                        log_error("Unknown operation '%s'.", argv[optind]);
        }