mirrors/systemd
0
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-27 20:23:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12198 from keszybz/seccomp-parsing-logging

Browse Source 
Seccomp parsing logging cleanup
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2019-04-03 17:19:14 +02:00 committed by GitHub
commit b3e8032bb4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 69 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
src/basic/log.c
View File

@ -1231,16 +1231,34 @@ int log_syntax_internal(
if (unit)
unit_fmt = getpid_cached() == 1 ? "UNIT=%s" : "USER_UNIT=%s";
return log_struct_internal(
LOG_REALM_PLUS_LEVEL(LOG_REALM_SYSTEMD, level),
error,
file, line, func,
"MESSAGE_ID=" SD_MESSAGE_INVALID_CONFIGURATION_STR,
"CONFIG_FILE=%s", config_file,
"CONFIG_LINE=%u", config_line,
LOG_MESSAGE("%s:%u: %s", config_file, config_line, buffer),
unit_fmt, unit,
NULL);
if (config_file)
return log_struct_internal(
LOG_REALM_PLUS_LEVEL(LOG_REALM_SYSTEMD, level),
error,
file, line, func,
"MESSAGE_ID=" SD_MESSAGE_INVALID_CONFIGURATION_STR,
"CONFIG_FILE=%s", config_file,
"CONFIG_LINE=%u", config_line,
LOG_MESSAGE("%s:%u: %s", config_file, config_line, buffer),
unit_fmt, unit,
NULL);
else if (unit)
return log_struct_internal(
LOG_REALM_PLUS_LEVEL(LOG_REALM_SYSTEMD, level),
error,
file, line, func,
"MESSAGE_ID=" SD_MESSAGE_INVALID_CONFIGURATION_STR,
LOG_MESSAGE("%s: %s", unit, buffer),
unit_fmt, unit,
NULL);
else
return log_struct_internal(
LOG_REALM_PLUS_LEVEL(LOG_REALM_SYSTEMD, level),
error,
file, line, func,
"MESSAGE_ID=" SD_MESSAGE_INVALID_CONFIGURATION_STR,
LOG_MESSAGE("%s", buffer),
NULL);
}
int log_syntax_invalid_utf8_internal(

19
src/core/dbus-execute.c
View File

@ -1395,7 +1395,7 @@ int bus_exec_context_set_transient_property(
if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
_cleanup_free_ char *joined = NULL;
bool invert = !whitelist;
SeccompParseFlags invert_flag = whitelist ? 0 : SECCOMP_PARSE_INVERT;
char **s;
if (strv_isempty(l)) {
@ -1414,7 +1414,12 @@ int bus_exec_context_set_transient_property(
c->syscall_whitelist = whitelist;
if (c->syscall_whitelist) {
r = seccomp_parse_syscall_filter("@default", -1, c->syscall_filter, SECCOMP_PARSE_WHITELIST | (invert ? SECCOMP_PARSE_INVERT : 0));
r = seccomp_parse_syscall_filter("@default",
-1,
c->syscall_filter,
SECCOMP_PARSE_WHITELIST | invert_flag,
u->id,
NULL, 0);
if (r < 0)
return r;
}
@ -1428,7 +1433,12 @@ int bus_exec_context_set_transient_property(
if (r < 0)
return r;
r = seccomp_parse_syscall_filter(n, e, c->syscall_filter, (invert ? SECCOMP_PARSE_INVERT : 0) | (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0));
r = seccomp_parse_syscall_filter(n,
e,
c->syscall_filter,
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag,
u->id,
NULL, 0);
if (r < 0)
return r;
}
@ -1506,7 +1516,6 @@ int bus_exec_context_set_transient_property(
if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
_cleanup_free_ char *joined = NULL;
bool invert = !whitelist;
char **s;
if (strv_isempty(l)) {
@ -1532,7 +1541,7 @@ int bus_exec_context_set_transient_property(
if (af < 0)
return af;
if (!invert == c->address_families_whitelist) {
if (whitelist == c->address_families_whitelist) {
r = set_put(c->address_families, INT_TO_PTR(af));
if (r < 0)
return r;

6
src/core/load-fragment.c
View File

@ -2735,7 +2735,9 @@ int config_parse_syscall_filter(
/* Accept default syscalls if we are on a whitelist */
r = seccomp_parse_syscall_filter(
"@default", -1, c->syscall_filter,
SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST);
SECCOMP_PARSE_PERMISSIVE|SECCOMP_PARSE_WHITELIST,
unit,
NULL, 0);
if (r < 0)
return r;
}
@ -2762,7 +2764,7 @@ int config_parse_syscall_filter(
continue;
}
r = seccomp_parse_syscall_filter_full(
r = seccomp_parse_syscall_filter(
name, num, c->syscall_filter,
SECCOMP_PARSE_LOG|SECCOMP_PARSE_PERMISSIVE|
(invert ? SECCOMP_PARSE_INVERT : 0)|

4
src/shared/seccomp-util.c
View File

@ -1016,7 +1016,7 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
return 0;
}
int seccomp_parse_syscall_filter_full(
int seccomp_parse_syscall_filter(
const char *name,
int errno_num,
Hashmap *filter,
@ -1049,7 +1049,7 @@ int seccomp_parse_syscall_filter_full(
* away the SECCOMP_PARSE_LOG flag) since any issues in the group table are our own problem,
* not a problem in user configuration data and we shouldn't pretend otherwise by complaining
* about them. */
r = seccomp_parse_syscall_filter_full(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
r = seccomp_parse_syscall_filter(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
if (r < 0)
return r;
}

14
src/shared/seccomp-util.h
View File

@ -70,13 +70,13 @@ typedef enum SeccompParseFlags {
SECCOMP_PARSE_PERMISSIVE = 1 << 3,
} SeccompParseFlags;
int seccomp_parse_syscall_filter_full(
const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags,
const char *unit, const char *filename, unsigned line);
static inline int seccomp_parse_syscall_filter(const char *name, int errno_num, Hashmap *filter, SeccompParseFlags flags) {
return seccomp_parse_syscall_filter_full(name, errno_num, filter, flags, NULL, NULL, 0);
}
int seccomp_parse_syscall_filter(
const char *name,
int errno_num,
Hashmap *filter,
SeccompParseFlags flags,
const char *unit,
const char *filename, unsigned line);
int seccomp_restrict_archs(Set *archs);
int seccomp_restrict_namespaces(unsigned long retain);

6
test/TEST-20-MAINPIDGAMES/testsuite.sh
View File

@ -4,8 +4,8 @@
set -ex
set -o pipefail
systemd-analyze set-log-level debug
systemd-analyze set-log-target console
systemd-analyze log-level debug
systemd-analyze log-target console
test `systemctl show -p MainPID --value testsuite.service` -eq $$
@ -134,7 +134,7 @@ chmod 755 /dev/shm/mainpid3.sh
# Test that this failed due to timeout, and not some other error
test `systemctl show -p Result --value mainpidsh3.service` = timeout
systemd-analyze set-log-level info
systemd-analyze log-level info
echo OK > /testok

6
test/TEST-23-TYPE-EXEC/testsuite.sh
View File

@ -4,8 +4,8 @@
set -ex
set -o pipefail
systemd-analyze set-log-level debug
systemd-analyze set-log-target console
systemd-analyze log-level debug
systemd-analyze log-target console
# Create a binary for which execve() will fail
touch /tmp/brokenbinary
@ -21,7 +21,7 @@ systemd-run --unit=four -p Type=exec /bin/sleep infinity
! systemd-run --unit=five -p Type=exec -p User=idontexist /bin/sleep infinity
! systemd-run --unit=six -p Type=exec /tmp/brokenbinary
systemd-analyze set-log-level info
systemd-analyze log-level info
echo OK > /testok

6
test/TEST-27-STDOUTFILE/testsuite.sh
View File

@ -4,8 +4,8 @@
set -ex
set -o pipefail
systemd-analyze set-log-level debug
systemd-analyze set-log-target console
systemd-analyze log-level debug
systemd-analyze log-target console
systemd-run --wait --unit=one -p StandardOutput=file:/tmp/stdout -p StandardError=file:/tmp/stderr -p Type=exec sh -c 'echo x ; echo y >&2'
cmp /tmp/stdout <<EOF
@ -33,7 +33,7 @@ a
c
EOF
systemd-analyze set-log-level info
systemd-analyze log-level info
echo OK > /testok

6
test/TEST-30-ONCLOCKCHANGE/testsuite.sh
View File

@ -4,8 +4,8 @@
set -ex
set -o pipefail
systemd-analyze set-log-level debug
systemd-analyze set-log-target console
systemd-analyze log-level debug
systemd-analyze log-target console
systemctl disable --now systemd-timesyncd.service
@ -26,7 +26,7 @@ timedatectl set-time 2018-1-1
while ! test -f /tmp/clock-changed ; do sleep .5 ; done
systemd-analyze set-log-level info
systemd-analyze log-level info
echo OK > /testok

4
test/networkd-test.py
View File

@ -283,11 +283,11 @@ class ClientTestBase(NetworkdTestingUtilities):
klass.orig_log_level = subprocess.check_output(
['systemctl', 'show', '--value', '--property', 'LogLevel'],
universal_newlines=True).strip()
subprocess.check_call(['systemd-analyze', 'set-log-level', 'debug'])
subprocess.check_call(['systemd-analyze', 'log-level', 'debug'])
@classmethod
def tearDownClass(klass):
subprocess.check_call(['systemd-analyze', 'set-log-level', klass.orig_log_level])
subprocess.check_call(['systemd-analyze', 'log-level', klass.orig_log_level])
def setUp(self):
self.iface = 'test_eth42'