DWS/chrony
1
0
Fork 0
mirror of https://gitlab.com/chrony/chrony.git synced 2025-12-03 17:35:06 -05:00
Code Issues Packages Projects Releases Wiki Activity

sys: specify context for syscall filter

Browse Source 
Specify a context to enable different processes using different (more
restrictive) syscall filters.
This commit is contained in:
Miroslav Lichvar
2019-11-26 14:10:24 +01:00
parent 3e537416a9
commit e6848b1e3f
5 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
main.c
View File

@@ -596,7 +596,7 @@ int main
CAM_OpenUnixSocket(); CAM_OpenUnixSocket();
if (scfilter_level) if (scfilter_level)
SYS_EnableSystemCallFilter(scfilter_level); SYS_EnableSystemCallFilter(scfilter_level, SYS_MAIN_PROCESS);
if (ref_mode == REF_ModeNormal && CNF_GetInitSources() > 0) { if (ref_mode == REF_ModeNormal && CNF_GetInitSources() > 0) {
ref_mode = REF_ModeInitStepSlew; ref_mode = REF_ModeInitStepSlew;

4
sys.c
View File

@@ -114,10 +114,10 @@ void SYS_DropRoot(uid_t uid, gid_t gid)
/* ================================================== */ /* ================================================== */
void SYS_EnableSystemCallFilter(int level) void SYS_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
{ {
#if defined(LINUX) && defined(FEAT_SCFILTER) #if defined(LINUX) && defined(FEAT_SCFILTER)
SYS_Linux_EnableSystemCallFilter(level); SYS_Linux_EnableSystemCallFilter(level, context);
#else #else
LOG_FATAL("system call filter not supported"); LOG_FATAL("system call filter not supported");
#endif #endif

6
sys.h
View File

@@ -38,9 +38,13 @@ extern void SYS_Finalise(void);
/* Drop root privileges to the specified user and group */ /* Drop root privileges to the specified user and group */
extern void SYS_DropRoot(uid_t uid, gid_t gid); extern void SYS_DropRoot(uid_t uid, gid_t gid);
typedef enum {
SYS_MAIN_PROCESS,
} SYS_SystemCallContext;
/* Enable a system call filter to allow only system calls /* Enable a system call filter to allow only system calls
which chronyd normally needs after initialization */ which chronyd normally needs after initialization */
extern void SYS_EnableSystemCallFilter(int level); extern void SYS_EnableSystemCallFilter(int level, SYS_SystemCallContext context);
extern void SYS_SetScheduler(int SchedPriority); extern void SYS_SetScheduler(int SchedPriority);
extern void SYS_LockMemory(void); extern void SYS_LockMemory(void);

2
sys_linux.c
View File

@@ -474,7 +474,7 @@ void check_seccomp_applicability(void)
/* ================================================== */ /* ================================================== */
void void
SYS_Linux_EnableSystemCallFilter(int level) SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
{ {
const int syscalls[] = { const int syscalls[] = {
/* Clock */ /* Clock */

4
sys_linux.h
View File

@@ -27,13 +27,15 @@
#ifndef GOT_SYS_LINUX_H #ifndef GOT_SYS_LINUX_H
#define GOT_SYS_LINUX_H #define GOT_SYS_LINUX_H
#include "sys.h"
extern void SYS_Linux_Initialise(void); extern void SYS_Linux_Initialise(void);
extern void SYS_Linux_Finalise(void); extern void SYS_Linux_Finalise(void);
extern void SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control); extern void SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control);
extern void SYS_Linux_EnableSystemCallFilter(int level); extern void SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context);
extern int SYS_Linux_CheckKernelVersion(int req_major, int req_minor); extern int SYS_Linux_CheckKernelVersion(int req_major, int req_minor);