authorLennart Poettering <lennart@poettering.net>2014-02-25 20:37:03 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-26 02:19:28 +0100
commit4298d0b5128326621c8f537107c4c8b459490721 (patch)
tree38ed9f6806b45d153f39ea9da61eae5d34530523 /src/shared
parent9875fd7875d433eea5c6e3319916e1be18722086 (diff)
core: add new RestrictAddressFamilies= switch
This new unit setting allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
Diffstat (limited to 'src/shared')
-rw-r--r--src/shared/.gitignore4
-rw-r--r--src/shared/af-list.c58
-rw-r--r--src/shared/af-list.h27
-rw-r--r--src/shared/exit-status.c3
-rw-r--r--src/shared/exit-status.h3
5 files changed, 94 insertions, 1 deletions
diff --git a/src/shared/.gitignore b/src/shared/.gitignore
index c9b5f81719..9f4ec9f9c6 100644
--- a/src/shared/.gitignore
+++ b/src/shared/.gitignore
@@ -2,3 +2,7 @@
/errno-from-name.h
/errno-list.txt
/errno-to-name.h
+/af-from-name.gperf
+/af-from-name.h
+/af-list.txt
+/af-to-name.h
diff --git a/src/shared/af-list.c b/src/shared/af-list.c
new file mode 100644
index 0000000000..f396115a34
--- /dev/null
+++ b/src/shared/af-list.c
@@ -0,0 +1,58 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright 2013 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <sys/socket.h>
+#include <string.h>
+
+#include "util.h"
+#include "af-list.h"
+
+static const struct af_name* lookup_af(register const char *str, register unsigned int len);
+
+#include "af-to-name.h"
+#include "af-from-name.h"
+
+const char *af_to_name(int id) {
+
+ if (id <= 0)
+ return NULL;
+
+ if (id >= (int) ELEMENTSOF(af_names))
+ return NULL;
+
+ return af_names[id];
+}
+
+int af_from_name(const char *name) {
+ const struct af_name *sc;
+
+ assert(name);
+
+ sc = lookup_af(name, strlen(name));
+ if (!sc)
+ return AF_UNSPEC;
+
+ return sc->id;
+}
+
+int af_max(void) {
+ return ELEMENTSOF(af_names);
+}
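Review bot: af_from_name() uses AF_UNSPEC (0) as its "unknown name" sentinel, so if the generated af-from-name table also carries an entry for "AF_UNSPEC" a caller cannot tell a mistyped RestrictAddressFamilies= value from a genuine lookup of that name; either the unknown case should report failure out of band, e.g. `return -EINVAL;` in place of `return AF_UNSPEC;`, with callers checking `< 0`, or af-list.h should state that AF_UNSPEC is the failure value and that callers must reject it. af_to_name() returns NULL for id 0 and for any id inside the table that has no name, which is reasonable but is not visible from the header. The function also calls assert() while only <sys/socket.h> and <string.h> are included directly here; presumably util.h brings it in, worth confirming.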
diff --git a/src/shared/af-list.h b/src/shared/af-list.h
new file mode 100644
index 0000000000..e346ab87f5
--- /dev/null
+++ b/src/shared/af-list.h
@@ -0,0 +1,27 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#pragma once
+
+/***
+ This file is part of systemd.
+
+ Copyright 2014 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+const char *af_to_name(int id);
+int af_from_name(const char *name);
+
+int af_max(void);
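Review bot: The three new prototypes carry no contract, so a reader of af-list.h cannot see what the failure values are or whether af_max() is an inclusive bound. Suggested comments above the declarations: `/* Returns NULL if id <= 0 or no name is known for id. */`, `/* Returns AF_UNSPEC if name is not a known address family. */` and `/* One past the largest id af_to_name() can resolve. */`, the last one because af-list.c returns ELEMENTSOF(af_names), so valid ids are strictly below it.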
diff --git a/src/shared/exit-status.c b/src/shared/exit-status.c
index 902f55ac65..c1b04a3868 100644
--- a/src/shared/exit-status.c
+++ b/src/shared/exit-status.c
@@ -139,6 +139,9 @@ const char* exit_status_to_string(ExitStatus status, ExitStatusLevel level) {
case EXIT_APPARMOR_PROFILE:
return "APPARMOR";
+
+ case EXIT_ADDRESS_FAMILIES:
+ return "ADDRESS_FAMILIES";
}
}
diff --git a/src/shared/exit-status.h b/src/shared/exit-status.h
index de379f1aa0..e7f12032ec 100644
--- a/src/shared/exit-status.h
+++ b/src/shared/exit-status.h
@@ -70,7 +70,8 @@ typedef enum ExitStatus {
EXIT_SECCOMP,
EXIT_SELINUX_CONTEXT,
EXIT_PERSONALITY, /* 230 */
- EXIT_APPARMOR_PROFILE
+ EXIT_APPARMOR_PROFILE,
+ EXIT_ADDRESS_FAMILIES,
} ExitStatus;
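Review bot: EXIT_ADDRESS_FAMILIES is appended after EXIT_APPARMOR_PROFILE with no value comment, so given the `/* 230 */` marker on EXIT_PERSONALITY its value is 232 only by position; since these codes are observable outside the process (exit-status.c maps them to the "ADDRESS_FAMILIES" string), a marker like `EXIT_ADDRESS_FAMILIES, /* 232 */` would make the commitment explicit and keep a future insertion from silently renumbering it. The ExitStatus enum begins outside the hunk.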
typedef enum ExitStatusLevel {