From 192c8ad8f7d49a1fa75b8c777dd2ca564140be16 Mon Sep 17 00:00:00 2001 From: desbma Date: Sat, 12 Oct 2024 19:07:59 +0200 Subject: [PATCH] refactor: replace lazy_static by LazyLock --- Cargo.lock | 1 - Cargo.toml | 1 - src/summarize.rs | 59 ++- src/systemd/options.rs | 1052 +++++++++++++++++++--------------------- 4 files changed, 545 insertions(+), 568 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d21fb3d..e09a46a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -675,7 +675,6 @@ dependencies = [ "fastrand", "function_name", "itertools", - "lazy_static", "log", "nix", "nom", diff --git a/Cargo.toml b/Cargo.toml index 25b61d3..f557946 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -17,7 +17,6 @@ bincode = { version = "1.3.3", default-features = false } clap = { version = "4.3.17", default-features = false, features = ["std", "color", "help", "usage", "error-context", "suggestions", "derive"] } function_name = { version = "0.3.0", default-features = false, optional = true } itertools = { version = "0.11.0", default-features = false, features = ["use_std"] } -lazy_static = { version = "1.4.0", default-features = false } log = { version = "0.4.19", default-features = false, features = ["max_level_trace", "release_max_level_info"] } nix = { version = "0.26.2", default-features = false, features = ["fs"] } nom = { version = "7.1.3", default-features = false, features = ["std"], optional = true } diff --git a/src/summarize.rs b/src/summarize.rs index e719985..f1afd40 100644 --- a/src/summarize.rs +++ b/src/summarize.rs @@ -5,10 +5,9 @@ use std::{ ffi::OsStr, os::unix::ffi::OsStrExt, path::{Path, PathBuf}, + sync::LazyLock, }; -use lazy_static::lazy_static; - use crate::{ strace::{ BufferExpression, BufferType, Expression, IntegerExpression, IntegerExpressionValue, @@ -117,21 +116,20 @@ enum SyscallInfo { }, } -lazy_static! { - // - // For some reference on syscalls, see: - // - https://man7.org/linux/man-pages/man2/syscalls.2.html - // - https://filippo.io/linux-syscall-table/ - // - https://linasm.sourceforge.net/docs/syscalls/filesystem.php - // - static ref SYSCALL_MAP: HashMap<&'static str, SyscallInfo> = HashMap::from([ +// +// For some reference on syscalls, see: +// - https://man7.org/linux/man-pages/man2/syscalls.2.html +// - https://filippo.io/linux-syscall-table/ +// - https://linasm.sourceforge.net/docs/syscalls/filesystem.php +// +static SYSCALL_MAP: LazyLock> = LazyLock::new(|| { + HashMap::from([ // mmap ("mmap", SyscallInfo::Mmap { prot_idx: 2 }), ("mmap2", SyscallInfo::Mmap { prot_idx: 2 }), ("shmat", SyscallInfo::Mmap { prot_idx: 2 }), ("mprotect", SyscallInfo::Mmap { prot_idx: 2 }), ("pkey_mprotect", SyscallInfo::Mmap { prot_idx: 2 }), - // network ("connect", SyscallInfo::Network { sockaddr_idx: 1 }), ("bind", SyscallInfo::Network { sockaddr_idx: 1 }), @@ -156,7 +154,6 @@ lazy_static! { flags_idx: 2, }, ), - // rename ( "rename", @@ -188,23 +185,37 @@ lazy_static! { flags_idx: Some(4), }, ), - // set scheduler ("sched_setscheduler", SyscallInfo::SetScheduler), - // socket ("socket", SyscallInfo::Socket), - // stat fd ("fstat", SyscallInfo::StatFd { fd_idx: 0 }), ("getdents", SyscallInfo::StatFd { fd_idx: 0 }), - // stat path - ("stat", SyscallInfo::StatPath { relfd_idx: None, path_idx: 0 }), - ("lstat", SyscallInfo::StatPath { relfd_idx: None, path_idx: 0 }), - ("newfstatat", SyscallInfo::StatPath { relfd_idx: Some(0), path_idx: 1 }), - ]); -} + ( + "stat", + SyscallInfo::StatPath { + relfd_idx: None, + path_idx: 0, + }, + ), + ( + "lstat", + SyscallInfo::StatPath { + relfd_idx: None, + path_idx: 0, + }, + ), + ( + "newfstatat", + SyscallInfo::StatPath { + relfd_idx: Some(0), + path_idx: 1, + }, + ), + ]) +}); /// Resolve relative path if possible, and normalize it fn resolve_path(path: &Path, relfd_idx: Option, syscall: &Syscall) -> Option { @@ -230,10 +241,8 @@ fn resolve_path(path: &Path, relfd_idx: Option, syscall: &Syscall) -> Opt Some(path.canonicalize().unwrap_or(path)) } -lazy_static! { - static ref FD_PSEUDO_PATH_REGEX: regex::bytes::Regex = - regex::bytes::Regex::new(r"^[a-z]+:\[[0-9a-z]+\]/?$").unwrap(); -} +static FD_PSEUDO_PATH_REGEX: LazyLock = + LazyLock::new(|| regex::bytes::Regex::new(r"^[a-z]+:\[[0-9a-z]+\]/?$").unwrap()); fn is_fd_pseudo_path(path: &[u8]) -> bool { FD_PSEUDO_PATH_REGEX.is_match(path) diff --git a/src/systemd/options.rs b/src/systemd/options.rs index 32e416b..b7744e3 100644 --- a/src/systemd/options.rs +++ b/src/systemd/options.rs @@ -6,10 +6,10 @@ use std::{ os::unix::ffi::OsStrExt, path::{Path, PathBuf}, str::FromStr, + sync::LazyLock, }; use itertools::Itertools; -use lazy_static::lazy_static; use strum::IntoEnumIterator; use crate::{ @@ -281,553 +281,523 @@ impl fmt::Display for OptionWithValue { } } -lazy_static! { - static ref SYSCALL_CLASSES: HashMap<& 'static str, HashSet<& 'static str>> = HashMap::from([ - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L374 - "aio", - HashSet::from([ - "io_cancel", - "io_destroy", - "io_getevents", - "io_pgetevents", - "io_pgetevents_time64", - "io_setup", - "io_submit", - "io_uring_enter", - "io_uring_register", - "io_uring_setup", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L389 - "basic-io", - HashSet::from([ - "_llseek", - "close", - "close_range", - "dup", - "dup2", - "dup3", - "lseek", - "pread64", - "preadv", - "preadv2", - "pwrite64", - "pwritev", - "pwritev2", - "read", - "readv", - "write", - "writev", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L411 - "chown", - HashSet::from([ +static SYSCALL_CLASSES: LazyLock>> = + LazyLock::new(|| { + HashMap::from([ + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L374 + "aio", + HashSet::from([ + "io_cancel", + "io_destroy", + "io_getevents", + "io_pgetevents", + "io_pgetevents_time64", + "io_setup", + "io_submit", + "io_uring_enter", + "io_uring_register", + "io_uring_setup", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L389 + "basic-io", + HashSet::from([ + "_llseek", + "close", + "close_range", + "dup", + "dup2", + "dup3", + "lseek", + "pread64", + "preadv", + "preadv2", + "pwrite64", + "pwritev", + "pwritev2", + "read", + "readv", + "write", + "writev", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L411 "chown", - "chown32", - "fchown", - "fchown32", - "fchownat", - "lchown", - "lchown32", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L423 - "clock", - HashSet::from([ - "adjtimex", - "clock_adjtime", - "clock_adjtime64", - "clock_settime", - "clock_settime64", - "settimeofday", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L434 - "cpu-emulation", - HashSet::from([ - "modify_ldt", - "subpage_prot", - "switch_endian", - "vm86", - "vm86old", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L444 - "debug", - HashSet::from([ - "lookup_dcookie", - "perf_event_open", - "pidfd_getfd", - "ptrace", - "rtas", - "s390_runtime_instr", - "sys_debug_setcontext", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L456 - "file-system", - HashSet::from([ - "access", - "chdir", - "chmod", - "close", - "creat", - "faccessat", - "faccessat2", - "fallocate", - "fchdir", - "fchmod", - "fchmodat", - "fcntl", - "fcntl64", - "fgetxattr", - "flistxattr", - "fremovexattr", - "fsetxattr", - "fstat", - "fstat64", - "fstatat64", - "fstatfs", - "fstatfs64", - "ftruncate", - "ftruncate64", - "futimesat", - "getcwd", - "getdents", - "getdents64", - "getxattr", - "inotify_add_watch", - "inotify_init", - "inotify_init1", - "inotify_rm_watch", - "lgetxattr", - "link", - "linkat", - "listxattr", - "llistxattr", - "lremovexattr", - "lsetxattr", - "lstat", - "lstat64", - "mkdir", - "mkdirat", - "mknod", - "mknodat", - "newfstatat", - "oldfstat", - "oldlstat", - "oldstat", - "open", - "openat", - "openat2", - "readlink", - "readlinkat", - "removexattr", - "rename", - "renameat", - "renameat2", - "rmdir", - "setxattr", - "stat", - "stat64", - "statfs", - "statfs64", - "statx", - "symlink", - "symlinkat", - "truncate", - "truncate64", - "unlink", - "unlinkat", - "utime", - "utimensat", - "utimensat_time64", - "utimes", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L537 - "io-event", - HashSet::from([ - "_newselect", - "epoll_create", - "epoll_create1", - "epoll_ctl", - "epoll_ctl_old", - "epoll_pwait", - "epoll_pwait2", - "epoll_wait", - "epoll_wait_old", - "eventfd", - "eventfd2", - "poll", - "ppoll", - "ppoll_time64", - "pselect6", - "pselect6_time64", - "select", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L559 - "ipc", - HashSet::from([ + HashSet::from([ + "chown", "chown32", "fchown", "fchown32", "fchownat", "lchown", "lchown32", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L423 + "clock", + HashSet::from([ + "adjtimex", + "clock_adjtime", + "clock_adjtime64", + "clock_settime", + "clock_settime64", + "settimeofday", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L434 + "cpu-emulation", + HashSet::from([ + "modify_ldt", + "subpage_prot", + "switch_endian", + "vm86", + "vm86old", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L444 + "debug", + HashSet::from([ + "lookup_dcookie", + "perf_event_open", + "pidfd_getfd", + "ptrace", + "rtas", + "s390_runtime_instr", + "sys_debug_setcontext", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L456 + "file-system", + HashSet::from([ + "access", + "chdir", + "chmod", + "close", + "creat", + "faccessat", + "faccessat2", + "fallocate", + "fchdir", + "fchmod", + "fchmodat", + "fcntl", + "fcntl64", + "fgetxattr", + "flistxattr", + "fremovexattr", + "fsetxattr", + "fstat", + "fstat64", + "fstatat64", + "fstatfs", + "fstatfs64", + "ftruncate", + "ftruncate64", + "futimesat", + "getcwd", + "getdents", + "getdents64", + "getxattr", + "inotify_add_watch", + "inotify_init", + "inotify_init1", + "inotify_rm_watch", + "lgetxattr", + "link", + "linkat", + "listxattr", + "llistxattr", + "lremovexattr", + "lsetxattr", + "lstat", + "lstat64", + "mkdir", + "mkdirat", + "mknod", + "mknodat", + "newfstatat", + "oldfstat", + "oldlstat", + "oldstat", + "open", + "openat", + "openat2", + "readlink", + "readlinkat", + "removexattr", + "rename", + "renameat", + "renameat2", + "rmdir", + "setxattr", + "stat", + "stat64", + "statfs", + "statfs64", + "statx", + "symlink", + "symlinkat", + "truncate", + "truncate64", + "unlink", + "unlinkat", + "utime", + "utimensat", + "utimensat_time64", + "utimes", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L537 + "io-event", + HashSet::from([ + "_newselect", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_ctl_old", + "epoll_pwait", + "epoll_pwait2", + "epoll_wait", + "epoll_wait_old", + "eventfd", + "eventfd2", + "poll", + "ppoll", + "ppoll_time64", + "pselect6", + "pselect6_time64", + "select", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L559 "ipc", - "memfd_create", - "mq_getsetattr", - "mq_notify", - "mq_open", - "mq_timedreceive", - "mq_timedreceive_time64", - "mq_timedsend", - "mq_timedsend_time64", - "mq_unlink", - "msgctl", - "msgget", - "msgrcv", - "msgsnd", - "pipe", - "pipe2", - "process_madvise", - "process_vm_readv", - "process_vm_writev", - "semctl", - "semget", - "semop", - "semtimedop", - "semtimedop_time64", - "shmat", - "shmctl", - "shmdt", - "shmget", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L592 - "keyring", - HashSet::from([ - "add_key", - "keyctl", - "request_key", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L600 - "memlock", - HashSet::from([ - "mlock", - "mlock2", - "mlockall", - "munlock", - "munlockall", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L610 - "module", - HashSet::from([ - "delete_module", - "finit_module", - "init_module", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L618 - "mount", - HashSet::from([ - "chroot", - "fsconfig", - "fsmount", - "fsopen", - "fspick", + HashSet::from([ + "ipc", + "memfd_create", + "mq_getsetattr", + "mq_notify", + "mq_open", + "mq_timedreceive", + "mq_timedreceive_time64", + "mq_timedsend", + "mq_timedsend_time64", + "mq_unlink", + "msgctl", + "msgget", + "msgrcv", + "msgsnd", + "pipe", + "pipe2", + "process_madvise", + "process_vm_readv", + "process_vm_writev", + "semctl", + "semget", + "semop", + "semtimedop", + "semtimedop_time64", + "shmat", + "shmctl", + "shmdt", + "shmget", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L592 + "keyring", + HashSet::from(["add_key", "keyctl", "request_key"]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L600 + "memlock", + HashSet::from(["mlock", "mlock2", "mlockall", "munlock", "munlockall"]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L610 + "module", + HashSet::from(["delete_module", "finit_module", "init_module"]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L618 "mount", - "mount_setattr", - "move_mount", - "open_tree", - "pivot_root", - "umount", - "umount2", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L635 - "network-io", - HashSet::from([ - "accept", - "accept4", - "bind", - "connect", - "getpeername", - "getsockname", - "getsockopt", - "listen", - "recv", - "recvfrom", - "recvmmsg", - "recvmmsg_time64", - "recvmsg", - "send", - "sendmmsg", - "sendmsg", - "sendto", - "setsockopt", - "shutdown", - "socket", - "socketcall", - "socketpair", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L662 - "obsolete", - HashSet::from([ - "_sysctl", - "afs_syscall", - "bdflush", - "break", - "create_module", - "ftime", - "get_kernel_syms", - "getpmsg", - "gtty", - "idle", - "lock", - "mpx", - "prof", - "profil", - "putpmsg", - "query_module", - "security", - "sgetmask", - "ssetmask", - "stime", - "stty", - "sysfs", - "tuxcall", - "ulimit", - "uselib", - "ustat", - "vserver", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L695 - "pkey", - HashSet::from([ - "pkey_alloc", - "pkey_free", - "pkey_mprotect", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L703 - "privileged", - HashSet::from([ - "@chown", - "@clock", - "@module", - "@raw-io", - "@reboot", - "@swap", - "_sysctl", - "acct", - "bpf", - "capset", - "chroot", - "fanotify_init", - "fanotify_mark", - "nfsservctl", - "open_by_handle_at", - "pivot_root", - "quotactl", - "quotactl_fd", - "setdomainname", - "setfsuid", - "setfsuid32", - "setgroups", - "setgroups32", - "sethostname", - "setresuid", - "setresuid32", - "setreuid", - "setreuid32", - "setuid", - "setuid32", - "vhangup", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L739 - "process", - HashSet::from([ - "capget", - "clone", - "clone3", - "execveat", - "fork", - "getrusage", - "kill", - "pidfd_open", - "pidfd_send_signal", - "prctl", - "rt_sigqueueinfo", - "rt_tgsigqueueinfo", - "setns", - "swapcontext", - "tgkill", - "times", - "tkill", - "unshare", - "vfork", - "wait4", - "waitid", - "waitpid", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L769 - "raw-io", - HashSet::from([ - "ioperm", - "iopl", - "pciconfig_iobase", - "pciconfig_read", - "pciconfig_write", - "s390_pci_mmio_read", - "s390_pci_mmio_write", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L781 - "reboot", - HashSet::from([ - "kexec_file_load", - "kexec_load", + HashSet::from([ + "chroot", + "fsconfig", + "fsmount", + "fsopen", + "fspick", + "mount", + "mount_setattr", + "move_mount", + "open_tree", + "pivot_root", + "umount", + "umount2", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L635 + "network-io", + HashSet::from([ + "accept", + "accept4", + "bind", + "connect", + "getpeername", + "getsockname", + "getsockopt", + "listen", + "recv", + "recvfrom", + "recvmmsg", + "recvmmsg_time64", + "recvmsg", + "send", + "sendmmsg", + "sendmsg", + "sendto", + "setsockopt", + "shutdown", + "socket", + "socketcall", + "socketpair", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L662 + "obsolete", + HashSet::from([ + "_sysctl", + "afs_syscall", + "bdflush", + "break", + "create_module", + "ftime", + "get_kernel_syms", + "getpmsg", + "gtty", + "idle", + "lock", + "mpx", + "prof", + "profil", + "putpmsg", + "query_module", + "security", + "sgetmask", + "ssetmask", + "stime", + "stty", + "sysfs", + "tuxcall", + "ulimit", + "uselib", + "ustat", + "vserver", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L695 + "pkey", + HashSet::from(["pkey_alloc", "pkey_free", "pkey_mprotect"]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L703 + "privileged", + HashSet::from([ + "@chown", + "@clock", + "@module", + "@raw-io", + "@reboot", + "@swap", + "_sysctl", + "acct", + "bpf", + "capset", + "chroot", + "fanotify_init", + "fanotify_mark", + "nfsservctl", + "open_by_handle_at", + "pivot_root", + "quotactl", + "quotactl_fd", + "setdomainname", + "setfsuid", + "setfsuid32", + "setgroups", + "setgroups32", + "sethostname", + "setresuid", + "setresuid32", + "setreuid", + "setreuid32", + "setuid", + "setuid32", + "vhangup", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L739 + "process", + HashSet::from([ + "capget", + "clone", + "clone3", + "execveat", + "fork", + "getrusage", + "kill", + "pidfd_open", + "pidfd_send_signal", + "prctl", + "rt_sigqueueinfo", + "rt_tgsigqueueinfo", + "setns", + "swapcontext", + "tgkill", + "times", + "tkill", + "unshare", + "vfork", + "wait4", + "waitid", + "waitpid", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L769 + "raw-io", + HashSet::from([ + "ioperm", + "iopl", + "pciconfig_iobase", + "pciconfig_read", + "pciconfig_write", + "s390_pci_mmio_read", + "s390_pci_mmio_write", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L781 "reboot", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L789 - "resources", - HashSet::from([ - "ioprio_set", - "mbind", - "migrate_pages", - "move_pages", - "nice", - "sched_setaffinity", - "sched_setattr", - "sched_setparam", - "sched_setscheduler", - "set_mempolicy", - "set_mempolicy_home_node", - "setpriority", - "setrlimit", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L807 - "sandbox", - HashSet::from([ - "landlock_add_rule", - "landlock_create_ruleset", - "landlock_restrict_self", - "seccomp", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L816 - "setuid", - HashSet::from([ - "setgid", - "setgid32", - "setgroups", - "setgroups32", - "setregid", - "setregid32", - "setresgid", - "setresgid32", - "setresuid", - "setresuid32", - "setreuid", - "setreuid32", + HashSet::from(["kexec_file_load", "kexec_load", "reboot"]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L789 + "resources", + HashSet::from([ + "ioprio_set", + "mbind", + "migrate_pages", + "move_pages", + "nice", + "sched_setaffinity", + "sched_setattr", + "sched_setparam", + "sched_setscheduler", + "set_mempolicy", + "set_mempolicy_home_node", + "setpriority", + "setrlimit", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L807 + "sandbox", + HashSet::from([ + "landlock_add_rule", + "landlock_create_ruleset", + "landlock_restrict_self", + "seccomp", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L816 "setuid", - "setuid32", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L835 - "signal", - HashSet::from([ - "rt_sigaction", - "rt_sigpending", - "rt_sigprocmask", - "rt_sigsuspend", - "rt_sigtimedwait", - "rt_sigtimedwait_time64", - "sigaction", - "sigaltstack", + HashSet::from([ + "setgid", + "setgid32", + "setgroups", + "setgroups32", + "setregid", + "setregid32", + "setresgid", + "setresgid32", + "setresuid", + "setresuid32", + "setreuid", + "setreuid32", + "setuid", + "setuid32", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L835 "signal", - "signalfd", - "signalfd4", - "sigpending", - "sigprocmask", - "sigsuspend", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L854 - "swap", - HashSet::from([ - "swapoff", - "swapon", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L861 - "sync", - HashSet::from([ - "fdatasync", - "fsync", - "msync", + HashSet::from([ + "rt_sigaction", + "rt_sigpending", + "rt_sigprocmask", + "rt_sigsuspend", + "rt_sigtimedwait", + "rt_sigtimedwait_time64", + "sigaction", + "sigaltstack", + "signal", + "signalfd", + "signalfd4", + "sigpending", + "sigprocmask", + "sigsuspend", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L854 + "swap", + HashSet::from(["swapoff", "swapon"]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L861 "sync", - "sync_file_range", - "sync_file_range2", - "syncfs", - ]) - ), - ( - // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L939 - "timer", - HashSet::from([ - "alarm", - "getitimer", - "setitimer", - "timer_create", - "timer_delete", - "timer_getoverrun", - "timer_gettime", - "timer_gettime64", - "timer_settime", - "timer_settime64", - "timerfd_create", - "timerfd_gettime", - "timerfd_gettime64", - "timerfd_settime", - "timerfd_settime64", - "times", - ]) - ), - ]); -} + HashSet::from([ + "fdatasync", + "fsync", + "msync", + "sync", + "sync_file_range", + "sync_file_range2", + "syncfs", + ]), + ), + ( + // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L939 + "timer", + HashSet::from([ + "alarm", + "getitimer", + "setitimer", + "timer_create", + "timer_delete", + "timer_getoverrun", + "timer_gettime", + "timer_gettime64", + "timer_settime", + "timer_settime64", + "timerfd_create", + "timerfd_gettime", + "timerfd_gettime64", + "timerfd_settime", + "timerfd_settime64", + "times", + ]), + ), + ]) + }); #[allow(clippy::vec_init_then_push)] pub fn build_options(