Merge pull request #28907 from poettering/have-seccomp-tweaks

reduce HAVE_SECCOMP ifdeffery

src/analyze/analyze-security.c

@@ -27,9 +27,7 @@
 #include "parse-util.h"
 #include "path-util.h"
 #include "pretty-print.h"
-#if HAVE_SECCOMP
-#  include "seccomp-util.h"
-#endif
+#include "seccomp-util.h"
 #include "service.h"
 #include "set.h"
 #include "stdio-util.h"

src/core/dbus-execute.c

@@ -2,11 +2,6 @@
 
 #include <sys/mount.h>
 #include <sys/prctl.h>
-
-#if HAVE_SECCOMP
-#include <seccomp.h>
-#endif
-
 #include "af-list.h"
 #include "alloc-util.h"
 #include "bus-get-properties.h"
@@ -37,9 +32,7 @@
 #include "pcre2-util.h"
 #include "process-util.h"
 #include "rlimit-util.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "securebits-util.h"
 #include "specifier.h"
 #include "stat-util.h"

src/core/execute.c

@@ -26,10 +26,6 @@
 #include <selinux/selinux.h>
 #endif
 
-#if HAVE_SECCOMP
-#include <seccomp.h>
-#endif
-
 #if HAVE_APPARMOR
 #include <sys/apparmor.h>
 #endif
@@ -93,9 +89,7 @@
 #include "recurse-dir.h"
 #include "rlimit-util.h"
 #include "rm-rf.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "securebits-util.h"
 #include "selinux-util.h"
 #include "signal-util.h"

src/core/load-fragment.c

@@ -7,9 +7,6 @@
 #include <fcntl.h>
 #include <linux/fs.h>
 #include <linux/oom.h>
-#if HAVE_SECCOMP
-#include <seccomp.h>
-#endif
 #include <sched.h>
 #include <sys/resource.h>
 
@@ -56,9 +53,7 @@
 #include "pcre2-util.h"
 #include "percent-util.h"
 #include "process-util.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "securebits-util.h"
 #include "selinux-util.h"
 #include "signal-util.h"

src/core/main.c

@@ -8,9 +8,6 @@
 #include <sys/prctl.h>
 #include <sys/utsname.h>
 #include <unistd.h>
-#if HAVE_SECCOMP
-#include <seccomp.h>
-#endif
 #if HAVE_VALGRIND_VALGRIND_H
 #  include <valgrind/valgrind.h>
 #endif
@@ -82,9 +79,7 @@
 #include "psi-util.h"
 #include "random-util.h"
 #include "rlimit-util.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "selinux-setup.h"
 #include "selinux-util.h"
 #include "signal-util.h"

src/nspawn/nspawn-oci.c

@@ -1,9 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include <linux/oom.h>
-#if HAVE_SECCOMP
-#include <seccomp.h>
-#endif
 
 #include "bus-util.h"
 #include "cap-list.h"
@@ -19,9 +16,7 @@
 #include "nspawn-oci.h"
 #include "path-util.h"
 #include "rlimit-util.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "stdio-util.h"
 #include "string-util.h"
 #include "strv.h"

src/nspawn/nspawn-seccomp.c

@@ -6,16 +6,10 @@
 #include <sys/socket.h>
 #include <sys/types.h>
 
-#if HAVE_SECCOMP
-#include <seccomp.h>
-#endif
-
 #include "alloc-util.h"
 #include "log.h"
 #include "nspawn-seccomp.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "string-util.h"
 #include "strv.h"
 

src/nspawn/nspawn-settings.h

@@ -4,10 +4,6 @@
 #include <sched.h>
 #include <stdio.h>
 
-#if HAVE_SECCOMP
-#include <seccomp.h>
-#endif
-
 #include "sd-bus.h"
 #include "sd-id128.h"
 
@@ -18,6 +14,7 @@
 #include "missing_resource.h"
 #include "nspawn-expose-ports.h"
 #include "nspawn-mount.h"
+#include "seccomp-util.h"
 #include "time-util.h"
 
 typedef enum StartMode {

src/nspawn/nspawn.c

@@ -96,9 +96,7 @@
 #include "resolve-util.h"
 #include "rlimit-util.h"
 #include "rm-rf.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "selinux-util.h"
 #include "signal-util.h"
 #include "socket-util.h"

src/shared/bus-unit-util.c

@@ -37,9 +37,7 @@
 #include "percent-util.h"
 #include "process-util.h"
 #include "rlimit-util.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "securebits-util.h"
 #include "signal-util.h"
 #include "socket-util.h"
@@ -117,9 +115,6 @@ DEFINE_BUS_APPEND_PARSE("i", ioprio_class_from_string);
 DEFINE_BUS_APPEND_PARSE("i", ip_tos_from_string);
 DEFINE_BUS_APPEND_PARSE("i", log_facility_unshifted_from_string);
 DEFINE_BUS_APPEND_PARSE("i", log_level_from_string);
-#if !HAVE_SECCOMP
-static inline int seccomp_parse_errno_or_action(const char *eq) { return -EINVAL; }
-#endif
 DEFINE_BUS_APPEND_PARSE("i", seccomp_parse_errno_or_action);
 DEFINE_BUS_APPEND_PARSE("i", sched_policy_from_string);
 DEFINE_BUS_APPEND_PARSE("i", secure_bits_from_string);

src/shared/seccomp-util.h

@@ -2,8 +2,8 @@
 #pragma once
 
 #if HAVE_SECCOMP
-
 #include <seccomp.h>
+#endif
 #include <stdbool.h>
 #include <stdint.h>
 
@@ -13,6 +13,8 @@
 #include "set.h"
 #include "string-util.h"
 
+#if HAVE_SECCOMP
+
 const char* seccomp_arch_to_string(uint32_t c);
 int seccomp_arch_from_string(const char *n, uint32_t *ret);
 
@@ -143,6 +145,18 @@ int parse_syscall_archs(char **l, Set **ret_archs);
 
 uint32_t scmp_act_kill_process(void);
 
+int parse_syscall_and_errno(const char *in, char **name, int *error);
+
+int seccomp_suppress_sync(void);
+
+#else
+
+static inline bool is_seccomp_available(void) {
+        return false;
+}
+
+#endif
+
 /* This is a special value to be used where syscall filters otherwise expect errno numbers, will be
    replaced with real seccomp action. */
 enum {
@@ -164,15 +178,3 @@ static inline const char *seccomp_errno_or_action_to_string(int num) {
                 return "kill";
         return errno_to_name(num);
 }
-
-int parse_syscall_and_errno(const char *in, char **name, int *error);
-
-int seccomp_suppress_sync(void);
-
-#else
-
-static inline bool is_seccomp_available(void) {
-        return false;
-}
-
-#endif

src/test/test-execute.c

@@ -23,9 +23,7 @@
 #include "path-util.h"
 #include "process-util.h"
 #include "rm-rf.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "service.h"
 #include "signal-util.h"
 #include "static-destruct.h"