From 65a57927ad803dc7eddc4ab68221c571638d6e2b Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 21 Aug 2023 18:39:01 +0200
Subject: [PATCH 1/2] seccomp: move seccomp_parse_errno_or_action() into common definitions

Let's remove some HAVE_SECCOMP ifdeffery by simply defining the funcion in question (seccomp_parse_errno_or_action() + related calls) into common code that is also compiled if HAVE_SECCOMP is off. This is generally the better approach anyway, since we want as much as possible and easily feasible parsers work even if the code implementing them is disabled. THis is easy to achieve here, hence do.
---
 src/shared/bus-unit-util.c | 3 ---
 src/shared/seccomp-util.h | 28 +++++++++++++++-------------
 2 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index e7b44cc39b..6ea5e138e0 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -117,9 +117,6 @@ DEFINE_BUS_APPEND_PARSE("i", ioprio_class_from_string);
 DEFINE_BUS_APPEND_PARSE("i", ip_tos_from_string);
 DEFINE_BUS_APPEND_PARSE("i", log_facility_unshifted_from_string);
 DEFINE_BUS_APPEND_PARSE("i", log_level_from_string);
-#if !HAVE_SECCOMP
-static inline int seccomp_parse_errno_or_action(const char *eq) { return -EINVAL; }
-#endif
 DEFINE_BUS_APPEND_PARSE("i", seccomp_parse_errno_or_action);
 DEFINE_BUS_APPEND_PARSE("i", sched_policy_from_string);
 DEFINE_BUS_APPEND_PARSE("i", secure_bits_from_string);
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 9c6016449e..7583357e8a 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -2,8 +2,8 @@
 #pragma once
 #if HAVE_SECCOMP
-
 #include
+#endif
 #include
 #include
@@ -13,6 +13,8 @@
 #include "set.h"
 #include "string-util.h"
+#if HAVE_SECCOMP
+
 const char* seccomp_arch_to_string(uint32_t c);
 int seccomp_arch_from_string(const char *n, uint32_t *ret);
@@ -143,6 +145,18 @@ int parse_syscall_archs(char **l, Set **ret_archs);
 uint32_t scmp_act_kill_process(void);
+int parse_syscall_and_errno(const char *in, char **name, int *error);
+
+int seccomp_suppress_sync(void);
+
+#else
+
+static inline bool is_seccomp_available(void) {
+ return false;
+}
+
+#endif
+
 /* This is a special value to be used where syscall filters otherwise expect errno numbers, will be replaced with real seccomp action. */
 enum {
@@ -164,15 +178,3 @@ static inline const char *seccomp_errno_or_action_to_string(int num) {
 return "kill";
 return errno_to_name(num);
 }
-
-int parse_syscall_and_errno(const char *in, char **name, int *error);
-
-int seccomp_suppress_sync(void);
-
-#else
-
-static inline bool is_seccomp_available(void) {
- return false;
-}
-
-#endif
From e2fc0a72223bf1b4b1e2de9e9aa8169ec93ef8f9 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 21 Aug 2023 18:48:19 +0200
Subject: [PATCH 2/2] tree-wide: don't ifdef seccomp-util.h, drop seccomp.h inclusion everywhere

seccomp-util.h doesn't need ifdeffing, hence don't. It has worked since quite a while with HAVE_SECCOMP is off, hence use it everywhere. Also drop explicit seccomp.h inclusion everywhere (which needs HAVE_SECCOMP ifdeffery everywhere). seccomp-util.h includes it anyway, automatically, which we can just rely on, and it deals with HAVE_SECCOMP at one central place.
---
 src/analyze/analyze-security.c | 4 +---
 src/core/dbus-execute.c | 7 -------
 src/core/execute.c | 6 ------
 src/core/load-fragment.c | 5 -----
 src/core/main.c | 5 -----
 src/nspawn/nspawn-oci.c | 5 -----
 src/nspawn/nspawn-seccomp.c | 6 ------
 src/nspawn/nspawn-settings.h | 5 +----
 src/nspawn/nspawn.c | 2 --
 src/shared/bus-unit-util.c | 2 --
 src/test/test-execute.c | 2 --
 11 files changed, 2 insertions(+), 47 deletions(-)

diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 5408cfdeaa..fb743a895f 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
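Review bot: The `#endif` added in this hunk now closes an `#if HAVE_SECCOMP` / `#else` region that spans well over a hundred lines of declarations, and the common declarations that follow it (the `enum {` and `seccomp_errno_or_action_to_string()`) look no different from the guarded ones above; annotate both ends, `#endif /* HAVE_SECCOMP */` here and on the `#endif` introduced in the `@@ -2,8 +2,8 @@` hunk. Because the enum and the errno-or-action helpers are now compiled in builds without seccomp, the comment above `enum {` should record that, e.g. append `Parsed and serialized regardless of HAVE_SECCOMP so that configuration using it still parses; without seccomp support no filter is installed.` `seccomp_errno_or_action_to_string()` calls `errno_to_name()`, which in the new layout must come from an include that is outside the `#if HAVE_SECCOMP` block (presumably errno-list.h, above the visible lines) — worth confirming in a build with seccomp disabled. The enclosing `#if` region starts in the `@@ -13,6 +13,8 @@` hunk and its body is otherwise outside this hunk.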
@@ -27,9 +27,7 @@
 #include "parse-util.h"
 #include "path-util.h"
 #include "pretty-print.h"
-#if HAVE_SECCOMP
-# include "seccomp-util.h"
-#endif
+#include "seccomp-util.h"
 #include "service.h"
 #include "set.h"
 #include "stdio-util.h"
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 52964390ae..395051e57f 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -2,11 +2,6 @@
 #include
 #include
-
-#if HAVE_SECCOMP
-#include
-#endif
-
 #include "af-list.h"
 #include "alloc-util.h"
 #include "bus-get-properties.h"
@@ -37,9 +32,7 @@
 #include "pcre2-util.h"
 #include "process-util.h"
 #include "rlimit-util.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "securebits-util.h"
 #include "specifier.h"
 #include "stat-util.h"
diff --git a/src/core/execute.c b/src/core/execute.c
index f9761b7239..5ffb088aee 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -26,10 +26,6 @@
 #include
 #endif
-#if HAVE_SECCOMP
-#include
-#endif
-
 #if HAVE_APPARMOR
 #include
 #endif
@@ -93,9 +89,7 @@
 #include "recurse-dir.h"
 #include "rlimit-util.h"
 #include "rm-rf.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "securebits-util.h"
 #include "selinux-util.h"
 #include "signal-util.h"
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index ceca070e79..9d1fd0f7a7 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -7,9 +7,6 @@
 #include
 #include
 #include
-#if HAVE_SECCOMP
-#include
-#endif
 #include
 #include
@@ -56,9 +53,7 @@
 #include "pcre2-util.h"
 #include "percent-util.h"
 #include "process-util.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "securebits-util.h"
 #include "selinux-util.h"
 #include "signal-util.h"
diff --git a/src/core/main.c b/src/core/main.c
index c09f922700..df9cfa21aa 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -8,9 +8,6 @@
 #include
 #include
 #include
-#if HAVE_SECCOMP
-#include
-#endif
 #if HAVE_VALGRIND_VALGRIND_H
 # include
 #endif
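Review bot: Every translation unit in this patch now depends on seccomp-util.h's own guard around the libseccomp header for its `<seccomp.h>` symbols, since the direct, `#if HAVE_SECCOMP`-guarded `<seccomp.h>` include is dropped here in dbus-execute.c and likewise in execute.c, load-fragment.c, main.c, nspawn-oci.c, nspawn-seccomp.c and nspawn-settings.h, while the guard around `#include "seccomp-util.h"` goes in those files plus analyze-security.c, nspawn.c, bus-unit-util.c and test-execute.c. That guard exists only as of the first patch in this series, so any `SCMP_*` macro or `scmp_filter_ctx` use in these files that is not itself under `#if HAVE_SECCOMP` would now fail to compile only in a build with seccomp support disabled, which is the configuration least likely to be built locally. The commit message's claim that seccomp-util.h has long worked without HAVE_SECCOMP covers the header, not the removal of the direct includes, so a seccomp-disabled build of this series is the check to add before merging.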
@@ -82,9 +79,7 @@
 #include "psi-util.h"
 #include "random-util.h"
 #include "rlimit-util.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "selinux-setup.h"
 #include "selinux-util.h"
 #include "signal-util.h"
diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c
index a4eda80ea0..5bdfebde78 100644
--- a/src/nspawn/nspawn-oci.c
+++ b/src/nspawn/nspawn-oci.c
@@ -1,9 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #include
-#if HAVE_SECCOMP
-#include
-#endif
 #include "bus-util.h"
 #include "cap-list.h"
@@ -19,9 +16,7 @@
 #include "nspawn-oci.h"
 #include "path-util.h"
 #include "rlimit-util.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "stdio-util.h"
 #include "string-util.h"
 #include "strv.h"
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 5f45f367d0..34a8627848 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -6,16 +6,10 @@
 #include
 #include
-#if HAVE_SECCOMP
-#include
-#endif
-
 #include "alloc-util.h"
 #include "log.h"
 #include "nspawn-seccomp.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "string-util.h"
 #include "strv.h"
diff --git a/src/nspawn/nspawn-settings.h b/src/nspawn/nspawn-settings.h
index 0a3d975364..8edf8a3552 100644
--- a/src/nspawn/nspawn-settings.h
+++ b/src/nspawn/nspawn-settings.h
@@ -4,10 +4,6 @@
 #include
 #include
-#if HAVE_SECCOMP
-#include
-#endif
-
 #include "sd-bus.h"
 #include "sd-id128.h"
@@ -18,6 +14,7 @@
 #include "missing_resource.h"
 #include "nspawn-expose-ports.h"
 #include "nspawn-mount.h"
+#include "seccomp-util.h"
 #include "time-util.h"
 typedef enum StartMode {
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index e614b05c83..d3ae547746 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -96,9 +96,7 @@
 #include "resolve-util.h"
 #include "rlimit-util.h"
 #include "rm-rf.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "selinux-util.h"
 #include "signal-util.h"
 #include "socket-util.h"
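Review bot: The `#include "seccomp-util.h"` added to nspawn-settings.h swaps a guarded system-header include for a shared-utility header inside a header that other files include, so every includer of nspawn-settings.h now transitively gets set.h and string-util.h as well (and libseccomp when HAVE_SECCOMP is set), which is a wider dependency than the `<seccomp.h>` include it replaces. What the settings header actually needs from it is not visible in the hunk; if it is only a libseccomp type for a struct member, keeping that include in the .c files or forward-declaring would be the lighter choice, and if it is one of the HAVE_SECCOMP-independent declarations, a short comment on the include, `/* for the HAVE_SECCOMP-independent seccomp declarations */`, would explain why a settings header pulls it in. The `typedef enum StartMode` that follows continues outside the hunk.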
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index 6ea5e138e0..ad1957d9d7 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -37,9 +37,7 @@
 #include "percent-util.h"
 #include "process-util.h"
 #include "rlimit-util.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "securebits-util.h"
 #include "signal-util.h"
 #include "socket-util.h"
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 2316d2b615..0be66c2c7b 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -23,9 +23,7 @@
 #include "path-util.h"
 #include "process-util.h"
 #include "rm-rf.h"
-#if HAVE_SECCOMP
 #include "seccomp-util.h"
-#endif
 #include "service.h"
 #include "signal-util.h"
 #include "static-destruct.h"