author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-01-03 03:47:27 +0900 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2022-01-04 16:24:48 +0100 |
commit | c563e3ef7761f89ac4643df08ef59c054f2d0135 (patch) | |
tree | 2f1e3d9a1917a6fe92a478695333114f25ad59be | |
parent | cd88d010e862d26ce816eb3bd6735a80999ac41e (diff) | |
seccomp-util: include missing_syscall_def.h to make __SNR_foo mapped to __NR_foo
Fixes #21969.
(cherry picked from commit e83156c264d149e8f92f05b4d777317824a430f1)
-rw-r--r-- | src/shared/seccomp-util.c | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 7d2c52e188..b70ad1f7ea 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -3,13 +3,16 @@ #include <errno.h> #include <fcntl.h> #include <linux/seccomp.h> -#include <seccomp.h> #include <stddef.h> #include <sys/mman.h> #include <sys/prctl.h> #include <sys/shm.h> #include <sys/stat.h> +/* include missing_syscall_def.h earlier to make __SNR_foo mapped to __NR_foo. */ +#include "missing_syscall_def.h" +#include <seccomp.h> + #include "af-list.h" #include "alloc-util.h" #include "env-util.h" @@ -1736,13 +1739,11 @@ int seccomp_memory_deny_write_execute(void) { if (r < 0) continue; -#ifdef __NR_pkey_mprotect r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(pkey_mprotect), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC)); if (r < 0) continue; -#endif if (shmat_syscall > 0) { r = add_seccomp_syscall_filter(seccomp, arch, shmat_syscall, @@ -2063,7 +2064,6 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) { else any = true; -#if SCMP_SYS(open) > 0 r = seccomp_rule_add_exact( seccomp, SCMP_ACT_ERRNO(EPERM), @@ -2075,7 +2075,6 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) { log_debug_errno(r, "Failed to add filter for open: %m"); else any = true; -#endif r = seccomp_rule_add_exact( seccomp, @@ -2213,7 +2212,6 @@ static int block_open_flag(scmp_filter_ctx seccomp, int flag) { /* Blocks open() with the specified flag, where flag is O_SYNC or so. This makes these calls return * EINVAL, in the hope the client code will retry without O_SYNC then. */ -#if SCMP_SYS(open) > 0 r = seccomp_rule_add_exact( seccomp, SCMP_ACT_ERRNO(EINVAL), @@ -2224,7 +2222,6 @@ static int block_open_flag(scmp_filter_ctx seccomp, int flag) { log_debug_errno(r, "Failed to add filter for open: %m"); else any = true; -#endif r = seccomp_rule_add_exact( seccomp, |
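Review bot: The new comment above `#include "missing_syscall_def.h"` in the first hunk says why the header moved, but not that the order is load-bearing, so a later include sort or a new header that pulls in `<seccomp.h>` first would quietly undo it. As I understand libseccomp's headers (not shown on this page), `SCMP_SYS(foo)` falls back to a negative pseudo-number when `__NR_foo` is not yet defined at the point `<seccomp.h>` is read, and the later hunks drop their preprocessor guards on that assumption. I would spell the constraint out, for example `/* Must stay before <seccomp.h>: SCMP_SYS(foo) only resolves to the real syscall number if __NR_foo is already defined. Do not reorder. */`.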
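Review bot: With the `#ifdef __NR_pkey_mprotect` guard removed in seccomp_memory_deny_write_execute(), nothing at the call site records why the `pkey_mprotect` rule can now be unconditional. The rule matches `PROT_EXEC` in the third argument and so is part of the write-execute restriction, and its syscall number presumably now comes from the header moved in the first hunk; a reader auditing this function should not have to find that out from the include block. A short comment would do: `/* No #ifdef: missing_syscall_def.h is included before <seccomp.h>, so SCMP_SYS(pkey_mprotect) is usable even with old kernel headers. */`. A failed add takes the same `continue` as the check above it; what that skips lies outside the hunk, as does the rest of the function.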
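Review bot: Removing `#if SCMP_SYS(open) > 0` in seccomp_restrict_sxid() moves the "this architecture has no open()" case from compile time to run time, where it ends in `log_debug_errno(r, "Failed to add filter for open: %m")` and reads exactly like a real failure to install the rule. The same applies to the matching `#endif` hunk and to both hunks in block_open_flag(). On such an architecture the failure is presumably expected (I am inferring that `SCMP_SYS(open)` stays a pseudo-number there), but someone checking the debug log for gaps in the filter cannot tell the two cases apart. I would add a comment before each of these calls, such as `/* open() is absent on some architectures; the add is then expected to fail and is only logged at debug level. */`. Both functions begin and end outside these hunks, so how `any` is used afterwards is not visible here.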