| author | Anita Zhang <the.anitazha@gmail.com> | 2019-04-10 16:08:41 -0700 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2019-04-12 10:23:07 +0200 |
| commit | 7bc5e0b12b7647ac203eeb81092c08724f9bbed3 (patch) | |
| tree | 03c607ebb1ff27d2fb3899401b3292b26fc01e12 /src/nspawn | |
| parent | 03abeb0baf7fe97c98a98d745b75c7d33e2f632e (diff) | |
| download | systemd-7bc5e0b12b7647ac203eeb81092c08724f9bbed3.tar.gz | |
seccomp: check more error codes from seccomp_load()
We noticed in our tests that occasionally SystemCallFilter= would
fail to set and the service would run with no syscall filtering.
Most of the time the same tests would apply the filter and fail
the service as expected. While it's not totally clear why this happens,
we noticed seccomp_load() in the systemd code base would fail open for
all errors except EPERM and EACCES.
ENOMEM, EINVAL, and EFAULT seem like reasonable values to add to the
error set based on what I gather from libseccomp code and man pages:
- ENOMEM: out of memory, failed to allocate space for a libseccomp structure, or would exceed a defined constant
- EINVAL: kernel isn't configured to support the operations, args are invalid (to seccomp_load(), seccomp(), or prctl())
- EFAULT: addresses passed as args are invalid
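The failure modes the commit message lists, as an added example that is neither systemd's code nor libseccomp's. It installs a seccomp filter through the raw prctl(2) interface so it builds with only glibc and the Linux kernel headers (libseccomp's seccomp_load() surfaces the same kernel errors as negative errno values), provokes EINVAL and EFAULT with deliberately malformed filters, installs a real allow-all filter in a forked child, and shows which results the old EPERM/EACCES-only check let through. The names errno_is_seccomp_fatal(), load_filter(), may_continue() and OLD_POLICY/NEW_POLICY are this example's own; the real ERRNO_IS_SECCOMP_FATAL() is defined outside the src/nspawn part of the diff, so the set coded here is the one the commit message describes, not a copy of systemd's macro. It assumes a kernel built with CONFIG_SECCOMP_FILTER.

```c
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed counterpart of systemd's ERRNO_IS_SECCOMP_FATAL(). Its real definition
 * is not in the src/nspawn diff, so this encodes the set the commit message
 * describes: the old EPERM/EACCES pair plus ENOMEM, EINVAL and EFAULT. */
static int errno_is_seccomp_fatal(int r) {
        switch (-r) {
        case EPERM:
        case EACCES:
        case ENOMEM:
        case EINVAL:
        case EFAULT:
                return 1;
        default:
                return 0;
        }
}

/* Install a filter via prctl(2); returns 0 or -errno, the convention
 * seccomp_load() uses. */
static int load_filter(const struct sock_fprog *prog) {
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prog) < 0)
                return -errno;
        return 0;
}

enum policy { OLD_POLICY, NEW_POLICY };

/* The decision the patch changes. Returns 1 if the caller may carry on
 * executing. Under OLD_POLICY every error except EPERM/EACCES did, which
 * means the process kept running with no filter at all (fail open). */
static int may_continue(enum policy p, int r) {
        if (r == 0)
                return 1;
        if (p == OLD_POLICY)
                return !(r == -EPERM || r == -EACCES);
        return !errno_is_seccomp_fatal(r);
}

/* Constructed bad inputs: the kernel rejects a zero-length program with EINVAL
 * and an unreadable program pointer with EFAULT, in both cases before it looks
 * at privileges, so nothing gets installed in the calling process. */
static int load_empty_filter(void) {
        struct sock_filter allow = BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
        struct sock_fprog prog = { .len = 0, .filter = &allow };
        return load_filter(&prog);
}

static int load_null_filter(void) {
        return load_filter(NULL);
}

/* A valid allow-everything filter, installed in a forked child so the caller
 * stays unfiltered; returns the child's result in the same 0/-errno form. */
static int load_allow_all_in_child(void) {
        struct sock_filter allow = BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
        struct sock_fprog prog = { .len = 1, .filter = &allow };
        pid_t pid = fork();
        if (pid < 0)
                return -errno;
        if (pid == 0) {
                /* no_new_privs lets an unprivileged task install a filter */
                if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
                        _exit(errno);
                _exit(-load_filter(&prog)); /* 0 on success, errno otherwise */
        }
        int status;
        if (waitpid(pid, &status, 0) < 0)
                return -errno;
        return WIFEXITED(status) ? -WEXITSTATUS(status) : -ECHILD;
}

int main(void) {
        const char *names[] = { "empty filter", "NULL filter", "allow-all (child)" };
        int results[] = { load_empty_filter(), load_null_filter(), load_allow_all_in_child() };
        for (int i = 0; i < 3; i++)
                printf("%-18s r=%-4d %-22s old: %-8s new: %s\n", names[i], results[i],
                       results[i] ? strerror(-results[i]) : "ok",
                       may_continue(OLD_POLICY, results[i]) ? "continue" : "abort",
                       may_continue(NEW_POLICY, results[i]) ? "continue" : "abort");
        return 0;
}
```

Build with `cc -o seccomp_policy seccomp_policy.c` and run it unprivileged: the two malformed filters print "continue" under the old policy and "abort" under the new one, which is exactly the fail-open window the commit closes. On a kernel without CONFIG_SECCOMP_FILTER the NULL case reports EINVAL rather than EFAULT; either way it is in the new fatal set.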
Diffstat (limited to 'src/nspawn')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | src/nspawn/nspawn-seccomp.c | 4 |
| -rw-r--r-- | src/nspawn/nspawn.c | 2 |

2 files changed, 3 insertions, 3 deletions
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c index 9b5eb011ae..9222f2bc84 100644 --- a/src/nspawn/nspawn-seccomp.c +++ b/src/nspawn/nspawn-seccomp.c @@ -187,7 +187,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **sys return r; r = seccomp_load(seccomp); - if (IN_SET(r, -EPERM, -EACCES)) + if (ERRNO_IS_SECCOMP_FATAL(r)) return log_error_errno(r, "Failed to install seccomp filter: %m"); if (r < 0) log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); @@ -223,7 +223,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **sys } r = seccomp_load(seccomp); - if (IN_SET(r, -EPERM, -EACCES)) + if (ERRNO_IS_SECCOMP_FATAL(r)) return log_error_errno(r, "Failed to install seccomp audit filter: %m"); if (r < 0) log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 3b0ecb1db9..e05fa3dbf2 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -2948,7 +2948,7 @@ static int inner_child( if (is_seccomp_available()) { r = seccomp_load(arg_seccomp); - if (IN_SET(r, -EPERM, -EACCES)) + if (ERRNO_IS_SECCOMP_FATAL(r)) return log_error_errno(r, "Failed to install seccomp filter: %m"); if (r < 0) log_debug_errno(r, "Failed to install seccomp filter: %m"); |
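Review bot: in the first nspawn-seccomp.c hunk (@@ -187, setup_seccomp) the new ERRNO_IS_SECCOMP_FATAL(r) is used without its definition appearing anywhere in the src/nspawn part of this diff; please confirm it comes from a header nspawn-seccomp.c already includes and that its set is exactly the one the commit message describes (EPERM, EACCES, ENOMEM, EINVAL, EFAULT), because any other negative return still falls through to `log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", ...)` and the container starts with that architecture unfiltered. Since that remaining path is a deliberate fail-open, log_warning_errno() would be more appropriate than debug so an operator can see it happened.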
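Review bot: the second nspawn-seccomp.c hunk (@@ -223, the audit filter) is the same two-line change as the one above it, including the debug-only "skipping" fall-through; rather than keeping two copies of the fatal/non-fatal decision in the same function, consider folding the `r = seccomp_load(seccomp); if (ERRNO_IS_SECCOMP_FATAL(r)) ... if (r < 0) ...` sequence into a small helper that takes the message, so the policy lives in one place and future additions to the fatal set cannot diverge between the syscall filter and the audit filter.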
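Review bot: in the nspawn.c hunk (@@ -2948, inner_child) a seccomp_load(arg_seccomp) error that ERRNO_IS_SECCOMP_FATAL() does not cover is still only log_debug_errno()'d and the child goes on to run the container payload without its filter. Unlike the loops in nspawn-seccomp.c there is no per-architecture "skip and try the next one" rationale here, so the non-fatal branch has no reason to exist: consider returning on every r < 0 at this point, or at minimum logging at warning level. Note also that the surrounding `if (is_seccomp_available())` means a kernel without seccomp silently yields an unfiltered container; if that is intended, a comment saying so would help the next reader.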
