authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2018-09-20 14:19:41 +0200
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2018-09-24 17:21:09 +0200
commit7e86bd73a47f2b8dd3d9a743e69fb0117f450ad8 (patch)
tree89033936668e8ca342b36c0ae2f59965cf01411d /src/nspawn
parentb54f36c604472ffe08830ec4306fa2885b4a5424 (diff)
seccomp: tighten checking of seccomp filter creation
In seccomp code, the code is changed to propagate errors which are about anything other than unknown/unimplemented syscalls. I *think* such errors should not happen in normal usage, but so far we would summarily ignore all errors, so that part is uncertain. If it turns out that other errors occur and should be ignored, this should be added later. In nspawn, we would count the number of added filters, but didn't use this for anything. Drop that part. The comments suggested that seccomp_add_syscall_filter_item() returned negative if the syscall is unknown, but this wasn't true: it returns 0. The error at this point can only be if the syscall was known but couldn't be added. If the error comes from our internal whitelist in nspawn, treat this as an error, because it means that our internal table is wrong. If the error comes from user arguments, warn and ignore. (If some syscall is not known on the current architecture, it is still silently ignored.)
Diffstat (limited to 'src/nspawn')
-rw-r--r--src/nspawn/nspawn-seccomp.c14
1 files changed, 5 insertions, 9 deletions
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index b56c5b04a8..e7ef80f7d6 100644
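--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -140,7 +140,7 @@ static int seccomp_add_default_syscall_filter(
  */
  };
- int r, c = 0;
+ int r;
  size_t i;
  char **p;
@@ -150,21 +150,17 @@ static int seccomp_add_default_syscall_filter(
  r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist, false);
  if (r < 0)
- /* If the system call is not known on this architecture, then that's fine, let's ignore it */
- log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", whitelist[i].name, seccomp_arch_to_string(arch));
- else
- c++;
+ return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name);
  }
  STRV_FOREACH(p, syscall_whitelist) {
  r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false);
  if (r < 0)
- log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", *p, seccomp_arch_to_string(arch));
- else
- c++;
+ log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
+ *p, seccomp_arch_to_string(arch));
  }
- return c;
+ return 0;
  }
  int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {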
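Review bot: The new fatal path for the built-in table, `return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name);`, drops the architecture that the replaced log_debug_errno() line reported, so a wrong entry in the internal whitelist will be diagnosed without saying which seccomp arch it failed on; suggest `return log_error_errno(r, "Failed to add syscall filter item %s on %s: %m", whitelist[i].name, seccomp_arch_to_string(arch));`. The hunk also removes the only comment describing the ignore semantics, while the commit message states that seccomp_add_syscall_filter_item() returns 0 rather than negative for syscalls unknown on this architecture; a comment above the first `if (r < 0)` such as `/* A negative return means a known syscall could not be added, i.e. our table is wrong; unknown syscalls yield 0 and are skipped silently. */` would keep that invariant next to the code that now relies on it. For the user-supplied whitelist, warning and continuing is the safe direction since the SCMP_ACT_ALLOW rule is simply not added, but the message could say so explicitly, e.g. `"... ignoring (system call will not be allowed): %m"`, so an operator sees the consequence. seccomp_add_default_syscall_filter() begins before this hunk.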