-rw-r--r--src/nspawn/nspawn-seccomp.c14
-rw-r--r--src/shared/seccomp-util.c26
2 files changed, 21 insertions, 19 deletions
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index b56c5b04a8..e7ef80f7d6 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -140,7 +140,7 @@ static int seccomp_add_default_syscall_filter(
*/
};
- int r, c = 0;
+ int r;
size_t i;
char **p;
@@ -150,21 +150,17 @@ static int seccomp_add_default_syscall_filter(
r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist, false);
if (r < 0)
- /* If the system call is not known on this architecture, then that's fine, let's ignore it */
- log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", whitelist[i].name, seccomp_arch_to_string(arch));
- else
- c++;
+ return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name);
}
STRV_FOREACH(p, syscall_whitelist) {
r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false);
if (r < 0)
- log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", *p, seccomp_arch_to_string(arch));
- else
- c++;
+ log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
+ *p, seccomp_arch_to_string(arch));
}
- return c;
+ return 0;
}
int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {
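Review bot: The return contract of seccomp_add_default_syscall_filter changes in this hunk from the number of rules added (`return c;`) to 0 on success (`return 0;`), so any caller that tested the count must be updated; setup_seccomp starts on the hunk's last line and is otherwise outside it, so I cannot confirm that here. A short comment above the function would pin the new contract, e.g. `/* Returns 0 on success, negative errno on failure; system calls unknown on this architecture are skipped inside seccomp_add_syscall_filter_item(). */`. The two loops now handle failures differently: the built-in whitelist aborts with log_error_errno while a user-supplied syscall_whitelist entry only warns and continues, which is defensible for externally supplied names, but the two messages should use the same wording and both name the architecture, e.g. `return log_error_errno(r, "Failed to add rule for system call %s on %s: %m", whitelist[i].name, seccomp_arch_to_string(arch));`. Since -EDOM is now swallowed inside seccomp_add_syscall_filter_item, what reaches the warning branch is presumably a real libseccomp failure rather than an unknown name, so "ignoring" there means the allow rule for that syscall is simply missing; if the filter's default action denies, that fails closed, which is the safer direction.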
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index c69b0e82c6..ca55441466 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -891,9 +891,13 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
r = seccomp_rule_add_exact(seccomp, action, id, 0);
if (r < 0) {
/* If the system call is not known on this architecture, then that's fine, let's ignore it */
- if (log_missing)
- log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m",
- name, id);
+ bool ignore = r == -EDOM;
+
+ if (!ignore || log_missing)
+ log_debug_errno(r, "Failed to add rule for system call %s() / %d%s: %m",
+ name, id, ignore ? ", ignoring" : "");
+ if (!ignore)
+ return r;
}
return 0;
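Review bot: The comment kept at the top of the error block, `/* If the system call is not known on this architecture, then that's fine, let's ignore it */`, no longer describes the block: only `r == -EDOM` is swallowed now and every other error is returned, so it should read something like `/* -EDOM means libseccomp does not know this system call on the current architecture, which is fine; any other error is a real failure and is propagated. */`. The same stale comment is retained at the start of the hunk in seccomp_load_syscall_filter_set_raw further down, where the identical `ignore = r == -EDOM` logic was added. With `!ignore || log_missing`, a real error is logged only at debug level before being returned, which is acceptable as long as callers log it themselves, as the nspawn hunk above does. Whether -EDOM is the only code libseccomp reports for an unsupported syscall is not something the hunk shows; if another code can occur, filter sets that previously loaded would now fail outright.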
@@ -941,10 +945,8 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
return r;
r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL, log_missing);
- if (r < 0) {
- log_debug_errno(r, "Failed to add filter set, ignoring: %m");
- continue;
- }
+ if (r < 0)
+ return log_debug_errno(r, "Failed to add filter set: %m");
r = seccomp_load(seccomp);
if (IN_SET(r, -EPERM, -EACCES))
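Review bot: The early `return log_debug_errno(r, "Failed to add filter set: %m");` replaces a `continue` inside what the removed line shows is a loop, presumably over architectures, so the filter context created for this iteration must be released on that path; the declaration of `seccomp` is outside the hunk, so confirm it carries a cleanup attribute in the style of the `_cleanup_free_` used elsewhere in this file, or add an explicit release before the return. The enclosing function begins outside the hunk. Because seccomp_load is called at the end of each iteration, returning partway appears to leave filters already loaded for earlier iterations in effect while later ones are never installed; a comment such as `/* Filters already loaded in earlier iterations stay in effect. */` would make that partial state explicit for callers. The error aborts the function but is logged only at debug level, so callers are expected to log it at a visible level themselves.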
@@ -989,11 +991,15 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
if (r < 0) {
/* If the system call is not known on this architecture, then that's fine, let's ignore it */
_cleanup_free_ char *n = NULL;
+ bool ignore;
n = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, id);
- if (log_missing)
- log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m",
- strna(n), id);
+ ignore = r == -EDOM;
+ if (!ignore || log_missing)
+ log_debug_errno(r, "Failed to add rule for system call %s() / %d%s: %m",
+ strna(n), id, ignore ? ", ignoring" : "");
+ if (!ignore)
+ return r;
}
}