return log_debug_errno(r, "Failed to add filter set: %m");
r = seccomp_load(seccomp);
- if (r < 0) {
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
- }
+ if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
}
return 0;
}
r = seccomp_load(seccomp);
- if (r < 0) {
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
+ if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
log_debug_errno(r, "Failed to install system call filter for architecture %s, skipping: %m",
seccomp_arch_to_string(arch));
- }
}
return 0;
}
NULSTR_FOREACH(i, set->value) {
- /* Call ourselves again, for the group to parse. Note that we downgrade logging here (i.e. take
- * away the SECCOMP_PARSE_LOG flag) since any issues in the group table are our own problem,
- * not a problem in user configuration data and we shouldn't pretend otherwise by complaining
- * about them. */
+ /* Call ourselves again, for the group to parse. Note that we downgrade logging here
+ * (i.e. take away the SECCOMP_PARSE_LOG flag) since any issues in the group table
+ * are our own problem, not a problem in user configuration data and we shouldn't
+ * pretend otherwise by complaining about them. */
r = seccomp_parse_syscall_filter(i, errno_num, filter, flags &~ SECCOMP_PARSE_LOG, unit, filename, line);
if (r < 0)
return r;
return 0;
}
- /* If we previously wanted to forbid a syscall and now we want to allow it, then remove
- * it from the list. The entries in allow-list with non-negative error value will be
- * handled with SCMP_ACT_ERRNO() instead of the default action. */
+ /* If we previously wanted to forbid a syscall and now we want to allow it, then remove it
+ * from the list. The entries in allow-list with non-negative error value will be handled
+ * with SCMP_ACT_ERRNO() instead of the default action. */
if (!FLAGS_SET(flags, SECCOMP_PARSE_INVERT) == FLAGS_SET(flags, SECCOMP_PARSE_ALLOW_LIST) ||
(FLAGS_SET(flags, SECCOMP_PARSE_INVERT | SECCOMP_PARSE_ALLOW_LIST) && errno_num >= 0)) {
r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(errno_num));
SCMP_SYS(clone3),
0);
if (r < 0)
- log_debug_errno(r, "Failed to add clone3() rule for architecture %s, ignoring: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add clone3() rule for architecture %s, ignoring: %m",
+ seccomp_arch_to_string(arch));
if ((retain & NAMESPACE_FLAGS_ALL) == 0)
- /* If every single kind of namespace shall be prohibited, then let's block the whole setns() syscall
- * altogether. */
+ /* If every single kind of namespace shall be prohibited, then let's block the whole
+ * setns() syscall altogether. */
r = seccomp_rule_add_exact(
seccomp,
SCMP_ACT_ERRNO(EPERM),
SCMP_SYS(setns),
0);
else
- /* Otherwise, block only the invocations with the appropriate flags in the loop below, but also the
- * special invocation with a zero flags argument, right here. */
+ /* Otherwise, block only the invocations with the appropriate flags in the loop
+ * below, but also the special invocation with a zero flags argument, right here. */
r = seccomp_rule_add_exact(
seccomp,
SCMP_ACT_ERRNO(EPERM),
1,
SCMP_A1(SCMP_CMP_EQ, 0));
if (r < 0) {
- log_debug_errno(r, "Failed to add setns() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add setns() rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
continue;
}
1,
SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
if (r < 0) {
- log_debug_errno(r, "Failed to add unshare() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add unshare() rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
break;
}
1,
SCMP_A1(SCMP_CMP_MASKED_EQ, f, f));
if (r < 0) {
- log_debug_errno(r, "Failed to add clone() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add clone() rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
break;
}
1,
SCMP_A1(SCMP_CMP_MASKED_EQ, f, f));
if (r < 0) {
- log_debug_errno(r, "Failed to add setns() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add setns() rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
break;
}
}
continue;
r = seccomp_load(seccomp);
- if (r < 0) {
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- log_debug_errno(r, "Failed to install namespace restriction rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
- }
+ if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to install namespace restriction rules for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
}
return 0;
SCMP_SYS(_sysctl),
0);
if (r < 0) {
- log_debug_errno(r, "Failed to add _sysctl() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add _sysctl() rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
continue;
}
r = seccomp_load(seccomp);
- if (r < 0) {
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- log_debug_errno(r, "Failed to install sysctl protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
- }
+ if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to install sysctl protection rules for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
}
return 0;
}
r = seccomp_load(seccomp);
- if (r < 0) {
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m", seccomp_arch_to_string(arch));
- }
+ if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m",
+ seccomp_arch_to_string(arch));
}
return 0;
SCMP_SYS(socket),
0);
if (r < 0) {
- log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
continue;
}
1,
SCMP_A0(SCMP_CMP_LT, first));
if (r < 0) {
- log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
continue;
}
1,
SCMP_A0(SCMP_CMP_GT, last));
if (r < 0) {
- log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
continue;
}
break;
}
if (r < 0) {
- log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
continue;
}
}
break;
}
if (r < 0) {
- log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
continue;
}
}
r = seccomp_load(seccomp);
- if (r < 0) {
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
- }
+ if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
}
return 0;
1,
SCMP_A1(SCMP_CMP_EQ, p));
if (r < 0) {
- log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
continue;
}
}
1,
SCMP_A1(SCMP_CMP_GT, max_policy));
if (r < 0) {
- log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
continue;
}
r = seccomp_load(seccomp);
- if (r < 0) {
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- log_debug_errno(r, "Failed to install realtime protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
- }
+ if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to install realtime protection rules for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
}
return 0;
}
r = seccomp_load(seccomp);
- if (r < 0) {
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
+ if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
log_debug_errno(r, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m",
seccomp_arch_to_string(arch));
- }
loaded++;
}
return r;
r = seccomp_load(seccomp);
- if (r < 0) {
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
+ if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m");
- }
return 0;
}
1,
SCMP_A0(SCMP_CMP_NE, personality));
if (r < 0) {
- log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
continue;
}
r = seccomp_load(seccomp);
- if (r < 0) {
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- log_debug_errno(r, "Failed to enable personality lock for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
- }
+ if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to enable personality lock for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
}
return 0;
SCMP_SYS(sethostname),
0);
if (r < 0) {
- log_debug_errno(r, "Failed to add sethostname() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add sethostname() rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
continue;
}
SCMP_SYS(setdomainname),
0);
if (r < 0) {
- log_debug_errno(r, "Failed to add setdomainname() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add setdomainname() rule for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
continue;
}
r = seccomp_load(seccomp);
- if (r < 0) {
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- log_debug_errno(r, "Failed to apply hostname restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
- }
+ if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to apply hostname restrictions for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
}
return 0;
r = seccomp_restrict_sxid(seccomp, S_ISUID);
if (r < 0)
- log_debug_errno(r, "Failed to add suid rule for architecture %s, ignoring: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add suid rule for architecture %s, ignoring: %m",
+ seccomp_arch_to_string(arch));
k = seccomp_restrict_sxid(seccomp, S_ISGID);
if (k < 0)
- log_debug_errno(r, "Failed to add sgid rule for architecture %s, ignoring: %m", seccomp_arch_to_string(arch));
+ log_debug_errno(r, "Failed to add sgid rule for architecture %s, ignoring: %m",
+ seccomp_arch_to_string(arch));
if (r < 0 && k < 0)
continue;
r = seccomp_load(seccomp);
- if (r < 0) {
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
- }
+ if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
}
return 0;
#endif
r = seccomp_load(seccomp);
- if (r < 0) {
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- log_debug_errno(r, "Failed to apply sync() suppression for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
- }
+ if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to apply sync() suppression for architecture %s, skipping: %m",
+ seccomp_arch_to_string(arch));
}
return 0;
projects / thirdparty / systemd.git / commitdiff
