nspawn,shared: cleanup use of ERRNO_IS_SECCOMP_FATAL() 28428/head
authorDmitry V. Levin <ldv@strace.io>
Fri, 14 Jul 2023 08:00:00 +0000 (08:00 +0000)
committerDmitry V. Levin <ldv@strace.io>
Fri, 28 Jul 2023 12:28:35 +0000 (12:28 +0000)
Given that ERRNO_IS_SECCOMP_FATAL() also matches positive values,
make sure this macro is not called with arguments that do not have
errno semantics.

In this case the arguments passed to ERRNO_IS_SECCOMP_FATAL() are the
values returned by external libseccomp function seccomp_load() which is
not expected to return any positive values, but let's be consistent
anyway and move ERRNO_IS_SECCOMP_FATAL() invocations to the branches
where the return values are known to be negative.

src/nspawn/nspawn-seccomp.c
src/nspawn/nspawn.c
src/shared/seccomp-util.c

index 3d666eeb7966ea7dc74c38c61d77d127708fcb8d..f26bcf829fa2421c8d7025bb2f9fdd7531aa0305 100644 (file)
@@ -206,10 +206,11 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy
                         return r;
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return log_error_errno(r, "Failed to install seccomp filter: %m");
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return log_error_errno(r, "Failed to install seccomp filter: %m");
                         log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+                }
         }
 
         SECCOMP_FOREACH_LOCAL_ARCH(arch) {
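Review bot: The skip branch after `seccomp_load()` reports a non-fatal failure only at debug level and the loop then moves on to the next architecture, so a container can start with no filter for this architecture while nothing shows up in the default log. The hunk does not show which errno values fall outside ERRNO_IS_SECCOMP_FATAL(), so I would at least document the intent on the branch, e.g. `/* Not fatal: this architecture stays unfiltered, continue with the next one */`. The same branch shape is in the second setup_seccomp() hunk and in every seccomp-util.c hunk of this commit; where the function ends in `return 0`, the caller cannot tell a skipped architecture from a loaded one. setup_seccomp() starts and ends outside this hunk.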
@@ -242,10 +243,11 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy
                 }
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return log_error_errno(r, "Failed to install seccomp audit filter: %m");
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return log_error_errno(r, "Failed to install seccomp audit filter: %m");
                         log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+                }
         }
 
         return 0;
index d5b0486543620daa1f23b011db86bb01e40d4282..7eac4ca0bba5ff410e2596e8bb83dc0c8c580cd5 100644 (file)
@@ -3412,10 +3412,11 @@ static int inner_child(
                 if (is_seccomp_available()) {
 
                         r = seccomp_load(arg_seccomp);
-                        if (ERRNO_IS_SECCOMP_FATAL(r))
-                                return log_error_errno(r, "Failed to install seccomp filter: %m");
-                        if (r < 0)
+                        if (r < 0) {
+                                if (ERRNO_IS_SECCOMP_FATAL(r))
+                                        return log_error_errno(r, "Failed to install seccomp filter: %m");
                                 log_debug_errno(r, "Failed to install seccomp filter: %m");
+                        }
                 }
         } else
 #endif
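Review bot: Both branches under `if (r < 0)` log the same text, `"Failed to install seccomp filter: %m"`, so a debug log does not tell whether startup was aborted or went on without the filter. In the non-fatal case the code falls out of the block and, as far as this hunk shows, the payload then runs with no seccomp filter loaded. I would say so in the message and consider warning level, since `is_seccomp_available()` has already passed at this point: `log_warning_errno(r, "Failed to install seccomp filter, proceeding without it: %m");`. inner_child() continues outside the hunk, so confirm that nothing later re-checks `r`.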
index bd9660cb356de817f0c8c34d5379dba151876ebd..6dc10f2f3ad94efe55d03d92b26f9eebbb19141b 100644 (file)
@@ -1092,10 +1092,11 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
                         return log_debug_errno(r, "Failed to add filter set: %m");
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return r;
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return r;
                         log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+                }
         }
 
         return 0;
@@ -1153,11 +1154,12 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
                 }
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return r;
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return r;
                         log_debug_errno(r, "Failed to install system call filter for architecture %s, skipping: %m",
                                         seccomp_arch_to_string(arch));
+                }
         }
 
         return 0;
@@ -1358,10 +1360,11 @@ int seccomp_restrict_namespaces(unsigned long retain) {
                         continue;
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return r;
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return r;
                         log_debug_errno(r, "Failed to install namespace restriction rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+                }
         }
 
         return 0;
@@ -1401,10 +1404,11 @@ int seccomp_protect_sysctl(void) {
                 }
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return r;
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return r;
                         log_debug_errno(r, "Failed to install sysctl protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+                }
         }
 
         return 0;
@@ -1433,10 +1437,11 @@ int seccomp_protect_syslog(void) {
                 }
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return r;
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return r;
                         log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m", seccomp_arch_to_string(arch));
+                }
         }
 
         return 0;
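Review bot: The debug message in the skip branch ends in `skipping %m`, while every other message in this commit's hunks uses `skipping: %m`; the colon is missing, so the errno text runs straight into the sentence. The line is unchanged context, but it now sits inside the new block and is cheap to fix in the same pass: `log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));`.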
@@ -1603,10 +1608,11 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
                 }
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return r;
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return r;
                         log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+                }
         }
 
         return 0;
@@ -1682,10 +1688,11 @@ int seccomp_restrict_realtime_full(int error_code) {
                 }
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return r;
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return r;
                         log_debug_errno(r, "Failed to install realtime protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+                }
         }
 
         return 0;
@@ -1816,11 +1823,12 @@ int seccomp_memory_deny_write_execute(void) {
                 }
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return r;
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return r;
                         log_debug_errno(r, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m",
                                         seccomp_arch_to_string(arch));
+                }
                 loaded++;
         }
 
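Review bot: `loaded++` still runs after the non-fatal branch, so the counter also counts architectures where `seccomp_load()` failed and the rule was skipped. If `loaded` is meant to tell the caller how many architectures actually got the MemoryDenyWriteExecute= filter (its use is outside this hunk), a failed load should not count: end the new block with `continue;` after the `log_debug_errno()` call. The loop and the function's return value lie outside the hunk.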
@@ -1889,10 +1897,11 @@ int seccomp_restrict_archs(Set *archs) {
                 return r;
 
         r = seccomp_load(seccomp);
-        if (ERRNO_IS_SECCOMP_FATAL(r))
-                return r;
-        if (r < 0)
+        if (r < 0) {
+                if (ERRNO_IS_SECCOMP_FATAL(r))
+                        return r;
                 log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m");
+        }
 
         return 0;
 }
@@ -1984,10 +1993,11 @@ int seccomp_lock_personality(unsigned long personality) {
                 }
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return r;
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return r;
                         log_debug_errno(r, "Failed to enable personality lock for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+                }
         }
 
         return 0;
@@ -2025,10 +2035,11 @@ int seccomp_protect_hostname(void) {
                 }
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return r;
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return r;
                         log_debug_errno(r, "Failed to apply hostname restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+                }
         }
 
         return 0;
@@ -2203,10 +2214,11 @@ int seccomp_restrict_suid_sgid(void) {
                         continue;
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return r;
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return r;
                         log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+                }
         }
 
         return 0;
@@ -2348,10 +2360,11 @@ int seccomp_suppress_sync(void) {
 #endif
 
                 r = seccomp_load(seccomp);
-                if (ERRNO_IS_SECCOMP_FATAL(r))
-                        return r;
-                if (r < 0)
+                if (r < 0) {
+                        if (ERRNO_IS_SECCOMP_FATAL(r))
+                                return r;
                         log_debug_errno(r, "Failed to apply sync() suppression for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+                }
         }
 
         return 0;