Given that ERRNO_IS_SECCOMP_FATAL() also matches positive values,
make sure this macro is not called with arguments that do not have
errno semantics.
In this case the arguments passed to ERRNO_IS_SECCOMP_FATAL() are the
values returned by the external libseccomp function seccomp_load(),
which is not expected to return any positive values. Let's be consistent
anyway and move the ERRNO_IS_SECCOMP_FATAL() invocations into the
branches where the return values are known to be negative.
return r;
r = seccomp_load(seccomp);
return r;
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return log_error_errno(r, "Failed to install seccomp filter: %m");
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return log_error_errno(r, "Failed to install seccomp filter: %m");
log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
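Review bot: Nothing at the call site records why ERRNO_IS_SECCOMP_FATAL(r) must stay inside the `if (r < 0)` branch, so a later cleanup could hoist it back out; the reason is given only in the commit message. A short comment on the inner check would preserve it, for example `/* ERRNO_IS_SECCOMP_FATAL() also matches positive values, only call it on negative r */`. The same three-line pattern recurs in every other seccomp_load() hunk on this page, so it may be cleaner to state the invariant once, at the macro definition (not shown here) or in a small wrapper around seccomp_load(). The closing brace of the new block and the rest of the enclosing function lie outside what this view shows.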
}
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
}
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
}
r = seccomp_load(seccomp);
}
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return log_error_errno(r, "Failed to install seccomp audit filter: %m");
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return log_error_errno(r, "Failed to install seccomp audit filter: %m");
log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
if (is_seccomp_available()) {
r = seccomp_load(arg_seccomp);
if (is_seccomp_available()) {
r = seccomp_load(arg_seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return log_error_errno(r, "Failed to install seccomp filter: %m");
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return log_error_errno(r, "Failed to install seccomp filter: %m");
log_debug_errno(r, "Failed to install seccomp filter: %m");
log_debug_errno(r, "Failed to install seccomp filter: %m");
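Review bot: On the non-fatal path the failure to load arg_seccomp is reported only through log_debug_errno(), and no return is visible afterwards, so execution presumably continues without the filter and with nothing at default log levels saying so. If that fail-open behaviour is intended, a comment on the branch should say so, e.g. `/* Non-fatal: proceed without the seccomp filter */`; otherwise consider `log_warning_errno(r, "Failed to install seccomp filter, proceeding without it: %m");`. Which error codes ERRNO_IS_SECCOMP_FATAL() treats as fatal is not visible here, and the enclosing block continues past the hunk.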
return log_debug_errno(r, "Failed to add filter set: %m");
r = seccomp_load(seccomp);
return log_debug_errno(r, "Failed to add filter set: %m");
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
r = seccomp_load(seccomp);
}
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
log_debug_errno(r, "Failed to install system call filter for architecture %s, skipping: %m",
seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to install system call filter for architecture %s, skipping: %m",
seccomp_arch_to_string(arch));
continue;
r = seccomp_load(seccomp);
continue;
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
log_debug_errno(r, "Failed to install namespace restriction rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to install namespace restriction rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
r = seccomp_load(seccomp);
}
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
log_debug_errno(r, "Failed to install sysctl protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to install sysctl protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
r = seccomp_load(seccomp);
}
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m", seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m", seccomp_arch_to_string(arch));
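Review bot: The syslog message in this hunk reads `skipping %m`, while every sibling message on this page uses `skipping: %m`. Since the line sits in a block this commit re-braces, it is a good moment to align it: `"Failed to install syslog protection rules for architecture %s, skipping: %m"`. The difference matters mainly to anyone filtering debug logs on the common `skipping:` suffix to find filters that were not installed.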
}
r = seccomp_load(seccomp);
}
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
r = seccomp_load(seccomp);
}
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
log_debug_errno(r, "Failed to install realtime protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to install realtime protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
r = seccomp_load(seccomp);
}
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
log_debug_errno(r, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m",
seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m",
seccomp_arch_to_string(arch));
return r;
r = seccomp_load(seccomp);
return r;
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m");
log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m");
}
r = seccomp_load(seccomp);
}
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
log_debug_errno(r, "Failed to enable personality lock for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to enable personality lock for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
r = seccomp_load(seccomp);
}
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
log_debug_errno(r, "Failed to apply hostname restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to apply hostname restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
continue;
r = seccomp_load(seccomp);
continue;
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
#endif
r = seccomp_load(seccomp);
#endif
r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
log_debug_errno(r, "Failed to apply sync() suppression for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
log_debug_errno(r, "Failed to apply sync() suppression for architecture %s, skipping: %m", seccomp_arch_to_string(arch));