seccomp: react gracefully if we can't translate a syscall name
authorLennart Poettering <lennart@poettering.net>
Thu, 5 Oct 2017 09:23:07 +0000 (11:23 +0200)
committerLennart Poettering <lennart@poettering.net>
Thu, 5 Oct 2017 09:27:34 +0000 (11:27 +0200)
When a libseccomp implementation doesn't know a syscall yet, that's no
reason for us to fail completely. Instead, debug log, and proceed.

This hopefully fixes the preadv2/pwritev2 issues pointed out here:

https://github.com/systemd/systemd/pull/6952#issuecomment-334302923

src/shared/seccomp-util.c

index 6a4d30bac163b4183bafe577362cb0b1e356b8e7..64ea86a677988d609c8f19d8c7ad6c4602b394cd 100644 (file)
@@ -807,8 +807,8 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
 
                 id = seccomp_syscall_resolve_name(name);
                 if (id == __NR_SCMP_ERROR) {
-                        log_debug("System call %s is not known!", name);
-                        return -EINVAL; /* Not known at all? Then that's a real error */
+                        log_debug("System call %s is not known, ignoring.", name);
+                        return 0;
                 }
 
                 r = seccomp_rule_add_exact(seccomp, action, id, 0);
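Review bot: The new `return 0` on `__NR_SCMP_ERROR` makes a skipped rule look identical to an installed one, so when `action` is a denying action the named syscall stays unfiltered and the only trace is a debug-level message. The same applies to the `continue` added in `seccomp_filter_set_add` in the third hunk, where the resulting set silently lacks the entry. Whether this ends up fail-open depends on how callers use the filter, which is not visible here, so at minimum I would document it at the check: `/* Unknown to this libseccomp: no rule is added, so a deny-list filter leaves this call reachable */`. A misspelled name and a syscall newer than libseccomp are also no longer distinguishable to the caller. Both functions start and end outside their hunks.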
@@ -1501,7 +1501,6 @@ int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) {
                         if (!more)
                                 return -ENXIO;
 
-
                         r = seccomp_filter_set_add(filter, add, more);
                         if (r < 0)
                                 return r;
@@ -1509,8 +1508,10 @@ int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) {
                         int id;
 
                         id = seccomp_syscall_resolve_name(i);
-                        if (id == __NR_SCMP_ERROR)
-                                return -ENXIO;
+                        if (id == __NR_SCMP_ERROR) {
+                                log_debug("Couldn't resolve system call, ignoring: %s", i);
+                                continue;
+                        }
 
                         if (add) {
                                 r = set_put(filter, INT_TO_PTR(id + 1));