From: Daan De Meyer
Date: Thu, 9 Oct 2025 18:23:39 +0000 (+0200)
Subject: sandbox: Add error handling for libseccomp
X-Git-Tag: v26~75^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2695529dd631acd65388af748e7d390e261e5e84;p=thirdparty%2Fmkosi.git
sandbox: Add error handling for libseccomp
---
diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py
index 3376e9a79..558aa6b85 100755
--- a/mkosi/sandbox.py
+++ b/mkosi/sandbox.py
@@ -133,11 +133,12 @@ def is_main() -> bool:
 return __name__ == "__main__"
-def oserror(syscall: str, filename: str = "") -> None:
- if ctypes.get_errno() == ENOSYS and is_main():
+def oserror(syscall: str, filename: str = "", errno: int = 0) -> None:
+ errno = abs(errno) or ctypes.get_errno()
+ if errno == ENOSYS and is_main():
 print(ENOSYS_MSG.format(syscall=syscall, kver=os.uname().version), file=sys.stderr)
- raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()), filename or None)
+ raise OSError(ctypes.get_errno(), os.strerror(errno), filename or None)
 def unshare(flags: int) -> None:
@@ -270,9 +271,16 @@ def seccomp_suppress(*, chown: bool = False, sync: bool = False) -> None:
 try:
 for syscall in suppress:
 id = libseccomp.seccomp_syscall_resolve_name(syscall)
- libseccomp.seccomp_rule_add_exact(seccomp, SCMP_ACT_ERRNO, id, 0)
+ if id < 0:
+ continue
+
+ r = libseccomp.seccomp_rule_add_exact(seccomp, SCMP_ACT_ERRNO, id, 0)
+ if r < 0:
+ oserror("seccomp_rule_add_exact", errno=r)
- libseccomp.seccomp_load(seccomp)
+ r = libseccomp.seccomp_load(seccomp)
+ if r < 0:
+ oserror("seccomp_load", errno=r)
 finally:
 libseccomp.seccomp_release(seccomp)
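Review bot: The new `raise` in `oserror` still passes `ctypes.get_errno()` as the first argument while the message now comes from `os.strerror(errno)`, so the number and the text can disagree. When a caller supplies `errno=r` from a libseccomp return value, as the second hunk does, the ctypes errno may be unset or left over from an earlier call, and the raised `OSError` then carries that value in `.errno` and can map to the wrong subclass. Use the resolved value for both: `raise OSError(errno, os.strerror(errno), filename or None)`.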
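Review bot: The `if id < 0: continue` in the `for syscall in suppress` loop drops an unresolved name without any trace, so the filter can be loaded with fewer rules than `suppress` lists. If this is meant to tolerate syscalls that libseccomp does not provide on the running architecture (that appears to be the intent, but the hunk does not say), state it in a comment such as `# Negative id: libseccomp has no such syscall on this architecture, so there is nothing to suppress.` The body of `seccomp_suppress` begins outside the hunk, so how `suppress` is built is not visible here.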