.name = "@sync",
.help = "Synchronize files and memory to storage",
.value =
+ /* Please also update the list in seccomp_suppress_sync(). */
"fdatasync\0"
"fsync\0"
"msync\0"
uint32_t arch;
int r;
- /* This is mostly identical to SystemCallFilter=~@sync:0, but simpler to use, and separately
- * manageable, and also masks O_SYNC/O_DSYNC */
+ /* This behaves slightly differently from SystemCallFilter=~@sync:0, in that negative fds (which
+ * we can determine to be invalid) are still refused with EBADF. See #34478.
+ *
+ * Additionally, O_SYNC/O_DSYNC are masked. */
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
continue;
}
- r = seccomp_rule_add_exact(
- seccomp,
- SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */
- id,
- 0);
+ if (STR_IN_SET(c, "fdatasync", "fsync", "sync_file_range", "sync_file_range2", "syncfs"))
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */
+ id,
+ 1,
+ SCMP_A0(SCMP_CMP_LE, INT_MAX)); /* The rule handles arguments in unsigned. Hence, this
+ * means non-negative fd matches the rule, and the negative
+ * fd passed to the syscall (then it fails with EBADF). */
+ else
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */
+ id,
+ 0);
if (r < 0)
log_debug_errno(r, "Failed to add filter for system call %s, ignoring: %m", c);
}
projects / thirdparty / systemd.git / commitdiff
