git.ipfire.org Git - thirdparty/systemd.git/commitdiff
core: sync SeccompParseFlags between dbus-execute and load-fragment
author Anita Zhang <the.anitazha@gmail.com>
Thu, 6 Feb 2020 23:34:17 +0000 (15:34 -0800)
committer Yu Watanabe <watanabe.yu+github@gmail.com>
Fri, 7 Feb 2020 04:39:35 +0000 (13:39 +0900)
9e486265716963439fb0fd7f2a97abf109f24f75 added some new syscalls to the
filter lists. However, on systems that do not yet support the new calls,
running systemd-run with the filter set results in error:

```
$ sudo systemd-run -t -r -p "SystemCallFilter=~@mount" /bin/true
Failed to start transient service unit: Invalid argument
```

Having the same properties in a unit file will start the service
without issue. This is because the load-fragment code will parse the
syscall filters in permissive mode:
https://github.com/systemd/systemd/blob/master/src/core/load-fragment.c#L2909
whereas the dbus-execute equivalent of the code does not.

Since the permissive mode appears to be the right setting to support
older kernels/libseccomp, this will update the dbus-execute parsing
to also be permissive.

src/core/dbus-execute.c

index 9ff3f157f556d8fa0a7982104eb6999f69c49d96..d8ba3e5d9241e763c3d701f218e0080855ab5950 100644 (file)
@@ -1587,6 +1587,7 @@ int bus_exec_context_set_transient_property(
                                         r = seccomp_parse_syscall_filter("@default",
                                                                          -1,
                                                                          c->syscall_filter,
+                                                                         SECCOMP_PARSE_PERMISSIVE |
                                                                          SECCOMP_PARSE_WHITELIST | invert_flag,
                                                                          u->id,
                                                                          NULL, 0);
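Review bot: The "@default" call here gets SECCOMP_PARSE_PERMISSIVE but not SECCOMP_PARSE_LOG, while the per-entry call in the next hunk gets both. Going by the flag names, a member of @default that the running kernel or libseccomp does not know would then be skipped without any log line. Consider passing SECCOMP_PARSE_LOG | SECCOMP_PARSE_PERMISSIVE here as well, or add a short comment explaining why logging is intentionally left out for the implicit default set, so the two call sites do not drift apart again.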
@@ -1606,7 +1607,9 @@ int bus_exec_context_set_transient_property(
                                 r = seccomp_parse_syscall_filter(n,
                                                                  e,
                                                                  c->syscall_filter,
-                                                                 (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag,
+                                                                 SECCOMP_PARSE_LOG | SECCOMP_PARSE_PERMISSIVE |
+                                                                 invert_flag |
+                                                                 (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
                                                                  u->id,
                                                                  NULL, 0);
                                 if (r < 0)
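Review bot: With SECCOMP_PARSE_PERMISSIVE on the per-entry call, a name that cannot be resolved no longer fails the property set with "Invalid argument", and that applies to misspelled names as much as to syscalls the kernel is too old to know. When c->syscall_whitelist is false (a deny list such as the "~@mount" case in the commit message), a dropped entry means the service starts with a weaker filter than the caller asked for, and the only signal is whatever SECCOMP_PARSE_LOG emits. A comment at this call stating that it deliberately mirrors the load-fragment.c behaviour and names that trade-off would help future readers. As a style point, the flag order here (LOG | PERMISSIVE | invert_flag | whitelist) differs from the call in the previous hunk; using one order in both places makes the pair easier to compare.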