From: Lennart Poettering
Date: Thu, 5 Oct 2017 09:24:51 +0000 (+0200)
Subject: seccomp: always handle seccomp_load() failing the same way
X-Git-Tag: v235~15^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1c6af69b2d25af90e210bc21cc378fb4a6c96316;p=thirdparty%2Fsystemd.git

seccomp: always handle seccomp_load() failing the same way

Unfortunately libseccomp doesn't return (nor document) clean error codes, hence until then only check for specific error codes that we propagate, but ignore (but debug log) all others.

Do this at one more place, we are already doing that at all others.
---

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 64ea86a6779..a3728ff7b2f 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1187,7 +1187,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
 if (r < 0)
 break;
 }
-
 if (r < 0) {
 log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
 continue;
@@ -1212,7 +1211,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
 if (r < 0)
 break;
 }
-
 if (r < 0) {
 log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
 continue;
@@ -1453,7 +1451,13 @@ int seccomp_restrict_archs(Set *archs) {
 if (r < 0)
 return r;
 
-return seccomp_load(seccomp);
+r = seccomp_load(seccomp);
+if (IN_SET(r, -EPERM, -EACCES))
+return r;
+if (r < 0)
+log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m");
+
+return 0;
 }
 
 int parse_syscall_archs(char **l, Set **archs) {
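Review bot: The new tail of seccomp_restrict_archs returns 0 after a failed seccomp_load() unless the error is -EPERM/-EACCES, so a caller cannot tell an enforced architecture restriction from one that was silently skipped; that is the stated intent, but the return deserves a comment such as `/* Filter not installed; treated as best-effort like the other seccomp_* helpers, only EPERM/EACCES are propagated. */` so the next maintainer does not read `return 0` as "filter active". The function's header comment (outside this hunk) should state the same contract, since the only trace of a skipped restriction is a debug-level log line. The two consecutive `if` statements could also be folded into `if (r < 0 && !IN_SET(r, -EPERM, -EACCES))`, though keeping them parallel to the existing call sites is a defensible style choice. seccomp_restrict_archs begins before the hunk, so whether the `seccomp` context is released on the early `return r` path could not be verified from here.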