From: Lennart Poettering Date: Tue, 9 Nov 2021 17:26:53 +0000 (+0100) Subject: nspawn: only copy syscall filters from settings if actually configured X-Git-Tag: v250-rc1~321^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2d09ea44fcd7c13658bf2e706b4ecd6aba35bfbf;p=thirdparty%2Fsystemd.git nspawn: only copy syscall filters from settings if actually configured As in the previous commit, let's not copy settings that aren#t configured, so that --settings=override with an empty .nspawn file is truly a NOP. --- diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 3209b50417b..9adc166aa9c 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -4462,19 +4462,23 @@ static int merge_settings(Settings *settings, const char *path) { if ((arg_settings_mask & SETTING_SYSCALL_FILTER) == 0) { - if (!arg_settings_trusted && !strv_isempty(settings->syscall_allow_list)) - log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path); - else { - strv_free_and_replace(arg_syscall_allow_list, settings->syscall_allow_list); - strv_free_and_replace(arg_syscall_deny_list, settings->syscall_deny_list); + if (!strv_isempty(settings->syscall_allow_list) || !strv_isempty(settings->syscall_deny_list)) { + if (!arg_settings_trusted && !strv_isempty(settings->syscall_allow_list)) + log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path); + else { + strv_free_and_replace(arg_syscall_allow_list, settings->syscall_allow_list); + strv_free_and_replace(arg_syscall_deny_list, settings->syscall_deny_list); + } } #if HAVE_SECCOMP - if (!arg_settings_trusted && settings->seccomp) - log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path); - else { - seccomp_release(arg_seccomp); - arg_seccomp = TAKE_PTR(settings->seccomp); + if (settings->seccomp) { + if (!arg_settings_trusted) + log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path); + else { + seccomp_release(arg_seccomp); + arg_seccomp = TAKE_PTR(settings->seccomp); + } } #endif }