From: Luca Bruno Date: Tue, 12 Jul 2016 09:55:26 +0000 (+0200) Subject: seccomp: only abort on syscall name resolution failures (#3701) X-Git-Tag: v231~71 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=391b81cd03f0829e8a5c45b0eaefad4ef41f1285;p=thirdparty%2Fsystemd.git seccomp: only abort on syscall name resolution failures (#3701) seccomp_syscall_resolve_name() can return a mix of positive and negative (pseudo-) syscall numbers, while errors are signaled via __NR_SCMP_ERROR. This commit lets the syscall filter parser only abort on real parsing failures, letting libseccomp handle pseudo-syscall number on its own and allowing proper multiplexed syscalls filtering. --- diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index 61b333b506b..782e420e4ce 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -2429,7 +2429,7 @@ static int syscall_filter_parse_one( int id; id = seccomp_syscall_resolve_name(t); - if (id < 0) { + if (id == __NR_SCMP_ERROR) { if (warn) log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse system call, ignoring: %s", t); return 0;
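Review bot: the new condition `if (id == __NR_SCMP_ERROR)` in syscall_filter_parse_one() is the only place that documents why negative ids are now allowed through, and nothing in the hunk says so; a short comment above the check (for example that seccomp_syscall_resolve_name() returns negative pseudo-syscall numbers for multiplexed calls and signals failure only via __NR_SCMP_ERROR, as the commit message explains) would stop a later reader from "fixing" it back to `id < 0`. Two smaller points: the log message "Failed to parse system call, ignoring: %s" now fires on a name-resolution failure rather than a parse failure, so "Failed to resolve system call" would match the subject line and the actual condition; and since the check now depends on the sentinel macro rather than the sign, please confirm in the rest of the patch that the header defining __NR_SCMP_ERROR is included in this file, which the visible context does not show.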