From: Zbigniew Jędrzejewski-Szmek
Date: Wed, 18 Jan 2017 04:10:46 +0000 (-0500)
Subject: Merge pull request #4991 from poettering/seccomp-fix
X-Git-Tag: v233~227
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5b3637b44a28d3fb2ba8b272905c64d9dbae4d26;p=thirdparty%2Fsystemd.git
Merge pull request #4991 from poettering/seccomp-fix
--- 5b3637b44a28d3fb2ba8b272905c64d9dbae4d26
diff --cc src/core/execute.c
index 3a7f997522c,a77edbb162e..06a291fd394
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@@ -2942,31 -2691,22 +2729,25 @@@ static int exec_child
}
#ifdef HAVE_SECCOMP
- if (context_has_address_families(context)) {
- r = apply_address_families(unit, context);
- if (r < 0) {
- *exit_status = EXIT_ADDRESS_FAMILIES;
- *error_message = strdup("Failed to restrict address families");
- return r;
- }
+ r = apply_address_families(unit, context);
+ if (r < 0) {
+ *exit_status = EXIT_ADDRESS_FAMILIES;
++ *error_message = strdup("Failed to restrict address families");
+ return r;
}
- if (context->memory_deny_write_execute) {
- r = apply_memory_deny_write_execute(unit, context);
- if (r < 0) {
- *exit_status = EXIT_SECCOMP;
- *error_message = strdup("Failed to disable writing to executable memory");
- return r;
- }
+ r = apply_memory_deny_write_execute(unit, context);
+ if (r < 0) {
+ *exit_status = EXIT_SECCOMP;
++ *error_message = strdup("Failed to disable writing to executable memory");
+ return r;
}
- if (context->restrict_realtime) {
- r = apply_restrict_realtime(unit, context);
- if (r < 0) {
- *exit_status = EXIT_SECCOMP;
- *error_message = strdup("Failed to apply realtime restrictions");
- return r;
- }
+ r = apply_restrict_realtime(unit, context);
+ if (r < 0) {
+ *exit_status = EXIT_SECCOMP;
++ *error_message = strdup("Failed to apply realtime restrictions");
+ return r;
}
r = apply_restrict_namespaces(unit, context);
@@@ -2976,42 -2715,36 +2757,41 @@@ return r;
}
- if (context->protect_kernel_tunables) {
- r = apply_protect_sysctl(unit, context);
- 
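Review bot: The `context->…` guards around apply_memory_deny_write_execute(), apply_restrict_realtime() and context_has_address_families() are dropped, so these helpers now run for every service, including units with no seccomp-related settings at all; the hunk does not show the helpers, so presumably each one checks its own option and returns 0 when it is unset, which is worth confirming because a non-zero return here aborts the exec of every unit. The same applies to apply_protect_sysctl(), apply_protect_kernel_modules(), apply_private_devices() and apply_syscall_filter() in the second hunk. I would state that contract once at the top of the block: `/* Each apply_*() helper checks whether its option is enabled and returns 0 otherwise, so it is safe to call unconditionally. */`. exec_child() starts before this hunk, per the `@@@` context line.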
if (r < 0) {
- *exit_status = EXIT_SECCOMP;
- *error_message = strdup("Failed to apply sysctl restrictions");
- return r;
- }
+ r = apply_protect_sysctl(unit, context);
+ if (r < 0) {
+ *exit_status = EXIT_SECCOMP;
++ *error_message = strdup("Failed to apply sysctl restrictions");
+ return r;
}
- if (context->protect_kernel_modules) {
- r = apply_protect_kernel_modules(unit, context);
- if (r < 0) {
- *exit_status = EXIT_SECCOMP;
- *error_message = strdup("Failed to apply module loading restrictions");
- return r;
- }
+ r = apply_protect_kernel_modules(unit, context);
+ if (r < 0) {
+ *exit_status = EXIT_SECCOMP;
++ *error_message = strdup("Failed to apply module loading restrictions");
+ return r;
}
- if (context->private_devices) {
- r = apply_private_devices(unit, context);
- if (r < 0) {
- *exit_status = EXIT_SECCOMP;
- *error_message = strdup("Failed to set up private devices");
- return r;
- }
+ r = apply_private_devices(unit, context);
+ if (r < 0) {
+ *exit_status = EXIT_SECCOMP;
++ *error_message = strdup("Failed to set up private devices");
+ return r;
+ }
+
+ r = apply_syscall_archs(unit, context);
+ if (r < 0) {
+ *exit_status = EXIT_SECCOMP;
++ *error_message = strdup("Failed to apply syscall architecture restrictions");
+ return r;
}
/* This really should remain the last step before the execve(), to make sure our own code is unaffected
* by the filter as little as possible. */
- if (context_has_syscall_filters(context)) {
- r = apply_seccomp(unit, context);
- if (r < 0) {
- *exit_status = EXIT_SECCOMP;
- *error_message = strdup("Failed to apply syscall filters");
- return r;
- }
+ r = apply_syscall_filter(unit, context);
+ if (r < 0) {
+ *exit_status = EXIT_SECCOMP;
++ *error_message = strdup("Failed to apply syscall filters");
+ return r;
}
#endif
}
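Review bot: The `++` lines (`*error_message = strdup("…")`) are the merge's own resolution, and none of them checks the strdup() result, so under allocation failure the child returns with `*exit_status` set but `*error_message` still NULL; that is only fine if the caller's logging tolerates a NULL message, which cannot be seen from this hunk. Since the messages are string literals, a comment at the first such line would make the assumption explicit: `/* strdup() failure leaves *error_message NULL; the exit status alone must identify the failed step. */`. The new apply_syscall_archs() call is correctly placed before apply_syscall_filter(), matching the comment that the filter must remain the last step. The enclosing function appears to continue past `#endif`, outside the hunk.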