From: Dmitry V. Levin
Date: Fri, 14 Jul 2023 08:00:00 +0000 (+0000)
Subject: nspawn,shared: cleanup use of ERRNO_IS_SECCOMP_FATAL()
X-Git-Tag: v255-rc1~886^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F28428%2Fhead;p=thirdparty%2Fsystemd.git

nspawn,shared: cleanup use of ERRNO_IS_SECCOMP_FATAL()

Given that ERRNO_IS_SECCOMP_FATAL() also matches positive values, make sure this macro is not called with arguments that do not have errno semantics. In this case the arguments passed to ERRNO_IS_SECCOMP_FATAL() are the values returned by external libseccomp function seccomp_load() which is not expected to return any positive values, but let's be consistent anyway and move ERRNO_IS_SECCOMP_FATAL() invocations to the branches where the return values are known to be negative.
---
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 3d666eeb796..f26bcf829fa 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -206,10 +206,11 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy
 return r;
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return log_error_errno(r, "Failed to install seccomp filter: %m");
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return log_error_errno(r, "Failed to install seccomp filter: %m");
 log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
 }
 SECCOMP_FOREACH_LOCAL_ARCH(arch) {
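Review bot: In the `setup_seccomp` hunk at -206 the non-fatal branch still only emits `log_debug_errno(... "skipping: %m" ...)` and continues, so if the load fails non-fatally for every local architecture no filter is installed, yet the function reaches the `return 0;` visible at the end of the following hunk and reports success. The other per-architecture hunks in `seccomp-util.c` have the same shape, and `seccomp_restrict_archs` (hunk at -1889) does it for a single, non-per-architecture load. Consider counting successful loads and making the all-failed case visible at default log level, e.g. `else loaded++;` after the new `if (r < 0) { ... }` block and `if (loaded == 0) log_warning("No seccomp filter could be installed.");` before the return. The loop head and any counter declaration are outside the hunk, so this needs checking against the full function.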
@@ -242,10 +243,11 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy
 }
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return log_error_errno(r, "Failed to install seccomp audit filter: %m");
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return log_error_errno(r, "Failed to install seccomp audit filter: %m");
 log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
 }
 return 0;
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index d5b04865436..7eac4ca0bba 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3412,10 +3412,11 @@ static int inner_child(
 if (is_seccomp_available()) {
 r = seccomp_load(arg_seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return log_error_errno(r, "Failed to install seccomp filter: %m");
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return log_error_errno(r, "Failed to install seccomp filter: %m");
 log_debug_errno(r, "Failed to install seccomp filter: %m");
+ }
 }
 } else
 #endif
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index bd9660cb356..6dc10f2f3ad 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1092,10 +1092,11 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
 return log_debug_errno(r, "Failed to add filter set: %m");
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
 log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
 }
 return 0;
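Review bot: In `inner_child` (the `nspawn.c` hunk at -3412) the non-fatal branch logs `"Failed to install seccomp filter: %m"` at debug level, the same text as the fatal path, and then falls out of the block, so the container payload appears to start without the filter and nothing at default log level says so. I would make that outcome explicit and visible, e.g. `log_warning_errno(r, "Failed to install seccomp filter, continuing without it: %m");`. The code after the closing braces is outside the hunk, so confirm that nothing later re-checks `r`.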
@@ -1153,11 +1154,12 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
 }
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
 log_debug_errno(r, "Failed to install system call filter for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
 }
 return 0;
@@ -1358,10 +1360,11 @@ int seccomp_restrict_namespaces(unsigned long retain) {
 continue;
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
 log_debug_errno(r, "Failed to install namespace restriction rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
 }
 return 0;
@@ -1401,10 +1404,11 @@ int seccomp_protect_sysctl(void) {
 }
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
 log_debug_errno(r, "Failed to install sysctl protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
 }
 return 0;
@@ -1433,10 +1437,11 @@ int seccomp_protect_syslog(void) {
 }
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
 log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m", seccomp_arch_to_string(arch));
+ }
 }
 return 0;
@@ -1603,10 +1608,11 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
 }
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
 log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
 }
 return 0;
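Review bot: The `seccomp_protect_syslog` hunk at -1433 carries the context line `"Failed to install syslog protection rules for architecture %s, skipping %m"`, which lacks the colon that every sibling message in this patch has before `%m`. Since the commit already rewrites the lines around it, this is a good place to fix it: `log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));`. Uniform wording keeps a single search pattern sufficient for finding skipped filters in debug logs.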
@@ -1682,10 +1688,11 @@ int seccomp_restrict_realtime_full(int error_code) {
 }
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
 log_debug_errno(r, "Failed to install realtime protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
 }
 return 0;
@@ -1816,11 +1823,12 @@ int seccomp_memory_deny_write_execute(void) {
 }
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
 log_debug_errno(r, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
 loaded++;
 }
@@ -1889,10 +1897,11 @@ int seccomp_restrict_archs(Set *archs) {
 return r;
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
 log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m");
+ }
 return 0;
 }
@@ -1984,10 +1993,11 @@ int seccomp_lock_personality(unsigned long personality) {
 }
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
 log_debug_errno(r, "Failed to enable personality lock for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
 }
 return 0;
@@ -2025,10 +2035,11 @@ int seccomp_protect_hostname(void) {
 }
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
 log_debug_errno(r, "Failed to apply hostname restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
 }
 return 0;
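Review bot: In the `seccomp_memory_deny_write_execute` hunk at -1816, `loaded++;` still runs after the new `if (r < 0) { ... }` block, so an architecture whose `seccomp_load()` failed non-fatally is counted as loaded. If `loaded` is how the rest of the function or its caller decides whether the MemoryDenyWriteExecute= protection is active (its use is outside the hunk), the count overstates what was installed. Adding `continue;` after the `log_debug_errno(...)` call inside the new braces would count only successful loads.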
@@ -2203,10 +2214,11 @@ int seccomp_restrict_suid_sgid(void) {
 continue;
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
 log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
 }
 return 0;
@@ -2348,10 +2360,11 @@ int seccomp_suppress_sync(void) {
 #endif
 r = seccomp_load(seccomp);
- if (ERRNO_IS_SECCOMP_FATAL(r))
- return r;
- if (r < 0)
+ if (r < 0) {
+ if (ERRNO_IS_SECCOMP_FATAL(r))
+ return r;
 log_debug_errno(r, "Failed to apply sync() suppression for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
 }
 return 0;