From 1c6af69b2d25af90e210bc21cc378fb4a6c96316 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 5 Oct 2017 11:24:51 +0200
Subject: [PATCH] seccomp: always handle seccomp_load() failing the same way

Unfortunately libseccomp doesn't return (nor document) clean error codes, hence until then only check for specific error codes that we propagate, but ignore (but debug log) all others. Do this at one more place, we are already doing that at all others.
---
 src/shared/seccomp-util.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 64ea86a..a3728ff 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1187,7 +1187,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
                                 if (r < 0)
                                         break;
                         }
-
                         if (r < 0) {
                                 log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
                                 continue;
@@ -1212,7 +1211,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
                                 if (r < 0)
                                         break;
                         }
-
                         if (r < 0) {
                                 log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
                                 continue;
@@ -1453,7 +1451,13 @@ int seccomp_restrict_archs(Set *archs) {
         if (r < 0)
                 return r;
 
-        return seccomp_load(seccomp);
+        r = seccomp_load(seccomp);
+        if (IN_SET(r, -EPERM, -EACCES))
+                return r;
+        if (r < 0)
+                log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m");
+
+        return 0;
 }
 
 int parse_syscall_archs(char **l, Set **archs) {
-- 
2.7.4
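Review bot: After the third hunk seccomp_restrict_archs() returns 0 whenever seccomp_load() fails with anything other than -EPERM or -EACCES, so a caller sees success although no architecture filter is in effect, and nothing near the new lines states that best-effort contract. A comment above the new `r = seccomp_load(seccomp);` line would make it explicit, e.g. `/* libseccomp's error codes are not well-defined; only EPERM/EACCES are propagated, any other failure is logged at debug level and leaves the process without this filter. */`. Whether any caller treats a 0 return as "filter applied" is not visible in this patch; if one does, it is worth re-checking, since the restriction is now skipped without a visible error. The function begins before the hunk.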