mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-22 13:33:56 +03:00
seccomp: permit specifying multiple errnos for a syscall
If more than one errno is specified for a syscall in SystemCallFilter=, use the last one instead of reporting an error. This is especially useful when used with system call sets: SystemCallFilter=@privileged:EPERM @reboot This will block any system call requiring super-user capabilities with EPERM, except for attempts to reboot the system, which will immediately terminate the process. (@reboot is included in @privileged.) This also effectively fixes #9939, since specifying different errnos for “the same syscall” (same pseudo syscall number) is no longer an error.
This commit is contained in:
parent
851ee70a3d
commit
9d7fe7c65a
@ -1061,10 +1061,8 @@ int seccomp_parse_syscall_filter_full(
|
||||
case -ENOMEM:
|
||||
return flags & SECCOMP_PARSE_LOG ? log_oom() : -ENOMEM;
|
||||
case -EEXIST:
|
||||
if (flags & SECCOMP_PARSE_LOG)
|
||||
log_warning("System call %s already blocked with different errno: %d",
|
||||
name, PTR_TO_INT(hashmap_get(filter, INT_TO_PTR(id + 1))));
|
||||
return -EINVAL;
|
||||
assert_se(hashmap_update(filter, INT_TO_PTR(id + 1), INT_TO_PTR(errno_num)) == 0);
|
||||
break;
|
||||
default:
|
||||
return r;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user