seccomp: react gracefully if we can't translate a syscall name

When a libseccomp implementation doesn't know a syscall yet, that's no reason for us to fail completely. Instead, debug log, and proceed. This hopefully fixes the preadv2/pwritev2 issues pointed out here: https://github.com/systemd/systemd/pull/6952#issuecomment-334302923
author: Lennart Poettering <lennart@poettering.net> 2017-10-05 11:23:07 +0200
committer: Lennart Poettering <lennart@poettering.net> 2017-10-05 11:27:34 +0200
commit: ff217dc3afe95504e48aeb8d8ad7fb7f53ce9cb1 (patch)
tree: 69230f38ecc937035e176329973273c2f09a1a63 /src/shared/seccomp-util.c
parent: seccomp: include prlimit64 and ugetrlimit in @default (diff)
download: systemd-ff217dc3afe95504e48aeb8d8ad7fb7f53ce9cb1.tar.xz
systemd-ff217dc3afe95504e48aeb8d8ad7fb7f53ce9cb1.zip
1 files changed, 6 insertions, 5 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 6a4d30bac1..64ea86a677 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -807,8 +807,8 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
 
                 id = seccomp_syscall_resolve_name(name);
                 if (id == __NR_SCMP_ERROR) {
-                        log_debug("System call %s is not known!", name);
-                        return -EINVAL; /* Not known at all? Then that's a real error */
+                        log_debug("System call %s is not known, ignoring.", name);
+                        return 0;
                 }
 
                 r = seccomp_rule_add_exact(seccomp, action, id, 0);
@@ -1501,7 +1501,6 @@ int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) {
                         if (!more)
                                 return -ENXIO;
 
-
                         r = seccomp_filter_set_add(filter, add, more);
                         if (r < 0)
                                 return r;
@@ -1509,8 +1508,10 @@ int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) {
                         int id;
 
                         id = seccomp_syscall_resolve_name(i);
-                        if (id == __NR_SCMP_ERROR)
-                                return -ENXIO;
+                        if (id == __NR_SCMP_ERROR) {
+                                log_debug("Couldn't resolve system call, ignoring: %s", i);
+                                continue;
+                        }
 
                         if (add) {
                                 r = set_put(filter, INT_TO_PTR(id + 1));
author	Lennart Poettering <lennart@poettering.net>	2017-10-05 11:23:07 +0200
committer	Lennart Poettering <lennart@poettering.net>	2017-10-05 11:27:34 +0200
commit	ff217dc3afe95504e48aeb8d8ad7fb7f53ce9cb1 (patch)
tree	69230f38ecc937035e176329973273c2f09a1a63 /src/shared/seccomp-util.c
parent	seccomp: include prlimit64 and ugetrlimit in @default (diff)
download	systemd-ff217dc3afe95504e48aeb8d8ad7fb7f53ce9cb1.tar.xz systemd-ff217dc3afe95504e48aeb8d8ad7fb7f53ce9cb1.zip