-rw-r--r--src/nspawn/nspawn-seccomp.c1
-rw-r--r--src/shared/seccomp-util.c30
2 files changed, 19 insertions, 12 deletions
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 196766dc98..92d8103ad5 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -136,7 +136,6 @@ static int seccomp_add_default_syscall_filter(
{ 0, "syncfs" },
{ 0, "sysinfo" },
{ 0, "tee" },
- { 0, "ugetrlimit" },
{ 0, "umask" },
{ 0, "uname" },
{ 0, "userfaultfd" },
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 41e0070b12..73dc571b6b 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -306,6 +306,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"membarrier\0"
"nanosleep\0"
"pause\0"
+ "prlimit64\0"
"restart_syscall\0"
"rt_sigreturn\0"
"sched_yield\0"
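Review bot: `prlimit64` is not only a getter; the same call sets limits and takes a pid argument, so listing it at `"prlimit64\0"` in this set (the one that precedes `@basic-io`; its header is outside the hunk) lets any allow-list built on the set change resource limits as well as read them. The later hunk removes it from the set that holds `nice` and `sched_setaffinity`, so it can no longer be withheld by leaving that set out. If the intent is only to keep limit reads working, record that above the entry, for example `/* needed to read rlimits; note that this also permits setting them */`. The `ugetrlimit` entry added in the next hunk only reads limits and does not raise the same concern.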
@@ -314,6 +315,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"set_tid_address\0"
"sigreturn\0"
"time\0"
+ "ugetrlimit\0"
},
[SYSCALL_FILTER_SET_BASIC_IO] = {
.name = "@basic-io",
@@ -693,7 +695,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"migrate_pages\0"
"move_pages\0"
"nice\0"
- "prlimit64\0"
"sched_setaffinity\0"
"sched_setattr\0"
"sched_setparam\0"
@@ -806,8 +807,8 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
id = seccomp_syscall_resolve_name(name);
if (id == __NR_SCMP_ERROR) {
- log_debug("System call %s is not known!", name);
- return -EINVAL; /* Not known at all? Then that's a real error */
+ log_debug("System call %s is not known, ignoring.", name);
+ return 0;
}
r = seccomp_rule_add_exact(seccomp, action, id, 0);
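Review bot: Returning 0 for a name that `seccomp_syscall_resolve_name` cannot resolve fails open when `action` is a deny action: the rule meant to block the call is never added, and the only trace is a debug-level message, so a misspelled name in a deny-list is silently ignored. The same applies to the `continue` added in `seccomp_filter_set_add` further down. If skipping is intended, make it visible, e.g. `log_warning("System call %s is not known, ignoring.", name);`, or at least state the contract with `/* Unknown name: no rule is installed, so for deny-lists the call stays permitted */`. The function starts before and continues after this hunk.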
@@ -1186,7 +1187,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
if (r < 0)
break;
}
-
if (r < 0) {
log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
continue;
@@ -1211,7 +1211,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
if (r < 0)
break;
}
-
if (r < 0) {
log_debug_errno(r, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
continue;
@@ -1452,7 +1451,13 @@ int seccomp_restrict_archs(Set *archs) {
if (r < 0)
return r;
- return seccomp_load(seccomp);
+ r = seccomp_load(seccomp);
+ if (IN_SET(r, -EPERM, -EACCES))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m");
+
+ return 0;
}
int parse_syscall_archs(char **l, Set **archs) {
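Review bot: After this change `seccomp_restrict_archs` returns 0 both when the filter was loaded and when `seccomp_load` failed with anything other than `-EPERM`/`-EACCES`, so a caller cannot tell that the architecture restriction is not in force. For a hardening setting that is a fail-open path recorded only at debug level. If best effort is intended, document it at the `log_debug_errno` line, e.g. `/* Best effort: on other errors the process continues without the architecture restriction */`, and consider a log level an operator will actually see. The start of the function is outside the hunk.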
@@ -1500,7 +1505,6 @@ int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) {
if (!more)
return -ENXIO;
-
r = seccomp_filter_set_add(filter, add, more);
if (r < 0)
return r;
@@ -1508,8 +1512,10 @@ int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) {
int id;
id = seccomp_syscall_resolve_name(i);
- if (id == __NR_SCMP_ERROR)
- return -ENXIO;
+ if (id == __NR_SCMP_ERROR) {
+ log_debug("Couldn't resolve system call, ignoring: %s", i);
+ continue;
+ }
if (add) {
r = set_put(filter, INT_TO_PTR(id + 1));
@@ -1543,8 +1549,10 @@ int seccomp_lock_personality(unsigned long personality) {
SCMP_SYS(personality),
1,
SCMP_A0(SCMP_CMP_NE, personality));
- if (r < 0)
- return r;
+ if (r < 0) {
+ log_debug_errno(r, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ continue;
+ }
r = seccomp_load(seccomp);
if (IN_SET(r, -EPERM, -EACCES))
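Review bot: The new message says "Failed to add scheduler rule", but the rule being added is on `SCMP_SYS(personality)`; the text looks copied from another function and will mislead anyone reading the debug log. Suggested wording: `log_debug_errno(r, "Failed to add personality rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));`. Note also that `continue` here means the personality lock is skipped for that architecture rather than failing the call, which is worth a short comment at that line. The enclosing loop starts and ends outside the hunk.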