diff options
| author | Simon McVittie <smcv@collabora.com> | 2023-01-23 11:28:50 +0000 |
|---|---|---|
| committer | Simon McVittie <smcv@collabora.com> | 2023-01-23 11:29:13 +0000 |
| commit | 2f873fa8ae7b36f2d12974363d488fbc2baee51b (patch) | |
| tree | d06eaaf91bb8e0b7d4a277aab1e7640b0b95dc51 | |
| parent | 41fd02ad147907cedf88a7f7488ac18667adc919 (diff) | |
| download | bubblewrap-2f873fa8ae7b36f2d12974363d488fbc2baee51b.tar.gz | |
Attempt to clarify error message for missing CONFIG_SECCOMP_FILTER
General-purpose desktop distributions are compiled with CONFIG_SECCOMP
and CONFIG_SECCOMP_FILTER, but vendor kernels for phones and other
assorted embedded devices don't necessarily enable these options. These
kernels are unsuitable for running Flatpak, or anything else that relies
on `bwrap --seccomp` or `bwrap --add-seccomp-fd`.
Missing CONFIG_SECCOMP or CONFIG_SECCOMP_FILTER is not the *only* reason
why we could get EINVAL here: I think we'd also get EINVAL if the seccomp
program is syntatically invalid. However, it's a relatively likely reason,
so it seems worth providing a hint.
Helps: flatpak/flatpak#3069
Signed-off-by: Simon McVittie <smcv@collabora.com>
| -rw-r--r-- | bubblewrap.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/bubblewrap.c b/bubblewrap.c index be02004..8322ea0 100644 --- a/bubblewrap.c +++ b/bubblewrap.c @@ -288,7 +288,15 @@ seccomp_programs_apply (void) for (program = seccomp_programs; program != NULL; program = program->next) { if (prctl (PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &program->program) != 0) - die_with_error ("prctl(PR_SET_SECCOMP)"); + { + if (errno == EINVAL) + die ("Unable to set up system call filtering as requested: " + "prctl(PR_SET_SECCOMP) reported EINVAL. " + "(Hint: this requires a kernel configured with " + "CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER.)"); + + die_with_error ("prctl(PR_SET_SECCOMP)"); + } } } |