From 2f873fa8ae7b36f2d12974363d488fbc2baee51b Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Mon, 23 Jan 2023 11:28:50 +0000
Subject: Attempt to clarify error message for missing CONFIG_SECCOMP_FILTER
General-purpose desktop distributions are compiled with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER, but vendor kernels for phones and other assorted embedded devices don't necessarily enable these options. These kernels are unsuitable for running Flatpak, or anything else that relies on `bwrap --seccomp` or `bwrap --add-seccomp-fd`. Missing CONFIG_SECCOMP or CONFIG_SECCOMP_FILTER is not the *only* reason why we could get EINVAL here: I think we'd also get EINVAL if the seccomp program is syntatically invalid. However, it's a relatively likely reason, so it seems worth providing a hint.
Helps: flatpak/flatpak#3069
Signed-off-by: Simon McVittie
---
 bubblewrap.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/bubblewrap.c b/bubblewrap.c
index be02004..8322ea0 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -288,7 +288,15 @@ seccomp_programs_apply (void)
 for (program = seccomp_programs; program != NULL; program = program->next)
 {
 if (prctl (PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &program->program) != 0)
- die_with_error ("prctl(PR_SET_SECCOMP)");
+ {
+ if (errno == EINVAL)
+ die ("Unable to set up system call filtering as requested: "
+ "prctl(PR_SET_SECCOMP) reported EINVAL. "
+ "(Hint: this requires a kernel configured with "
+ "CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER.)");
+
+ die_with_error ("prctl(PR_SET_SECCOMP)");
+ }
 }
 }
--
cgit v1.2.1
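Review bot: The EINVAL branch added in `seccomp_programs_apply` names only the kernel configuration as a cause, but the commit message itself expects the same errno when the supplied seccomp program is invalid, so the hint can point someone debugging a bad `--seccomp` or `--add-seccomp-fd` input in the wrong direction. I would widen the last string to `"CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER, and a valid seccomp program.)"` and put a comment above the check such as `/* EINVAL is ambiguous: no kernel seccomp-filter support, or the filter program was rejected; either way we must not continue unfiltered */`. Both paths still terminate, so the sandbox fails closed when the filter cannot be installed, but the unbraced `if` relies on `die` not returning, and its definition is not visible in this hunk. The opening lines of the function are outside the hunk as well.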