authorPaul Moore <paul@paul-moore.com>2020-05-30 18:51:00 -0400
committerPaul Moore <paul@paul-moore.com>2020-06-01 14:31:21 -0400
commit777b647a59a089612c4eb354c67ecc0bbe70cb9a (patch)
treeb9cef611558ccae4de90ab6ec52191b587b2db8d
parent88afa50ff7c97876aa4fd1b450c728aa8eef4605 (diff)
downloadlibseccomp-777b647a59a089612c4eb354c67ecc0bbe70cb9a.tar.gz
api: don't allow the TSYNC and NEW_LISTENER flags at the same time
Because TSYNC and NEW_LISTENER send information back via the seccomp(...) return value, they can not be used at the same time. It seems like the right thing to do is to always set the NEW_LISTENER flag (as long as the API level supports it) unless the caller explicitly sets TSYNC. Acked-by: Tom Hromatka <tom.hromatka@oracle.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r--src/system.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/system.c b/src/system.c
index bcd7e3c..87f2ebe 100644
--- a/src/system.c
+++ b/src/system.c
@@ -319,12 +319,12 @@ int sys_filter_load(struct db_filter_col *col)
int flgs = 0;
if (col->attr.tsync_enable)
flgs |= SECCOMP_FILTER_FLAG_TSYNC;
+ else if (_support_seccomp_user_notif > 0)
+ flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
if (col->attr.log_enable)
flgs |= SECCOMP_FILTER_FLAG_LOG;
if (col->attr.spec_allow)
flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
- if (_support_seccomp_user_notif > 0)
- flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
if (rc > 0 && col->attr.tsync_enable)
/* always return -ESRCH if we fail to sync threads */
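Review bot: The new `else if` branch settles the TSYNC/NEW_LISTENER conflict silently. A caller who sets `tsync_enable` on a filter that depends on user notification gets the filter loaded with no listener fd and no error, and nothing in the code records why. A comment above the branch would state the rule, for example `/* TSYNC and NEW_LISTENER both report via the seccomp() return value; TSYNC wins when the caller asks for it */`. The listener is also still requested on every load where `_support_seccomp_user_notif > 0`, not only when the filter contains a notify action, so the code after the syscall must store or close the returned descriptor on every path; gating the flag on whether the filter needs it would avoid an unneeded fd. sys_filter_load() starts and ends outside this hunk, so the handling of a positive `rc` in the non-TSYNC case could not be checked here.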