author | Paul Moore <paul@paul-moore.com> | 2020-05-30 18:51:00 -0400 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2020-06-01 14:31:21 -0400 |
commit | 777b647a59a089612c4eb354c67ecc0bbe70cb9a (patch) | |
tree | b9cef611558ccae4de90ab6ec52191b587b2db8d /src | |
parent | 88afa50ff7c97876aa4fd1b450c728aa8eef4605 (diff) | |
download | libseccomp-777b647a59a089612c4eb354c67ecc0bbe70cb9a.tar.gz |
api: don't allow the TSYNC and NEW_LISTENER flags at the same time

Because TSYNC and NEW_LISTENER send information back via the
seccomp(...) return value, they can not be used at the same time. It
seems like the right thing to do is to always set the NEW_LISTENER
flag (as long as the API level supports it) unless the caller
explicitly sets TSYNC.

Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

Diffstat (limited to 'src')
-rw-r--r-- | src/system.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/system.c b/src/system.c index bcd7e3c..87f2ebe 100644 --- a/src/system.c +++ b/src/system.c @@ -319,12 +319,12 @@ int sys_filter_load(struct db_filter_col *col) int flgs = 0; if (col->attr.tsync_enable) flgs |= SECCOMP_FILTER_FLAG_TSYNC; + else if (_support_seccomp_user_notif > 0) + flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER; if (col->attr.log_enable) flgs |= SECCOMP_FILTER_FLAG_LOG; if (col->attr.spec_allow) flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW; - if (_support_seccomp_user_notif > 0) - flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER; rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm); if (rc > 0 && col->attr.tsync_enable) /* always return -ESRCH if we fail to sync threads */ |
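
Review bot: The new `if (col->attr.tsync_enable) ... else if (_support_seccomp_user_notif > 0)` chain in `sys_filter_load()` makes TSYNC silently win over NEW_LISTENER, and nothing in the hunk tells the caller that the listener was dropped. A caller that enables tsync and also relies on user notification would load a filter without a listener and see no error from this path. Please add a short comment above the chain stating that the two flags are mutually exclusive because both report through the `seccomp()` return value (today that reasoning lives only in the commit message), and consider either documenting the precedence for the tsync attribute or rejecting the combination explicitly. The later `if (rc > 0 && col->attr.tsync_enable)` check now depends on this exclusivity to interpret a positive `rc`, so the comment should cover that as well.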