From 777b647a59a089612c4eb354c67ecc0bbe70cb9a Mon Sep 17 00:00:00 2001
From: Paul Moore
Date: Sat, 30 May 2020 18:51:00 -0400
Subject: api: don't allow the TSYNC and NEW_LISTENER flags at the same time

Because TSYNC and NEW_LISTENER send information back via the seccomp(...) return value, they can not be used at the same time. It seems like the right thing to do is to always set the NEW_LISTENER flag (as long as the API level supports it) unless the caller explicitly sets TSYNC.

Acked-by: Tom Hromatka
Signed-off-by: Paul Moore
---
 src/system.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/system.c b/src/system.c
index bcd7e3c..87f2ebe 100644
--- a/src/system.c
+++ b/src/system.c
@@ -319,12 +319,12 @@ int sys_filter_load(struct db_filter_col *col)
 int flgs = 0;
 if (col->attr.tsync_enable)
 flgs |= SECCOMP_FILTER_FLAG_TSYNC;
+ else if (_support_seccomp_user_notif > 0)
+ flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
 if (col->attr.log_enable)
 flgs |= SECCOMP_FILTER_FLAG_LOG;
 if (col->attr.spec_allow)
 flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
- if (_support_seccomp_user_notif > 0)
- flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
 rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
 if (rc > 0 && col->attr.tsync_enable)
 /* always return -ESRCH if we fail to sync threads */
-- 
cgit v1.2.1
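Review bot: The new `else if` silently drops SECCOMP_FILTER_FLAG_NEW_LISTENER whenever `col->attr.tsync_enable` is set, so a caller that enabled thread sync and also expects a notification fd from this load gets neither an fd nor an error, and nothing at this site records why. The reason only becomes clear from the commit message, so the branch should carry it: `/* TSYNC and NEW_LISTENER both report via the seccomp() return value and are mutually exclusive; an explicit TSYNC request wins and no listener fd is created */`. Whether that combination should instead be rejected up front (before the syscall) rather than downgraded is a design choice the commit does not discuss; the later `if (rc > 0 && col->attr.tsync_enable)` check at the end of the hunk shows the return value is already interpreted differently per flag, which is why an unambiguous policy comment matters here. The condition also still keys only on `_support_seccomp_user_notif > 0`, not on whether the loaded filter uses a notify action, so presumably a listener fd is opened on every load on supporting kernels; confirm the caller always takes ownership of that fd. sys_filter_load begins and ends outside the hunk.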