core: sync SeccompParseFlags between dbus-execute and load-fragment

9e486265716963439fb0fd7f2a97abf109f24f75 added some new syscalls to the filter lists. However, on systems that do not yet support the new calls, running systemd-run with the filter set results in error: ``` $ sudo systemd-run -t -r -p "SystemCallFilter=~@mount" /bin/true Failed to start transient service unit: Invalid argument ``` Having the same properties in a unit file will start the service without issue. This is because the load-fragment code will parse the syscall filters in permissive mode: https://github.com/systemd/systemd/blob/master/src/core/load-fragment.c#L2909 whereas the dbus-execute equivalent of the code does not. Since the permissive mode appears to be the right setting to support older kernels/libseccomp, this will update the dbus-execute parsing to also be permissive.
author: Anita Zhang <the.anitazha@gmail.com> 2020-02-06 15:34:17 -0800
committer: Yu Watanabe <watanabe.yu+github@gmail.com> 2020-02-07 13:39:35 +0900
commit: 72545ae05745f99e194eb83e3fa865f276601378 (patch)
tree: b1904cbbcaea23dcd5477f55dfa7add1998bd386 /src/core
parent: 6e55b9b75839d257bfb430dac9900db18c956f0a (diff)
download: systemd-72545ae05745f99e194eb83e3fa865f276601378.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 9ff3f157f5..d8ba3e5d92 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -1587,6 +1587,7 @@ int bus_exec_context_set_transient_property(
                                         r = seccomp_parse_syscall_filter("@default",
                                                                          -1,
                                                                          c->syscall_filter,
+                                                                         SECCOMP_PARSE_PERMISSIVE |
                                                                          SECCOMP_PARSE_WHITELIST | invert_flag,
                                                                          u->id,
                                                                          NULL, 0);
@@ -1606,7 +1607,9 @@ int bus_exec_context_set_transient_property(
                                 r = seccomp_parse_syscall_filter(n,
                                                                  e,
                                                                  c->syscall_filter,
-                                                                 (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag,
+                                                                 SECCOMP_PARSE_LOG | SECCOMP_PARSE_PERMISSIVE |
+                                                                 invert_flag |
+                                                                 (c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
                                                                  u->id,
                                                                  NULL, 0);
                                 if (r < 0)
author	Anita Zhang <the.anitazha@gmail.com>	2020-02-06 15:34:17 -0800
committer	Yu Watanabe <watanabe.yu+github@gmail.com>	2020-02-07 13:39:35 +0900
commit	72545ae05745f99e194eb83e3fa865f276601378 (patch)
tree	b1904cbbcaea23dcd5477f55dfa7add1998bd386 /src/core
parent	6e55b9b75839d257bfb430dac9900db18c956f0a (diff)
download	systemd-72545ae05745f99e194eb83e3fa865f276601378.tar.gz