diff options
| author | Lennart Poettering <lennart@poettering.net> | 2017-10-05 11:23:07 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2017-10-05 11:27:34 +0200 |
| commit | ff217dc3afe95504e48aeb8d8ad7fb7f53ce9cb1 (patch) | |
| tree | 69230f38ecc937035e176329973273c2f09a1a63 /src | |
| parent | 4c3a917617260956faeb4eceb606c316f6bea407 (diff) | |
| download | systemd-ff217dc3afe95504e48aeb8d8ad7fb7f53ce9cb1.tar.gz | |
seccomp: react gracefully if we can't translate a syscall name
When a libseccomp implementation doesn't know a syscall yet, that's no
reason for us to fail completely. Instead, debug log, and proceed.
This hopefully fixes the preadv2/pwritev2 issues pointed out here:
https://github.com/systemd/systemd/pull/6952#issuecomment-334302923
Diffstat (limited to 'src')
| -rw-r--r-- | src/shared/seccomp-util.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 6a4d30bac1..64ea86a677 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -807,8 +807,8 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, id = seccomp_syscall_resolve_name(name); if (id == __NR_SCMP_ERROR) { - log_debug("System call %s is not known!", name); - return -EINVAL; /* Not known at all? Then that's a real error */ + log_debug("System call %s is not known, ignoring.", name); + return 0; } r = seccomp_rule_add_exact(seccomp, action, id, 0); @@ -1501,7 +1501,6 @@ int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) { if (!more) return -ENXIO; - r = seccomp_filter_set_add(filter, add, more); if (r < 0) return r; @@ -1509,8 +1508,10 @@ int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) { int id; id = seccomp_syscall_resolve_name(i); - if (id == __NR_SCMP_ERROR) - return -ENXIO; + if (id == __NR_SCMP_ERROR) { + log_debug("Couldn't resolve system call, ignoring: %s", i); + continue; + } if (add) { r = set_put(filter, INT_TO_PTR(id + 1)); |