nspawn,shared: cleanup use of ERRNO_IS_SECCOMP_FATAL()

Given that ERRNO_IS_SECCOMP_FATAL() also matches positive values,
make sure this macro is not called with arguments that do not have
errno semantics.

In this case the arguments passed to ERRNO_IS_SECCOMP_FATAL() are the
values returned by external libseccomp function seccomp_load() which is
not expected to return any positive values, but let's be consistent
anyway and move ERRNO_IS_SECCOMP_FATAL() invocations to the branches
where the return values are known to be negative.
Dmitry V. Levin
2023-07-14 08:00:00 +00:00
parent 0d16fab986
commit 5cfc190520
3 changed files with 64 additions and 48 deletions


@@ -206,10 +206,11 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy
return r;
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return log_error_errno(r, "Failed to install seccomp filter: %m");
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return log_error_errno(r, "Failed to install seccomp filter: %m");
log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
}
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
@@ -242,10 +243,11 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy
}
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return log_error_errno(r, "Failed to install seccomp audit filter: %m");
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return log_error_errno(r, "Failed to install seccomp audit filter: %m");
log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
}
return 0;
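Review bot: In both setup_seccomp hunks a non-fatal seccomp_load() failure is still reported only through log_debug_errno() and the function goes on to `return 0`, so neither the caller nor a default-level log shows that a filter set was never installed for that architecture. The new nested check is the natural place to document that choice, for example `/* Only ERRNO_IS_SECCOMP_FATAL() errors abort; any other failure means this architecture's filter is skipped. */`. Whether a skipped filter in a container runtime deserves more than a debug message is worth deciding while this code is being touched. setup_seccomp's body starts and ends outside these hunks, so any handling further down is not visible here.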


@@ -3412,10 +3412,11 @@ static int inner_child(
if (is_seccomp_available()) {
r = seccomp_load(arg_seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return log_error_errno(r, "Failed to install seccomp filter: %m");
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return log_error_errno(r, "Failed to install seccomp filter: %m");
log_debug_errno(r, "Failed to install seccomp filter: %m");
}
}
} else
#endif
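Review bot: The debug message on the tolerated path in inner_child, `"Failed to install seccomp filter: %m"`, is word-for-word the same as the error text on the fatal path just above it, and unlike the other call sites touched by this commit it does not say that the failure is being skipped. Someone reading the log cannot tell from the text alone that execution apparently continued without the filter. Consider `log_debug_errno(r, "Failed to install seccomp filter, ignoring: %m");`, and possibly a level above debug. inner_child's body extends beyond the hunk on both sides.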


@@ -1092,10 +1092,11 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
return log_debug_errno(r, "Failed to add filter set: %m");
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
}
return 0;
@@ -1153,11 +1154,12 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
}
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
log_debug_errno(r, "Failed to install system call filter for architecture %s, skipping: %m",
seccomp_arch_to_string(arch));
}
}
return 0;
@@ -1358,10 +1360,11 @@ int seccomp_restrict_namespaces(unsigned long retain) {
continue;
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
log_debug_errno(r, "Failed to install namespace restriction rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
}
return 0;
@@ -1401,10 +1404,11 @@ int seccomp_protect_sysctl(void) {
}
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
log_debug_errno(r, "Failed to install sysctl protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
}
return 0;
@@ -1433,10 +1437,11 @@ int seccomp_protect_syslog(void) {
}
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m", seccomp_arch_to_string(arch));
}
}
return 0;
@@ -1603,10 +1608,11 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
}
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
}
return 0;
@@ -1682,10 +1688,11 @@ int seccomp_restrict_realtime_full(int error_code) {
}
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
log_debug_errno(r, "Failed to install realtime protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
}
return 0;
@@ -1816,11 +1823,12 @@ int seccomp_memory_deny_write_execute(void) {
}
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
log_debug_errno(r, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m",
seccomp_arch_to_string(arch));
}
loaded++;
}
@@ -1889,10 +1897,11 @@ int seccomp_restrict_archs(Set *archs) {
return r;
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m");
}
return 0;
}
@@ -1984,10 +1993,11 @@ int seccomp_lock_personality(unsigned long personality) {
}
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
log_debug_errno(r, "Failed to enable personality lock for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
}
return 0;
@@ -2025,10 +2035,11 @@ int seccomp_protect_hostname(void) {
}
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
log_debug_errno(r, "Failed to apply hostname restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
}
return 0;
@@ -2203,10 +2214,11 @@ int seccomp_restrict_suid_sgid(void) {
continue;
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
}
return 0;
@@ -2348,10 +2360,11 @@ int seccomp_suppress_sync(void) {
#endif
r = seccomp_load(seccomp);
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_SECCOMP_FATAL(r))
return r;
log_debug_errno(r, "Failed to apply sync() suppression for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
}
return 0;
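Review bot: In the seccomp_memory_deny_write_execute hunk, `loaded++` sits after the closing brace of the new `if (r < 0) { ... }` block, so it still runs when seccomp_load() failed with a non-fatal error and the rule was skipped for that architecture. If `loaded` is meant to count architectures where the MemoryDenyWriteExecute= filter was actually installed (its use is outside the hunk, so this is inferred from the name), the function could report the protection as applied when it was not. Now that the branch is braced, adding `continue;` after the log_debug_errno() call would keep skipped architectures out of the count.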