@@ -1080,8 +1080,24 @@ static int add_syscall_filter_set(
10801080 return 0 ;
10811081}
10821082
1083+ static uint32_t override_default_action (uint32_t default_action ) {
1084+ /* When the requested filter is an allow-list, and the default action is something critical, we
1085+ * install ENOSYS as the default action, but it will only apply to syscalls which are not in the
1086+ * @known set. */
1087+
1088+ if (default_action == SCMP_ACT_ALLOW )
1089+ return default_action ;
1090+
1091+ #ifdef SCMP_ACT_LOG
1092+ if (default_action == SCMP_ACT_LOG )
1093+ return default_action ;
1094+ #endif
1095+
1096+ return SCMP_ACT_ERRNO (ENOSYS );
1097+ }
1098+
10831099int seccomp_load_syscall_filter_set (uint32_t default_action , const SyscallFilterSet * set , uint32_t action , bool log_missing ) {
1084- uint32_t arch ;
1100+ uint32_t arch , default_action_override ;
10851101 int r ;
10861102
10871103 assert (set );
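Review bot: The comment above `override_default_action` (lines 1084-1086) explains the motivation but not the contract the callers depend on: the function returns `default_action` unchanged only for `SCMP_ACT_ALLOW` and, when defined, `SCMP_ACT_LOG`, and `SCMP_ACT_ERRNO(ENOSYS)` for everything else, and a caller that gets back a value different from what it passed in must itself add explicit `default_action` rules for the @known set, which is exactly what `seccomp_load_syscall_filter_set_raw` does under `if (default_action != default_action_override)` in the last hunk. I'd reword the comment to state that return contract and the caller obligation, e.g. `/* Returns the default action to install: ALLOW/LOG are kept, anything else becomes ERRNO(ENOSYS) so syscalls outside @known fail softly. If the result differs from default_action the caller must add default_action rules for @known. */`. The new `default_action_override` declared in `seccomp_load_syscall_filter_set` is only visible as a declaration here; its use, and whether the same @known guard is applied there, lies in the part of that function between the first and second hunks, outside this diff, so I could not confirm the two functions stay consistent.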
@@ -1114,7 +1130,7 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
11141130}
11151131
11161132int seccomp_load_syscall_filter_set_raw (uint32_t default_action , Hashmap * filter , uint32_t action , bool log_missing ) {
1117- uint32_t arch ;
1133+ uint32_t arch , default_action_override ;
11181134 int r ;
11191135
11201136 /* Similar to seccomp_load_syscall_filter_set(), but takes a raw Hashmap* of syscalls, instead
@@ -1123,15 +1139,15 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
11231139 if (hashmap_isempty (filter ) && default_action == SCMP_ACT_ALLOW )
11241140 return 0 ;
11251141
1142+ default_action_override = override_default_action (default_action );
1143+
11261144 SECCOMP_FOREACH_LOCAL_ARCH (arch ) {
11271145 _cleanup_ (seccomp_releasep ) scmp_filter_ctx seccomp = NULL ;
11281146 void * syscall_id , * val ;
11291147
11301148 log_trace ("Operating on architecture: %s" , seccomp_arch_to_string (arch ));
11311149
1132- /* We install ENOSYS as the default action, but it will only apply to syscalls which are not
1133- * in the @known set. */
1134- r = seccomp_init_for_arch (& seccomp , arch , SCMP_ACT_ERRNO (ENOSYS ));
1150+ r = seccomp_init_for_arch (& seccomp , arch , default_action_override );
11351151 if (r < 0 )
11361152 return r ;
11371153
@@ -1166,22 +1182,23 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
11661182 }
11671183 }
11681184
1169- NULSTR_FOREACH (name , syscall_filter_sets [SYSCALL_FILTER_SET_KNOWN ].value ) {
1170- int id ;
1185+ if (default_action != default_action_override )
1186+ NULSTR_FOREACH (name , syscall_filter_sets [SYSCALL_FILTER_SET_KNOWN ].value ) {
1187+ int id ;
11711188
1172- id = seccomp_syscall_resolve_name (name );
1173- if (id < 0 )
1174- continue ;
1189+ id = seccomp_syscall_resolve_name (name );
1190+ if (id < 0 )
1191+ continue ;
11751192
1176- /* Ignore the syscall if it was already handled above */
1177- if (hashmap_contains (filter , INT_TO_PTR (id + 1 )))
1178- continue ;
1193+ /* Ignore the syscall if it was already handled above */
1194+ if (hashmap_contains (filter , INT_TO_PTR (id + 1 )))
1195+ continue ;
11791196
1180- r = seccomp_rule_add_exact (seccomp , default_action , id , 0 );
1181- if (r < 0 && r != - EDOM ) /* EDOM means that the syscall is not available for arch */
1182- return log_debug_errno (r , "Failed to add rule for system call %s() / %d: %m" ,
1183- name , id );
1184- }
1197+ r = seccomp_rule_add_exact (seccomp , default_action , id , 0 );
1198+ if (r < 0 && r != - EDOM ) /* EDOM means that the syscall is not available for arch */
1199+ return log_debug_errno (r , "Failed to add rule for system call %s() / %d: %m" ,
1200+ name , id );
1201+ }
11851202
11861203#if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5 ) || SCMP_VER_MAJOR > 2
11871204 /* We have a large filter here, so let's turn on the binary tree mode if possible. */