
Commit ebaf282

Merge pull request #30291 from keszybz/seccomp-unknown-syscall
Backwards-compatibly handle syscalls unknown to us or libseccomp
2 parents a8aed6a + e6c5386 commit ebaf282

3 files changed

+31
-5
lines changed


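--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -5119,7 +5119,7 @@ int exec_invoke(
 #endif
 
 #if HAVE_SECCOMP
-/* This really should remain as close to the execve() as possible, to make sure our own code is unaffected
+/* This really should remain as close to the execve() as possible, to make sure our own code is affected
 * by the filter as little as possible. */
 r = apply_syscall_filter(context, params, needs_ambient_hack);
 if (r < 0) {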
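--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -169,7 +169,7 @@ static int add_syscall_filters(
 /* We have a large filter here, so let's turn on the binary tree mode if possible. */
 r = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
 if (r < 0)
-return r;
+log_warning_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");
 #endif
 
 return 0;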
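Review bot: The new `log_warning_errno` at line 172 is emitted on every container start whenever the runtime libseccomp rejects SCMP_FLTATR_CTL_OPTIMIZE, which the compile-time `#if` version guard presumably cannot rule out when the shared library at runtime is older than the one built against. Since the attribute only tunes filter lookup and the failure is deliberately ignored, `log_debug_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");` looks like the more appropriate level. The same five lines are added verbatim to seccomp_load_syscall_filter_set_raw() in seccomp-util.c by this commit; a small shared helper in seccomp-util (e.g. `seccomp_set_optimize(scmp_filter_ctx ctx)`) would keep the two copies from drifting. add_syscall_filters() begins outside the hunk.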
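--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1129,7 +1129,9 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
 
 log_trace("Operating on architecture: %s", seccomp_arch_to_string(arch));
 
-r = seccomp_init_for_arch(&seccomp, arch, default_action);
+/* We install ENOSYS as the default action, but it will only apply to syscalls which are not
+* in the @known set. */
+r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(ENOSYS));
 if (r < 0)
 return r;
 
@@ -1164,6 +1166,30 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
 }
 }
 
+NULSTR_FOREACH(name, syscall_filter_sets[SYSCALL_FILTER_SET_KNOWN].value) {
+int id;
+
+id = seccomp_syscall_resolve_name(name);
+if (id < 0)
+continue;
+
+/* Ignore the syscall if it was already handled above */
+if (hashmap_contains(filter, INT_TO_PTR(id + 1)))
+continue;
+
+r = seccomp_rule_add_exact(seccomp, default_action, id, 0);
+if (r < 0 && r != -EDOM) /* EDOM means that the syscall is not available for arch */
+return log_debug_errno(r, "Failed to add rule for system call %s() / %d: %m",
+name, id);
+}
+
+#if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) || SCMP_VER_MAJOR > 2
+/* We have a large filter here, so let's turn on the binary tree mode if possible. */
+r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+if (r < 0)
+log_warning_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");
+#endif
+
 r = seccomp_load(seccomp);
 if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
 return r;
@@ -1223,7 +1249,7 @@ int seccomp_parse_syscall_filter(
 return -EINVAL;
 
 log_syntax(unit, FLAGS_SET(flags, SECCOMP_PARSE_LOG) ? LOG_WARNING : LOG_DEBUG, filename, line, 0,
-"Failed to parse system call, ignoring: %s", name);
+"System call %s is not known, ignoring.", name);
 return 0;
 }
 
@@ -1981,7 +2007,7 @@ int seccomp_filter_set_add(Hashmap *filter, bool add, const SyscallFilterSet *se
 
 id = seccomp_syscall_resolve_name(i);
 if (id == __NR_SCMP_ERROR) {
-log_debug("Couldn't resolve system call, ignoring: %s", i);
+log_debug("System call %s is not known, ignoring.", i);
 continue;
 }
 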
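Review bot: In the first two hunks the ENOSYS default installed at line 1134 is unconditional, so when a caller passes `default_action == SCMP_ACT_ALLOW` (a deny-list filter, if callers use this function that way) every syscall libseccomp cannot resolve, i.e. one newer than the library, now fails with ENOSYS where the old code let it through; if that is intended the comment at lines 1132-1133 should say so explicitly, otherwise the init could keep the caller's action in that case, `r = seccomp_init_for_arch(&seccomp, arch, default_action == SCMP_ACT_ALLOW ? SCMP_ACT_ALLOW : SCMP_ACT_ERRNO(ENOSYS));`. The new loop at line 1173 also treats any negative result of seccomp_syscall_resolve_name() as a resolution failure, while seccomp_filter_set_add() at line 2009 only rejects `__NR_SCMP_ERROR`; if libseccomp hands back negative pseudo-numbers for multiplexed syscalls those are silently left on the ENOSYS default here although they were stored in `filter` with the same `id + 1` encoding, so `if (id == __NR_SCMP_ERROR)` would be consistent and the `-EDOM` check already covers arch-unavailable entries. seccomp_load_syscall_filter_set_raw() starts and ends outside the hunks.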