core: sync SeccompParseFlags between dbus-execute and load-fragment
9e48626571
added some new syscalls to the
filter lists. However, on systems that do not yet support the new calls,
running systemd-run with the filter set results in error:
```
$ sudo systemd-run -t -r -p "SystemCallFilter=~@mount" /bin/true
Failed to start transient service unit: Invalid argument
```
Having the same properties in a unit file will start the service
without issue. This is because the load-fragment code will parse the
syscall filters in permissive mode:
https://github.com/systemd/systemd/blob/master/src/core/load-fragment.c#L2909
whereas the dbus-execute equivalent of the code does not.
Since the permissive mode appears to be the right setting to support
older kernels/libseccomp, this will update the dbus-execute parsing
to also be permissive.
parent
6e55b9b758
commit
72545ae057
|
@ -1587,6 +1587,7 @@ int bus_exec_context_set_transient_property(
|
|||
r = seccomp_parse_syscall_filter("@default",
|
||||
-1,
|
||||
c->syscall_filter,
|
||||
SECCOMP_PARSE_PERMISSIVE |
|
||||
SECCOMP_PARSE_WHITELIST | invert_flag,
|
||||
u->id,
|
||||
NULL, 0);
|
||||
|
@ -1606,7 +1607,9 @@ int bus_exec_context_set_transient_property(
|
|||
r = seccomp_parse_syscall_filter(n,
|
||||
e,
|
||||
c->syscall_filter,
|
||||
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag,
|
||||
SECCOMP_PARSE_LOG | SECCOMP_PARSE_PERMISSIVE |
|
||||
invert_flag |
|
||||
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
|
||||
u->id,
|
||||
NULL, 0);
|
||||
if (r < 0)
|
||||
|
|
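Review bot: With SECCOMP_PARSE_PERMISSIVE on the second call (the one that parses the caller-supplied name `n`), a name that cannot be resolved is presumably skipped instead of failing the property set, so a mistyped entry in a deny-list would leave that syscall unfiltered while the transient unit still starts. The added SECCOMP_PARSE_LOG suggests the skip is logged, but seccomp_parse_syscall_filter is not visible here, and such a message would land in the manager's log rather than in the D-Bus reply that systemd-run shows. A comment above the call should state the trade-off, e.g. `/* Permissive, as in load-fragment.c: names unknown to this libseccomp are logged and skipped, not rejected */`. The first call omits SECCOMP_PARSE_LOG, which looks intentional because "@default" is a fixed built-in name, but a short comment would confirm it. Both calls sit inside bus_exec_context_set_transient_property, whose body continues outside the hunks.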