picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

core: sync SeccompParseFlags between dbus-execute and load-fragment 

9e48626571 added some new syscalls to the
filter lists. However, on systems that do not yet support the new calls,
running systemd-run with the filter set results in error:

```
$ sudo systemd-run -t -r -p "SystemCallFilter=~@mount" /bin/true
Failed to start transient service unit: Invalid argument
```

Having the same properties in a unit file will start the service
without issue. This is because the load-fragment code will parse the
syscall filters in permissive mode:
https://github.com/systemd/systemd/blob/master/src/core/load-fragment.c#L2909
whereas the dbus-execute equivalent of the code does not.

Since the permissive mode appears to be the right setting to support
older kernels/libseccomp, this will update the dbus-execute parsing
to also be permissive.
This commit is contained in:
Anita Zhang 2020-02-06 15:34:17 -08:00 committed by Yu Watanabe
parent 6e55b9b758
commit 72545ae057
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/core/dbus-execute.c
View File

@ -1587,6 +1587,7 @@ int bus_exec_context_set_transient_property(
r = seccomp_parse_syscall_filter("@default",
-1,
c->syscall_filter,
SECCOMP_PARSE_PERMISSIVE |
SECCOMP_PARSE_WHITELIST | invert_flag,
u->id,
NULL, 0);
@ -1606,7 +1607,9 @@ int bus_exec_context_set_transient_property(
r = seccomp_parse_syscall_filter(n,
e,
c->syscall_filter,
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag,
SECCOMP_PARSE_LOG | SECCOMP_PARSE_PERMISSIVE |
invert_flag |
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
u->id,
NULL, 0);
if (r < 0)