seccomp: we should control NO_NEW_PRIVS on our own, not let seccomp do this for us

Lennart Poettering 2014-02-25 20:32:27 +01:00
parent fe6b2d55bc
commit 7c66bae2ff
1 changed files with 13 additions and 13 deletions


@ -969,30 +969,30 @@ static int apply_seccomp(ExecContext *c) {
r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
if (r == -EEXIST)
continue;
if (r < 0) {
seccomp_release(seccomp);
return r;
}
if (r < 0)
goto finish;
}
} else {
} else {
r = seccomp_add_secondary_archs(seccomp);
if (r < 0) {
seccomp_release(seccomp);
return r;
}
if (r < 0)
goto finish;
}
action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
SET_FOREACH(id, c->syscall_filter, i) {
r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
if (r < 0) {
seccomp_release(seccomp);
return r;
}
if (r < 0)
goto finish;
}
r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
if (r < 0)
goto finish;
r = seccomp_load(seccomp);
finish:
seccomp_release(seccomp);
return r;
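Review bot: The new `seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0)` call ahead of `seccomp_load()` has no comment stating the privilege requirement it creates. Once libseccomp stops setting NO_NEW_PRIVS itself, the kernel accepts the filter only if the process has already set no_new_privs or still holds CAP_SYS_ADMIN; otherwise the load fails with EACCES, which this function returns as `r`. Nothing in the hunk shows where the caller sets the flag or whether apply_seccomp() runs before capabilities and the user id are dropped, so the ordering should be recorded at the call, e.g. `/* NO_NEW_PRIVS is managed by the caller; without it seccomp_load() needs CAP_SYS_ADMIN, so this must run before privileges are dropped */`. A filter loaded without no_new_privs also stays in force across execve() of setuid binaries, so it is worth confirming that this is the intended behaviour for units that do not request the flag. apply_seccomp() begins outside the hunk.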