seccomp: ensure rules are loaded in seccomp_memory_deny_write_execute

If seccomp_memory_deny_write_execute was fatally failing to load rules, it
already returned a bad retval.
But if adding any filter failed, it skipped the subsequent seccomp_load and
always returned an rc of 0, even if no rule was loaded at all.

Let's fix this by requiring (non-fatally failing) to load at least one rule set.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Christian Ehrhardt 2019-11-27 09:57:55 +01:00
parent bed4668d1d
commit 903659e7b2
No known key found for this signature in database
GPG Key ID: BA3E29338280B242
1 changed file with 6 additions and 1 deletion


@ -1584,6 +1584,7 @@ assert_cc(SCMP_SYS(shmdt) > 0);
int seccomp_memory_deny_write_execute(void) {
uint32_t arch;
int r;
int loaded = 0;
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
@ -1678,9 +1679,13 @@ int seccomp_memory_deny_write_execute(void) {
return r;
if (r < 0)
log_debug_errno(r, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
loaded++;
}
return 0;
if (loaded == 0)
log_debug_errno(r, "Failed to install any seccomp rules for MemoryDenyWriteExecute=");
return loaded;
}
int seccomp_restrict_archs(Set *archs) {
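Review bot: the `loaded++` at the end of the loop body runs even when `seccomp_load` returned a non-fatal error, because the preceding `if (r < 0)` branch only logs "skipping" and falls through; the counter therefore also counts architectures whose filter was not installed, and `loaded == 0` no longer reliably means "nothing was loaded". Either make the log branch skip the increment, e.g. `if (r < 0) { log_debug_errno(r, "... skipping: %m", ...); continue; }` followed by `loaded++;`, or guard the increment with an `else`. Two smaller points in the same hunk: the new `log_debug_errno(r, "Failed to install any seccomp rules for MemoryDenyWriteExecute=")` reuses `r` from whatever the last loop iteration left behind (possibly 0 or unrelated to the reason nothing loaded) and carries no `%m`, so a plain `log_debug()` would be less misleading; and replacing `return 0;` with `return loaded;` changes the function's contract from "0 on success" to "number of architectures loaded", which should be stated in the commit message or a comment so that callers comparing the result exactly to 0 are reviewed.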