shared/seccomp: use _cleanup_ in one more place

(cherry picked from commit 27605d6a836d85563faf41db9f7a72883d44c0ff)
Zbigniew Jędrzejewski-Szmek 2020-08-18 17:06:28 +02:00
parent 6da432fd54
commit b4eaa6cc99
2 changed files with 7 additions and 11 deletions


@ -3,4 +3,4 @@
#include <sys/types.h>
int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_ist, char **syscall_deny_list);
int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **syscall_deny_list);


@ -187,7 +187,7 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
}
int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_action) {
scmp_filter_ctx seccomp;
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
int r;
/* Much like seccomp_init(), but initializes the filter for one specific architecture only, without affecting
@ -202,11 +202,11 @@ int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_
r = seccomp_arch_remove(seccomp, seccomp_arch_native());
if (r < 0)
goto finish;
return r;
r = seccomp_arch_add(seccomp, arch);
if (r < 0)
goto finish;
return r;
assert(seccomp_arch_exist(seccomp, arch) >= 0);
assert(seccomp_arch_exist(seccomp, SCMP_ARCH_NATIVE) == -EEXIST);
@ -218,18 +218,14 @@ int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_
r = seccomp_attr_set(seccomp, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ALLOW);
if (r < 0)
goto finish;
return r;
r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
if (r < 0)
goto finish;
return r;
*ret = seccomp;
*ret = TAKE_PTR(seccomp);
return 0;
finish:
seccomp_release(seccomp);
return r;
}
static bool is_basic_seccomp_available(void) {
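Review bot: The ownership contract created by `*ret = TAKE_PTR(seccomp);` is not documented anywhere in the visible code. On success the caller receives the filter context and has to release it, while on every `return r;` path `*ret` is never written and the `_cleanup_` handler frees the context. The function's leading comment, which opens at the end of the first hunk of this file and continues outside it, is the natural place for a line such as `/* On success *ret owns the context and the caller must seccomp_release() it; on failure *ret is left untouched. */`. The success path also depends on `seccomp_releasep` doing nothing for a NULL pointer, since `seccomp` is NULL by the time the cleanup runs; its definition is not shown on this page, so that is worth confirming.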