authorLuca Bruno <lucab@debian.org>2016-07-12 11:55:26 +0200
committerLennart Poettering <lennart@poettering.net>2016-07-12 11:55:26 +0200
commit391b81cd03f0829e8a5c45b0eaefad4ef41f1285 (patch)
treed837aab5eb1c69892ad8bf59cae58169519de37a
parente18ec3c71d6450de898cd46e659b560e18ee8430 (diff)
seccomp: only abort on syscall name resolution failures (#3701)
seccomp_syscall_resolve_name() can return a mix of positive and negative (pseudo-) syscall numbers, while errors are signaled via __NR_SCMP_ERROR. This commit makes the syscall filter parser abort only on real parsing failures, letting libseccomp handle pseudo-syscall numbers on its own and allowing proper filtering of multiplexed syscalls.
-rw-r--r--src/core/load-fragment.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 61b333b506..782e420e4c 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -2429,7 +2429,7 @@ static int syscall_filter_parse_one(
int id;
id = seccomp_syscall_resolve_name(t);
- if (id < 0) {
+ if (id == __NR_SCMP_ERROR) {
if (warn)
log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse system call, ignoring: %s", t);
return 0;
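Review bot: The new test `id == __NR_SCMP_ERROR` lets negative pseudo-syscall numbers continue into the rest of syscall_filter_parse_one, which lies outside this hunk, so whatever stores or encodes `id` after this point should be checked for an assumption that it is non-negative. The condition also looks like a slip next to the old `id < 0`, so a comment would keep it from being "fixed" back: `/* Negative values other than __NR_SCMP_ERROR are pseudo-syscall numbers; libseccomp resolves them itself */`. Separately, an unresolved name is still only logged (when `warn` is set) and skipped via `return 0`. If the filter is used as a deny list, a misspelled syscall therefore stays unfiltered. That predates this change, but it is worth documenting next to this branch.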