authorLennart Poettering <lennart@poettering.net>2014-02-25 20:32:27 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-26 02:19:28 +0100
commit7c66bae2ff5cb674612f84637cb98f9478ed26a8 (patch)
tree8d7ae28626d6a154751964efe11c4c54556be081
parentfe6b2d55bcb379d01664ed28cea40634cb6b52e3 (diff)
seccomp: we should control NO_NEW_PRIVS on our own, not let seccomp do this for us
-rw-r--r--src/core/execute.c26
1 files changed, 13 insertions, 13 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index a328fc265f..aeddd2e412 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -969,30 +969,30 @@ static int apply_seccomp(ExecContext *c) {
r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
if (r == -EEXIST)
continue;
- if (r < 0) {
- seccomp_release(seccomp);
- return r;
- }
+ if (r < 0)
+ goto finish;
}
- } else {
+ } else {
r = seccomp_add_secondary_archs(seccomp);
- if (r < 0) {
- seccomp_release(seccomp);
- return r;
- }
+ if (r < 0)
+ goto finish;
}
action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
SET_FOREACH(id, c->syscall_filter, i) {
r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
- if (r < 0) {
- seccomp_release(seccomp);
- return r;
- }
+ if (r < 0)
+ goto finish;
}
+ r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
+ if (r < 0)
+ goto finish;
+
r = seccomp_load(seccomp);
+
+finish:
seccomp_release(seccomp);
return r;
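Review bot: The new `seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0)` call carries no comment explaining why libseccomp's implicit no_new_privs handling is switched off, and the consequence is security-relevant: once libseccomp no longer sets PR_SET_NO_NEW_PRIVS, the kernel accepts the filter in seccomp_load() only if the calling process holds CAP_SYS_ADMIN or already has no_new_privs set by other code, so this apparently harmless line changes which services can have their filter installed at all. A short why-comment above the call would save the next reader from re-deriving this, e.g. `/* NO_NEW_PRIVS is managed by our own exec logic, not by libseccomp; without it the kernel requires CAP_SYS_ADMIN to install the filter, so seccomp_load() may now fail with EACCES where it previously succeeded. */`. It would also help to state at the `finish:` label that r is either a negative errno from the last libseccomp call or the result of seccomp_load(), since the label is now reached from five places. The start of apply_seccomp and the function's closing brace lie outside the hunk.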