diff options
author | Lennart Poettering <lennart@poettering.net> | 2014-02-25 20:32:27 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-26 02:19:28 +0100 |
commit | 7c66bae2ff5cb674612f84637cb98f9478ed26a8 (patch) | |
tree | 8d7ae28626d6a154751964efe11c4c54556be081 /src/core/execute.c | |
parent | fe6b2d55bcb379d01664ed28cea40634cb6b52e3 (diff) |
seccomp: we should control NO_NEW_PRIVS on our own, not let seccomp do this for us
Diffstat (limited to 'src/core/execute.c')
-rw-r--r-- | src/core/execute.c | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index a328fc265f..aeddd2e412 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -969,30 +969,30 @@ static int apply_seccomp(ExecContext *c) { r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1); if (r == -EEXIST) continue; - if (r < 0) { - seccomp_release(seccomp); - return r; - } + if (r < 0) + goto finish; } - } else { + } else { r = seccomp_add_secondary_archs(seccomp); - if (r < 0) { - seccomp_release(seccomp); - return r; - } + if (r < 0) + goto finish; } action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action; SET_FOREACH(id, c->syscall_filter, i) { r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0); - if (r < 0) { - seccomp_release(seccomp); - return r; - } + if (r < 0) + goto finish; } + r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0); + if (r < 0) + goto finish; + r = seccomp_load(seccomp); + +finish: seccomp_release(seccomp); return r; |