author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2017-01-17 23:10:46 -0500 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2017-01-17 23:10:46 -0500 |
commit | 5b3637b44a28d3fb2ba8b272905c64d9dbae4d26 (patch) | |
tree | b56cafde107131f78b7202325ed713d442828c22 /src/core/main.c | |
parent | 70dd455c8e97ba60ab9f8983a4b98372c9ec615e (diff) | |
parent | 4d5bd50ab26f6233206c08364430270876c37b63 (diff) |
Merge pull request #4991 from poettering/seccomp-fix
Diffstat (limited to 'src/core/main.c')
-rw-r--r-- | src/core/main.c | 34 |
1 files changed, 3 insertions, 31 deletions
diff --git a/src/core/main.c b/src/core/main.c
index 56a81ab94a..ad2ce1330e 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1231,44 +1231,16 @@ oom:
 
 static int enforce_syscall_archs(Set *archs) {
 #ifdef HAVE_SECCOMP
-        scmp_filter_ctx *seccomp;
-        Iterator i;
-        void *id;
         int r;
 
         if (!is_seccomp_available())
                 return 0;
 
-        seccomp = seccomp_init(SCMP_ACT_ALLOW);
-        if (!seccomp)
-                return log_oom();
-
-        SET_FOREACH(id, arg_syscall_archs, i) {
-                r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
-                if (r == -EEXIST)
-                        continue;
-                if (r < 0) {
-                        log_error_errno(r, "Failed to add architecture to seccomp: %m");
-                        goto finish;
-                }
-        }
-
-        r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
-        if (r < 0) {
-                log_error_errno(r, "Failed to unset NO_NEW_PRIVS: %m");
-                goto finish;
-        }
-
-        r = seccomp_load(seccomp);
+        r = seccomp_restrict_archs(arg_syscall_archs);
         if (r < 0)
-                log_error_errno(r, "Failed to add install architecture seccomp: %m");
-
-finish:
-        seccomp_release(seccomp);
-        return r;
-#else
-        return 0;
+                return log_error_errno(r, "Failed to enforce system call architecture restrication: %m");
 #endif
+        return 0;
 }
 
 static int status_welcome(void) {
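Review bot: The new body drops the explicit `seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0)` that kept PID 1 from picking up NO_NEW_PRIVS when the filter was loaded, and nothing in this hunk shows whether `seccomp_restrict_archs()` preserves that; if it does not, every service inherits no_new_privs and setuid helpers such as sudo stop working system-wide, so that guarantee belongs either in the helper or in a comment here, e.g. `/* seccomp_restrict_archs() must not set NO_NEW_PRIVS: this filter is installed in PID 1 and is inherited by every service. */`. The rewritten call also keeps passing the global `arg_syscall_archs` while the function's `archs` parameter goes unused; the old code had the same mismatch, but the one-line rewrite is the moment to settle it with `r = seccomp_restrict_archs(archs);` or to drop the parameter. The added error string has a typo that will show up in the journal, `"Failed to enforce system call architecture restriction: %m"`. Whether the helper also tolerates the native architecture already being present (the old `-EEXIST` skip) cannot be judged from this hunk.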