Skip to content

Commit 72545ae

Browse files
anitazhayuwata
anitazha
authored and
yuwata
committed
core: sync SeccompParseFlags between dbus-execute and load-fragment
9e48626 added some new syscalls to the filter lists. However, on systems that do not yet support the new calls, running systemd-run with the filter set results in error: ``` $ sudo systemd-run -t -r -p "SystemCallFilter=~@mount" /bin/true Failed to start transient service unit: Invalid argument ``` Having the same properties in a unit file will start the service without issue. This is because the load-fragment code will parse the syscall filters in permissive mode: https://github.com/systemd/systemd/blob/master/src/core/load-fragment.c#L2909 whereas the dbus-execute equivalent of the code does not. Since the permissive mode appears to be the right setting to support older kernels/libseccomp, this will update the dbus-execute parsing to also be permissive.
1 parent 6e55b9b commit 72545ae

File tree

1 file changed

+4
-1
lines changed

1 file changed

+4
-1
lines changed

src/core/dbus-execute.c

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1587,6 +1587,7 @@ int bus_exec_context_set_transient_property(
15871587
r = seccomp_parse_syscall_filter("@default",
15881588
-1,
15891589
c->syscall_filter,
1590+
SECCOMP_PARSE_PERMISSIVE |
15901591
SECCOMP_PARSE_WHITELIST | invert_flag,
15911592
u->id,
15921593
NULL, 0);
@@ -1606,7 +1607,9 @@ int bus_exec_context_set_transient_property(
16061607
r = seccomp_parse_syscall_filter(n,
16071608
e,
16081609
c->syscall_filter,
1609-
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag,
1610+
SECCOMP_PARSE_LOG | SECCOMP_PARSE_PERMISSIVE |
1611+
invert_flag |
1612+
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
16101613
u->id,
16111614
NULL, 0);
16121615
if (r < 0)

0 commit comments

Comments
 (0)