seccomp: add helper call to add all secondary archs to a seccomp filter
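--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -79,6 +79,10 @@
 #include "rtnl-util.h"
 #include "udev-util.h"
+#ifdef HAVE_SECCOMP
+#include "seccomp-util.h"
+#endif
+
 typedef enum LinkJournal {
 LINK_NO,
 LINK_AUTO,
@@ -1303,7 +1307,7 @@ static int setup_veth(pid_t pid, char iface_name[]) {
 return r;
 }
-r = sd_rtnl_message_new_link(RTM_NEWLINK, 0, &m);
+r = sd_rtnl_message_new_link(rtnl, RTM_NEWLINK, 0, &m);
 if (r < 0) {
 log_error("Failed to allocate netlink message: %s", strerror(-r));
 return r;
@@ -1404,7 +1408,7 @@ static int setup_bridge(const char veth_name[]) {
 return r;
 }
-r = sd_rtnl_message_new_link(RTM_SETLINK, 0, &m);
+r = sd_rtnl_message_new_link(rtnl, RTM_SETLINK, 0, &m);
 if (r < 0) {
 log_error("Failed to allocate netlink message: %s", strerror(-r));
 return r;
@@ -1479,7 +1483,7 @@ static int move_network_interfaces(pid_t pid) {
 return -EBUSY;
 }
-r = sd_rtnl_message_new_link(RTM_NEWLINK, ifi, &m);
+r = sd_rtnl_message_new_link(rtnl, RTM_NEWLINK, ifi, &m);
 if (r < 0) {
 log_error("Failed to allocate netlink message: %s", strerror(-r));
 return r;
@@ -1521,6 +1525,12 @@ static int audit_still_doesnt_work_in_containers(void) {
 if (!seccomp)
 return log_oom();
+r = seccomp_add_secondary_archs(seccomp);
+if (r < 0 && r != -EEXIST) {
+log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
+goto finish;
+}
+
 r = seccomp_rule_add_exact(
 seccomp,
 SCMP_ACT_ERRNO(EAFNOSUPPORT),
@@ -1554,7 +1564,7 @@ finish:
 int main(int argc, char *argv[]) {
-_cleanup_close_ int master = -1, kdbus_fd = -1, sync_fd = -1, netns_fd = -1;
+_cleanup_close_ int master = -1, kdbus_fd = -1, sync_fd = -1;
 _cleanup_close_pipe_ int kmsg_socket_pair[2] = { -1, -1 };
 _cleanup_free_ char *kdbus_domain = NULL;
 _cleanup_fdset_free_ FDSet *fds = NULL;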
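Review bot: The tolerance of `-EEXIST` on the new `seccomp_add_secondary_archs()` call in `audit_still_doesnt_work_in_containers()` is unexplained at the call site, and a reader checking the filter's error handling will otherwise read it as a swallowed failure. A one-line comment above the call would settle it, e.g. `/* Register the secondary ABIs as well, so the EAFNOSUPPORT rules below bind non-native callers too; -EEXIST only means an arch was already in the filter. */` — this assumes that is what the helper returns for an already-registered arch, which the hunk does not show, so confirm against seccomp-util.c before wording it that way. The declaration of `r`, the `#ifdef HAVE_SECCOMP` guard around the function and the `finish:` label that releases the filter all lie outside this hunk.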