[PATCH 1/2] Workaround libseccomp bug & fix error handling

Faidon Liambotis paravoid at debian.org
Thu May 16 10:16:35 EDT 2013


libseccomp has a bug where -EDOM is returned when seccomp_rule_add is
called for pseudo system calls (i.e. < -99). This was triggered by
adding the send() system call on my x86_64 machine. The bug seems to
have been recently (May 7th, 2013) reported and fixed on libseccomp
upstream but it will take a while to find its way to a release and
distributions.

Additionally, there was a bug in how errors from libseccomp calls were
handled: libseccomp functions don't actually set errno, but return errno
values in their return value instead. This resulted in the
seccomp_rule_add call above printing "could not add send to seccomp
filter: Success".
---
 src/worker-privs.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/worker-privs.c b/src/worker-privs.c
index 4794525..2b3158d 100644
--- a/src/worker-privs.c
+++ b/src/worker-privs.c
@@ -26,7 +26,7 @@
 
 int disable_system_calls(struct worker_st *ws)
 {
-	int ret, e;
+	int ret;
 	scmp_filter_ctx ctx;
 	
 	ctx = seccomp_init(SCMP_ACT_KILL);
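Review bot: dropping `e` is correct since errno is no longer read anywhere in the function, but note that the `-EDOM` comparison introduced in the next hunk still depends on `<errno.h>`; please confirm the include stays in place (it is not visible in this hunk), otherwise the build will fail on the macro below.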
@@ -37,9 +37,9 @@ int disable_system_calls(struct worker_st *ws)
 
 #define ADD_SYSCALL(name) \
 	ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(name), 0); \
-	if (ret < 0) { \
-		e = errno; \
-		oclog(ws, LOG_WARNING, "could not add " #name " to seccomp filter: %s", strerror(e)); \
+	/* libseccomp returns EDOM for pseudo-syscalls due to a bug */ \
+	if (ret < 0 && ret != -EDOM) { \
+		oclog(ws, LOG_WARNING, "could not add " #name " to seccomp filter: %s", strerror(-ret)); \
 		ret = -1; \
 		goto fail; \
 	}
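Review bot: the `ret != -EDOM` workaround silently drops the rule, so a syscall that hits this path (send() on x86_64 in the reported case) is never added to the allow list, and with the filter initialised as `SCMP_ACT_KILL` the worker will be killed on its first use of that call with no hint in the log as to why. Suggest keeping the skip but still reporting it at a lower severity, e.g. `if (ret == -EDOM) oclog(ws, LOG_DEBUG, "skipping " #name ": pseudo-syscall not supported by libseccomp");` before the `if (ret < 0 && ret != -EDOM)` check, so the missing rule is diagnosable; this also matters once the upstream libseccomp fix ships, because the same condition will then mask any genuine `-EDOM` return. The switch to `strerror(-ret)` is right, since libseccomp returns negative errno values rather than setting errno.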
-- 
1.7.2.5
More information about the openconnect-devel mailing list