libseccomp has a bug where -EDOM is returned when seccomp_rule_add is called for pseudo system calls (i.e. < -99). This was triggered by adding the send() system call on my x86_64 machine. The bug seems to have been recently (May 7th, 2013) reported and fixed on libseccomp upstream but it will take a while to find its way to a release and distributions. Additionally, there was a bug on how libseccomp calls were error handled: libseccomp functions don't actually set errno, but set errno values in their return value instead. This resulted in the seccomp_rule_add call above to print "could not add send to seccomp filter: Success". --- src/worker-privs.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/worker-privs.c b/src/worker-privs.c index 4794525..2b3158d 100644 --- a/src/worker-privs.c +++ b/src/worker-privs.c @@ -26,7 +26,7 @@ int disable_system_calls(struct worker_st *ws) { - int ret, e; + int ret; scmp_filter_ctx ctx; ctx = seccomp_init(SCMP_ACT_KILL); @@ -37,9 +37,9 @@ int disable_system_calls(struct worker_st *ws) #define ADD_SYSCALL(name) \ ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(name), 0); \ - if (ret < 0) { \ - e = errno; \ - oclog(ws, LOG_WARNING, "could not add " #name " to seccomp filter: %s", strerror(e)); \ + /* libseccomp returns EDOM for pseudo-syscalls due to a bug */ \ + if (ret < 0 && ret != -EDOM) { \ + oclog(ws, LOG_WARNING, "could not add " #name " to seccomp filter: %s", strerror(-ret)); \ ret = -1; \ goto fail; \ } -- 1.7.2.5
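Review bot: In the second hunk, the ADD_SYSCALL macro's new `ret != -EDOM` condition swallows every EDOM result, not just the one the known libseccomp bug produces, so a rule that genuinely was not added is skipped without any log line and the worker is later killed by SCMP_ACT_KILL with nothing to explain it. Suggest still recording the skipped call at a lower severity in that case, e.g. `if (ret == -EDOM) oclog(ws, LOG_DEBUG, "skipping " #name ": EDOM from libseccomp");`, and adding a comment naming the libseccomp version at which the workaround can be removed. Note also that `ret` is left holding -EDOM after the macro expands, so if disable_system_calls tests or returns `ret` further down, the skipped case would still propagate as a failure; resetting `ret = 0` in the EDOM branch avoids that.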