morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-15 08:56:15 +09:00
Code Issues Packages Projects Releases Wiki Activity

nspawn: only copy syscall filters from settings if actually configured

Browse Source 
As in the previous commit, let's not copy settings that aren#t
configured, so that --settings=override with an empty .nspawn file is
truly a NOP.
This commit is contained in:
Lennart Poettering
2021-11-09 18:26:53 +01:00
parent 0cc3c9f997
commit 2d09ea44fc
1 changed files with 14 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/nspawn/nspawn.c
View File

@@ -4462,19 +4462,23 @@ static int merge_settings(Settings *settings, const char *path) {
if ((arg_settings_mask & SETTING_SYSCALL_FILTER) == 0) {
if (!arg_settings_trusted && !strv_isempty(settings->syscall_allow_list))
log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path);
else {
strv_free_and_replace(arg_syscall_allow_list, settings->syscall_allow_list);
strv_free_and_replace(arg_syscall_deny_list, settings->syscall_deny_list);
if (!strv_isempty(settings->syscall_allow_list) || !strv_isempty(settings->syscall_deny_list)) {
if (!arg_settings_trusted && !strv_isempty(settings->syscall_allow_list))
log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path);
else {
strv_free_and_replace(arg_syscall_allow_list, settings->syscall_allow_list);
strv_free_and_replace(arg_syscall_deny_list, settings->syscall_deny_list);
}
}
#if HAVE_SECCOMP
if (!arg_settings_trusted && settings->seccomp)
log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path);
else {
seccomp_release(arg_seccomp);
arg_seccomp = TAKE_PTR(settings->seccomp);
if (settings->seccomp) {
if (!arg_settings_trusted)
log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path);
else {
seccomp_release(arg_seccomp);
arg_seccomp = TAKE_PTR(settings->seccomp);
}
}
#endif
}