seccomp / libseccomp

The main libseccomp repository
GNU Lesser General Public License v2.1

BUG: fix check for SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV flag #427

Closed edliaw closed 4 months ago

edliaw commented 5 months ago

Testing for the SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV flag without also having the SECCOMP_FILTER_FLAG_NEW_LISTENER flag will return EINVAL instead of EFAULT.

The specific line in kernel/seccomp.c is:

    if ((flags & SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV) &&
        ((flags & SECCOMP_FILTER_FLAG_NEW_LISTENER) == 0))
        return -EINVAL;

When checking for the seccomp api level, this will mean that level 7 will not be reached unless SECCOMP_FILTER_FLAG_NEW_LISTENER is included in the test.

Fixes: 96989965042a ("api: add the SCMP_FLTATR_CTL_WAITKILL filter attribute")
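The probe behaviour described above, as an added example that is not part of the pull request or of libseccomp's own code. The helper names `probe_flags` and `flags_accepted` are hypothetical, and the fallback constants assume the values in the kernel's uapi `linux/seccomp.h`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks (values from uapi linux/seccomp.h) for builds against older headers. */
#ifndef SECCOMP_SET_MODE_FILTER
#define SECCOMP_SET_MODE_FILTER 1
#endif
#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
#endif
#ifndef SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
#define SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV (1UL << 5)
#endif

/* Hypothetical helper: add the flags that must accompany `flag` so the probe
 * tests kernel support rather than tripping the combination check. */
unsigned long probe_flags(unsigned long flag)
{
    if (flag & SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV)
        flag |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
    return flag;
}

/* Probe with a NULL filter pointer, so no filter is ever installed. EFAULT
 * means the flags passed validation and the kernel went on to read the
 * filter; any other errno (EINVAL, ENOSYS, EPERM in a sandbox) is treated
 * as unsupported. Returns 1 if the flags were accepted, 0 otherwise. */
int flags_accepted(unsigned long flags)
{
#ifdef __NR_seccomp
    errno = 0;
    if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, flags, NULL) == -1 &&
        errno == EFAULT)
        return 1;
#endif
    return 0;
}

int main(void)
{
    unsigned long wk = SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV;
    printf("WAIT_KILLABLE_RECV alone:          %d\n", flags_accepted(wk));
    printf("WAIT_KILLABLE_RECV | NEW_LISTENER: %d\n", flags_accepted(probe_flags(wk)));
    return 0;
}
```

On a kernel that supports the flag, the first line prints 0 and the second prints 1, which is why a probe of the flag on its own never reaches API level 7.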

edliaw commented 5 months ago

Oops, I only just saw that https://github.com/seccomp/libseccomp/pull/419 was open. This is a duplicate of that I guess.

pcmoore commented 4 months ago

> Oops, I only just saw that #419 was open. This is a duplicate of that I guess.

No worries on the dup, but I am going to go ahead and close this. If you've got any additional comments, etc., please make them in #419 - thanks!