Commit 270701f9 authored by Simon McVittie, committed by Alexander Larsson

run: Handle unknown syscalls as intended

The error-handling here was

    if (r < 0 && r == -EFAULT)

but Alex says it was almost certainly intended to be

    if (r < 0 && r != -EFAULT)

so that syscalls not known to libseccomp are not a fatal error.

Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.

This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.

Resolves: https://github.com/flatpak/flatpak/issues/4458


Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa67038370e4f4c3ce8c3b5f672d4876cfc8)
parent 0cfd7244
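
The two conditions quoted in the commit message, run over constructed rule-add results. This is an added example, not code from flatpak or from this commit: `apply_blocklist`, `struct entry` and the sample names are hypothetical, and stored return values stand in for the real libseccomp call. The `INTENDED` policy follows the quoted `r != -EFAULT` condition and logs on -EFAULT as the message describes.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical blocklist entry: r is the value the rule-add call returned.
 * Constructed sample data, not flatpak's real blocklist. */
struct entry { const char *name; int r; };
static const struct entry sample_unknown[] = {  /* one syscall unknown to the library */
  { "known_a", 0 }, { "too_new", -EFAULT }, { "known_b", 0 },
};
static const struct entry sample_failure[] = {  /* one genuine failure */
  { "known_a", 0 }, { "known_c", -ENOMEM }, { "known_b", 0 },
};

enum policy { ORIGINAL, INTENDED };

struct outcome {
  int fatal_at;    /* index that aborted sandbox setup, -1 if none */
  int unfiltered;  /* -EFAULT entries skipped: syscalls left unblocked */
  int swallowed;   /* other errors silently ignored */
};

static struct outcome apply_blocklist (const struct entry *list, int n, enum policy p)
{
  struct outcome o = { -1, 0, 0 };
  for (int i = 0; i < n; i++)
    {
      int r = list[i].r;
      int fatal = (p == ORIGINAL) ? (r < 0 && r == -EFAULT)   /* condition as it was */
                                  : (r < 0 && r != -EFAULT);  /* condition as intended */
      if (fatal) { o.fatal_at = i; return o; }
      if (r == -EFAULT)
        {
          /* Debug message so the unblocked syscall is visible in logs. */
          fprintf (stderr, "debug: unable to block %s (unknown to library?)\n", list[i].name);
          o.unfiltered++;
        }
      else if (r < 0)
        o.swallowed++;
    }
  return o;
}

int main (void)
{
  struct outcome a = apply_blocklist (sample_unknown, 3, ORIGINAL);
  struct outcome b = apply_blocklist (sample_failure, 3, ORIGINAL);
  struct outcome c = apply_blocklist (sample_unknown, 3, INTENDED);
  printf ("original: fatal_at=%d swallowed=%d; intended: unfiltered=%d\n", a.fatal_at, b.swallowed, c.unfiltered);
  return 0;
}
```

A non-zero `unfiltered` count is the weakened defence the message refers to: setup succeeds, but those syscalls are not blocked.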