diff options
| author | Luca Boccassi <bluca@debian.org> | 2023-07-30 17:31:16 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-07-30 17:31:16 +0200 |
| commit | 167338529b31ac2878c0d122dba8f4712775d33f (patch) | |
| tree | ad3d4cd4633594d850fb396225a877c8dc1d2782 /src | |
| parent | network: ndisc - Honour CurHopLimit (diff) | |
| parent | nspawn,shared: cleanup use of ERRNO_IS_SECCOMP_FATAL() (diff) | |
| download | systemd-167338529b31ac2878c0d122dba8f4712775d33f.tar.xz systemd-167338529b31ac2878c0d122dba8f4712775d33f.zip | |
Merge pull request #28428 from ldv-alt/ERRNO_IS
treewide: cleanup use of ERRNO_IS_*(r)
Diffstat (limited to 'src')
| -rw-r--r-- | src/boot/bootctl-status.c | 11 | ||||
| -rw-r--r-- | src/core/core-varlink.c | 11 | ||||
| -rw-r--r-- | src/core/execute.c | 22 | ||||
| -rw-r--r-- | src/core/socket.c | 29 | ||||
| -rw-r--r-- | src/coredump/coredumpctl.c | 15 | ||||
| -rw-r--r-- | src/cryptsetup/cryptsetup.c | 7 | ||||
| -rw-r--r-- | src/home/homework-directory.c | 7 | ||||
| -rw-r--r-- | src/home/homework-luks.c | 18 | ||||
| -rw-r--r-- | src/login/logind-core.c | 13 | ||||
| -rw-r--r-- | src/nspawn/nspawn-seccomp.c | 14 | ||||
| -rw-r--r-- | src/nspawn/nspawn.c | 34 | ||||
| -rw-r--r-- | src/partition/repart.c | 14 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-transaction.c | 2 | ||||
| -rw-r--r-- | src/shared/btrfs-util.c | 16 | ||||
| -rw-r--r-- | src/shared/seccomp-util.c | 91 | ||||
| -rw-r--r-- | src/shared/userdb-dropin.c | 30 | ||||
| -rw-r--r-- | src/test/test-procfs-util.c | 4 | ||||
| -rw-r--r-- | src/tmpfiles/tmpfiles.c | 2 |
18 files changed, 189 insertions, 151 deletions
diff --git a/src/boot/bootctl-status.c b/src/boot/bootctl-status.c index 0f2e9204b7..65f351031d 100644 --- a/src/boot/bootctl-status.c +++ b/src/boot/bootctl-status.c @@ -43,11 +43,12 @@ static int boot_config_load_and_select( _cleanup_strv_free_ char **efi_entries = NULL; r = efi_loader_get_entries(&efi_entries); - if (r == -ENOENT || ERRNO_IS_NOT_SUPPORTED(r)) - log_debug_errno(r, "Boot loader reported no entries."); - else if (r < 0) - log_warning_errno(r, "Failed to determine entries reported by boot loader, ignoring: %m"); - else + if (r < 0) { + if (r == -ENOENT || ERRNO_IS_NOT_SUPPORTED(r)) + log_debug_errno(r, "Boot loader reported no entries."); + else + log_warning_errno(r, "Failed to determine entries reported by boot loader, ignoring: %m"); + } else (void) boot_config_augment_from_loader(config, efi_entries, /* only_auto= */ false); } diff --git a/src/core/core-varlink.c b/src/core/core-varlink.c index aa4c047418..1ff4a93cce 100644 --- a/src/core/core-varlink.c +++ b/src/core/core-varlink.c @@ -561,12 +561,13 @@ static int manager_varlink_init_user(Manager *m) { return 0; r = varlink_connect_address(&link, VARLINK_ADDR_PATH_MANAGED_OOM_USER); - if (r == -ENOENT || ERRNO_IS_DISCONNECT(r)) { - log_debug("systemd-oomd varlink unix socket not found, skipping user manager varlink setup"); - return 0; - } - if (r < 0) + if (r < 0) { + if (r == -ENOENT || ERRNO_IS_DISCONNECT(r)) { + log_debug("systemd-oomd varlink unix socket not found, skipping user manager varlink setup"); + return 0; + } return log_error_errno(r, "Failed to connect to %s: %m", VARLINK_ADDR_PATH_MANAGED_OOM_USER); + } varlink_set_userdata(link, m); diff --git a/src/core/execute.c b/src/core/execute.c index 167657a0ae..3707d8ac62 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -5098,20 +5098,24 @@ static int exec_child( /* When we can't make this change due to EPERM, then let's silently skip over it. User namespaces * prohibit write access to this file, and we shouldn't trip up over that. */ r = set_oom_score_adjust(context->oom_score_adjust); - if (ERRNO_IS_PRIVILEGE(r)) - log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m"); - else if (r < 0) { - *exit_status = EXIT_OOM_ADJUST; - return log_unit_error_errno(unit, r, "Failed to adjust OOM setting: %m"); + if (r < 0) { + if (ERRNO_IS_PRIVILEGE(r)) + log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m"); + else { + *exit_status = EXIT_OOM_ADJUST; + return log_unit_error_errno(unit, r, "Failed to adjust OOM setting: %m"); + } } } if (context->coredump_filter_set) { r = set_coredump_filter(context->coredump_filter); - if (ERRNO_IS_PRIVILEGE(r)) - log_unit_debug_errno(unit, r, "Failed to adjust coredump_filter, ignoring: %m"); - else if (r < 0) - return log_unit_error_errno(unit, r, "Failed to adjust coredump_filter: %m"); + if (r < 0) { + if (ERRNO_IS_PRIVILEGE(r)) + log_unit_debug_errno(unit, r, "Failed to adjust coredump_filter, ignoring: %m"); + else + return log_unit_error_errno(unit, r, "Failed to adjust coredump_filter: %m"); + } } if (context->nice_set) { diff --git a/src/core/socket.c b/src/core/socket.c index 03b8cbd164..aaa443432b 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -1386,14 +1386,15 @@ int socket_load_service_unit(Socket *s, int cfd, Unit **ret) { if (cfd >= 0) { r = instance_from_socket(cfd, s->n_accepted, &instance); - if (ERRNO_IS_DISCONNECT(r)) - /* ENOTCONN is legitimate if TCP RST was received. Other socket families might return - * different errors. This connection is over, but the socket unit lives on. */ - return log_unit_debug_errno(UNIT(s), r, - "Got %s on incoming socket, assuming aborted connection attempt, ignoring.", - errno_to_name(r)); - if (r < 0) + if (r < 0) { + if (ERRNO_IS_DISCONNECT(r)) + /* ENOTCONN is legitimate if TCP RST was received. Other socket families might return + * different errors. This connection is over, but the socket unit lives on. */ + return log_unit_debug_errno(UNIT(s), r, + "Got %s on incoming socket, assuming aborted connection attempt, ignoring.", + errno_to_name(r)); return r; + } } /* For accepting sockets, we don't know how the instance will be called until we get a connection and @@ -2377,10 +2378,11 @@ static void socket_enter_running(Socket *s, int cfd_in) { } r = socket_load_service_unit(s, cfd, &service); - if (ERRNO_IS_DISCONNECT(r)) - return; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_DISCONNECT(r)) + return; goto fail; + } r = unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, service, false, UNIT_DEPENDENCY_IMPLICIT); @@ -2390,10 +2392,11 @@ static void socket_enter_running(Socket *s, int cfd_in) { s->n_accepted++; r = service_set_socket_fd(SERVICE(service), cfd, s, p, s->selinux_context_from_net); - if (ERRNO_IS_DISCONNECT(r)) - return; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_DISCONNECT(r)) + return; goto fail; + } TAKE_FD(cfd); /* We passed ownership of the fd to the service now. Forget it here. */ s->n_connections++; diff --git a/src/coredump/coredumpctl.c b/src/coredump/coredumpctl.c index e34d74765e..16abb8f62a 100644 --- a/src/coredump/coredumpctl.c +++ b/src/coredump/coredumpctl.c @@ -483,14 +483,15 @@ static void analyze_coredump_file( r = -errno; } else r = access_fd(fd, R_OK); - if (ERRNO_IS_PRIVILEGE(r)) { - *ret_state = "inaccessible"; - *ret_color = ansi_highlight_yellow(); - *ret_size = UINT64_MAX; - return; - } - if (r < 0) + if (r < 0) { + if (ERRNO_IS_PRIVILEGE(r)) { + *ret_state = "inaccessible"; + *ret_color = ansi_highlight_yellow(); + *ret_size = UINT64_MAX; + return; + } goto error; + } if (fstat(fd, &st) < 0) goto error; diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c index 31dff24b57..f62401b9bc 100644 --- a/src/cryptsetup/cryptsetup.c +++ b/src/cryptsetup/cryptsetup.c @@ -1728,10 +1728,11 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2( found_some ? "No TPM2 metadata matching the current system state found in LUKS2 header, falling back to traditional unlocking." : "No TPM2 metadata enrolled in LUKS2 header, falling back to traditional unlocking."); - if (ERRNO_IS_NOT_SUPPORTED(r)) /* TPM2 support not compiled in? */ - return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 support not available, falling back to traditional unlocking."); - if (r < 0) + if (r < 0) { + if (ERRNO_IS_NOT_SUPPORTED(r)) /* TPM2 support not compiled in? */ + return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 support not available, falling back to traditional unlocking."); return r; + } found_some = true; diff --git a/src/home/homework-directory.c b/src/home/homework-directory.c index 6668edb749..575ac52551 100644 --- a/src/home/homework-directory.c +++ b/src/home/homework-directory.c @@ -285,10 +285,11 @@ int home_resize_directory( return r; r = home_update_quota_auto(h, NULL); - if (ERRNO_IS_NOT_SUPPORTED(r)) - return -ESOCKTNOSUPPORT; /* make recognizable */ - if (r < 0) + if (r < 0) { + if (ERRNO_IS_NOT_SUPPORTED(r)) + return -ESOCKTNOSUPPORT; /* make recognizable */ return r; + } r = home_store_embedded_identity(new_home, setup->root_fd, h->uid, embedded_home); if (r < 0) diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c index 06e346e1e0..7946e6c120 100644 --- a/src/home/homework-luks.c +++ b/src/home/homework-luks.c @@ -498,10 +498,11 @@ static int acquire_open_luks_device( return r; r = sym_crypt_init_by_name(&cd, setup->dm_name); - if ((ERRNO_IS_DEVICE_ABSENT(r) || r == -EINVAL) && graceful) - return 0; - if (r < 0) + if (r < 0) { + if ((ERRNO_IS_DEVICE_ABSENT(r) || r == -EINVAL) && graceful) + return 0; return log_error_errno(r, "Failed to initialize cryptsetup context for %s: %m", setup->dm_name); + } cryptsetup_enable_logging(cd); @@ -1638,11 +1639,12 @@ int home_deactivate_luks(UserRecord *h, HomeSetup *setup) { cryptsetup_enable_logging(setup->crypt_device); r = sym_crypt_deactivate_by_name(setup->crypt_device, setup->dm_name, 0); - if (ERRNO_IS_DEVICE_ABSENT(r) || r == -EINVAL) - log_debug_errno(r, "LUKS device %s is already detached.", setup->dm_node); - else if (r < 0) - return log_info_errno(r, "LUKS device %s couldn't be deactivated: %m", setup->dm_node); - else { + if (r < 0) { + if (ERRNO_IS_DEVICE_ABSENT(r) || r == -EINVAL) + log_debug_errno(r, "LUKS device %s is already detached.", setup->dm_node); + else + return log_info_errno(r, "LUKS device %s couldn't be deactivated: %m", setup->dm_node); + } else { log_info("LUKS device detaching completed."); we_detached = true; } diff --git a/src/login/logind-core.c b/src/login/logind-core.c index af86e92c01..e7f1d6c8e4 100644 --- a/src/login/logind-core.c +++ b/src/login/logind-core.c @@ -828,13 +828,14 @@ int manager_read_efi_boot_loader_entries(Manager *m) { return 0; r = efi_loader_get_entries(&m->efi_boot_loader_entries); - if (r == -ENOENT || ERRNO_IS_NOT_SUPPORTED(r)) { - log_debug_errno(r, "Boot loader reported no entries."); - m->efi_boot_loader_entries_set = true; - return 0; - } - if (r < 0) + if (r < 0) { + if (r == -ENOENT || ERRNO_IS_NOT_SUPPORTED(r)) { + log_debug_errno(r, "Boot loader reported no entries."); + m->efi_boot_loader_entries_set = true; + return 0; + } return log_error_errno(r, "Failed to determine entries reported by boot loader: %m"); + } m->efi_boot_loader_entries_set = true; return 1; diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c index 3d666eeb79..f26bcf829f 100644 --- a/src/nspawn/nspawn-seccomp.c +++ b/src/nspawn/nspawn-seccomp.c @@ -206,10 +206,11 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy return r; r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return log_error_errno(r, "Failed to install seccomp filter: %m"); - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return log_error_errno(r, "Failed to install seccomp filter: %m"); log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } } SECCOMP_FOREACH_LOCAL_ARCH(arch) { @@ -242,10 +243,11 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy } r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return log_error_errno(r, "Failed to install seccomp audit filter: %m"); - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return log_error_errno(r, "Failed to install seccomp audit filter: %m"); log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } } return 0; diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index e170958fc5..7eac4ca0bb 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -3412,10 +3412,11 @@ static int inner_child( if (is_seccomp_available()) { r = seccomp_load(arg_seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return log_error_errno(r, "Failed to install seccomp filter: %m"); - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return log_error_errno(r, "Failed to install seccomp filter: %m"); log_debug_errno(r, "Failed to install seccomp filter: %m"); + } } } else #endif @@ -3825,19 +3826,20 @@ static int outer_child( arg_uid_shift != 0) { r = remount_idmap(directory, arg_uid_shift, arg_uid_range, UID_INVALID, REMOUNT_IDMAPPING_HOST_ROOT); - if (r == -EINVAL || ERRNO_IS_NOT_SUPPORTED(r)) { - /* This might fail because the kernel or file system doesn't support idmapping. We - * can't really distinguish this nicely, nor do we have any guarantees about the - * error codes we see, could be EOPNOTSUPP or EINVAL. */ - if (arg_userns_ownership != USER_NAMESPACE_OWNERSHIP_AUTO) - return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), - "ID mapped mounts are apparently not available, sorry."); - - log_debug("ID mapped mounts are apparently not available on this kernel or for the selected file system, reverting to recursive chown()ing."); - arg_userns_ownership = USER_NAMESPACE_OWNERSHIP_CHOWN; - } else if (r < 0) - return log_error_errno(r, "Failed to set up ID mapped mounts: %m"); - else { + if (r < 0) { + if (r == -EINVAL || ERRNO_IS_NOT_SUPPORTED(r)) { + /* This might fail because the kernel or file system doesn't support idmapping. We + * can't really distinguish this nicely, nor do we have any guarantees about the + * error codes we see, could be EOPNOTSUPP or EINVAL. */ + if (arg_userns_ownership != USER_NAMESPACE_OWNERSHIP_AUTO) + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), + "ID mapped mounts are apparently not available, sorry."); + + log_debug("ID mapped mounts are apparently not available on this kernel or for the selected file system, reverting to recursive chown()ing."); + arg_userns_ownership = USER_NAMESPACE_OWNERSHIP_CHOWN; + } else + return log_error_errno(r, "Failed to set up ID mapped mounts: %m"); + } else { log_debug("ID mapped mounts available, making use of them."); idmap = true; } diff --git a/src/partition/repart.c b/src/partition/repart.c index f68918a731..6c39ee804c 100644 --- a/src/partition/repart.c +++ b/src/partition/repart.c @@ -6484,10 +6484,11 @@ static int parse_efi_variable_factory_reset(void) { return 0; r = efi_get_variable_string(EFI_SYSTEMD_VARIABLE(FactoryReset), &value); - if (r == -ENOENT || ERRNO_IS_NOT_SUPPORTED(r)) - return 0; - if (r < 0) + if (r < 0) { + if (r == -ENOENT || ERRNO_IS_NOT_SUPPORTED(r)) + return 0; return log_error_errno(r, "Failed to read EFI variable FactoryReset: %m"); + } r = parse_boolean(value); if (r < 0) @@ -6504,10 +6505,11 @@ static int remove_efi_variable_factory_reset(void) { int r; r = efi_set_variable(EFI_SYSTEMD_VARIABLE(FactoryReset), NULL, 0); - if (r == -ENOENT || ERRNO_IS_NOT_SUPPORTED(r)) - return 0; - if (r < 0) + if (r < 0) { + if (r == -ENOENT || ERRNO_IS_NOT_SUPPORTED(r)) + return 0; return log_error_errno(r, "Failed to remove EFI variable FactoryReset: %m"); + } log_info("Successfully unset EFI variable FactoryReset."); return 0; diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 323786896b..1ff452264a 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -2079,7 +2079,7 @@ int dns_transaction_go(DnsTransaction *t) { dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED); return 0; } - if (t->scope->protocol == DNS_PROTOCOL_LLMNR && ERRNO_IS_DISCONNECT(r)) { + if (t->scope->protocol == DNS_PROTOCOL_LLMNR && r < 0 && ERRNO_IS_DISCONNECT(r)) { /* On LLMNR, if we cannot connect to a host via TCP when doing reverse lookups. This means we cannot * answer this request with this protocol. */ dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND); diff --git a/src/shared/btrfs-util.c b/src/shared/btrfs-util.c index 5128b308ab..cd340073cf 100644 --- a/src/shared/btrfs-util.c +++ b/src/shared/btrfs-util.c @@ -1565,14 +1565,16 @@ int btrfs_subvol_snapshot_at_full( return -EISDIR; r = btrfs_subvol_make_fd(new_fd, subvolume); - if (ERRNO_IS_NOT_SUPPORTED(r) && (flags & BTRFS_SNAPSHOT_FALLBACK_DIRECTORY)) { - /* If the destination doesn't support subvolumes, then use a plain directory, if that's requested. */ - if (mkdirat(new_fd, subvolume, 0755) < 0) - return -errno; + if (r < 0) { + if (ERRNO_IS_NOT_SUPPORTED(r) && (flags & BTRFS_SNAPSHOT_FALLBACK_DIRECTORY)) { + /* If the destination doesn't support subvolumes, then use a plain directory, if that's requested. */ + if (mkdirat(new_fd, subvolume, 0755) < 0) + return -errno; - plain_directory = true; - } else if (r < 0) - return r; + plain_directory = true; + } else + return r; + } if (FLAGS_SET(flags, BTRFS_SNAPSHOT_LOCK_BSD)) { subvolume_fd = xopenat_lock(new_fd, subvolume, diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index bd9660cb35..6dc10f2f3a 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -1092,10 +1092,11 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter return log_debug_errno(r, "Failed to add filter set: %m"); r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return r; log_debug_errno(r, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } } return 0; @@ -1153,11 +1154,12 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter } r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return r; log_debug_errno(r, "Failed to install system call filter for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } } return 0; @@ -1358,10 +1360,11 @@ int seccomp_restrict_namespaces(unsigned long retain) { continue; r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return r; log_debug_errno(r, "Failed to install namespace restriction rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } } return 0; @@ -1401,10 +1404,11 @@ int seccomp_protect_sysctl(void) { } r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return r; log_debug_errno(r, "Failed to install sysctl protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } } return 0; @@ -1433,10 +1437,11 @@ int seccomp_protect_syslog(void) { } r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return r; log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m", seccomp_arch_to_string(arch)); + } } return 0; @@ -1603,10 +1608,11 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) { } r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return r; log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } } return 0; @@ -1682,10 +1688,11 @@ int seccomp_restrict_realtime_full(int error_code) { } r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return r; log_debug_errno(r, "Failed to install realtime protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } } return 0; @@ -1816,11 +1823,12 @@ int seccomp_memory_deny_write_execute(void) { } r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return r; log_debug_errno(r, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } loaded++; } @@ -1889,10 +1897,11 @@ int seccomp_restrict_archs(Set *archs) { return r; r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return r; log_debug_errno(r, "Failed to restrict system call architectures, skipping: %m"); + } return 0; } @@ -1984,10 +1993,11 @@ int seccomp_lock_personality(unsigned long personality) { } r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return r; log_debug_errno(r, "Failed to enable personality lock for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } } return 0; @@ -2025,10 +2035,11 @@ int seccomp_protect_hostname(void) { } r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return r; log_debug_errno(r, "Failed to apply hostname restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } } return 0; @@ -2203,10 +2214,11 @@ int seccomp_restrict_suid_sgid(void) { continue; r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return r; log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } } return 0; @@ -2348,10 +2360,11 @@ int seccomp_suppress_sync(void) { #endif r = seccomp_load(seccomp); - if (ERRNO_IS_SECCOMP_FATAL(r)) - return r; - if (r < 0) + if (r < 0) { + if (ERRNO_IS_SECCOMP_FATAL(r)) + return r; log_debug_errno(r, "Failed to apply sync() suppression for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } } return 0; diff --git a/src/shared/userdb-dropin.c b/src/shared/userdb-dropin.c index 5d79f4688a..309f33b5b5 100644 --- a/src/shared/userdb-dropin.c +++ b/src/shared/userdb-dropin.c @@ -57,13 +57,14 @@ static int load_user( } r = json_parse_file(NULL, j, JSON_PARSE_SENSITIVE, &privileged_v, NULL, NULL); - if (ERRNO_IS_PRIVILEGE(r)) - have_privileged = false; - else if (r == -ENOENT) - have_privileged = true; /* if the privileged file doesn't exist, we are complete */ - else if (r < 0) - return r; - else { + if (r < 0) { + if (ERRNO_IS_PRIVILEGE(r)) + have_privileged = false; + else if (r == -ENOENT) + have_privileged = true; /* if the privileged file doesn't exist, we are complete */ + else + return r; + } else { r = json_variant_merge(&v, privileged_v); if (r < 0) return r; @@ -201,13 +202,14 @@ static int load_group( } r = json_parse_file(NULL, j, JSON_PARSE_SENSITIVE, &privileged_v, NULL, NULL); - if (ERRNO_IS_PRIVILEGE(r)) - have_privileged = false; - else if (r == -ENOENT) - have_privileged = true; /* if the privileged file doesn't exist, we are complete */ - else if (r < 0) - return r; - else { + if (r < 0) { + if (ERRNO_IS_PRIVILEGE(r)) + have_privileged = false; + else if (r == -ENOENT) + have_privileged = true; /* if the privileged file doesn't exist, we are complete */ + else + return r; + } else { r = json_variant_merge(&v, privileged_v); if (r < 0) return r; diff --git a/src/test/test-procfs-util.c b/src/test/test-procfs-util.c index 7c3aa21d65..5427e1bec3 100644 --- a/src/test/test-procfs-util.c +++ b/src/test/test-procfs-util.c @@ -28,14 +28,14 @@ int main(int argc, char *argv[]) { pid_max = TASKS_MAX; r = procfs_get_pid_max(&pid_max); - if (r == -ENOENT || ERRNO_IS_PRIVILEGE(r)) + if (r == -ENOENT || (r < 0 && ERRNO_IS_PRIVILEGE(r))) return log_tests_skipped_errno(r, "can't get pid max"); assert(r >= 0); log_info("kernel.pid_max: %"PRIu64, pid_max); threads_max = TASKS_MAX; r = procfs_get_threads_max(&threads_max); - if (r == -ENOENT || ERRNO_IS_PRIVILEGE(r)) + if (r == -ENOENT || (r < 0 && ERRNO_IS_PRIVILEGE(r))) return log_tests_skipped_errno(r, "can't get threads max"); assert(r >= 0); log_info("kernel.threads-max: %"PRIu64, threads_max); diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c index a7de3c87fe..978d371268 100644 --- a/src/tmpfiles/tmpfiles.c +++ b/src/tmpfiles/tmpfiles.c @@ -1883,7 +1883,7 @@ static int create_directory_or_subvolume( } else r = 0; - if (!subvol || ERRNO_IS_NOT_SUPPORTED(r)) + if (!subvol || (r < 0 && ERRNO_IS_NOT_SUPPORTED(r))) WITH_UMASK(0000) r = mkdirat_label(pfd, bn, mode); |