From 084a46d7c56a3f5812bb63f3e1a860c8952e6e0d Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 8 Mar 2021 11:57:59 +0900
Subject: core,seccomp: refuse to specify errno for allow-listed syscalls

---
 src/core/dbus-execute.c   |  3 +++
 src/core/load-fragment.c  | 11 +++++++++--
 src/shared/seccomp-util.c |  3 +++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 399986db4a..4a1585f663 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -2252,6 +2252,9 @@ int bus_exec_context_set_transient_property(
                                 if (r < 0)
                                         return r;
 
+                                if (allow_list && e >= 0)
+                                        return -EINVAL;
+
                                 r = seccomp_parse_syscall_filter(n,
                                                                  e,
                                                                  c->syscall_filter,
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 41ee7b6438..c6fc4fe083 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -3209,13 +3209,20 @@ int config_parse_syscall_filter(
                 if (r == -ENOMEM)
                         return log_oom();
                 if (r < 0) {
-                        log_syntax(unit, LOG_WARNING, filename, line, r, "Invalid syntax, ignoring: %s", rvalue);
+                        log_syntax(unit, LOG_WARNING, filename, line, r,
+                                   "Invalid syntax, ignoring: %s", rvalue);
                         return 0;
                 }
 
                 r = parse_syscall_and_errno(word, &name, &num);
                 if (r < 0) {
-                        log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse syscall:errno, ignoring: %s", word);
+                        log_syntax(unit, LOG_WARNING, filename, line, r,
+                                   "Failed to parse syscall:errno, ignoring: %s", word);
+                        continue;
+                }
+                if (!invert && num >= 0) {
+                        log_syntax(unit, LOG_WARNING, filename, line, 0,
+                                   "Allow-listed system calls cannot take error number, ignoring: %s", word);
                         continue;
                 }
 
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 009992cfbf..3354f7bc08 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1135,6 +1135,9 @@ int seccomp_parse_syscall_filter(
         assert(name);
         assert(filter);
 
+        if (!FLAGS_SET(flags, SECCOMP_PARSE_INVERT) && errno_num >= 0)
+                return -EINVAL;
+
         if (name[0] == '@') {
                 const SyscallFilterSet *set;
                 const char *i;
-- 
cgit v1.2.3