seccomp: ensure rules are loaded in seccomp_memory_deny_write_execute

If seccomp_memory_deny_write_execute was fatally failing to load rules it
already returned a bad retval.
But if any adding filters failed it skipped the subsequent seccomp_load and
always returned an rc of 0 even if no rule was loaded at all.

Lets fix this requiring to (non fatally-failing) load at least one rule set.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
(cherry picked from commit 903659e7b242c3cc897e32835f1918d380b24e5f)

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index fc813dd5150145f55d0f38058901953cd4b99900..cf086d22fbd0bf175e02b730b04087f64b613078 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1584,6 +1584,7 @@ assert_cc(SCMP_SYS(shmdt) > 0);
 int seccomp_memory_deny_write_execute(void) {
         uint32_t arch;
         int r;
+        int loaded = 0;
 
         SECCOMP_FOREACH_LOCAL_ARCH(arch) {
                 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
@@ -1678,9 +1679,13 @@ int seccomp_memory_deny_write_execute(void) {
                         return r;
                 if (r < 0)
                         log_debug_errno(r, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+                loaded++;
         }
 
-        return 0;
+        if (loaded == 0)
+                log_debug_errno(r, "Failed to install any seccomp rules for MemoryDenyWriteExecute=");
+
+        return loaded;
 }
 
 int seccomp_restrict_archs(Set *archs) {