diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 9b3648065b..04a034f273 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2800,7 +2800,16 @@ setup_seccomp (FlatpakBwrap *bwrap,
 r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg);
 else
 r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
- if (r < 0 && r == -EFAULT /* unknown syscall */)
+
+ /* EFAULT means "internal libseccomp error", but in practice we get
+ * this for syscall numbers added via flatpak-syscalls-private.h
+ * when trying to filter them on a non-native architecture, because
+ * libseccomp cannot map the syscall number to a name and back to a
+ * number for the non-native architecture. */
+ if (r == -EFAULT)
+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
+ scall);
+ else if (r < 0)
 return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
 }
@@ -2818,7 +2827,11 @@ setup_seccomp (FlatpakBwrap *bwrap,
 else
 r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
- if (r < 0 && r == -EFAULT /* unknown syscall */)
+ /* See above for the meaning of EFAULT. */
+ if (errno == EFAULT)
+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
+ scall);
+ else if (r < 0)
 return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
 }
 }
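Review bot: In the first loop's new `if (r == -EFAULT)` branch, setup continues with that syscall missing from the filter, and the only trace is a `flatpak_debug2` message, which presumably does not appear in normal runs. The added comment itself says EFAULT formally means an internal libseccomp error, so this branch tolerates any such failure, not only the non-native-architecture case it describes. I would state that consequence in the comment, for example `/* On this path the syscall is left unfiltered and setup continues. */`. It is also worth deciding whether a dropped blocklist entry should be reported at a level visible by default. The enclosing loop and the rest of `setup_seccomp` lie outside the hunk.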
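Review bot: The second loop tests `errno == EFAULT` where the first loop tests `r == -EFAULT`. Both the old and new code compare the return value with `-EFAULT`, which indicates that `seccomp_rule_add` reports failure through `r`, so `errno` here is whatever an earlier call left behind. A stale `errno` of EFAULT would skip the `else if (r < 0)` check, letting a real failure to install the rule pass with only a debug message. Conversely, a genuine `r == -EFAULT` with a different `errno` would abort setup, contrary to the comment. The condition should read `if (r == -EFAULT)`, matching the first hunk; the enclosing loop begins outside this hunk.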