Attempt to clarify error message for missing CONFIG_SECCOMP_FILTER

General-purpose desktop distributions are compiled with CONFIG_SECCOMP
and CONFIG_SECCOMP_FILTER, but vendor kernels for phones and other
assorted embedded devices don't necessarily enable these options. These
kernels are unsuitable for running Flatpak, or anything else that relies
on `bwrap --seccomp` or `bwrap --add-seccomp-fd`.

Missing CONFIG_SECCOMP or CONFIG_SECCOMP_FILTER is not the *only* reason
why we could get EINVAL here: I think we'd also get EINVAL if the seccomp
program is syntactically invalid. However, it's a relatively likely reason,
so it seems worth providing a hint.

Helps: flatpak/flatpak#3069
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie
2023-01-23 11:28:50 +00:00
parent 41fd02ad14
commit 2f873fa8ae

@@ -288,7 +288,15 @@ seccomp_programs_apply (void)
for (program = seccomp_programs; program != NULL; program = program->next)
{
if (prctl (PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &program->program) != 0)
die_with_error ("prctl(PR_SET_SECCOMP)");
{
if (errno == EINVAL)
die ("Unable to set up system call filtering as requested: "
"prctl(PR_SET_SECCOMP) reported EINVAL. "
"(Hint: this requires a kernel configured with "
"CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER.)");
die_with_error ("prctl(PR_SET_SECCOMP)");
}
}
}
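Review bot: The `if (errno == EINVAL)` branch has no code comment recording that EINVAL is ambiguous here. The commit message notes that an invalid seccomp program is also thought to produce EINVAL, but someone reading only seccomp_programs_apply() will not see that, and the hint text names only the kernel configuration. Consider a one-line comment above the check explaining that the kernel options are a likely cause rather than the only one, and softening the hint to something like "this might mean the kernel lacks CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER" so that a user who passed a malformed program via `--seccomp` or `--add-seccomp-fd` is not sent to rebuild a kernel that is already configured correctly. The trailing `die_with_error ("prctl(PR_SET_SECCOMP)")` correctly keeps the old behaviour for every other errno value.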