This code
|
default_action = get_seccomp_action (def_action, default_errno_value, err); |
|
if (UNLIKELY (err && *err != NULL)) |
|
return -1; |
assumes that
*err == NULL before calling get_seccomp_action()
It seems that is not a valid assumption.
See this code path:
libcrun_generate_seccomp() is called in
seccomp_generation()
|
static int |
|
seccomp_generation (int seccomp_fd, const char *seccomp_bpf_data, |
|
struct libcrun_seccomp_gen_ctx_s *seccomp_gen_ctx, libcrun_error_t *err) |
|
{ |
|
int ret; |
|
|
|
if (seccomp_fd >= 0) |
|
{ |
|
if (seccomp_bpf_data != NULL) |
|
{ |
|
ret = libcrun_copy_seccomp (seccomp_gen_ctx, seccomp_bpf_data, err); |
|
if (UNLIKELY (ret < 0)) |
|
return ret; |
|
} |
|
else |
|
{ |
|
ret = libcrun_generate_seccomp (seccomp_gen_ctx, err); |
which is called in libcrun_container_run_internal()
|
ret = seccomp_generation (seccomp_fd, seccomp_bpf_data, &seccomp_gen_ctx, err); |
which is called in libcrun_container_run()
|
ret = libcrun_container_run_internal (container, context, NULL, err); |
which is called in the python integration code
|
libcrun_error_t err; |
|
PyObject *ctx_obj = NULL; |
|
PyObject *ctr_obj = NULL; |
|
libcrun_container_t *ctr; |
|
libcrun_context_t *ctx; |
|
int ret; |
|
|
|
if (!PyArg_ParseTuple (args, "OO", &ctx_obj, &ctr_obj)) |
|
return NULL; |
|
|
|
ctx = PyCapsule_GetPointer (ctx_obj, CONTEXT_OBJ_TAG); |
|
if (ctx == NULL) |
|
return NULL; |
|
|
|
ctr = PyCapsule_GetPointer (ctr_obj, CONTAINER_OBJ_TAG); |
|
if (ctr == NULL) |
|
return NULL; |
|
|
|
Py_BEGIN_ALLOW_THREADS; |
|
ret = libcrun_container_run (ctx, ctr, 0, &err); |
Note that err is not initialized on line 149 in crun_python.c
I noticed this when reading the source code.
