[lxc-devel] [PATCH 1/2] seccomp: warn but continue on unresolvable syscalls

Stéphane Graber stgraber at ubuntu.com
Wed Jun 18 20:41:47 UTC 2014


On Wed, Jun 18, 2014 at 07:36:37PM +0000, Serge Hallyn wrote:
> If a syscall is listed which is not resolvable, continue.  This allows
> us to keep a more complete list of syscalls in a global seccomp policy
> without having to worry about older kernels not supporting the newer
> syscalls.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/seccomp.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
> index d75defe..fadc190 100644
> --- a/src/lxc/seccomp.c
> +++ b/src/lxc/seccomp.c
> @@ -235,8 +235,10 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
>  		}
>  		nr = seccomp_syscall_resolve_name_arch(arch, line);
>  		if (nr < 0) {
> -			ERROR("Failed to resolve syscall: %s", line);
> -			goto bad_rule;
> +			WARN("Seccomp: failed to resolve syscall: %s (returned %d)",
> +				line, nr);
> +			WARN("This syscall will NOT be blacklisted");
> +			continue;
>  		}
>  		ret = seccomp_rule_add(ctx ? ctx : conf->seccomp_ctx,
>  				action, nr, 0);
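
Review bot: the second WARN in the `nr < 0` branch hard-codes "This syscall will NOT be blacklisted", yet the rule being skipped would have been added with the variable `action` passed to seccomp_rule_add() just below. Where `action` is an allow action, the message is wrong: the skipped syscall ends up not permitted rather than not blocked. Suggest wording the warning in terms of the rule being skipped (or branching on the policy type) and folding the two WARNs into one so the lines cannot be separated in the log. Also note that `nr < 0` now treats every resolution failure alike, so a misspelled name in a deny list is dropped the same way as a syscall an older kernel lacks, and that call is left unfiltered with only a warning. This trade-off is worth documenting next to the policy format.
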
> -- 
> 2.0.0

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com