[lxc-devel] [PATCH 1/2] seccomp: warn but continue on unresolvable syscalls
Stéphane Graber
stgraber at ubuntu.com
Wed Jun 18 20:41:47 UTC 2014
On Wed, Jun 18, 2014 at 07:36:37PM +0000, Serge Hallyn wrote:
> If a syscall is listed which is not resolvable, continue. This allows
> us to keep a more complete list of syscalls in a global seccomp policy
> without having to worry about older kernels not supporting the newer
> syscalls.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> src/lxc/seccomp.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
> index d75defe..fadc190 100644
> --- a/src/lxc/seccomp.c
> +++ b/src/lxc/seccomp.c
> @@ -235,8 +235,10 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
> }
> nr = seccomp_syscall_resolve_name_arch(arch, line);
> if (nr < 0) {
> - ERROR("Failed to resolve syscall: %s", line);
> - goto bad_rule;
> + WARN("Seccomp: failed to resolve syscall: %s (returned %d)",
> + line, nr);
> + WARN("This syscall will NOT be blacklisted");
> + continue;
> }
> ret = seccomp_rule_add(ctx ? ctx : conf->seccomp_ctx,
> action, nr, 0);
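Review bot: The second WARN in the `nr < 0` branch hardcodes "This syscall will NOT be blacklisted", but the rule being skipped is added with the variable `action`, so the message is only accurate when the policy is a blacklist. Wording it in terms of the skipped rule (for example "rule for this syscall will be skipped") would stay correct for any action. Also, the `continue` handles every negative return from seccomp_syscall_resolve_name_arch() the same way, so a misspelled name in the policy now takes the same path as a syscall that is too new to resolve, and its rule is dropped with nothing but a warning. The commit message or the policy documentation should say that these warnings need to be checked after editing a policy.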
> --
> 2.0.0
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com