[lxc-devel] [lxc/master] seccomp: handle all errors

brauner on Github lxc-bot at linuxcontainers.org
Fri Apr 13 16:01:25 UTC 2018 

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20180413/6462cea2/attachment.bin>
-------------- next part --------------
From adfee3a873291bf2ec1ba0e079bccfd05eefdd1f Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 13 Apr 2018 18:00:23 +0200
Subject: [PATCH] seccomp: handle all errors

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/seccomp.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 5da31a563..60118852d 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -371,20 +371,34 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
 	}
 #endif
 
-	if (seccomp_arch_exist(ctx, arch) == -EEXIST) {
+	ret = seccomp_arch_exist(ctx, arch);
+	if (ret < 0) {
+		if (ret != -EEXIST) {
+			ERROR("%s - Failed to determine whether arch %d is "
+			      "already present in the main seccomp context",
+			       strerror(-ret), (int)n_arch);
+			seccomp_release(ctx);
+			return NULL;
+		}
+
 		ret = seccomp_arch_add(ctx, arch);
 		if (ret != 0) {
-			ERROR("Seccomp error %d (%s) adding arch: %d", ret,
-					strerror(-ret), (int)n_arch);
+			ERROR("%s - Failed to add arch %d to main seccomp context",
+			      strerror(-ret), (int)n_arch);
 			seccomp_release(ctx);
 			return NULL;
 		}
+		TRACE("Added arch %d to main seccomp context", (int)n_arch);
 
-		if (seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE) != 0) {
-			ERROR("Seccomp error removing native arch");
+		ret = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+		if (ret != 0) {
+			ERROR("Failed to remove native arch from main seccomp context");
 			seccomp_release(ctx);
 			return NULL;
 		}
+		TRACE("Removed native arch from main seccomp context");
+	} else {
+		TRACE("Arch %d already present in main seccomp context", (int)n_arch);
 	}
 
 	return ctx;

More information about the lxc-devel mailing list