[lxc-devel] [lxc/master] seccomp: do not set SECCOMP_FILTER_FLAG_NEW_LISTENER

brauner on Github lxc-bot at linuxcontainers.org
Wed Jun 12 12:06:48 UTC 2019


From f73adb35fbbd164c2bfc975dc4a8b7e8292f4e37 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 12 Jun 2019 13:42:25 +0200
Subject: [PATCH] seccomp: do not set SECCOMP_FILTER_FLAG_NEW_LISTENER

Do not set SECCOMP_FILTER_FLAG_NEW_LISTENER as a seccomp attribute.
Prior to libseccomp merging support for SECCOMP_RET_USER_NOTIF there was a
libseccomp-specific attribute that needed to be set before
SECCOMP_RET_USER_NOTIF could be used. This has been removed.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/seccomp.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index d49596fdf6..1e688a4517 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -944,11 +944,6 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 #if HAVE_DECL_SECCOMP_NOTIFY_FD
 		if ((rule.action == SCMP_ACT_NOTIFY) &&
 		    !conf->seccomp.notifier.wants_supervision) {
-			ret = seccomp_attr_set(conf->seccomp.seccomp_ctx,
-					       SECCOMP_FILTER_FLAG_NEW_LISTENER, 1);
-			if (ret)
-				goto bad_rule;
-
 			conf->seccomp.notifier.wants_supervision = true;
 			TRACE("Set SECCOMP_FILTER_FLAG_NEW_LISTENER attribute");
 		}
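
Review bot: the TRACE("Set SECCOMP_FILTER_FLAG_NEW_LISTENER attribute") line left as context at the end of this hunk is now inaccurate, because the seccomp_attr_set() call it described is gone and the block only sets conf->seccomp.notifier.wants_supervision = true. Reword the trace to say that notifier supervision was requested for a SCMP_ACT_NOTIFY rule, or drop it, so debug logs do not claim an attribute was set. The commit message would also be easier to act on if it named the libseccomp change that removed the attribute, so anyone building against an older libseccomp can tell whether the call is still required there.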

