nspawn: log syscalls we cannot add at debug level
[thirdparty/systemd.git] / src / nspawn / nspawn-seccomp.c
index 0b39cda9ba9b8f4c7dc4e56f4938a4cd1e458bdd..f94f131f22e29663a903346bebc4cf636d651765 100644 (file)
@@ -139,11 +139,10 @@ static int seccomp_add_default_syscall_filter(
                  */
         };
 
-        int r;
-        size_t i;
         char **p;
+        int r;
 
-        for (i = 0; i < ELEMENTSOF(whitelist); i++) {
+        for (size_t i = 0; i < ELEMENTSOF(whitelist); i++) {
                 if (whitelist[i].capability != 0 && (cap_list_retain & (1ULL << whitelist[i].capability)) == 0)
                         continue;
 
@@ -153,7 +152,7 @@ static int seccomp_add_default_syscall_filter(
         }
 
         STRV_FOREACH(p, syscall_whitelist) {
-                r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false);
+                r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, true);
                 if (r < 0)
                         log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
                                           *p, seccomp_arch_to_string(arch));
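Review bot: The bare `true` passed as the last argument in the `STRV_FOREACH` loop does not say what it enables. Going by the commit title it turns on debug-level logging for entries that cannot be added, so a short comment above the call would help, for example `/* Log entries we cannot resolve at debug level */`. `syscall_whitelist` is presumably the caller-supplied allow list, so an entry dropped this way leaves the container with a stricter filter than was requested. That fails closed, but it is reported only at debug level while the `r < 0` path just below warns, so it is worth confirming the difference in severity is intended. The function starts and ends outside this hunk, and the corresponding call in the first loop is not visible, so whether it passes the same flag cannot be checked from here.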