seccomp: make do_resolve_add_rule() more strict
authorChristian Brauner <christian.brauner@ubuntu.com>
Fri, 25 May 2018 11:27:50 +0000 (13:27 +0200)
committerChristian Brauner <christian.brauner@ubuntu.com>
Fri, 25 May 2018 11:27:50 +0000 (13:27 +0200)
Let's error out on syscalls that cannot be resolved or fail to resolve instead
of just warning users.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
src/lxc/seccomp.c

index ab40473e492bda277fb4b84c49372cba1193e486..7ae76a71ca5875efa20798bc749087c9241cc27f 100644 (file)
@@ -500,14 +500,12 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
        nr = seccomp_syscall_resolve_name(line);
        if (nr == __NR_SCMP_ERROR) {
                WARN("Failed to resolve syscall \"%s\"", line);
-               WARN("This syscall will NOT be blacklisted");
-               return true;
+               return false;
        }
 
        if (nr < 0) {
                WARN("Got negative return value %d for syscall \"%s\"", nr, line);
-               WARN("This syscall will NOT be blacklisted");
-               return true;
+               return false;
        }
 
        memset(&arg_cmp, 0, sizeof(arg_cmp));
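Review bot: Both failure branches now return false but still log through WARN(), so if this return value aborts the seccomp policy load (the caller is outside the hunk), the operator is left with only a warning-level message for a fatal condition. Raise both to error level, e.g. `ERROR("Failed to resolve syscall \"%s\"", line);` and `ERROR("Got negative return value %d for syscall \"%s\"", nr, line);`. The `nr < 0` branch also deserves a comment: libseccomp may return negative pseudo-numbers for syscalls that do not exist on the native architecture, so a policy file shared across architectures could now be rejected where it previously loaded with that entry skipped. Something like `/* fail closed: a rule we cannot install must not be silently dropped */` would record that this is intended. do_resolve_add_rule() starts and ends outside the hunk.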