From: Christian Brauner
Date: Fri, 25 May 2018 11:27:50 +0000 (+0200)
Subject: seccomp: make do_resolve_add_rule() more strict
X-Git-Tag: lxc-3.1.0~287^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dfddc8aa7ef3362212f8394995088a5f525730dd;p=thirdparty%2Flxc.git
seccomp: make do_resolve_add_rule() more strict
Let's error out on syscalls that cannot be resolved or fail to resolve instead of just warning users.
Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index ab40473e4..7ae76a71c 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -500,14 +500,12 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
 nr = seccomp_syscall_resolve_name(line);
 if (nr == __NR_SCMP_ERROR) {
 WARN("Failed to resolve syscall \"%s\"", line);
- WARN("This syscall will NOT be blacklisted");
- return true;
+ return false;
 }
 if (nr < 0) {
 WARN("Got negative return value %d for syscall \"%s\"", nr, line);
- WARN("This syscall will NOT be blacklisted");
- return true;
+ return false;
 }
 memset(&arg_cmp, 0, sizeof(arg_cmp));
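Review bot: Both failure paths in do_resolve_add_rule() now abort with `return false` but still log through `WARN`, so at a log level that hides warnings the operator may get a policy load failure with no message naming the offending syscall; `ERROR("Failed to resolve syscall \"%s\"", line);` and the same switch in the `nr < 0` branch would match the new behaviour. The `nr < 0` branch also deserves a second look: as far as I know libseccomp can return negative pseudo-syscall numbers for names that exist on another architecture but not on the native one, so a policy shared across architectures would now be rejected where it used to skip the entry. Failing closed is the safer default for a blacklist entry, because a silently dropped rule leaves the syscall allowed, and a short comment above the two checks stating that intent (something like `/* An unresolved entry is fatal: skipping it would leave the syscall unfiltered. */`) would keep a later change from relaxing it by accident. The function body starts and ends outside the hunk, so how the caller reports the `false` return is not visible here.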