From dfddc8aa7ef3362212f8394995088a5f525730dd Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Fri, 25 May 2018 13:27:50 +0200
Subject: [PATCH] seccomp: make do_resolve_add_rule() more strict

Let's error out on syscalls that cannot be resolved or fail to resolve instead of just warning users.

Signed-off-by: Christian Brauner
---
 src/lxc/seccomp.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index ab40473e4..7ae76a71c 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -500,14 +500,12 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
 nr = seccomp_syscall_resolve_name(line);
 if (nr == __NR_SCMP_ERROR) {
 WARN("Failed to resolve syscall \"%s\"", line);
- WARN("This syscall will NOT be blacklisted");
- return true;
+ return false;
 }
 
 if (nr < 0) {
 WARN("Got negative return value %d for syscall \"%s\"", nr, line);
- WARN("This syscall will NOT be blacklisted");
- return true;
+ return false;
 }
 
 memset(&arg_cmp, 0, sizeof(arg_cmp));
-- 
2.47.2
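Review bot: Both `return false` paths are now hard failures of the rule load, yet the message just above each is still logged at WARN level, so an operator whose container refuses to start sees only a warning in the log; those two lines should become `ERROR("Failed to resolve syscall \"%s\"", line);` and `ERROR("Got negative return value %d for syscall \"%s\"", nr, line);`. Failing closed on a name that libseccomp cannot resolve at all (`__NR_SCMP_ERROR`) is the right default for a blacklist, since silently skipping the entry left the syscall unfiltered. The second branch is less clear-cut: a negative value other than `__NR_SCMP_ERROR` is, as far as I know, libseccomp's pseudo-number for a syscall that is valid but not implemented on the native architecture, so turning that into a hard failure would make one profile unloadable on some arches; consider keeping `return true` there with the warning, or say in the commit message that this non-portability is intended. The body of do_resolve_add_rule continues outside the hunk on both sides, so I cannot see how the caller reports the false return.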