Better error on failure to load seccomp2 sandbox

There are two reasons this is likeliest to happen -- no kernel
support, and some bug in Tor.  We'll ask people to check the former
before they report. Closes 23090.

diff --git a/changes/feature23090 b/changes/feature23090
new file mode 100644 (file)
index 0000000..44cdac5
--- /dev/null
+++ b/changes/feature23090
@@ -0,0 +1,3 @@
+  o Minor features (linux seccomp2 sandbox):
+    - If the sandbox filter fails to load, suggest to the user that their
+      kernel might not support seccomp2. Closes ticket 23090.

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 18beaabe14dec3eea357e881fe7692b09edbed00..a85b1406fa120e6210feaeeea58461775820d748 100644 (file)
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -1638,7 +1638,9 @@ install_syscall_filter(sandbox_cfg_t* cfg)
 
   // loading the seccomp2 filter
   if ((rc = seccomp_load(ctx))) {
-    log_err(LD_BUG, "(Sandbox) failed to load: %d (%s)!", rc,
+    log_err(LD_BUG, "(Sandbox) failed to load: %d (%s)! "
+            "Are you sure that your kernel has seccomp2 support? The "
+            "sandbox won't work without it.", rc,
             strerror(-rc));
     goto end;
   }