Browse Source

seccomp: report more useful errors from seccomp

Most of the seccomp functions return errnos as a negative return
value. The code is currently ignoring these and reporting a generic
error message for all seccomp failure scenarios making debugging
painful. Report a more precise error from each failed call and include
errno if it is available.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
tags/v4.0.0-rc2
Daniel P. Berrangé 5 months ago
parent
commit
035121d23a
1 changed files with 13 additions and 7 deletions
  1. 13
    7
      qemu-seccomp.c

+ 13
- 7
qemu-seccomp.c View File

@@ -155,20 +155,22 @@ static uint32_t qemu_seccomp_get_action(int set)
}


static int seccomp_start(uint32_t seccomp_opts)
static int seccomp_start(uint32_t seccomp_opts, Error **errp)
{
int rc = 0;
int rc = -1;
unsigned int i = 0;
scmp_filter_ctx ctx;

ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL) {
rc = -1;
error_setg(errp, "failed to initialize seccomp context");
goto seccomp_return;
}

rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
if (rc != 0) {
error_setg_errno(errp, -rc,
"failed to set seccomp thread synchronization");
goto seccomp_return;
}

@@ -182,15 +184,21 @@ static int seccomp_start(uint32_t seccomp_opts)
rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
blacklist[i].narg, blacklist[i].arg_cmp);
if (rc < 0) {
error_setg_errno(errp, -rc,
"failed to add seccomp blacklist rules");
goto seccomp_return;
}
}

rc = seccomp_load(ctx);
if (rc < 0) {
error_setg_errno(errp, -rc,
"failed to load seccomp syscall filter in kernel");
}

seccomp_return:
seccomp_release(ctx);
return rc;
return rc < 0 ? -1 : 0;
}

#ifdef CONFIG_SECCOMP
@@ -260,9 +268,7 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)
}
}

if (seccomp_start(seccomp_opts) < 0) {
error_setg(errp, "failed to install seccomp syscall filter "
"in the kernel");
if (seccomp_start(seccomp_opts, errp) < 0) {
return -1;
}
}

Loading…
Cancel
Save