
seccomp: report more useful errors from seccomp

Most of the seccomp functions return errnos as a negative return
value. The code is currently ignoring these and reporting a generic
error message for all seccomp failure scenarios, which makes debugging
painful. Report a more precise error from each failed call and include
errno if it is available.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
Daniel P. Berrangé 2 months ago
parent
commit
035121d23a
1 changed files with 13 additions and 7 deletions
  1. 13
    7
      qemu-seccomp.c

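--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -155,20 +155,22 @@ static uint32_t qemu_seccomp_get_action(int set)
 }
 
 
-static int seccomp_start(uint32_t seccomp_opts)
+static int seccomp_start(uint32_t seccomp_opts, Error **errp)
 {
-    int rc = 0;
+    int rc = -1;
     unsigned int i = 0;
     scmp_filter_ctx ctx;
 
     ctx = seccomp_init(SCMP_ACT_ALLOW);
     if (ctx == NULL) {
-        rc = -1;
+        error_setg(errp, "failed to initialize seccomp context");
         goto seccomp_return;
     }
 
     rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
     if (rc != 0) {
+        error_setg_errno(errp, -rc,
+                         "failed to set seccomp thread synchronization");
         goto seccomp_return;
     }
 
@@ -182,15 +184,21 @@ static int seccomp_start(uint32_t seccomp_opts)
         rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
                                     blacklist[i].narg, blacklist[i].arg_cmp);
         if (rc < 0) {
+            error_setg_errno(errp, -rc,
+                             "failed to add seccomp blacklist rules");
             goto seccomp_return;
         }
     }
 
     rc = seccomp_load(ctx);
+    if (rc < 0) {
+        error_setg_errno(errp, -rc,
+                         "failed to load seccomp syscall filter in kernel");
+    }
 
   seccomp_return:
     seccomp_release(ctx);
-    return rc;
+    return rc < 0 ? -1 : 0;
 }
 
 #ifdef CONFIG_SECCOMP
@@ -260,9 +268,7 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)
             }
         }
 
-        if (seccomp_start(seccomp_opts) < 0) {
-            error_setg(errp, "failed to install seccomp syscall filter "
-                       "in the kernel");
+        if (seccomp_start(seccomp_opts, errp) < 0) {
             return -1;
         }
     }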
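Review bot: The new `return rc < 0 ? -1 : 0;` at the end of seccomp_start only maps negative values to failure, while the TSYNC branch above it is guarded by the pre-existing `if (rc != 0)` — so a positive return from seccomp_attr_set() would set *errp via the new error_setg_errno() call and then report success to parse_sandbox, i.e. the sandbox would fail open with an error object left dangling in errp. As far as I recall libseccomp documents only zero or negative-errno returns there, so this is latent today, but the Error API contract (errp set exactly when the call fails) should not rest on that; use `if (rc < 0) {` for the TSYNC check like the other two calls, or make the tail `return rc != 0 ? -1 : 0;`. Separately, the per-rule message in the blacklist loop is the one a debugger will hit most and it does not say which rule failed; something like `"failed to add seccomp blacklist rule for syscall %d", blacklist[i].num` would pin it (assuming num is an int-compatible field — its declaration is not in view). The head of the blacklist loop and the body of parse_sandbox lie outside the hunks shown.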
