diff options
author | Felipe Sateler <fsateler@gmail.com> | 2016-09-06 20:25:22 -0300 |
---|---|---|
committer | Felipe Sateler <fsateler@gmail.com> | 2016-09-06 20:25:49 -0300 |
commit | 1cec406d62f00a7642c94834010a60548ae99d96 (patch) | |
tree | b5eea543518154a151808cea1ebead42630b3596 | |
parent | d347d9029c7ec6b30eaaab93649105d935061b55 (diff) |
nspawn: detect SECCOMP availability, skip audit filter if unavailable
Fail hard if SECCOMP was detected but could not be installed
-rw-r--r-- | src/nspawn/nspawn-seccomp.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c index 3ab7160ebe..44a0b397ab 100644 --- a/src/nspawn/nspawn-seccomp.c +++ b/src/nspawn/nspawn-seccomp.c @@ -130,6 +130,11 @@ int setup_seccomp(uint64_t cap_list_retain) { scmp_filter_ctx seccomp; int r; + if (!is_seccomp_available()) { + log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP audit filter"); + return 0; + } + seccomp = seccomp_init(SCMP_ACT_ALLOW); if (!seccomp) return log_oom(); @@ -173,11 +178,6 @@ int setup_seccomp(uint64_t cap_list_retain) { } r = seccomp_load(seccomp); - if (r == -EINVAL) { - log_debug_errno(r, "Kernel is probably not configured with CONFIG_SECCOMP. Disabling seccomp audit filter: %m"); - r = 0; - goto finish; - } if (r < 0) { log_error_errno(r, "Failed to install seccomp audit filter: %m"); goto finish; |