qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] seccomp: report more useful errors from seccomp

From: Marc-André Lureau
Subject: Re: [Qemu-devel] [PATCH] seccomp: report more useful errors from seccomp
Date: Mon, 25 Mar 2019 16:25:19 +0100 
Hi

On Mon, Mar 25, 2019 at 3:07 PM Daniel P. Berrangé <address@hidden> wrote:
>
> Most of the seccomp functions return errnos as a negative return
> value. The code is currently ignoring these and reporting a generic
> error message for all seccomp failure scenarios making debugging
> painful. Report a more precise error from each failed call and include
> errno if it is available.
>
> Signed-off-by: Daniel P. Berrangé <address@hidden>

Is this for 4.0? Eligible imho.

Reviewed-by: Marc-André Lureau <address@hidden>

> ---
>  qemu-seccomp.c | 20 +++++++++++++-------
>  1 file changed, 13 insertions(+), 7 deletions(-)
>
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index 36d5829831..8daa9e0528 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -138,21 +138,23 @@ static uint32_t qemu_seccomp_get_kill_action(void)
>  }
>
>
> -static int seccomp_start(uint32_t seccomp_opts)
> +static int seccomp_start(uint32_t seccomp_opts, Error **errp)
>  {
> -    int rc = 0;
> +    int rc = -1;
>      unsigned int i = 0;
>      scmp_filter_ctx ctx;
>      uint32_t action = qemu_seccomp_get_kill_action();
>
>      ctx = seccomp_init(SCMP_ACT_ALLOW);
>      if (ctx == NULL) {
> -        rc = -1;
> +        error_setg(errp, "failed to initialize seccomp context");
>          goto seccomp_return;
>      }
>
>      rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
>      if (rc != 0) {
> +        error_setg_errno(errp, -rc,
> +                         "failed to set seccomp thread synchronization");
>          goto seccomp_return;
>      }
>
> @@ -164,15 +166,21 @@ static int seccomp_start(uint32_t seccomp_opts)
>          rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
>                                      blacklist[i].narg, blacklist[i].arg_cmp);
>          if (rc < 0) {
> +            error_setg_errno(errp, -rc,
> +                             "failed to add seccomp blacklist rules");
>              goto seccomp_return;
>          }
>      }
>
>      rc = seccomp_load(ctx);
> +    if (rc < 0) {
> +        error_setg_errno(errp, -rc,
> +                         "failed to load seccomp syscall filter in kernel");
> +    }
>
>    seccomp_return:
>      seccomp_release(ctx);
> -    return rc;
> +    return rc < 0 ? -1 : 0;
>  }
>
>  #ifdef CONFIG_SECCOMP
> @@ -242,9 +250,7 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error 
> **errp)
>              }
>          }
>
> -        if (seccomp_start(seccomp_opts) < 0) {
> -            error_setg(errp, "failed to install seccomp syscall filter "
> -                       "in the kernel");
> +        if (seccomp_start(seccomp_opts, errp) < 0) {
>              return -1;
>          }
>      }
> --
> 2.20.1
>
>


-- 
Marc-André Lureau
reply via email to
[Prev in Thread] Current Thread [Next in Thread]