[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] seccomp: report more useful errors from seccomp
From: |
Marc-André Lureau |
Subject: |
Re: [Qemu-devel] [PATCH] seccomp: report more useful errors from seccomp |
Date: |
Mon, 25 Mar 2019 16:25:19 +0100 |
Hi
On Mon, Mar 25, 2019 at 3:07 PM Daniel P. Berrangé <address@hidden> wrote:
>
> Most of the seccomp functions return errnos as a negative return
> value. The code is currently ignoring these and reporting a generic
> error message for all seccomp failure scenarios making debugging
> painful. Report a more precise error from each failed call and include
> errno if it is available.
>
> Signed-off-by: Daniel P. Berrangé <address@hidden>
Is this for 4.0? Eligible imho.
Reviewed-by: Marc-André Lureau <address@hidden>
> ---
> qemu-seccomp.c | 20 +++++++++++++-------
> 1 file changed, 13 insertions(+), 7 deletions(-)
>
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index 36d5829831..8daa9e0528 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -138,21 +138,23 @@ static uint32_t qemu_seccomp_get_kill_action(void)
> }
>
>
> -static int seccomp_start(uint32_t seccomp_opts)
> +static int seccomp_start(uint32_t seccomp_opts, Error **errp)
> {
> - int rc = 0;
> + int rc = -1;
> unsigned int i = 0;
> scmp_filter_ctx ctx;
> uint32_t action = qemu_seccomp_get_kill_action();
>
> ctx = seccomp_init(SCMP_ACT_ALLOW);
> if (ctx == NULL) {
> - rc = -1;
> + error_setg(errp, "failed to initialize seccomp context");
> goto seccomp_return;
> }
>
> rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
> if (rc != 0) {
> + error_setg_errno(errp, -rc,
> + "failed to set seccomp thread synchronization");
> goto seccomp_return;
> }
>
> @@ -164,15 +166,21 @@ static int seccomp_start(uint32_t seccomp_opts)
> rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
> blacklist[i].narg, blacklist[i].arg_cmp);
> if (rc < 0) {
> + error_setg_errno(errp, -rc,
> + "failed to add seccomp blacklist rules");
> goto seccomp_return;
> }
> }
>
> rc = seccomp_load(ctx);
> + if (rc < 0) {
> + error_setg_errno(errp, -rc,
> + "failed to load seccomp syscall filter in kernel");
> + }
>
> seccomp_return:
> seccomp_release(ctx);
> - return rc;
> + return rc < 0 ? -1 : 0;
> }
>
> #ifdef CONFIG_SECCOMP
> @@ -242,9 +250,7 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error
> **errp)
> }
> }
>
> - if (seccomp_start(seccomp_opts) < 0) {
> - error_setg(errp, "failed to install seccomp syscall filter "
> - "in the kernel");
> + if (seccomp_start(seccomp_opts, errp) < 0) {
> return -1;
> }
> }
> --
> 2.20.1
>
>
--
Marc-André Lureau