diff options
| author | Daniel P. Berrangé <berrange@redhat.com> | 2019-03-27 10:47:28 +0100 |
|---|---|---|
| committer | Eduardo Otubo <otubo@redhat.com> | 2019-03-27 13:11:38 +0100 |
| commit | 035121d23abcafcc2f346627d48132073d2e71d7 (patch) | |
| tree | b4022a2939cab3bbb41e77cbfe9bf2f1f58a2e15 /qemu-seccomp.c | |
| parent | 9a1565a03b79d80b236bc7cc2dbce52a2ef3a1b8 (diff) | |
seccomp: report more useful errors from seccomp
Most of the seccomp functions return errnos as a negative return
value. The code is currently ignoring these and reporting a generic
error message for all seccomp failure scenarios making debugging
painful. Report a more precise error from each failed call and include
errno if it is available.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
Diffstat (limited to 'qemu-seccomp.c')
| -rw-r--r-- | qemu-seccomp.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/qemu-seccomp.c b/qemu-seccomp.c index cf520883c7..e0a1829b3d 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -155,20 +155,22 @@ static uint32_t qemu_seccomp_get_action(int set) } -static int seccomp_start(uint32_t seccomp_opts) +static int seccomp_start(uint32_t seccomp_opts, Error **errp) { - int rc = 0; + int rc = -1; unsigned int i = 0; scmp_filter_ctx ctx; ctx = seccomp_init(SCMP_ACT_ALLOW); if (ctx == NULL) { - rc = -1; + error_setg(errp, "failed to initialize seccomp context"); goto seccomp_return; } rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); if (rc != 0) { + error_setg_errno(errp, -rc, + "failed to set seccomp thread synchronization"); goto seccomp_return; } @@ -182,15 +184,21 @@ static int seccomp_start(uint32_t seccomp_opts) rc = seccomp_rule_add_array(ctx, action, blacklist[i].num, blacklist[i].narg, blacklist[i].arg_cmp); if (rc < 0) { + error_setg_errno(errp, -rc, + "failed to add seccomp blacklist rules"); goto seccomp_return; } } rc = seccomp_load(ctx); + if (rc < 0) { + error_setg_errno(errp, -rc, + "failed to load seccomp syscall filter in kernel"); + } seccomp_return: seccomp_release(ctx); - return rc; + return rc < 0 ? -1 : 0; } #ifdef CONFIG_SECCOMP @@ -260,9 +268,7 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) } } - if (seccomp_start(seccomp_opts) < 0) { - error_setg(errp, "failed to install seccomp syscall filter " - "in the kernel"); + if (seccomp_start(seccomp_opts, errp) < 0) { return -1; } } |