[systemd-devel] [PATCH] refactored Re: [PATCH] nspawn: Map all seccomp filters to matching capabilities

Jay Faulkner jay at jvf.cc
Tue Mar 3 09:18:00 PST 2015


On Mar 3, 2015, at 8:55 AM, Topi Miettinen <toiwoton at gmail.com> wrote:

On 03/03/15 01:28, Jay Faulkner wrote:
Hey,

Lennart reviewed this in IRC and suggested I refactor the change in this
manner. Now, we have an array of capability:sys call pairs, and iterate
through that and then only add the seccomp filter if the capability
doesn’t exist.

The new patch is attached, and available
here: https://github.com/jayofdoom/systemd/pull/5.patch.

+typedef struct CapSeccompPair {
+        uint64_t capability;
+        int scmp_syscall_num;
+} CapSeccompPair;
...
+        static const CapSeccompPair blacklist[] = {
+                { SCMP_SYS(iopl), CAP_SYS_RAWIO },
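Review bot: the initializer `{ SCMP_SYS(iopl), CAP_SYS_RAWIO }` stores the syscall number in `capability` and the capability in `scmp_syscall_num`, the reverse of the struct declared just above it, so every lookup against this table would test the wrong values. Either reorder the entry to `{ CAP_SYS_RAWIO, SCMP_SYS(iopl) }` or, better, use designated initializers (`{ .capability = CAP_SYS_RAWIO, .scmp_syscall_num = SCMP_SYS(iopl) }`) so the table cannot be mis-ordered again as more pairs are added. Also worth making explicit: `capability` is declared `uint64_t`, which reads like a bit mask, while `CAP_SYS_RAWIO` is a capability index; whichever convention the comparison code relies on should be stated in a comment on the field.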

The fields are swapped.

-Topi


Thanks for the review! I’ve corrected the issue, and have the new patch attached and available here: https://github.com/jayofdoom/systemd/pull/5.patch.

-Jay Faulkner
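The table-driven approach described in the thread, as an added example written for this page (it is not the nspawn patch and uses its own names, for instance `select_syscall_filters` and `syscall_is_blocked`): each entry pairs a capability with a syscall that is only legitimate when that capability is held, and a syscall is filtered only when the container does not retain the capability. Designated initializers are used so the field order cannot be confused, which is exactly the defect caught in review above. The capability mask is assumed to be a `uint64_t` with one bit per `CAP_*` index; the seccomp rule installation itself is left to the caller, so the block builds without libseccomp.

```c
/* Added example: capability-gated syscall filtering, not the nspawn code itself. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <linux/capability.h>

typedef struct CapSeccompPair {
        uint64_t capability;  /* CAP_* index (not a mask) that makes the syscall legitimate */
        int      syscall_nr;  /* syscall to block when that capability is dropped */
} CapSeccompPair;

/* Assumption: retained capabilities are passed as a 64-bit mask, one bit per CAP_* index. */
#define CAP_TO_MASK_U64(c) (UINT64_C(1) << (c))
#define ELEMENTSOF(a) (sizeof(a) / sizeof((a)[0]))

/* Designated initializers: swapping the two fields is impossible here. */
static const CapSeccompPair blacklist[] = {
#ifdef SYS_iopl
        { .capability = CAP_SYS_RAWIO,  .syscall_nr = SYS_iopl },
#endif
#ifdef SYS_ioperm
        { .capability = CAP_SYS_RAWIO,  .syscall_nr = SYS_ioperm },
#endif
        { .capability = CAP_SYS_MODULE, .syscall_nr = SYS_init_module },
        { .capability = CAP_SYS_MODULE, .syscall_nr = SYS_finit_module },
        { .capability = CAP_SYS_MODULE, .syscall_nr = SYS_delete_module },
        { .capability = CAP_SYS_TIME,   .syscall_nr = SYS_settimeofday },
        { .capability = CAP_SYS_TIME,   .syscall_nr = SYS_clock_settime },
        { .capability = CAP_SYS_BOOT,   .syscall_nr = SYS_reboot },
        { .capability = CAP_SYS_BOOT,   .syscall_nr = SYS_kexec_load },
        { .capability = CAP_SYSLOG,     .syscall_nr = SYS_syslog },
};

/* Fills out[] with the syscall numbers that must be filtered for a container
 * retaining exactly retained_caps. Returns the total count, even if out_max
 * was too small, so callers can size the buffer. */
static size_t select_syscall_filters(uint64_t retained_caps, int *out, size_t out_max) {
        size_t n = 0;
        for (size_t i = 0; i < ELEMENTSOF(blacklist); i++) {
                if (retained_caps & CAP_TO_MASK_U64(blacklist[i].capability))
                        continue;  /* capability kept, so the syscall stays allowed */
                if (n < out_max)
                        out[n] = blacklist[i].syscall_nr;
                n++;
        }
        return n;
}

/* True if nr would be blocked for a container retaining retained_caps. */
static bool syscall_is_blocked(uint64_t retained_caps, int nr) {
        for (size_t i = 0; i < ELEMENTSOF(blacklist); i++)
                if (blacklist[i].syscall_nr == nr &&
                    !(retained_caps & CAP_TO_MASK_U64(blacklist[i].capability)))
                        return true;
        return false;
}

int main(void) {
        /* Constructed input: a container that keeps CAP_SYS_TIME but nothing else. */
        uint64_t retained = CAP_TO_MASK_U64(CAP_SYS_TIME);
        int nrs[ELEMENTSOF(blacklist)];
        size_t n = select_syscall_filters(retained, nrs, ELEMENTSOF(nrs));

        printf("%zu syscalls to filter:", n);
        for (size_t i = 0; i < n; i++)
                printf(" %d", nrs[i]);
        printf("\nsettimeofday blocked: %s\n",
               syscall_is_blocked(retained, SYS_settimeofday) ? "yes" : "no");
        return 0;
}
```

In a real filter each number returned by `select_syscall_filters` would be handed to libseccomp as a deny rule; keeping that step outside the selection logic is what makes the table testable without a kernel.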


