[systemd-devel] [PATCH] refactored Re: [PATCH] nspawn: Map all seccomp filters to matching capabilities

[Topi Miettinen]

On 03/03/15 01:28, Jay Faulkner wrote:
> Hey,
> 
> Lennart reviewed this in IRC and suggested I refactor the change in this
> manner. Now, we have an array of capability:sys call pairs, and iterate
> through that and then only add the seccomp filter if the capability
> doesn’t exist.
> 
> The new patch is attached, and available
> here: https://github.com/jayofdoom/systemd/pull/5.patch. 

+typedef struct CapSeccompPair {
+        uint64_t capability;
+        int scmp_syscall_num;
+} CapSeccompPair;
...
+        static const CapSeccompPair blacklist[] = {
+                { SCMP_SYS(iopl), CAP_SYS_RAWIO },

The fields are swapped.

-Topi