X-Git-Url: http://git.archive.openwrt.org/?p=project%2Fprocd.git;a=blobdiff_plain;f=jail%2Fseccomp.c;h=27bf3ce5f94c340c9e7a29ad8563e91c29adedf8;hp=de01fc68df116ea2f84e93b409184bac6a6f9807;hb=7f9b174026a318862d6b2073e81ef62c82a9d18e;hpb=dfcfcca7baf2b22d8dac1a724bdb7dd9d52f4c05

diff --git a/jail/seccomp.c b/jail/seccomp.c
index de01fc6..27bf3ce 100644
--- a/jail/seccomp.c
+++ b/jail/seccomp.c
@@ -10,11 +10,9 @@
  * found in the LICENSE file.
  */
 #define _GNU_SOURCE 1
-#include <stdio.h>
 #include <stddef.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include <syslog.h>
 
 #include <libubox/utils.h>
 #include <libubox/blobmsg.h>
@@ -69,13 +67,13 @@ int install_syscall_filter(const char *argv, const char *file)
 
 	blob_buf_init(&b, 0);
 	if (!blobmsg_add_json_from_file(&b, file)) {
-		INFO("%s: failed to load %s\n", argv, file);
+		ERROR("%s: failed to load %s\n", argv, file);
 		return -1;
 	}
 
 	blobmsg_parse(policy, __SECCOMP_MAX, tb, blob_data(b.head), blob_len(b.head));
 	if (!tb[SECCOMP_WHITELIST]) {
-		INFO("%s: %s is missing the syscall table\n", argv, file);
+		ERROR("%s: %s is missing the syscall table\n", argv, file);
 		return -1;
 	}
 
@@ -87,7 +85,7 @@ int install_syscall_filter(const char *argv, const char *file)
 
 	filter = calloc(sz, sizeof(struct sock_filter));
 	if (!filter) {
-		INFO("failed to allocate filter memory\n");
+		ERROR("failed to allocate filter memory\n");
 		return -1;
 	}
 
@@ -120,14 +118,14 @@ int install_syscall_filter(const char *argv, const char *file)
 	}
 
 	if (default_policy)
-		/* return -1 and set errno */
-		set_filter(&filter[idx], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_LOGGER(default_policy));
+		/* notify tracer; without tracer return -1 and set errno to ENOSYS */
+		set_filter(&filter[idx], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_TRACE);
 	else
 		/* kill the process */
 		set_filter(&filter[idx], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_KILL);
 
 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-		INFO("%s: prctl(PR_SET_NO_NEW_PRIVS) failed: %s\n", argv, strerror(errno));
+		ERROR("%s: prctl(PR_SET_NO_NEW_PRIVS) failed: %s\n", argv, strerror(errno));
 		return errno;
 	}
 
@@ -135,7 +133,7 @@ int install_syscall_filter(const char *argv, const char *file)
 	prog.filter = filter;
 
 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
-		INFO("%s: prctl(PR_SET_SECCOMP) failed: %s\n", argv, strerror(errno));
+		ERROR("%s: prctl(PR_SET_SECCOMP) failed: %s\n", argv, strerror(errno));
 		return errno;
 	}
 	return 0;