[Qemu-devel] [PULL 2/2] seccomp: report more useful errors from seccomp
From: Daniel P. Berrangé
Most of the seccomp functions return errnos as a negative return
value. The code is currently ignoring these and reporting a generic
error message for all seccomp failure scenarios making debugging
painful. Report a more precise error from each failed call and include
errno if it is available.
Signed-off-by: Daniel P. Berrangé
Reviewed-by: Marc-André Lureau
Signed-off-by: Eduardo Otubo
---
qemu-seccomp.c | 20 +---
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index cf520883c7..e0a1829b3d 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -155,20 +155,22 @@ static uint32_t qemu_seccomp_get_action(int set)
}
-static int seccomp_start(uint32_t seccomp_opts)
+static int seccomp_start(uint32_t seccomp_opts, Error **errp)
{
-int rc = 0;
+int rc = -1;
unsigned int i = 0;
scmp_filter_ctx ctx;
ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL) {
-rc = -1;
+error_setg(errp, "failed to initialize seccomp context");
goto seccomp_return;
}
rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
if (rc != 0) {
+error_setg_errno(errp, -rc,
+ "failed to set seccomp thread synchronization");
goto seccomp_return;
}
@@ -182,15 +184,21 @@ static int seccomp_start(uint32_t seccomp_opts)
rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
blacklist[i].narg, blacklist[i].arg_cmp);
if (rc < 0) {
+error_setg_errno(errp, -rc,
+ "failed to add seccomp blacklist rules");
goto seccomp_return;
}
}
rc = seccomp_load(ctx);
+if (rc < 0) {
+error_setg_errno(errp, -rc,
+ "failed to load seccomp syscall filter in kernel");
+}
seccomp_return:
seccomp_release(ctx);
-return rc;
+return rc < 0 ? -1 : 0;
}
#ifdef CONFIG_SECCOMP
@@ -260,9 +268,7 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error
**errp)
}
}
-if (seccomp_start(seccomp_opts) < 0) {
-error_setg(errp, "failed to install seccomp syscall filter "
- "in the kernel");
+if (seccomp_start(seccomp_opts, errp) < 0) {
return -1;
}
}
--
2.17.2
[Qemu-devel] [PULL 2/2] seccomp: report more useful errors from seccomp
From: Daniel P. Berrangé
Most of the seccomp functions return errnos as a negative return
value. The code is currently ignoring these and reporting a generic
error message for all seccomp failure scenarios making debugging
painful. Report a more precise error from each failed call and include
errno if it is available.
Signed-off-by: Daniel P. Berrangé
Reviewed-by: Marc-André Lureau
Acked-by: Eduardo Otubo
---
qemu-seccomp.c | 20 +---
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index cf520883c7..e0a1829b3d 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -155,20 +155,22 @@ static uint32_t qemu_seccomp_get_action(int set)
}
-static int seccomp_start(uint32_t seccomp_opts)
+static int seccomp_start(uint32_t seccomp_opts, Error **errp)
{
-int rc = 0;
+int rc = -1;
unsigned int i = 0;
scmp_filter_ctx ctx;
ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL) {
-rc = -1;
+error_setg(errp, "failed to initialize seccomp context");
goto seccomp_return;
}
rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
if (rc != 0) {
+error_setg_errno(errp, -rc,
+ "failed to set seccomp thread synchronization");
goto seccomp_return;
}
@@ -182,15 +184,21 @@ static int seccomp_start(uint32_t seccomp_opts)
rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
blacklist[i].narg, blacklist[i].arg_cmp);
if (rc < 0) {
+error_setg_errno(errp, -rc,
+ "failed to add seccomp blacklist rules");
goto seccomp_return;
}
}
rc = seccomp_load(ctx);
+if (rc < 0) {
+error_setg_errno(errp, -rc,
+ "failed to load seccomp syscall filter in kernel");
+}
seccomp_return:
seccomp_release(ctx);
-return rc;
+return rc < 0 ? -1 : 0;
}
#ifdef CONFIG_SECCOMP
@@ -260,9 +268,7 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error
**errp)
}
}
-if (seccomp_start(seccomp_opts) < 0) {
-error_setg(errp, "failed to install seccomp syscall filter "
- "in the kernel");
+if (seccomp_start(seccomp_opts, errp) < 0) {
return -1;
}
}
--
2.17.2
