On 03/03/15 01:28, Jay Faulkner wrote:
> Hey,
>
> Lennart reviewed this in IRC and suggested I refactor the change in this
> manner. Now, we have an array of capability:syscall pairs, and iterate
> through that and then only add the seccomp filter if the capability
> doesn't exist.
>
> The new patch is attached, and available
> here: https://github.com/jayofdoom/systemd/pull/5.patch.
+typedef struct CapSeccompPair { + uint64_t capability; + int scmp_syscall_num; +} CapSeccompPair; ... + static const CapSeccompPair blacklist[] = { + { SCMP_SYS(iopl), CAP_SYS_RAWIO },

The fields are swapped.

-Topi

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
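Review bot: in the `static const CapSeccompPair blacklist[]` initializer, `{ SCMP_SYS(iopl), CAP_SYS_RAWIO }` lists the values in the opposite order from the struct declaration (`uint64_t capability` first, `int scmp_syscall_num` second), so the syscall number is stored in `capability` and the capability bit in `scmp_syscall_num`. Both are plain integer types, so the compiler will not flag the mismatch, and the loop described in the quoted mail would then test the wrong capability and install a filter for the wrong syscall number. Suggest designated initializers for every entry, e.g. `{ .capability = CAP_SYS_RAWIO, .scmp_syscall_num = SCMP_SYS(iopl) }`, so the field order cannot silently drift again.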