From 000c05207d68658b76af9e1caf9aa3a4e3fa697b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Fri, 21 Aug 2020 17:21:04 +0200
Subject: shared/seccomp-util: added functionality to make list of filtred syscalls

While at it, start removing the "seccomp_" prefix from our own functions. It is used by libseccomp.
---
 src/nspawn/nspawn-seccomp.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'src/nspawn/nspawn-seccomp.c')

diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 79110d90d5..5b0ba46594 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -146,13 +146,18 @@ static int seccomp_add_default_syscall_filter(
 if (allow_list[i].capability != 0 && (cap_list_retain & (1ULL << allow_list[i].capability)) == 0)
 continue;

- r = seccomp_add_syscall_filter_item(ctx, allow_list[i].name, SCMP_ACT_ALLOW, syscall_deny_list, false);
+ r = seccomp_add_syscall_filter_item(ctx,
+ allow_list[i].name,
+ SCMP_ACT_ALLOW,
+ syscall_deny_list,
+ false,
+ NULL);
 if (r < 0)
 return log_error_errno(r, "Failed to add syscall filter item %s: %m", allow_list[i].name);
 }

 STRV_FOREACH(p, syscall_allow_list) {
- r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true);
+ r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true, NULL);
 if (r < 0)
 log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
 *p, seccomp_arch_to_string(arch));
-- 
cgit v1.2.1
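Review bot: Both updated calls to seccomp_add_syscall_filter_item() now end in bare `false, NULL` and `true, NULL`, so the call site does not show what the boolean selects or that the new last argument is an optional output which nspawn deliberately does not collect. In code that builds a seccomp allow list this matters to a reviewer, because the first loop aborts on failure while the second only warns and continues. I would annotate the arguments inline, e.g. `r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, /* log_missing = */ true, /* added = */ NULL);`, and do the same in the first call. The parameter names are assumed from the helper's declaration in shared/seccomp-util, which is outside this view, so confirm them there. The two calls are also wrapped differently (one argument per line versus a single line), and seccomp_add_default_syscall_filter() itself begins and ends outside the hunk.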