[Qemu-devel] [PATCH] seccomp: report more useful errors from seccomp
From: |
Daniel P . Berrangé |
Subject: |
[Qemu-devel] [PATCH] seccomp: report more useful errors from seccomp |
Date: |
Mon, 25 Mar 2019 14:03:18 +0000 |
Most of the seccomp functions return errnos as a negative return
value. The code is currently ignoring these and reporting a generic
error message for all seccomp failure scenarios making debugging
painful. Report a more precise error from each failed call and include
errno if it is available.
Signed-off-by: Daniel P. Berrangé <address@hidden>
---
qemu-seccomp.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 36d5829831..8daa9e0528 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -138,21 +138,23 @@ static uint32_t qemu_seccomp_get_kill_action(void)
}
-static int seccomp_start(uint32_t seccomp_opts)
+static int seccomp_start(uint32_t seccomp_opts, Error **errp)
{
- int rc = 0;
+ int rc = -1;
unsigned int i = 0;
scmp_filter_ctx ctx;
uint32_t action = qemu_seccomp_get_kill_action();
ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL) {
- rc = -1;
+ error_setg(errp, "failed to initialize seccomp context");
goto seccomp_return;
}
rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
if (rc != 0) {
+ error_setg_errno(errp, -rc,
+ "failed to set seccomp thread synchronization");
goto seccomp_return;
}
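Review bot: The `seccomp_attr_set` check still tests `rc != 0`, while the new epilogue returns `rc < 0 ? -1 : 0`. A positive return would therefore set `errp` through `error_setg_errno(errp, -rc, ...)` with a negative errno value and then report success to `parse_sandbox` with no filter loaded. libseccomp reports failures as negative errno values, so this path is presumably unreachable, but changing the test to `if (rc < 0) {` would match the other checks and the return expression and rule out a fail-open result in sandbox setup. The body of `seccomp_start` continues outside this hunk.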
@@ -164,15 +166,21 @@ static int seccomp_start(uint32_t seccomp_opts)
rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
blacklist[i].narg, blacklist[i].arg_cmp);
if (rc < 0) {
+ error_setg_errno(errp, -rc,
+ "failed to add seccomp blacklist rules");
goto seccomp_return;
}
}
rc = seccomp_load(ctx);
+ if (rc < 0) {
+ error_setg_errno(errp, -rc,
+ "failed to load seccomp syscall filter in kernel");
+ }
seccomp_return:
seccomp_release(ctx);
- return rc;
+ return rc < 0 ? -1 : 0;
}
#ifdef CONFIG_SECCOMP
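Review bot: The message added inside the rule loop, "failed to add seccomp blacklist rules", does not say which entry was rejected. That is the detail needed when a kernel or libseccomp build does not know one of the listed syscalls. Consider `error_setg_errno(errp, -rc, "failed to add seccomp blacklist rule for syscall %d", blacklist[i].num);`, assuming `num` is an int syscall number, as its use as an argument to `seccomp_rule_add_array` suggests. The loop header is outside the hunk, so the index and bounds cannot be checked from here.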
@@ -242,9 +250,7 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error
**errp)
}
}
- if (seccomp_start(seccomp_opts) < 0) {
- error_setg(errp, "failed to install seccomp syscall filter "
- "in the kernel");
+ if (seccomp_start(seccomp_opts, errp) < 0) {
return -1;
}
}
--
2.20.1