On Mar 3, 2015, at 8:55 AM, Topi Miettinen <toiwo...@gmail.com> wrote:

> On 03/03/15 01:28, Jay Faulkner wrote:
>> Hey,
>>
>> Lennart reviewed this in IRC and suggested I refactor the change in this manner. Now, we have an array of capability:syscall pairs, and iterate through that and then only add the seccomp filter if the capability doesn’t exist.
>>
>> The new patch is attached, and available here: https://github.com/jayofdoom/systemd/pull/5.patch.
>>
>> +typedef struct CapSeccompPair {
>> + uint64_t capability;
>> + int scmp_syscall_num;
>> +} CapSeccompPair;
>> ...
>> + static const CapSeccompPair blacklist[] = {
>> + { SCMP_SYS(iopl), CAP_SYS_RAWIO },
>
> The fields are swapped.
>
> -Topi

Thanks for the review! I’ve corrected the issue, and have the new patch attached and available here: https://github.com/jayofdoom/systemd/pull/5.patch.

-Jay Faulkner
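Review bot: the blacklist initializer puts the values in the opposite order from the struct declaration, which lists `uint64_t capability` first and `int scmp_syscall_num` second while `{ SCMP_SYS(iopl), CAP_SYS_RAWIO }` leads with the syscall number; since both are plain integer constants the compiler accepts the swap and the capability check then silently compares the wrong numbers. Use designated initializers, `{ .capability = CAP_SYS_RAWIO, .scmp_syscall_num = SCMP_SYS(iopl) }`, so the field order cannot drift again, and add a comment stating whether `capability` holds a CAP_* bit index or a bit of the retained-capability mask, because a `uint64_t` field initialised with a CAP_* constant reads both ways and the lookup loop has to match whichever it is.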
[Attachment: nspawn-capabilty-seccomp.patch]
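The capability-to-syscall table and the "only filter what the container can no longer do" loop described in the thread, as an added example that is not systemd's code or the attached patch. It assumes the retained capabilities arrive as a uint64_t bitmask indexed by the kernel's CAP_* numbers (the real values from linux/capability.h are spelled out so the block builds anywhere), and it names syscalls as strings instead of SCMP_SYS(...) numbers so it runs without libseccomp; in nspawn each hit would become a seccomp_rule_add() call. The table uses designated initializers so the field order mix-up Topi caught cannot compile.

```c
/* Added example, not systemd's code: pick which syscalls to block from the
 * capabilities a container keeps. Assumption: retained capabilities are a
 * uint64_t bitmask indexed by CAP_* bit numbers, as nspawn's --capability
 * set is. Syscalls are strings here (placeholder for SCMP_SYS(...)) so the
 * block runs without libseccomp; each hit would be one seccomp_rule_add(). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Real kernel capability numbers (bit index into the capability set). */
#define CAP_SYS_MODULE 16
#define CAP_SYS_RAWIO  17
#define CAP_SYS_BOOT   22
#define CAP_SYS_TIME   25

typedef struct CapSeccompPair {
        int capability;       /* CAP_* bit index, not a mask */
        const char *syscall;  /* stands in for SCMP_SYS(name) */
} CapSeccompPair;

/* Designated initializers: if two integer fields were swapped positionally
 * (as in the first version of the patch) the compiler would not notice.
 * Syscall names are illustrative; the table is constructed for this example. */
static const CapSeccompPair blacklist[] = {
        { .capability = CAP_SYS_RAWIO,  .syscall = "iopl" },
        { .capability = CAP_SYS_RAWIO,  .syscall = "ioperm" },
        { .capability = CAP_SYS_MODULE, .syscall = "init_module" },
        { .capability = CAP_SYS_MODULE, .syscall = "delete_module" },
        { .capability = CAP_SYS_BOOT,   .syscall = "reboot" },
        { .capability = CAP_SYS_TIME,   .syscall = "settimeofday" },
};
#define BLACKLIST_LEN (sizeof(blacklist) / sizeof(blacklist[0]))

/* Write into `out` the syscalls to block for a container that retains
 * `retained_caps`. Returns how many there are; `out` needs BLACKLIST_LEN slots.
 * A pair is skipped when the container keeps the capability, because the
 * kernel already lets it use the syscall and filtering it would only break it. */
size_t syscalls_to_block(uint64_t retained_caps, const char **out, size_t out_len) {
        size_t n = 0;
        for (size_t i = 0; i < BLACKLIST_LEN; i++) {
                uint64_t bit = UINT64_C(1) << blacklist[i].capability;
                if (retained_caps & bit)
                        continue;  /* capability kept: leave the syscall reachable */
                if (n < out_len)
                        out[n] = blacklist[i].syscall;
                n++;
        }
        return n;
}

/* Is `name` on the block list for this capability set? 1 = yes, 0 = no. */
int syscall_blocked(uint64_t retained_caps, const char *name) {
        const char *blocked[BLACKLIST_LEN];
        size_t n = syscalls_to_block(retained_caps, blocked, BLACKLIST_LEN);
        for (size_t i = 0; i < n; i++)
                if (strcmp(blocked[i], name) == 0)
                        return 1;
        return 0;
}

int main(void) {
        /* Constructed input: a container that keeps only CAP_SYS_RAWIO. */
        uint64_t caps = UINT64_C(1) << CAP_SYS_RAWIO;
        const char *blocked[BLACKLIST_LEN];
        size_t n = syscalls_to_block(caps, blocked, BLACKLIST_LEN);
        for (size_t i = 0; i < n; i++)
                printf("filter: %s\n", blocked[i]);
        return 0;
}
```

With only CAP_SYS_RAWIO retained, iopl and ioperm stay usable and the module, reboot and clock syscalls are filtered; with an empty capability set the whole table is filtered. Keeping the capability index in the table and deriving the mask bit at the point of comparison is what stops the "is this a number or a mask" ambiguity from recurring.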
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel