seccomp: report more useful errors from seccomp

Most of the seccomp functions return errnos as a negative return value. The code is currently ignoring these and reporting a generic error message for all seccomp failure scenarios making debugging painful. Report a more precise error from each failed call and include errno if it is available. Signed-off-by: N Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: N Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: N Eduardo Otubo <otubo@redhat.com>

seccomp: report more useful errors from seccomp
Most of the seccomp functions return errnos as a negative return value. The code is currently ignoring these and reporting a generic error message for all seccomp failure scenarios making debugging painful. Report a more precise error from each failed call and include errno if it is available. Signed-off-by: N Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: N Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: N Eduardo Otubo <otubo@redhat.com>
035121d2 · Daniel P. Berrangé · Eduardo Otubo · 9a1565a0 · 035121d2
隐藏空白更改
内联并排

Showing with 13 addition and 7 deletion

qemu-seccomp.c qemu-seccomp.c +13 -7

未找到文件。
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -155,20 +155,22 @@ static uint32_t qemu_seccomp_get_action(int set)
 }
-static int seccomp_start(uint32_t seccomp_opts)
+static int seccomp_start(uint32_t seccomp_opts, Error **errp)
 {
-    int rc = 0;
+    int rc = -1;
    unsigned int i = 0;
    scmp_filter_ctx ctx;
    ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (ctx == NULL) {
-        rc = -1;
+        error_setg(errp, "failed to initialize seccomp context");
        goto seccomp_return;
    }
    rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
    if (rc != 0) {
+        error_setg_errno(errp, -rc,
+                         "failed to set seccomp thread synchronization");
        goto seccomp_return;
    }
@@ -182,15 +184,21 @@ static int seccomp_start(uint32_t seccomp_opts)
        rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
                                    blacklist[i].narg, blacklist[i].arg_cmp);
        if (rc < 0) {
+            error_setg_errno(errp, -rc,
+                             "failed to add seccomp blacklist rules");
            goto seccomp_return;
        }
    }
    rc = seccomp_load(ctx);
+    if (rc < 0) {
+        error_setg_errno(errp, -rc,
+                         "failed to load seccomp syscall filter in kernel");
+    }
  seccomp_return:
    seccomp_release(ctx);
-    return rc;
+    return rc < 0 ? -1 : 0;
 }
 #ifdef CONFIG_SECCOMP
@@ -260,9 +268,7 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)
            }
        }
-        if (seccomp_start(seccomp_opts) < 0) {
+        if (seccomp_start(seccomp_opts, errp) < 0) {
-            error_setg(errp, "failed to install seccomp syscall filter "
-                       "in the kernel");
            return -1;
        }
    }