Merge pull request #1578 from 0x0916/export-seccomp-filter-to-log

seccomp: export the seccomp filter after load it into kernel successful

Merge pull request #1578 from 0x0916/export-seccomp-filter-to-log
ab373bdf · Christian Brauner · GitHub · 9795e880 · 5107af32 · ab373bdf
Commit ab373bdf authored Jun 05, 2017 by Christian Brauner Committed by GitHub Jun 05, 2017
Show whitespace changes
Inline Side-by-side

Showing with 12 additions and 0 deletions

seccomp.c src/lxc/seccomp.c +12 -0

No files found.
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -791,6 +791,18 @@ int lxc_seccomp_load(struct lxc_conf *conf)
 		ERROR("Error loading the seccomp policy: %s.", strerror(-ret));
 		return -1;
 	}
+/* After load seccomp filter into the kernel successfully, export the current seccomp
+ * filter to log file */
+#if HAVE_SCMP_FILTER_CTX
+	if ((lxc_log_get_level() <= LXC_LOG_PRIORITY_TRACE || conf->loglevel <= LXC_LOG_PRIORITY_TRACE) &&
+	    lxc_log_fd >= 0) {
+		ret = seccomp_export_pfc(conf->seccomp_ctx, lxc_log_fd);
+		/* Just give an warning when export error */
+		if (ret < 0)
+			WARN("Failed to export seccomp filter to log file: %s.", strerror(-ret));
+	}
+#endif
 	return 0;
 }