author | Jorge Lucangeli Obes <jorgelo@google.com> | 2016-01-22 17:18:51 -0800
---|---|---
committer | Jorge Lucangeli Obes <jorgelo@google.com> | 2016-01-22 17:18:51 -0800
commit | be351a294d36bd90f8bd4d887a7ad323d6441a67 (patch) |
tree | 273c4bfb92da4ab16ff30207770574c1aad5dcf5 |
parent | 605ce7f5ccda3597305f7ca8e21ba16e254cf96c (diff) |
download | minijail-be351a294d36bd90f8bd4d887a7ad323d6441a67.tar.gz |
Don't fail on invalid syscalls.
When putting together a new policy, it's useful to get a list
of all the invalid syscalls. Don't fail on invalid syscalls if
the user requested logging failures.
Bug: None
Change-Id: Ib2d9bbb3e41a1eeb44a41fd2ab32b50ab4efcddf
-rw-r--r-- | syscall_filter.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/syscall_filter.c b/syscall_filter.c index 3335a07..b8ce461 100644 --- a/syscall_filter.c +++ b/syscall_filter.c @@ -423,6 +423,20 @@ int compile_filter(FILE *policy_file, struct sock_fprog *prog, if (nr < 0) { warn("compile_filter: nonexistent syscall '%s'", syscall_name); + if (log_failures) { + /* + * If we're logging failures, assume we're in a + * debugging case and continue. + * This is not super risky because an invalid + * syscall name is likely caused by a typo or by + * leftover lines from a different architecture. + * In either case, not including a policy line + * is equivalent to killing the process if the + * syscall is made, so there's no added attack + * surface. + */ + continue; + } return -1; } |
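Review bot: the new `continue;` at the end of the `nr < 0` branch jumps over the remainder of the loop body, so if anything is allocated per policy line and released at the bottom of the iteration, this path now skips that release; the hunk only shows `warn(...)` followed by `continue;`, so please confirm there is no per-iteration cleanup below this point, or jump to it instead of continuing directly. Two smaller points on the same hunk: the comment's "This is not super risky" is vaguer than the argument it goes on to make, so lead with the actual invariant (an absent policy line means the default action applies to that syscall, so dropping a misspelled name can only make the filter stricter, never looser) and drop the hedge; and since `log_failures` now also changes how the policy file is parsed (a nonexistent syscall name becomes a warning rather than a hard error), that second effect needs to be documented wherever the logging option is described, otherwise a policy that only ever compiled in logging mode can be mistaken for one that was fully validated.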