authorJorge Lucangeli Obes <jorgelo@google.com>2016-01-22 17:18:51 -0800
committerJorge Lucangeli Obes <jorgelo@google.com>2016-01-22 17:18:51 -0800
commitbe351a294d36bd90f8bd4d887a7ad323d6441a67 (patch)
tree273c4bfb92da4ab16ff30207770574c1aad5dcf5
parent605ce7f5ccda3597305f7ca8e21ba16e254cf96c (diff)
Don't fail on invalid syscalls.
When putting together a new policy, it's useful to get a list of all the invalid syscalls. Don't fail on invalid syscalls if the user requested logging failures. Bug: None Change-Id: Ib2d9bbb3e41a1eeb44a41fd2ab32b50ab4efcddf
-rw-r--r--syscall_filter.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/syscall_filter.c b/syscall_filter.c
index 3335a07..b8ce461 100644
--- a/syscall_filter.c
+++ b/syscall_filter.c
@@ -423,6 +423,20 @@ int compile_filter(FILE *policy_file, struct sock_fprog *prog,
if (nr < 0) {
warn("compile_filter: nonexistent syscall '%s'",
syscall_name);
+ if (log_failures) {
+ /*
+ * If we're logging failures, assume we're in a
+ * debugging case and continue.
+ * This is not super risky because an invalid
+ * syscall name is likely caused by a typo or by
+ * leftover lines from a different architecture.
+ * In either case, not including a policy line
+ * is equivalent to killing the process if the
+ * syscall is made, so there's no added attack
+ * surface.
+ */
+ continue;
+ }
return -1;
}
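Review bot: In the new `if (log_failures)` branch the only output is the `warn()` issued just above it, which reads the same whether compilation aborts or the line is skipped, so a log reader cannot tell that a policy line was dropped. A distinct message before the `continue`, for example `warn("compile_filter: ignoring policy line for '%s'", syscall_name);`, would make the lenient path visible and help keep a mistyped policy from shipping unnoticed. The comment's fail-closed argument holds only if unlisted syscalls fall through to a deny or kill default, which is set outside this hunk; it would be worth stating that dependency in the comment. compile_filter's loop body starts and ends outside the hunk, so whether the `continue` skips any per-line cleanup cannot be checked from here.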