agent: Ignore unknown seccomp system calls

If the Kata agent cannot resolve a system call named in a seccomp profile,
it ignores that system call and continues to run without an error.

Fixes: #2957

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Manabu Sugimoto 2021-11-03 21:38:15 +09:00
parent 4be2c8b190
commit c66b56683b


@ -68,7 +68,14 @@ pub fn init_seccomp(scmp: &LinuxSeccomp) -> Result<()> {
}
for name in &syscall.names {
let syscall_num = get_syscall_from_name(name, None)?;
let syscall_num = match get_syscall_from_name(name, None) {
Ok(num) => num,
Err(_) => {
// If we cannot resolve the given system call, we assume it is not supported
// by the kernel. Hence, we skip it without generating an error.
continue;
}
};
if syscall.args.is_empty() {
filter.add_rule(action, syscall_num, None)?;