On 03/03/15 01:28, Jay Faulkner wrote:
> Hey,
>
> Lennart reviewed this in IRC and suggested I refactor the change in this
> manner. Now, we have an array of capability:sys call pairs, and iterate
> through that and then only add the seccomp filter if the capability
> doesn’t exist.
>
> The new patch is attached, and available
> here: https://github.com/jayofdoom/systemd/pull/5.patch.
+typedef struct CapSeccompPair {
+ uint64_t capability;
+ int scmp_syscall_num;
+} CapSeccompPair;
...
+ static const CapSeccompPair blacklist[] = {
+ { SCMP_SYS(iopl), CAP_SYS_RAWIO },
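Review bot: the initializer `{ SCMP_SYS(iopl), CAP_SYS_RAWIO }` puts the syscall first and the capability second, but `CapSeccompPair` declares `capability` first and `scmp_syscall_num` second, so each value ends up in the other's field. Both members are integer types, so the compiler will not flag the mismatch. Designated initializers (`.capability = CAP_SYS_RAWIO, .scmp_syscall_num = SCMP_SYS(iopl)`) would make the table independent of member order; otherwise reorder either the struct members or every table entry so they agree.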
The fields are swapped.
-Topi