[CRIU] [PATCH] criu: Fix compilation when seccomp mode filter is not supported

Tycho Andersen tycho.andersen at canonical.com
Thu Nov 19 07:14:05 PST 2015


Hi Pavel,

On Thu, Nov 19, 2015 at 05:48:41PM +0300, Pavel Emelyanov wrote:
> I have two issues in my VM -- no SECCOMP_SET_MODE_FILTER in header
> and no linux/bpf.h header.

This patch is fine with me, or I can re-send the one I sent that
Cyrill asked about. One thing that has that this doesn't is a runtime
fix if seccomp doesn't exist. It doesn't have the bpf ifdef, though,
so some combination of both is needed. Let me know what you want.

Acked-by: Tycho Andersen <tycho.andersen at canonical.com>

> Signed-off-by: Pavel Emelyanov <xemul at parallels.com>
> ---
>  cr-check.c     | 7 +++++++
>  pie/restorer.c | 5 +++++
>  2 files changed, 12 insertions(+)
> 
> diff --git a/cr-check.c b/cr-check.c
> index 8669576..5ee98c4 100644
> --- a/cr-check.c
> +++ b/cr-check.c
> @@ -13,7 +13,9 @@
>  #include <signal.h>
>  #include <linux/if.h>
>  #include <linux/filter.h>
> +#ifdef SECCOMP_MODE_FILTER
>  #include <linux/bpf.h>
> +#endif
>  #include <linux/seccomp.h>
>  #include <sys/syscall.h>
>  #include <sys/ioctl.h>
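
Review bot: The `#ifdef SECCOMP_MODE_FILTER` around `#include <linux/bpf.h>` is evaluated before `#include <linux/seccomp.h>`, the header that defines SECCOMP_MODE_FILTER, so the result depends on some earlier include having already pulled that header in. Move the guarded include below `#include <linux/seccomp.h>`, or test for the availability of linux/bpf.h directly, since the reported problem is a missing header rather than a missing seccomp mode.
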
> @@ -646,6 +648,7 @@ static int check_ptrace_suspend_seccomp(void)
>  
>  static int setup_seccomp_filter(void)
>  {
> +#ifdef SECCOMP_MODE_FILTER
>  	struct sock_filter filter[] = {
>  		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
>  		/* Allow all syscalls except ptrace */
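
Review bot: The guard at the top of setup_seccomp_filter() tests SECCOMP_MODE_FILTER, while the patch description reports SECCOMP_SET_MODE_FILTER as the missing definition and pie/restorer.c later in this patch guards on that macro. If the part of the function not shown here uses SECCOMP_SET_MODE_FILTER, headers that define the mode but not the operation will still fail to build; guard on the macro the body actually needs, or add the same fallback define used in restorer.c.
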
> @@ -663,6 +666,10 @@ static int setup_seccomp_filter(void)
>  		return -1;
>  
>  	return 0;
> +#else
> +	pr_err("Can't check seccomp filter support");
> +	return -1;
> +#endif
>  }
>  
>  static int check_ptrace_dump_seccomp_filters(void)
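
Review bot: In the #else branch, the pr_err() string has no trailing "\n" (a problem unless pr_err() appends one) and does not say that support was left out at build time, so the check returns the same -1 a user would see for a kernel that lacks the feature. Suggest wording such as "Seccomp filter support not compiled in\n", and consider combining this with the runtime handling mentioned in the reply above so that a missing feature is reported as unsupported rather than as a check failure.
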
> diff --git a/pie/restorer.c b/pie/restorer.c
> index 4665c5d..02173f0 100644
> --- a/pie/restorer.c
> +++ b/pie/restorer.c
> @@ -41,6 +41,11 @@
>  #define PR_SET_PDEATHSIG 1
>  #endif
>  
> +#ifndef SECCOMP_SET_MODE_FILTER
> +#define SECCOMP_SET_MODE_FILTER 1
> +#define SECCOMP_FILTER_FLAG_TSYNC 1
> +#endif
> +
>  #define sys_prctl_safe(opcode, val1, val2, val3)			\
>  	({								\
>  		long __ret = sys_prctl(opcode, val1, val2, val3, 0);	\
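
Review bot: SECCOMP_FILTER_FLAG_TSYNC is defined under the `#ifndef SECCOMP_SET_MODE_FILTER` guard, so it is only handled correctly when both macros are missing together; give it its own `#ifndef SECCOMP_FILTER_FLAG_TSYNC` block to avoid a redefinition or a missing definition when headers provide only one of them. These fallback values only make the file compile: on a kernel without the operation the call still fails at run time, so the code that uses them needs to handle that error.
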
> -- 
> 1.9.3
> 

