while (*line == ' ')
line++;
- // after 'whitelist' or 'blacklist' comes default behavior
+ /* After 'whitelist' or 'blacklist' comes default behavior. */
if (strncmp(line, "kill", 4) == 0)
ret_action = SCMP_ACT_KILL;
else if (strncmp(line, "errno", 5) == 0) {
static const char *get_action_name(uint32_t action)
{
- // The upper 16 bits indicate the type of the seccomp action
+ /* The upper 16 bits indicate the type of the seccomp action. */
switch(action & 0xffff0000){
case SCMP_ACT_KILL:
return "kill";
}
if (strcmp(uts.machine, "i686") == 0)
return lxc_seccomp_arch_i386;
- // no x32 kernels
+ /* no x32 kernels */
else if (strcmp(uts.machine, "x86_64") == 0)
return lxc_seccomp_arch_amd64;
else if (strncmp(uts.machine, "armv7", 5) == 0)
remove_trailing_newlines(line);
INFO("processing: .%s.", line);
if (line[0] == '[') {
- // read the architecture for next set of rules
+ /* Read the architecture for next set of rules. */
if (strcmp(line, "[x86]") == 0 ||
strcmp(line, "[X86]") == 0) {
if (native_arch != lxc_seccomp_arch_i386 &&
ERROR("Error loading the seccomp policy: %s.", strerror(-ret));
return -1;
}
+
+/* After load seccomp filter into the kernel successfully, export the current seccomp
+ * filter to log file */
+#if HAVE_SCMP_FILTER_CTX
+ if ((lxc_log_get_level() <= LXC_LOG_LEVEL_TRACE || conf->loglevel <= LXC_LOG_LEVEL_TRACE) &&
+ lxc_log_fd >= 0) {
+ ret = seccomp_export_pfc(conf->seccomp_ctx, lxc_log_fd);
+ /* Just give an warning when export error */
+ if (ret < 0)
+ WARN("Failed to export seccomp filter to log file: %s.", strerror(-ret));
+ }
+#endif
return 0;
}
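Review bot: The two new comments are hard to read as written; I'd rewrite the block header as `/* Once the seccomp filter has been loaded into the kernel successfully, export the current filter (PFC format) to the log file for debugging. */` and the inner one as `/* Export failure is not fatal; just warn. */`. It is also worth a one-line comment that `seccomp_export_pfc()` writes straight to `lxc_log_fd`, bypassing the log layer, so the dump carries no timestamp/level prefix and may interleave with other log writes to the same fd — acceptable for a TRACE-only diagnostic, but it should be stated so nobody later assumes it is a normal log record. The `lxc_log_fd >= 0` guard is the right check for the "no log file" case; the `<= LXC_LOG_LEVEL_TRACE` comparisons presumably rely on TRACE being the lowest level value, which I cannot confirm from the hunk. The enclosing function starts outside the hunk.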