seccomp: warn but continue on unresolvable syscalls

If a syscall is listed which is not resolvable, continue.  This allows
us to keep a more complete list of syscalls in a global seccomp policy
without having to worry about older kernels not supporting the newer
syscalls.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index d75defecfd9310bafe4bcc96c28775a688c876f7..fadc19075795b5ef83f07b9a3fa4fe80c61c5dd5 100644 (file)
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -235,8 +235,10 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
                }
                nr = seccomp_syscall_resolve_name_arch(arch, line);
                if (nr < 0) {
-                       ERROR("Failed to resolve syscall: %s", line);
-                       goto bad_rule;
+                       WARN("Seccomp: failed to resolve syscall: %s (returned %d)",
+                               line, nr);
+                       WARN("This syscall will NOT be blacklisted");
+                       continue;
                }
                ret = seccomp_rule_add(ctx ? ctx : conf->seccomp_ctx,
                                action, nr, 0);