woj/nsjail
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Enable seccomp for all archs

Browse Source
This commit is contained in:
Robert Swiecki 2016-04-25 15:49:26 +02:00
parent 8371afabb9
commit 56cf3d2b22
1 changed files with 2 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
sandbox.c
View File

@ -31,7 +31,6 @@
#include "common.h" #include "common.h"
#include "log.h" #include "log.h"
#if defined(__x86_64__) || defined(__i386__)
#include "seccomp/bpf-helper.h" #include "seccomp/bpf-helper.h"
/* /*
@ -40,6 +39,7 @@
*/ */
static bool sandboxPrepareAndCommit(void) static bool sandboxPrepareAndCommit(void)
{ {
#if defined(__x86_64__) || defined(__i386__)
struct bpf_labels l = {.count = 0 }; struct bpf_labels l = {.count = 0 };
struct sock_filter filter[] = { struct sock_filter filter[] = {
LOAD_ARCH, LOAD_ARCH,
@ -84,22 +84,17 @@ static bool sandboxPrepareAndCommit(void)
PLOG_W("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) failed"); PLOG_W("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) failed");
return false; return false;
} }
#endif /* defined(__x86_64__) || defined(__i386__) */
return true; return true;
} }
#endif /* defined(__x86_64__) || defined(__i386__) */
bool sandboxApply(struct nsjconf_t * nsjconf) bool sandboxApply(struct nsjconf_t * nsjconf)
{ {
if (nsjconf->apply_sandbox == false) { if (nsjconf->apply_sandbox == false) {
return true; return true;
} }
#if defined(__x86_64__) || defined(__i386__)
if (sandboxPrepareAndCommit() == false) { if (sandboxPrepareAndCommit() == false) {
return false; return false;
} }
#else /* defined(__x86_64__) || defined(__i386__) */
LOG_W
("There's no seccomp-bpf implementation ready for the current CPU architecture. Sandbox not enabled");
#endif /* defined(__x86_64__) || defined(__i386__) */
return true; return true;
} }