[PATCH 2/2] Make seccomp failures non-fatal & lower log prio

Thu May 16 10:16:36 EDT 2013

Building a binary with --enable-seccomp and then running it on a < 3.5
kernel, results in seccomp_load() failing and ocserv's worker process
aborting. This might be okay-ish for users who ./configure && make
install on their own systems but it's obviously non-ideal for e.g.
distributions that need to distribute binaries.

Unfortunately there doesn't seem to be a good way (that I could find) to
check if the running kernel has seccomp -- uname/uts isn't a good
solution as Ubuntu has backported it to 3.2, custom kernels might have
CONFIG_SECCOMP=n etc.

So, this makes a tradeoff call and removes the exit_worker() call on
seccomp failures, lowers the seccomp error logs to LOG_DEBUG from
LOG_WARNING and the "could not disable system calls" to LOG_INFO from
LOG_ERR.
---
 src/worker-privs.c |    6 +++---
 src/worker-vpn.c   |    3 +--
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/worker-privs.c b/src/worker-privs.c
index 2b3158d..95b49dc 100644
--- a/src/worker-privs.c
+++ b/src/worker-privs.c
@@ -31,7 +31,7 @@ int disable_system_calls(struct worker_st *ws)
 	
 	ctx = seccomp_init(SCMP_ACT_KILL);
 	if (ctx == NULL) {
-		oclog(ws, LOG_WARNING, "could not initialize seccomp");
+		oclog(ws, LOG_DEBUG, "could not initialize seccomp");
 		return -1;
 	}
 
@@ -39,7 +39,7 @@ int disable_system_calls(struct worker_st *ws)
 	ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(name), 0); \
 	/* libseccomp returns EDOM for pseudo-syscalls due to a bug */ \
 	if (ret < 0 && ret != -EDOM) { \
-		oclog(ws, LOG_WARNING, "could not add " #name " to seccomp filter: %s", strerror(-ret)); \
+		oclog(ws, LOG_DEBUG, "could not add " #name " to seccomp filter: %s", strerror(-ret)); \
 		ret = -1; \
 		goto fail; \
 	}
@@ -66,7 +66,7 @@ int disable_system_calls(struct worker_st *ws)
 
 	ret = seccomp_load(ctx);
 	if (ret < 0) {
-		oclog(ws, LOG_ERR, "could not load seccomp filter");
+		oclog(ws, LOG_DEBUG, "could not load seccomp filter");
 		ret = -1;
 		goto fail;
 	}
diff --git a/src/worker-vpn.c b/src/worker-vpn.c
index 3ff612e..d573320 100644
--- a/src/worker-vpn.c
+++ b/src/worker-vpn.c
@@ -490,8 +490,7 @@ void vpn_server(struct worker_st* ws)
 		
 	ret = disable_system_calls(ws);
 	if (ret < 0) {
-		oclog(ws, LOG_ERR, "could not disable system calls (seccomp error)");
-		exit_worker(ws);
+		oclog(ws, LOG_INFO, "could not disable system calls, kernel might not support seccomp");
 	}
 
 	oclog(ws, LOG_INFO, "accepted connection");
-- 
1.7.2.5


