projects / oweals / procd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5f57223)
Allow disabling seccomp or changing the whitelist
authorMichal Sojka <michal.sojka@cvut.cz>
Mon, 30 Jul 2018 07:32:19 +0000 (09:32 +0200)
committerJohn Crispin <john@phrozen.org>
Mon, 30 Jul 2018 13:25:24 +0000 (15:25 +0200)
Without this change, once a service is started with seccomp, it is
impossible to restart it without seccomp or change the whitelist file
name. This commit fixes that. Disabling seccomp is as easy as
commenting out the "procd_set_param seccomp" line in init.d script.

Signed-off-by: Michal Sojka <michal.sojka@cvut.cz>
service/instance.c patch | blob | history

diff --git a/service/instance.c b/service/instance.c
index 27e35b1aeddc50c86f8dbdaa38ec797484afe26a..a5742b7300d0b9075a605126b9574f3da0c13190 100644 (file)
--- a/service/instance.c
+++ b/service/instance.c
@@ -639,6 +639,11 @@ instance_config_changed(struct service_instance *in, struct service_instance *in
        if (in->respawn_timeout != in_new->respawn_timeout)
                return true;
 
+       if ((!in->seccomp && in_new->seccomp) ||
+           (in->seccomp && !in_new->seccomp) ||
+           (in->seccomp && in_new->seccomp && strcmp(in->seccomp, in_new->seccomp)))
+               return true;
+
        if (!blobmsg_list_equal(&in->limits, &in_new->limits))
                return true;
 
@@ -959,6 +964,7 @@ instance_config_move(struct service_instance *in, struct service_instance *in_sr
        in->respawn_timeout = in_src->respawn_timeout;
        in->name = in_src->name;
        in->trace = in_src->trace;
+       in->seccomp = in_src->seccomp;
        in->node.avl.key = in_src->node.avl.key;
 
        free(in->config);
Unnamed repository; edit this file 'description' to name the repository.