authorMichal Sojka2018-07-30 07:32:19 +0000
committerJohn Crispin2018-07-30 13:25:24 +0000
commite29966f04cdf549a01f721f93634672055da8af4 (patch)
tree9352919b3801b1c69f566f697f98d4c500d5192e
parent5f57223913a9657bc1ff14284b01ffcb8dbe0eba (diff)
downloadprocd-e29966f04cdf549a01f721f93634672055da8af4.tar.gz
Allow disabling seccomp or changing the whitelist
Without this change, once a service is started with seccomp, it is impossible to restart it without seccomp or change the whitelist file name. This commit fixes that. Disabling seccomp is as easy as commenting out the "procd_set_param seccomp" line in init.d script. Signed-off-by: Michal Sojka <michal.sojka@cvut.cz>
-rw-r--r--service/instance.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/service/instance.c b/service/instance.c
index 27e35b1..a5742b7 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -639,6 +639,11 @@ instance_config_changed(struct service_instance *in, struct service_instance *in
if (in->respawn_timeout != in_new->respawn_timeout)
return true;
+ if ((!in->seccomp && in_new->seccomp) ||
+ (in->seccomp && !in_new->seccomp) ||
+ (in->seccomp && in_new->seccomp && strcmp(in->seccomp, in_new->seccomp)))
+ return true;
+
if (!blobmsg_list_equal(&in->limits, &in_new->limits))
return true;
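Review bot: The added condition compares only the whitelist path, via `strcmp(in->seccomp, in_new->seccomp)`, so as far as this hunk shows, editing the whitelist file in place under the same name is not treated as a config change and the instance is not restarted to pick up the new filter. If that is intended, say so above the condition, for example `/* seccomp: only the whitelist path is compared; edits to the same file need an explicit restart */`. The three-way test can also be shortened, with the same result, to `if (!in->seccomp != !in_new->seccomp || (in->seccomp && strcmp(in->seccomp, in_new->seccomp)))`. The body of instance_config_changed starts and ends outside the hunk.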
@@ -959,6 +964,7 @@ instance_config_move(struct service_instance *in, struct service_instance *in_sr
in->respawn_timeout = in_src->respawn_timeout;
in->name = in_src->name;
in->trace = in_src->trace;
+ in->seccomp = in_src->seccomp;
in->node.avl.key = in_src->node.avl.key;
free(in->config);
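Review bot: The new line `in->seccomp = in_src->seccomp;` copies a raw pointer without duplicating the string, and nothing in the hunk shows who owns that string. If it points into the config blob of `in_src` (not visible here, so this needs confirming), it stays valid only as long as that blob is handed over to `in` after the `free(in->config)` below. A short comment would make the dependency explicit, for example `/* seccomp is borrowed from in_src->config, which is taken over below */`. The body of instance_config_move continues outside the hunk.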