Don't fail on invalid syscalls.
When putting together a new policy, it's useful to get a list
of all the invalid syscalls. Don't fail on invalid syscalls if
the user requested logging failures.
Bug: None
Change-Id: Ib2d9bbb3e41a1eeb44a41fd2ab32b50ab4efcddf
diff --git a/syscall_filter.c b/syscall_filter.c
index 3335a07..b8ce461 100644
--- a/syscall_filter.c
+++ b/syscall_filter.c
@@ -423,6 +423,20 @@
if (nr < 0) {
warn("compile_filter: nonexistent syscall '%s'",
syscall_name);
+ if (log_failures) {
+ /*
+ * If we're logging failures, assume we're in a
+ * debugging case and continue.
+ * This is not super risky because an invalid
+ * syscall name is likely caused by a typo or by
+ * leftover lines from a different architecture.
+ * In either case, not including a policy line
+ * is equivalent to killing the process if the
+ * syscall is made, so there's no added attack
+ * surface.
+ */
+ continue;
+ }
return -1;
}
