-
Michal Sojka authored
When service init file declares seccomp support (procd_set_param seccomp), but procd is compiled without seccomp support, the service should be started normally, because seccomp-trace and utrace are not available. Older procd versions decided about whether to start a service in seccomp sandbox or not based on existence of seccomp whitelist in the filesystem. This was recently removed (c8faedc1 "Do not disable seccomp when configuration is not found", 2017-09-12) because it could be easy for attackers to disable seccomp support. This changes is a follow-up to the mentioned commit. With it, procd decides about whether to use seccomp sandbox based only on compile-time configuration. Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz> Tested-by: Hans Dedecker <dedeckeh@gmail.com>
b39c362c