From 043ddc5c0d281e027f23db049788db29f2fedbe6 Mon Sep 17 00:00:00 2001
From: Zach Reizner <zachr@google.com>
Date: Tue, 3 Apr 2018 20:47:21 -0700
Subject: crosvm: enable seccomp logging in debug builds

This will be useful for diagnosing crosvm crashes which are most often
caused by seccomp killing a device process.

TEST=delete a seccomp filter, run crosvm, check for blocked syscall in
     /var/log/messages
BUG=None

Change-Id: I1e01a0794f0349e6ad9b101eb2e32320f60b1283
Reviewed-on: https://chromium-review.googlesource.com/994737
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
---
 src/plugin/mod.rs | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src/plugin/mod.rs')

diff --git a/src/plugin/mod.rs b/src/plugin/mod.rs
index 2e810f0..85a0266 100644
--- a/src/plugin/mod.rs
+++ b/src/plugin/mod.rs
@@ -228,6 +228,8 @@ fn create_plugin_jail(root: &Path, seccomp_policy: &Path) -> Result<Minijail> {
     // Use TSYNC only for the side effect of it using SECCOMP_RET_TRAP, which will correctly kill
     // the entire plugin process if a worker thread commits a seccomp violation.
     j.set_seccomp_filter_tsync();
+    #[cfg(debug_assertions)]
+    j.log_seccomp_filter_failures();
     j.parse_seccomp_filters(seccomp_policy)
         .map_err(Error::ParseSeccomp)?;
     j.use_seccomp_filter();
-- 
cgit 1.4.1