On Tue, Apr 18, 2023 at 04:24:49PM +0200, Alejandro Colomar wrote:
> Hi Mickaël,
>
> On 4/17/23 22:45, Mickaël Salaün wrote:
> > [...]
>
> >> +int abi = landlock_create_ruleset(NULL, 0,
> >> + LANDLOCK_CREATE_RULESET_VERSION);
> >> +if (abi <= 0) {
> >> + /*
> >> + * Kernel too old, not compiled with Landlock,
> >> + * or Landlock was not enabled at boot time.
> >> + */
> >> + perror("Giving up \- No Landlock support");
> > [...]
>
> > As a side note, this syscall and this flag should never return 0, but if
> > it does (e.g. because of weird seccomp filter), the errno value might be
> > unspecified.
>
> Hmm, good catch, we should test for `== -1`, rather than `< 0`.
> Michael Kerrisk explicitly wanted this, and I agree with him, as it makes
> the code slightly more readable (explicit).

Ack, I'll send a small follow-up.

–Günther
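Review bot: The `if (abi <= 0)` branch calls perror() even when the return value is 0, a case in which no error was reported and errno holds whatever an earlier call left there, so the printed reason can be misleading. Restrict the perror() path to `abi == -1`, and if a return of 0 is to be handled at all, treat it as a separate case with a fixed message that does not consult errno. The comment in the branch lists only the causes that apply when the call fails, so it would then sit in the `== -1` case alone.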