Our mode (passt / pasta / vhost-user) should always be set by the time we reach isolate_postfork(). Make sure it is with an ASSERT(), rather than risk continuing with no seccomp filter installed. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- isolation.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/isolation.c b/isolation.c index c2a3c7b..c944fb3 100644 --- a/isolation.c +++ b/isolation.c @@ -392,6 +392,8 @@ void isolate_postfork(const struct ctx *c) prog.len = (unsigned short)ARRAY_SIZE(filter_vu); prog.filter = filter_vu; break; + default: + ASSERT(0); } if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || -- 2.47.0