sandbox-linux: call seccomp_release, remove unnecessary iteration

sandbox/sandbox-linux.cpp

@@ -50,10 +50,11 @@ bool SandboxLinux::seccomp_blacklist(std::initializer_list<int> syscalls)
 		Logger::error() << "Failed to load seccomp filter";
 		return false;
 	}
+	seccomp_release(ctx);
 	return success;
 }
 
-bool SandboxLinux::bindMountPaths(std::string target_root, std::initializer_list<std::string> paths)
+bool SandboxLinux::bindMountPaths(std::string target_root, const std::vector<std::string> &paths)
 {
 	for(const std::string &path : paths)
 	{
@@ -81,7 +82,8 @@ bool SandboxLinux::bindMountPaths(std::string target_root, std::initializer_list
 
 			if(mount(path.c_str(), chroot_target_path.c_str(), NULL, MS_BIND, NULL) == -1)
 			{
-				Logger::error() << "Bind mount failed! " << strerror(errno);
+				Logger::error() << "Bind mount for " << path << " -> " << chroot_target_path << " failed! "
+								<< strerror(errno);
 				return false;
 			}
 		}
@@ -147,13 +149,10 @@ bool SandboxLinux::isolateNamespaces(std::vector<std::string> fsPaths)
 		return false;
 	}
 
-	for(std::string &path : fsPaths)
+	if(!bindMountPaths(rootpath, fsPaths))
 	{
-		if(!bindMountPaths(rootpath, {path}))
-		{
-			Logger::error() << "Bind mount for " << path << " failed!";
-			return false;
-		}
+		Logger::error() << "Bind mounting paths failed!";
+		return false;
 	}
 
 	if(chroot(rootpath.c_str()) == -1)

sandbox/sandbox-linux.h

@@ -15,6 +15,6 @@ class SandboxLinux : public Sandbox
   private:
 	bool isolateNamespaces(std::vector<std::string> fsPaths);
 	bool seccomp_blacklist(std::initializer_list<int> syscalls);
-	bool bindMountPaths(std::string target_root, std::initializer_list<std::string> paths);
+	bool bindMountPaths(std::string target_root, const std::vector<std::string> &paths);
 };
 #endif