[PATCH v5 2/3] filter_seccomp: skip seccomp setup when there's nothing to filter

Dmitry V. Levin ldv at altlinux.org
Sat Sep 21 21:36:06 UTC 2019


On Sat, Sep 21, 2019 at 10:51:52PM +0200, Paul Chaignon wrote:
> On Sat, Sep 21, 2019 at 07:02:36PM +0300, Dmitry V. Levin wrote:
> > From: Paul Chaignon <paul.chaignon at gmail.com>
> > 
> > If the trace_set set is complete (no syscalls are filtered), seccomp
> > filtering is disabled.  This patch adds a new is_complete_set_array
> > function to check whether all sets of a set array are complete.
> > 
> > * number_set.c (is_complete_set_array): New function.
> > * number_set.h (is_complete_set_array): New prototype.
> > * filter_seccomp.c (check_seccomp_filter): Skip seccomp setup if there is
> > nothing to filter.
> > 
> > Signed-off-by: Paul Chaignon <paul.chaignon at gmail.com>
> > ---
> >  filter_seccomp.c |  6 ++++++
> >  number_set.c     | 12 ++++++++++++
> >  number_set.h     |  4 ++++
> >  3 files changed, 22 insertions(+)
> > 
> > diff --git a/filter_seccomp.c b/filter_seccomp.c
> > index 0fa6e84de..8361553d1 100644
> > --- a/filter_seccomp.c
> > +++ b/filter_seccomp.c
> > @@ -613,6 +613,12 @@ seccomp_filter_restart_operator(const struct tcb *tcp)
> >  void
> >  check_seccomp_filter(void)
> >  {
> > +	/* Let's avoid enabling seccomp if all syscalls are traced. */
> > +	seccomp_filtering = !is_complete_set_array(trace_set, nsyscall_vec,
> > +						   SUPPORTED_PERSONALITIES);
> > +	if (!seccomp_filtering)
> > +		return;
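
Review bot: the early return at `if (!seccomp_filtering) return;` is silent, so a user who asked for seccomp filtering gets no indication that it was switched off because trace_set is complete. Emit a warning or at least a debug message before returning, saying that there are no syscalls to filter. Also note that `seccomp_filtering` is now assigned unconditionally at the top of check_seccomp_filter(), so the function relies on being called only when filtering was requested; a short comment stating that would make the assumption explicit.
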
> 
> I think this deserves a warning (or at least a debug message).  Otherwise
> seccomp filter is silently disabled and users who want to try this new
> feature out may not realize it.

I agree.  Feel free to add one, it's your patch after all.


-- 
ldv