[PATCH RFC v2 1/3] Introduce seccomp-assisted syscall filtering
Paul Chaignon
paul.chaignon at gmail.com
Mon Aug 5 15:50:52 UTC 2019
Thanks for the review!
On Mon, Aug 05, 2019 at 12:23:19AM +0300, Dmitry V. Levin wrote:
> On Wed, Jul 31, 2019 at 05:35:56PM +0200, Paul Chaignon wrote:
> [...]
> > diff --git a/defs.h b/defs.h
> > index 51622c05..1ff17ae8 100644
> > --- a/defs.h
> > +++ b/defs.h
> > @@ -147,6 +147,15 @@ extern char *stpcpy(char *dst, const char *src);
> > # define HAVE_PERSONALITY_2_MPERS 0
> > # endif
> >
> > +# ifndef PERSONALITY0_AUDIT_ARCH
> > +# define PERSONALITY0_AUDIT_ARCH { 0, 0 }
> > +# endif
> > +# if SUPPORTED_PERSONALITIES > 1
> > +# ifndef PERSONALITY1_AUDIT_ARCH
> > +# define PERSONALITY1_AUDIT_ARCH { 0, 0 }
> > +# endif
> > +# endif
> > +
>
> Do you plan to use these macros outside filter_seccomp.c?
> If not, why do you make them available globally by defining in defs.h
> file?
Will fix.
[...]
>
> I was thinking of something like
>
> static struct audit_arch_t audit_arch_vec[SUPPORTED_PERSONALITIES] = {
> #ifdef PERSONALITY0_AUDIT_ARCH
> [0] = PERSONALITY0_AUDIT_ARCH,
> #endif
> #ifdef PERSONALITY1_AUDIT_ARCH
> [1] = PERSONALITY1_AUDIT_ARCH,
> #endif
> #ifdef PERSONALITY2_AUDIT_ARCH
> [2] = PERSONALITY2_AUDIT_ARCH,
> #endif
> };
>
> This way you don't need any fallback PERSONALITY{0,1,2}_AUDIT_ARCH macros.
We'll still need to define PERSONALITY{0,1}_AUDIT_ARCH in case e.g.
AUDIT_ARCH_RISCV64 is undefined. Do you mean that it would be best to
handle this case directly in e.g. linux/riscv/arch_defs_.h? I defined the
fallback macros to avoid having duplicated #ifndef AUDIT_ARCH_XXX code in
arch_defs_.h files.
Paul
More information about the Strace-devel
mailing list