[PATCH v3 3/4] filter_seccomp: skip seccomp setup when there's nothing to filter

Paul Chaignon paul.chaignon at gmail.com
Thu Aug 15 17:52:31 UTC 2019


If every set in the trace_set array is complete (no syscalls are filtered out), seccomp
filtering is disabled.  This patch adds a new is_complete_set_array
function to check whether all sets of a set array are complete.

* number_set.c (is_complete_set_array): New function.
* number_set.h (is_complete_set_array): New prototype.
* filter_seccomp.c (check_seccomp_filter): Skip seccomp setup if there is
nothing to filter.

Signed-off-by: Paul Chaignon <paul.chaignon at gmail.com>
---
 filter_seccomp.c |  6 ++++++
 number_set.c     | 12 ++++++++++++
 number_set.h     |  4 ++++
 3 files changed, 22 insertions(+)

diff --git a/filter_seccomp.c b/filter_seccomp.c
index 0a5bed53..ed1be992 100644
--- a/filter_seccomp.c
+++ b/filter_seccomp.c
@@ -243,6 +243,12 @@ check_seccomp_filter(void)
 		goto end;
 	}
 
+	/* Let's avoid enabling seccomp if all syscalls are traced. */
+	seccomp_filtering = !is_complete_set_array(trace_set, nsyscall_vec,
+						   SUPPORTED_PERSONALITIES);
+	if (!seccomp_filtering)
+		goto end;
+
 	rc = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
 	seccomp_filtering = rc >= 0 || errno != EINVAL;
 	if (seccomp_filtering)
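Review bot: The new early exit makes check_seccomp_filter depend on trace_set and nsyscall_vec being fully populated for every personality before it is called, and nothing in the hunk records that ordering requirement; a later caller moving this probe earlier in startup would silently disable filtering. The "Let's avoid enabling seccomp" comment describes the intent but not the precondition, so I would replace it with `/* Every trace_set entry is complete, so no syscall would be filtered: leave seccomp off. Assumes trace_set has been fully parsed before this call. */` (the ordering itself is inferred from the hunk and worth confirming against the caller). check_seccomp_filter begins and ends outside the hunk, so I cannot see what `end:` does with seccomp_filtering once it is set to false here.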
diff --git a/number_set.c b/number_set.c
index 27fcb6bb..3f9e5fa7 100644
--- a/number_set.c
+++ b/number_set.c
@@ -87,6 +87,18 @@ is_complete_set(const struct number_set *const set, const unsigned int max_numbe
 		       (get_number_setbit(set) == max_numbers));
 }
 
+bool
+is_complete_set_array(const struct number_set *const set,
+		      const unsigned int *const max_numbers,
+		      const unsigned int nmemb)
+{
+	for (unsigned int i = 0; i < nmemb; ++i) {
+		if (!is_complete_set(&set[i], max_numbers[i]))
+			return false;
+	}
+	return true;
+}
+
 void
 add_number_to_set(const unsigned int number, struct number_set *const set)
 {
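Review bot: is_complete_set_array returns true for nmemb == 0, which in the filter_seccomp.c caller means "nothing to filter, keep seccomp off"; that vacuous-truth result is correct for SUPPORTED_PERSONALITIES but is not documented and is easy to misread as "filter everything". I would add a short comment above the definition stating that the function is true iff every one of the nmemb sets is complete for its corresponding max_numbers[i], and that an empty array is therefore reported as complete. The loop itself is fine and the definition is complete within the hunk.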
diff --git a/number_set.h b/number_set.h
index 4011f50e..e306887d 100644
--- a/number_set.h
+++ b/number_set.h
@@ -25,6 +25,10 @@ is_number_in_set_array(unsigned int number, const struct number_set *, unsigned
 extern bool
 is_complete_set(const struct number_set *, unsigned int max_numbers);
 
+extern bool
+is_complete_set_array(const struct number_set *, const unsigned int *,
+		      const unsigned int nmemb);
+
 extern void
 add_number_to_set(unsigned int number, struct number_set *);
 
-- 
2.17.1


