[PATCH RFC 5/9] filter_seccomp: use init_sock_filter to check number of BPF instructions
Dmitry V. Levin
ldv at altlinux.org
Fri Aug 23 15:31:25 UTC 2019
On Fri, Aug 23, 2019 at 11:43:17AM +0200, Paul Chaignon wrote:
[...]
> 1 file changed, 120 insertions(+), 170 deletions(-)
I like this. :)
> diff --git a/filter_seccomp.c b/filter_seccomp.c
> index ed1be992..25cba5bd 100644
> --- a/filter_seccomp.c
> +++ b/filter_seccomp.c
> @@ -55,6 +55,16 @@ static const struct audit_arch_t audit_arch_vec[SUPPORTED_PERSONALITIES] = {
> bool seccomp_filtering = false;
> bool seccomp_before_sysentry;
>
> +/*
> + * Keep some margin in seccomp_filter as programs larger than allowed may
> + * be constructed before we discard them.
> + */
> +struct sock_filter seccomp_filter[2 * BPF_MAXINSNS];
> +struct sock_fprog bpf_prog = {
> + .len = 0,
> + .filter = seccomp_filter,
> +};
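Review bot: the `2 * BPF_MAXINSNS` margin on `seccomp_filter` is only safe if every code path that appends instructions checks its index against the array size before storing, and the comment above it should state that bound explicitly (for example "callers must not write past ARRAY_SIZE(seccomp_filter)") so that a later change to the filter generator cannot overrun the buffer. Both `seccomp_filter` and `bpf_prog` are file-scope objects with external linkage here; unless another translation unit needs them, declare them `static`.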
I suppose these objects should be static.
--
ldv