[PATCH v4 3/4] filter_seccomp: skip seccomp setup when there's nothing to filter
Dmitry V. Levin
ldv at altlinux.org
Sat Aug 31 17:07:43 UTC 2019
On Thu, Aug 29, 2019 at 04:00:44PM +0200, Paul Chaignon wrote:
> If the trace_set set is complete (no syscalls are filtered), seccomp
> filtering is disabled. This patch adds a new is_complete_set_array
> function to check whether all sets of a set array are complete.
>
> * number_set.c (is_complete_set_array): New function.
> * number_set.h (is_complete_set_array): New prototype.
> * filter_seccomp.c (check_seccomp_filter): Skip seccomp setup if there is
> nothing to filter.
>
> Signed-off-by: Paul Chaignon <paul.chaignon at gmail.com>
> ---
> filter_seccomp.c | 6 ++++++
> number_set.c | 12 ++++++++++++
> number_set.h | 4 ++++
> 3 files changed, 22 insertions(+)
>
> diff --git a/filter_seccomp.c b/filter_seccomp.c
> index f1d10a5d..31de8c94 100644
> --- a/filter_seccomp.c
> +++ b/filter_seccomp.c
> @@ -244,6 +244,12 @@ check_seccomp_filter(void)
> goto end;
> }
>
> + /* Let's avoid enabling seccomp if all syscalls are traced. */
> + seccomp_filtering = !is_complete_set_array(trace_set, nsyscall_vec,
> + SUPPORTED_PERSONALITIES);
> + if (!seccomp_filtering)
> + goto end;
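Review bot: the `goto end` after the `seccomp_filtering` assignment sends the "nothing to filter" case down the same `end:` path as a failed probe, so any diagnostic there that is keyed on `seccomp_filtering` being false (the "seccomp-filter is requested but unavailable" message) fires even though nothing is wrong. Keep the `is_complete_set_array()` result separate from the probe result: return from `check_seccomp_filter()` directly at this point, or record the outcome in its own flag that the `end:` diagnostics consult, so that the "unavailable" message is printed only when the probe itself failed.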
How did you test this?
The "goto end" part is definitely wrong because it will produce
misleading "seccomp-filter is requested but unavailable" error
diagnostics.
--
ldv
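As an added example in C, not strace's code and not part of the patch or of this reply, here is one way to structure the check so that the "nothing to filter" outcome never reaches the "unavailable" diagnostic that the reply warns about. The `number_set` layout, `NPERS`, the `probe_ok` argument standing in for the kernel probe, and the `diag` buffer are assumptions for the example; strace's real `number_set` and `check_seccomp_filter()` differ.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for strace's number_set: a bitmap of syscall numbers plus
 * a "not" flag under which the set matches every number NOT in the bitmap. */
#define MAX_NR 512
#define NPERS  2	/* stands in for SUPPORTED_PERSONALITIES */

struct number_set {
	uint64_t bits[MAX_NR / 64];
	bool not_flag;
};

static bool number_isset(const struct number_set *s, unsigned int nr)
{
	return (s->bits[nr / 64] >> (nr % 64)) & 1;
}

static void number_setbit(struct number_set *s, unsigned int nr)
{
	s->bits[nr / 64] |= (uint64_t) 1 << (nr % 64);
}

/* A set is complete when it matches every syscall number below nsyscalls. */
static bool is_complete_set(const struct number_set *s, unsigned int nsyscalls)
{
	for (unsigned int nr = 0; nr < nsyscalls; ++nr)
		if (number_isset(s, nr) == s->not_flag)
			return false;
	return true;
}

/* Same contract as the patch's is_complete_set_array(): every set complete. */
static bool is_complete_set_array(const struct number_set *set,
		const unsigned int *nsyscall_vec, unsigned int nsets)
{
	for (unsigned int i = 0; i < nsets; ++i)
		if (!is_complete_set(&set[i], nsyscall_vec[i]))
			return false;
	return true;
}

enum seccomp_check {
	SECCOMP_UNAVAILABLE,		/* requested, but the kernel probe failed */
	SECCOMP_NOTHING_TO_FILTER,	/* every syscall is traced anyway */
	SECCOMP_ENABLED,
};

/* The nothing-to-filter case returns before the probe and never reaches the
 * diagnostic; probe_ok stands in for the real seccomp probe (assumption). */
static enum seccomp_check
check_seccomp_filter(const struct number_set *trace_set,
		     const unsigned int *nsyscall_vec, unsigned int npers,
		     bool probe_ok, char *diag, size_t diaglen)
{
	diag[0] = '\0';
	if (is_complete_set_array(trace_set, nsyscall_vec, npers))
		return SECCOMP_NOTHING_TO_FILTER;
	if (!probe_ok) {
		snprintf(diag, diaglen,
			 "seccomp-filter is requested but unavailable");
		return SECCOMP_UNAVAILABLE;
	}
	return SECCOMP_ENABLED;
}

/* Constructed input: personality 0 lists all 5 of its syscalls explicitly;
 * personality 1 (3 syscalls) is "not {}", or "not {0}" if not tracing all. */
static enum seccomp_check
run_scenario(bool trace_everything, bool probe_ok, char *diag, size_t diaglen)
{
	static const unsigned int nsyscall_vec[NPERS] = { 5, 3 };
	struct number_set trace_set[NPERS];

	memset(trace_set, 0, sizeof(trace_set));
	for (unsigned int nr = 0; nr < nsyscall_vec[0]; ++nr)
		number_setbit(&trace_set[0], nr);
	trace_set[1].not_flag = true;
	if (!trace_everything)
		number_setbit(&trace_set[1], 0);
	return check_seccomp_filter(trace_set, nsyscall_vec, NPERS,
				    probe_ok, diag, diaglen);
}

static enum seccomp_check scenario_outcome(bool trace_everything, bool probe_ok)
{
	char diag[64];
	return run_scenario(trace_everything, probe_ok, diag, sizeof(diag));
}

static bool scenario_emits_diag(bool trace_everything, bool probe_ok)
{
	char diag[64];
	run_scenario(trace_everything, probe_ok, diag, sizeof(diag));
	return diag[0] != '\0';
}
```

With every syscall of every personality traced, `check_seccomp_filter()` returns `SECCOMP_NOTHING_TO_FILTER` and leaves `diag` empty whatever the probe result; the "unavailable" text is written only when a filter is actually needed and the probe fails.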