[PATCH v2 2/3] filter_seccomp: list of seccomp-filter generation strategies
Dmitry V. Levin
ldv at altlinux.org
Mon Oct 28 12:10:14 UTC 2019
On Wed, Oct 23, 2019 at 10:27:33AM +0200, Paul Chaignon wrote:
[...]
> @@ -458,13 +462,29 @@ check_seccomp_filter_properties(void)
> debug_func_perror_msg("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)");
>
> if (seccomp_filtering) {
> - bpf_prog.len = init_sock_filter(seccomp_filter);
> - if (bpf_prog.len > BPF_MAXINSNS) {
> + unsigned short len, min_len = USHRT_MAX;
> + unsigned int min_index = 0;
> + for (unsigned int i = 0; i < ARRAY_SIZE(filter_generators);
> + ++i) {
> + bool overflow = false;
> + len = filter_generators[i](filters[i], &overflow);
> + if (len < min_len && !overflow) {
> + min_len = len;
> + min_index = i;
Can't we just initialize bpf_prog at this point instead of ...
> + }
> + }
> + if (min_len == USHRT_MAX) {
> + debug_msg("seccomp filter disabled due to jump offset "
> + "overflow");
> + seccomp_filtering = false;
> + } else if (min_len > BPF_MAXINSNS) {
> debug_msg("seccomp filter disabled due to BPF program "
> "being oversized (%u > %d)", bpf_prog.len,
> BPF_MAXINSNS);
> seccomp_filtering = false;
> }
> + bpf_prog.len = min_len;
> + bpf_prog.filter = filters[min_index];
... doing it here? If not, let's initialize bpf_prog only if
seccomp_filtering == true.
--
ldv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20191028/ced38124/attachment.bin>
More information about the Strace-devel
mailing list