[PATCH v2 2/3] filter_seccomp: list of seccomp-filter generation strategies
Paul Chaignon
paul.chaignon at gmail.com
Thu Oct 31 13:53:35 UTC 2019
On Mon, Oct 28, 2019 at 03:10:14PM +0300, Dmitry V. Levin wrote:
> On Wed, Oct 23, 2019 at 10:27:33AM +0200, Paul Chaignon wrote:
> [...]
> > @@ -458,13 +462,29 @@ check_seccomp_filter_properties(void)
> > debug_func_perror_msg("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)");
> >
> > if (seccomp_filtering) {
> > - bpf_prog.len = init_sock_filter(seccomp_filter);
> > - if (bpf_prog.len > BPF_MAXINSNS) {
> > + unsigned short len, min_len = USHRT_MAX;
> > + unsigned int min_index = 0;
> > + for (unsigned int i = 0; i < ARRAY_SIZE(filter_generators);
> > + ++i) {
> > + bool overflow = false;
> > + len = filter_generators[i](filters[i], &overflow);
> > + if (len < min_len && !overflow) {
> > + min_len = len;
> > + min_index = i;
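Review bot: in the selection loop, `min_index` starts at 0 and `min_len` at USHRT_MAX, so if every generator sets `overflow` the loop ends with `min_index` still pointing at filters[0], which is indistinguishable from strategy 0 having won. The lines quoted here do not show that case being handled. The code after the loop should test for `min_len == USHRT_MAX` (or track an explicit "found" flag) and disable seccomp filtering in that case. The BPF_MAXINSNS bound that this hunk removes should also still be applied to the selected length. As a minor style point, `len` is only used inside the loop body and could be declared there next to `overflow`.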
>
> Can't we just initialize bpf_prog at this point instead of ...
Yes, we can and it would remove the need for min_index and min_len. I'll
send an updated patchset.
[...]
Paul