[PATCH v6 2/3] filter_seccomp: skip seccomp setup when there's nothing to filter
Paul Chaignon
paul.chaignon at gmail.com
Sun Sep 22 20:13:46 UTC 2019
If the trace_set set array is complete (no syscalls are filtered out), seccomp
filtering is disabled. This patch adds a new is_complete_set_array
function to check whether all sets of a set array are complete.
* number_set.c (is_complete_set_array): New function.
* number_set.h (is_complete_set_array): New prototype.
* filter_seccomp.c (check_seccomp_filter): Skip seccomp setup if there is
nothing to filter.
Signed-off-by: Paul Chaignon <paul.chaignon at gmail.com>
---
filter_seccomp.c | 9 +++++++++
number_set.c | 12 ++++++++++++
number_set.h | 4 ++++
3 files changed, 25 insertions(+)
diff --git a/filter_seccomp.c b/filter_seccomp.c
index dd3aa173..172ba216 100644
--- a/filter_seccomp.c
+++ b/filter_seccomp.c
@@ -610,6 +610,15 @@ seccomp_filter_restart_operator(const struct tcb *tcp)
void
check_seccomp_filter(void)
{
+ /* Let's avoid enabling seccomp if all syscalls are traced. */
+ seccomp_filtering = !is_complete_set_array(trace_set, nsyscall_vec,
+ SUPPORTED_PERSONALITIES);
+ if (!seccomp_filtering) {
+ error_msg("Seccomp filter is requested but there is nothing "
+ "to filters. See -e trace to filter syscalls.");
+ return;
+ }
+
check_seccomp_filter_properties();
if (!seccomp_filtering)
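Review bot: The message added at L30-L31 is emitted to the user verbatim and contains a typo, "nothing to filters"; change the second fragment to `"to filter. See -e trace to filter syscalls."`. The early return at L32 leaves seccomp_filtering false, so the process presumably continues on the ordinary ptrace syscall-stop path (the more conservative mode), which makes this a notice that the -e option was requested but had no effect rather than a failure; the wording could say so, e.g. `"Seccomp filter is requested but there is nothing to filter; continuing without it."`. The body of check_seccomp_filter continues past the end of the hunk, so the effect of the pre-existing `if (!seccomp_filtering)` at L36 cannot be confirmed from here.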
diff --git a/number_set.c b/number_set.c
index 27fcb6bb..3f9e5fa7 100644
--- a/number_set.c
+++ b/number_set.c
@@ -87,6 +87,18 @@ is_complete_set(const struct number_set *const set, const unsigned int max_numbe
(get_number_setbit(set) == max_numbers));
}
+bool
+is_complete_set_array(const struct number_set *const set,
+ const unsigned int *const max_numbers,
+ const unsigned int nmemb)
+{
+ for (unsigned int i = 0; i < nmemb; ++i) {
+ if (!is_complete_set(&set[i], max_numbers[i]))
+ return false;
+ }
+ return true;
+}
+
void
add_number_to_set(const unsigned int number, struct number_set *const set)
{
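Review bot: The new function at L44-L54 has no comment stating its contract, while its semantics (per-index pairing of set[i] with max_numbers[i], vacuous truth for nmemb == 0) are exactly what the caller in filter_seccomp.c relies on to decide whether to disable seccomp. Suggest a header comment above L44: `/* Return true iff every set[i], 0 <= i < nmemb, is complete with respect to max_numbers[i]; an empty array (nmemb == 0) counts as complete. */`. The nmemb == 0 case matters because a true result disables filtering in the caller; the only visible caller passes SUPPORTED_PERSONALITIES, which is presumably non-zero, so this is a documentation point rather than a defect.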
diff --git a/number_set.h b/number_set.h
index 4011f50e..e306887d 100644
--- a/number_set.h
+++ b/number_set.h
@@ -25,6 +25,10 @@ is_number_in_set_array(unsigned int number, const struct number_set *, unsigned
extern bool
is_complete_set(const struct number_set *, unsigned int max_numbers);
+extern bool
+is_complete_set_array(const struct number_set *, const unsigned int *,
+ const unsigned int nmemb);
+
extern void
add_number_to_set(unsigned int number, struct number_set *);
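Review bot: The prototype at L66-L68 qualifies a by-value parameter as `const unsigned int nmemb`, whereas the neighbouring declarations in this header (`is_complete_set` at L65, `is_number_in_set_array` at L63) write by-value parameters without const, since the qualifier is a definition-only detail that has no effect on the declaration. For consistency with the file, drop it: `is_complete_set_array(const struct number_set *, const unsigned int *, unsigned int nmemb);`. The const on the definition in number_set.c can stay as is.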
--
2.17.1