[PATCH v6 2/3] filter_seccomp: skip seccomp setup when there's nothing to filter

Dmitry V. Levin ldv at altlinux.org
Sun Sep 22 21:02:52 UTC 2019


On Sun, Sep 22, 2019 at 10:13:46PM +0200, Paul Chaignon wrote:
> If the trace_set set is complete (no syscalls are filtered), seccomp
> filtering is disabled.  This patch adds a new is_complete_set_array
> function to check whether all sets of a set array are complete.
> 
> * number_set.c (is_complete_set_array): New function.
> * number_set.h (is_complete_set_array): New prototype.
> * filter_seccomp.c (check_seccomp_filter): Skip seccomp setup if there is
> nothing to filter.
> 
> Signed-off-by: Paul Chaignon <paul.chaignon at gmail.com>
> ---
>  filter_seccomp.c |  9 +++++++++
>  number_set.c     | 12 ++++++++++++
>  number_set.h     |  4 ++++
>  3 files changed, 25 insertions(+)
> 
> diff --git a/filter_seccomp.c b/filter_seccomp.c
> index dd3aa173..172ba216 100644
> --- a/filter_seccomp.c
> +++ b/filter_seccomp.c
> @@ -610,6 +610,15 @@ seccomp_filter_restart_operator(const struct tcb *tcp)
>  void
>  check_seccomp_filter(void)
>  {
> +	/* Let's avoid enabling seccomp if all syscalls are traced. */
> +	seccomp_filtering = !is_complete_set_array(trace_set, nsyscall_vec,
> +						   SUPPORTED_PERSONALITIES);
> +	if (!seccomp_filtering) {
> +		error_msg("Seccomp filter is requested but there is nothing "
> +			  "to filters. See -e trace to filter syscalls.");
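
Review bot: The assignment to seccomp_filtering at the top of check_seccomp_filter() is unconditional, so the "Seccomp filter is requested" message is accurate only if callers invoke this function solely when seccomp filtering was actually asked for. The visible lines do not show that guard. Either state the precondition in the comment above the assignment or test the previous value of seccomp_filtering before overwriting it. The message text also needs fixing: "nothing to filters" is ungrammatical, and since the string is split across two literals, check after rewording that the space at the join is still there.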

... but there are no syscalls to filter.


-- 
ldv