
filter_seccomp: skip seccomp setup when there's nothing to filter

If trace_set is complete (no syscalls are filtered out), seccomp
filtering is disabled.  This patch adds a new is_complete_set_array
function to check whether all sets of a set array are complete.

* number_set.c (is_complete_set_array): New function.
* number_set.h (is_complete_set_array): New prototype.
* filter_seccomp.c (check_seccomp_filter): Skip seccomp setup if there is
nothing to filter.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Paul Chaignon 4 months ago
parent
commit
b238e7b9b9
3 changed files with 26 additions and 0 deletions
  1. 10
    0
      filter_seccomp.c
  2. 12
    0
      number_set.c
  3. 4
    0
      number_set.h

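--- a/filter_seccomp.c
+++ b/filter_seccomp.c
@@ -610,6 +610,16 @@ seccomp_filter_restart_operator(const struct tcb *tcp)
 void
 check_seccomp_filter(void)
 {
+	/* Let's avoid enabling seccomp if all syscalls are traced. */
+	seccomp_filtering = !is_complete_set_array(trace_set, nsyscall_vec,
+						   SUPPORTED_PERSONALITIES);
+	if (!seccomp_filtering) {
+		error_msg("Seccomp filter is requested "
+			  "but there are no syscalls to filter.  "
+			  "See -e trace to filter syscalls.");
+		return;
+	}
+
 	check_seccomp_filter_properties();
 
 	if (!seccomp_filtering)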
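Review bot: The comment at the top of the inserted block says what is avoided but not why it is harmless or what happens instead, and because check_seccomp_filter continues past the hunk it is easy to miss that `seccomp_filtering` is cleared here and `check_seccomp_filter_properties()` is never reached on this path. Suggest `/* If every syscall is traced, a filter could never let one through, so clear seccomp_filtering and skip the properties check: tracing presumably continues without seccomp. */`. The message goes through error_msg although the condition is a disabled optimisation rather than a failure, so the wording could say that strace carries on, e.g. `"Seccomp filter is requested but there are no syscalls to filter; proceeding without it.  See -e trace to filter syscalls."`. The call also relies on nsyscall_vec holding at least SUPPORTED_PERSONALITIES entries, which its declaration outside this hunk presumably guarantees.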

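--- a/number_set.c
+++ b/number_set.c
@@ -87,6 +87,18 @@ is_complete_set(const struct number_set *const set, const unsigned int max_numbe
 		       (get_number_setbit(set) == max_numbers));
 }
 
+bool
+is_complete_set_array(const struct number_set *const set,
+		      const unsigned int *const max_numbers,
+		      const unsigned int nmemb)
+{
+	for (unsigned int i = 0; i < nmemb; ++i) {
+		if (!is_complete_set(&set[i], max_numbers[i]))
+			return false;
+	}
+	return true;
+}
+
 void
 add_number_to_set(const unsigned int number, struct number_set *const set)
 {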
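Review bot: is_complete_set_array lands without a comment, although its contract — that `max_numbers[i]` is the bound for `set[i]`, and that an empty array is reported as complete — is not obvious from the loop alone. Suggest a header comment above the definition: `/* Return true iff each of the nmemb sets in set[] is complete with respect to the corresponding max_numbers[i]; vacuously true when nmemb == 0. */`. The loop returns on the first incomplete set, so a caller cannot learn which element failed; that is fine for a yes/no check but worth stating if the helper is meant for wider use.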

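--- a/number_set.h
+++ b/number_set.h
@@ -25,6 +25,10 @@ is_number_in_set_array(unsigned int number, const struct number_set *, unsigned
 extern bool
 is_complete_set(const struct number_set *, unsigned int max_numbers);
 
+extern bool
+is_complete_set_array(const struct number_set *, const unsigned int *,
+		      const unsigned int nmemb);
+
 extern void
 add_number_to_set(unsigned int number, struct number_set *);
 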
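Review bot: The new prototype mixes styles with its neighbours: `is_complete_set(const struct number_set *, unsigned int max_numbers)` names the scalar parameter and leaves the by-value parameter unqualified, whereas the new declaration names only the third parameter and gives it `const`, which has no effect in a prototype. Suggest `is_complete_set_array(const struct number_set *, const unsigned int *max_numbers, unsigned int nmemb);` so the header reads uniformly and the role of the array parameter is visible to callers.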
 
