diff options
author | Paul Moore <pmoore@redhat.com> | 2012-09-20 10:34:31 -0400 |
---|---|---|
committer | Paul Moore <pmoore@redhat.com> | 2012-09-20 14:17:37 -0400 |
commit | f2b5992e66a742ee062a457cf31fe78fa8eb0120 (patch) | |
tree | 0f3cc6ec1055152ca6ea3944b3f5453d55b6387d | |
parent | a3870f4d485367bbcfb70f7d20a8ad5d1f4d1147 (diff) | |
download | libseccomp-f2b5992e66a742ee062a457cf31fe78fa8eb0120.tar.gz |
db: fix a 64bit filter DB problem
Fix a problem when generating 64bit filters where the individual nodes
were overly connected, making some of the optimizations ineffective.
This fix should result in smaller filters on 64bit systems that use
syscall argument filtering.
The examples below were taken from the 08-subtree-checks test.
Before this patch (incorrect):
# filter code for syscall #1006 (priority: 65529)
if ($syscall != 1006) goto syscal_1006_end;
if ($a1.hi32 == 0)
if ($a1.lo32 == 1)
if ($a2.hi32 == 0)
if ($a2.lo32 == 2)
action ALLOW;
else
action ALLOW;
else
if ($a2.hi32 == 0)
if ($a2.lo32 == 0)
action ALLOW;
syscall_1006_end:
After this patch (correct):
# filter code for syscall #1006 (priority: 65531)
if ($syscall != 1006) goto syscal_1006_end;
if ($a1.hi32 == 0)
if ($a1.lo32 == 1)
if ($a2.hi32 == 0)
if ($a2.lo32 == 2)
action ALLOW;
else
action ALLOW;
syscall_1006_end:
Signed-off-by: Paul Moore <pmoore@redhat.com>
-rw-r--r-- | src/db.c | 9 |
1 files changed, 3 insertions, 6 deletions
@@ -598,15 +598,12 @@ static struct db_sys_list *_db_rule_gen_64(const struct arch_def *arch, memset(c_iter_lo, 0, sizeof(*c_iter_lo)); c_iter_lo->refcnt = 1; - /* link the hi node to the previous level */ - if (c_prev_hi != NULL) { + /* link this level to the previous level */ + if (c_prev_lo != NULL) { if (tf_flag) c_prev_lo->nxt_t = c_iter_hi; - else { - c_iter_hi->refcnt++; - c_prev_hi->nxt_f = c_iter_hi; + else c_prev_lo->nxt_f = c_iter_hi; - } } else s_new->chains = c_iter_hi; s_new->node_cnt += 2; |