all: block negative syscall numbers from the filter

We use negative syscalls numbers to indicate syscalls that aren't supported by a certain arch/ABI and unfortunately there were cases where these bogus syscall values were finding their way into the filter. This patch corrects this and adds a new test to check for this in the future. Reported-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: Paul Moore <pmoore@redhat.com>
author: Paul Moore <pmoore@redhat.com> 2015-08-24 18:05:05 -0400
committer: Paul Moore <pmoore@redhat.com> 2015-08-27 15:32:59 -0400
commit: 51c46f80c1edee863bbc4eb21b03decc44e69a45 (patch)
tree: f31f9fa56c7657f52055ab88c070f69b3c80667a /src/arch.h
parent: 1d63fad4a064b80e0b921b16ed419f3342337ed4 (diff)
download: libseccomp-51c46f80c1edee863bbc4eb21b03decc44e69a45.tar.gz
1 files changed, 1 insertions, 2 deletions
diff --git a/src/arch.h b/src/arch.h
index aa3158c..84e54e5 100644
--- a/src/arch.h
+++ b/src/arch.h
@@ -90,8 +90,7 @@ int arch_syscall_resolve_name(const struct arch_def *arch, const char *name);
 const char *arch_syscall_resolve_num(const struct arch_def *arch, int num);
 
 int arch_syscall_translate(const struct arch_def *arch, int *syscall);
-int arch_syscall_rewrite(const struct arch_def *arch, bool strict,
-			 int *syscall);
+int arch_syscall_rewrite(const struct arch_def *arch, int *syscall);
 
 int arch_filter_rewrite(const struct arch_def *arch,
 			bool strict, int *syscall, struct db_api_arg *chain);
author	Paul Moore <pmoore@redhat.com>	2015-08-24 18:05:05 -0400
committer	Paul Moore <pmoore@redhat.com>	2015-08-27 15:32:59 -0400
commit	51c46f80c1edee863bbc4eb21b03decc44e69a45 (patch)
tree	f31f9fa56c7657f52055ab88c070f69b3c80667a /src/arch.h
parent	1d63fad4a064b80e0b921b16ed419f3342337ed4 (diff)
download	libseccomp-51c46f80c1edee863bbc4eb21b03decc44e69a45.tar.gz