diff options
-rw-r--r-- | doc/man/man3/seccomp_arch_add.3 | 12 | ||||
-rw-r--r-- | src/api.c | 5 | ||||
-rw-r--r-- | src/db.c | 27 |
3 files changed, 25 insertions, 19 deletions
diff --git a/doc/man/man3/seccomp_arch_add.3 b/doc/man/man3/seccomp_arch_add.3 index fd1da55..f03376d 100644 --- a/doc/man/man3/seccomp_arch_add.3 +++ b/doc/man/man3/seccomp_arch_add.3 @@ -1,4 +1,4 @@ -.TH "seccomp_arch_add" 3 "26 November 2012" "paul@paul-moore.com" "libseccomp Documentation" +.TH "seccomp_arch_add" 3 "16 April 2014" "paul@paul-moore.com" "libseccomp Documentation" .\" ////////////////////////////////////////////////////////////////////////// .SH NAME .\" ////////////////////////////////////////////////////////////////////////// @@ -50,11 +50,11 @@ constants. .P When a seccomp filter is initialized with the call to .BR seccomp_init (3) -the native architecture is automatically added to the filter. If you want to -remove the native architecture from the filter, you first need to add another -architecture to the filter as a seccomp filter must contain at least one -architecture at all times. After you have added a second architecture to the -seccomp filter, you can remove the native architecture. +the native architecture is automatically added to the filter. +.P +While it is possible to remove all architectures from a filter, most of the +libseccomp APIs will fail if the filter does not contain at least one +architecture. .P When adding a new architecture to an existing filter, the existing rules will not be added to the new architecture. However, rules added after adding the @@ -102,7 +102,7 @@ API int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action) struct db_filter_col *col = (struct db_filter_col *)ctx; struct db_filter *db; - if (db_col_valid(col) || db_action_valid(def_action) < 0) + if (ctx == NULL || db_action_valid(def_action) < 0) return -EINVAL; db_col_reset(col, def_action); @@ -120,9 +120,6 @@ API int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action) /* NOTE - function header comment in include/seccomp.h */ API void seccomp_release(scmp_filter_ctx ctx) { - if (_ctx_valid(ctx)) - return; - db_col_release((struct db_filter_col *)ctx); } @@ -389,7 +389,8 @@ void db_col_reset(struct db_filter_col *col, uint32_t def_action) for (iter = 0; iter < col->filter_cnt; iter++) db_release(col->filters[iter]); col->filter_cnt = 0; - free(col->filters); + if (col->filters) + free(col->filters); col->filters = NULL; /* set the endianess to undefined */ @@ -460,7 +461,7 @@ void db_col_release(struct db_filter_col *col) */ int db_col_valid(struct db_filter_col *col) { - if (col != NULL && col->state == _DB_STA_VALID) + if (col != NULL && col->state == _DB_STA_VALID && col->filter_cnt > 0) return 0; return -EINVAL; } @@ -654,7 +655,7 @@ int db_col_db_remove(struct db_filter_col *col, uint32_t arch_token) unsigned int found; struct db_filter **dbs; - if ((col->filter_cnt <= 1) || (db_col_arch_exist(col, arch_token) == 0)) + if ((col->filter_cnt <= 0) || (db_col_arch_exist(col, arch_token) == 0)) return -EINVAL; for (found = 0, iter = 0; iter < col->filter_cnt; iter++) { @@ -667,12 +668,20 @@ int db_col_db_remove(struct db_filter_col *col, uint32_t arch_token) } col->filters[--col->filter_cnt] = NULL; - /* NOTE: if we can't do the realloc it isn't fatal, we just have some - * extra space that will get cleaned up later */ - dbs = realloc(col->filters, - sizeof(struct db_filter *) * col->filter_cnt); - if (dbs != NULL) - col->filters = dbs; + if (col->filters > 0) { + /* NOTE: if we can't do the realloc it isn't fatal, we just + * have some extra space allocated */ + dbs = realloc(col->filters, + sizeof(struct db_filter *) * col->filter_cnt); + if (dbs != NULL) + col->filters = dbs; + } else { + /* this was the last filter so free all the associated memory + * and reset the endian token */ + free(col->filters); + col->filters = NULL; + col->endian = 0; + } return 0; } |