author | Lennart Poettering <lennart@poettering.net> | 2017-09-10 19:10:29 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2017-09-11 18:00:07 +0200 |
commit | 69b1b241bb8ad504f11e9eec4f2bceb5da0e1100 (patch) | |
tree | f289d982f9a50bfd37d9581620698042b6b364e7 /src/shared | |
parent | 12dc37890254adf852439eb46ebb154fb3e37b41 (diff) | |
download | systemd-69b1b241bb8ad504f11e9eec4f2bceb5da0e1100.tar.gz |
seccomp: split out inner loop code of seccomp_add_syscall_filter_set()
Let's add a new helper function seccomp_add_syscall_filter_item() that
contains the inner loop code of seccomp_add_syscall_filter_set(). We can
then export this helper function and make use of it elsewhere.
Diffstat (limited to 'src/shared')
-rw-r--r-- | src/shared/seccomp-util.c | 59 | ||||
-rw-r--r-- | src/shared/seccomp-util.h | 2 |
2 files changed, 39 insertions, 22 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 88e8af3fef..1215f714f1 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -682,6 +682,40 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name) {
 return NULL;
 }
+static int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action);
+
+int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, uint32_t action) {
+ int r;
+
+ assert(seccomp);
+ assert(name);
+
+ if (name[0] == '@') {
+ const SyscallFilterSet *other;
+
+ other = syscall_filter_set_find(name);
+ if (!other)
+ return -EINVAL;
+
+ r = seccomp_add_syscall_filter_set(seccomp, other, action);
+ if (r < 0)
+ return r;
+ } else {
+ int id;
+
+ id = seccomp_syscall_resolve_name(name);
+ if (id == __NR_SCMP_ERROR)
+ return -EINVAL; /* Not known at all? Then that's a real error */
+
+ r = seccomp_rule_add_exact(seccomp, action, id, 0);
+ if (r < 0)
+ /* If the system call is not known on this architecture, then that's fine, let's ignore it */
+ log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m", name, id);
+ }
+
+ return 0;
+}
+
 static int seccomp_add_syscall_filter_set(
 scmp_filter_ctx seccomp,
 const SyscallFilterSet *set,
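Review bot: The `if (r < 0)` branch after `seccomp_rule_add_exact()` in the new `seccomp_add_syscall_filter_item()` swallows every failure, not only the "not known on this architecture" case its comment describes, so -ENOMEM, -EINVAL or any other libseccomp error leaves the filter without a rule the caller asked for while the function still returns 0. With a deny-style `action` that makes the unit's filter fail open on that syscall, and with an allow-list it fails closed; neither should be silent. libseccomp's seccomp_rule_add(3) documents the per-architecture case as -EDOM (worth confirming against the version systemd builds against), so the branch should ignore only that and propagate everything else, as in the rewrite below. The "@" set expansion and the -EINVAL for an unresolvable name are unchanged from the old loop and look right.
```c
                r = seccomp_rule_add_exact(seccomp, action, id, 0);
                if (r < 0) {
                        /* -EDOM: the system call does not exist on this architecture, which is fine.
                         * Anything else means a requested rule is missing from the filter: fail loudly. */
                        if (r != -EDOM) {
                                log_debug_errno(r, "Failed to add rule for system call %s() / %d: %m", name, id);
                                return r;
                        }

                        log_debug_errno(r, "System call %s() / %d not available on this architecture, ignoring: %m", name, id);
                }
```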
@@ -694,28 +728,9 @@ static int seccomp_add_syscall_filter_set(
 assert(set);
 NULSTR_FOREACH(sys, set->value) {
- int id;
-
- if (sys[0] == '@') {
- const SyscallFilterSet *other;
-
- other = syscall_filter_set_find(sys);
- if (!other)
- return -EINVAL;
-
- r = seccomp_add_syscall_filter_set(seccomp, other, action);
- if (r < 0)
- return r;
- } else {
- id = seccomp_syscall_resolve_name(sys);
- if (id == __NR_SCMP_ERROR)
- return -EINVAL; /* Not known at all? Then that's a real error */
-
- r = seccomp_rule_add_exact(seccomp, action, id, 0);
- if (r < 0)
- /* If the system call is not known on this architecture, then that's fine, let's ignore it */
- log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m", sys, id);
- }
+ r = seccomp_add_syscall_filter_item(seccomp, sys, action);
+ if (r < 0)
+ return r;
 }
 return 0;
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index ca43ba8659..894c53e6fd 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -69,6 +69,8 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name);
 int seccomp_filter_set_add(Set *s, bool b, const SyscallFilterSet *set);
+int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action);
+
 int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
 int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Set* set, uint32_t action); |
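Review bot: The new call `seccomp_add_syscall_filter_item(seccomp, sys, action)` hands over `seccomp`, which seccomp_add_syscall_filter_set() declares as `scmp_filter_ctx` (its signature starts above this hunk), to a parameter declared `scmp_filter_ctx *`, one level of indirection apart; the callee then passes that same value back into `seccomp_add_syscall_filter_set()` and `seccomp_rule_add_exact()`, which take `scmp_filter_ctx` again. No diagnostic fires only because `scmp_filter_ctx` is, in upstream libseccomp, a `void *` typedef, so the compiler cannot see the mismatch and neither will the next reader. Declaring the helper as `int seccomp_add_syscall_filter_item(scmp_filter_ctx seccomp, const char *name, uint32_t action)` in both the definition and the header makes the types match the caller and libseccomp. The `r < 0` early return itself is fine: a bad "@" reference in a set table still aborts the whole set, as before.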
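Review bot: The newly exported prototype `seccomp_add_syscall_filter_item()` carries no comment, and its contract cannot be read off the signature: `name` is either a bare system call name or an "@set" reference that is expanded recursively, an unresolvable name yields -EINVAL, and a system call libseccomp refuses to add on the running architecture is only logged at debug level before 0 is returned. A one-paragraph comment above the declaration saying that much, and in particular that a 0 return does not guarantee a rule was installed, would keep external callers from treating the result as a hard guarantee. The parameter is named `ctx` here but `seccomp` in the definition in seccomp-util.c; the header should use the same name so the two declarations read as one.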