From: Paul Chaignon
Date: Mon, 1 Jul 2019 19:14:15 +0000 (+0200)
Subject: filter_seccomp: skip seccomp setup when there's nothing to filter
X-Git-Tag: v5.3~6
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b238e7b9b94005a2ddcf32636bf7761bcf06bf2f;p=strace
filter_seccomp: skip seccomp setup when there's nothing to filter
If the trace_set set is complete (no syscalls are filtered), seccomp filtering is disabled.
This patch adds a new is_complete_set_array function to check whether all sets of a set array are complete.
* number_set.c (is_complete_set_array): New function.
* number_set.h (is_complete_set_array): New prototype.
* filter_seccomp.c (check_seccomp_filter): Skip seccomp setup if there is nothing to filter.
Signed-off-by: Paul Chaignon
---
diff --git a/filter_seccomp.c b/filter_seccomp.c
index dd3aa173..fc582654 100644
--- a/filter_seccomp.c
+++ b/filter_seccomp.c
@@ -610,6 +610,16 @@ seccomp_filter_restart_operator(const struct tcb *tcp)
 void
 check_seccomp_filter(void)
 {
+ /* Let's avoid enabling seccomp if all syscalls are traced. */
+ seccomp_filtering = !is_complete_set_array(trace_set, nsyscall_vec,
+ SUPPORTED_PERSONALITIES);
+ if (!seccomp_filtering) {
+ error_msg("Seccomp filter is requested "
+ "but there are no syscalls to filter. "
+ "See -e trace to filter syscalls.");
+ return;
+ }
+
 check_seccomp_filter_properties();
 if (!seccomp_filtering)
diff --git a/number_set.c b/number_set.c
index 27fcb6bb..3f9e5fa7 100644
--- a/number_set.c
+++ b/number_set.c
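Review bot: The completeness check and early return sit before `check_seccomp_filter_properties()`, so on a kernel or build where seccomp cannot be used at all, a user who also traces every syscall gets only the "no syscalls to filter" diagnostic and never the result of the property check; if that check carries the more actionable message, running it first and applying the completeness test afterwards avoids masking it. The condition is non-fatal — the function returns with seccomp_filtering left false and tracing apparently continues without the BPF filter — yet it is reported through `error_msg`; whichever severity is intended, the comment should state the consequence rather than the motivation: `/* Every syscall is traced anyway, so a BPF filter would have nothing to skip; leave seccomp_filtering false and keep plain ptrace tracing. */`. Note that is_complete_set_array() is vacuously true for nmemb == 0, so this check relies on SUPPORTED_PERSONALITIES being at least 1. The remainder of check_seccomp_filter continues outside the hunk.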
@@ -87,6 +87,18 @@ is_complete_set(const struct number_set *const set, const unsigned int max_numbe
 (get_number_setbit(set) == max_numbers));
 }
+bool
+is_complete_set_array(const struct number_set *const set,
+ const unsigned int *const max_numbers,
+ const unsigned int nmemb)
+{
+ for (unsigned int i = 0; i < nmemb; ++i) {
+ if (!is_complete_set(&set[i], max_numbers[i]))
+ return false;
+ }
+ return true;
+}
+
 void
 add_number_to_set(const unsigned int number, struct number_set *const set)
 {
diff --git a/number_set.h b/number_set.h
index 4011f50e..e306887d 100644
--- a/number_set.h
+++ b/number_set.h
@@ -25,6 +25,10 @@ is_number_in_set_array(unsigned int number, const struct number_set *, unsigned
 extern bool
 is_complete_set(const struct number_set *, unsigned int max_numbers);
+extern bool
+is_complete_set_array(const struct number_set *, const unsigned int *,
+ const unsigned int nmemb);
+
 extern void
 add_number_to_set(unsigned int number, struct number_set *);
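Review bot: is_complete_set_array() in number_set.c has no header comment and its edge cases are left implicit: it is vacuously true for nmemb == 0, and it indexes both set[i] and max_numbers[i] for every i below nmemb with no NULL check, so callers must guarantee both arrays hold at least nmemb entries. A short comment above the definition would pin that contract: `/* Return true iff each of the nmemb sets is complete with respect to the matching max_numbers entry (vacuously true when nmemb == 0); set and max_numbers must each hold at least nmemb elements. */`. The name parallels is_number_in_set_array(), which suggests the two should share the same NULL and empty-array conventions — worth confirming against that function, which is not in this hunk.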