If the trace_set set is complete (no syscalls are filtered), seccomp
filtering is disabled. This patch adds a new is_complete_set_array
function to check whether all sets of a set array are complete.
* number_set.c (is_complete_set_array): New function.
* number_set.h (is_complete_set_array): New prototype.
* filter_seccomp.c (check_seccomp_filter): Skip seccomp setup if there is
nothing to filter.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
void
check_seccomp_filter(void)
{
+ /* Let's avoid enabling seccomp if all syscalls are traced. */
+ seccomp_filtering = !is_complete_set_array(trace_set, nsyscall_vec,
+ SUPPORTED_PERSONALITIES);
+ if (!seccomp_filtering) {
+ error_msg("Seccomp filter is requested "
+ "but there are no syscalls to filter. "
+ "See -e trace to filter syscalls.");
+ return;
+ }
+
check_seccomp_filter_properties();
if (!seccomp_filtering)
(get_number_setbit(set) == max_numbers));
}
+bool
+is_complete_set_array(const struct number_set *const set,
+ const unsigned int *const max_numbers,
+ const unsigned int nmemb)
+{
+ for (unsigned int i = 0; i < nmemb; ++i) {
+ if (!is_complete_set(&set[i], max_numbers[i]))
+ return false;
+ }
+ return true;
+}
+
void
add_number_to_set(const unsigned int number, struct number_set *const set)
{
extern bool
is_complete_set(const struct number_set *, unsigned int max_numbers);
+extern bool
+is_complete_set_array(const struct number_set *, const unsigned int *,
+ const unsigned int nmemb);
+
extern void
add_number_to_set(unsigned int number, struct number_set *);