Certain operations don't make sense with multiple architectures so we disable them only when more than one architecture has been added to the given filter.
Signed-off-by: Paul Moore <[email protected]> --- src/api.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/api.c b/src/api.c index 38c0ef3..b69880f 100644 --- a/src/api.c +++ b/src/api.c @@ -261,6 +261,9 @@ static int _seccomp_rule_add(struct db_filter_col *col, if (action == col->attr.act_default) return -EPERM; + if (strict && col->filter_cnt > 1) + return -EOPNOTSUPP; + /* collect the arguments for the filter rule */ chain_len_max = ARG_COUNT_MAX; chain = malloc(sizeof(*chain) * chain_len_max); _______________________________________________ libseccomp-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
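Review bot: The new `strict && col->filter_cnt > 1` check in `_seccomp_rule_add()` adds an `-EOPNOTSUPP` return that nothing in this patch documents; the diffstat shows only three added lines in src/api.c. Please put a short comment above the check saying why a strict rule add is refused once the collection holds more than one filter, and name the affected operation in the commit message, which currently says only "certain operations". A call with `strict` set would previously have passed this point regardless of `filter_cnt`, so the new error code should also be listed wherever this function's return values are described for callers.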
