> I submitted a patch for this last year:
> http://sourceforge.net/mailarchive/message.php?msg_id=29625574
>
> At the time I suggested the function name to be vseccomp_rule_add
> (inspired by printf and vprintf). I would do it differently today,
> maybe calling it seccomp_rule_vadd().
>
> Vitaly, please check out the link posted above; I'm still leaning towards
> passing a struct array as opposed to va_list.
>
My first patch seems to be equivalent to the first patch in the link (but with fewer commands and without documentation). My second patch actually adds an "array of structs" version (making _seccomp_rule_add accept both a va_list and an array).

But now I see that you can have only 6 rules (you can't specify multiple filters for one arg like "A0>4 && A0<10", as I thought when I was implementing the patch), so the second patch is maybe overkill. If multiple-rules-for-one-arg is going to be implemented someday, then the more generic interface for comparators starts making sense.

P.S. Implemented a command-line interface for libseccomp features: https://github.com/vi/syscall_limiter . It allows the user to set a seccomp filter (including comparators) and execve the specified program. It just uses 6 ifs and seccomp_rule_adds.
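The limit discussed above (at most one comparator per syscall argument, six arguments in total) is easy to get wrong when a rule is assembled from an array, because a pair such as "A0>4 && A0<10" looks like a range but is really two comparators on the same argument. The following is an added example, not code from this thread or from libseccomp: a preflight check that rejects such an array before it would be handed to a rule-add call. The `struct arg_cmp` layout is modelled on libseccomp's `struct scmp_arg_cmp` (arg, op, datum_a, datum_b), but the type, enum and function names here are stand-ins and the example builds without the libseccomp headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Modelled on libseccomp's struct scmp_arg_cmp (arg, op, datum_a, datum_b).
 * The names below are this example's own, not libseccomp's headers. */
typedef uint64_t datum_t;

enum cmp_op { CMP_NE, CMP_LT, CMP_LE, CMP_EQ, CMP_GE, CMP_GT, CMP_MASKED_EQ };

struct arg_cmp {
    unsigned int arg;   /* syscall argument index, 0..5 */
    enum cmp_op op;
    datum_t datum_a;
    datum_t datum_b;    /* second datum, only meaningful for CMP_MASKED_EQ */
};

#define ARG_COUNT_MAX 6 /* a syscall has at most six argument registers */

/* Result of validate_rule_args(). */
enum rule_check {
    RULE_OK = 0,
    RULE_TOO_MANY,      /* more comparators than syscall arguments */
    RULE_BAD_ARG_INDEX, /* a comparator refers to an argument beyond 5 */
    RULE_DUPLICATE_ARG  /* two comparators on one argument: a range such as
                           "A0 > 4 && A0 < 10" cannot be expressed in one rule */
};

/* Checks a comparator array before it is turned into a filter rule.
 * On RULE_BAD_ARG_INDEX or RULE_DUPLICATE_ARG, *bad_index (if non-NULL)
 * receives the position of the offending comparator in the array. */
enum rule_check validate_rule_args(const struct arg_cmp *cmps, unsigned int cnt,
                                   unsigned int *bad_index)
{
    int seen[ARG_COUNT_MAX] = {0};

    if (cnt > ARG_COUNT_MAX)
        return RULE_TOO_MANY;

    for (unsigned int i = 0; i < cnt; i++) {
        if (cmps[i].arg >= ARG_COUNT_MAX) {
            if (bad_index)
                *bad_index = i;
            return RULE_BAD_ARG_INDEX;
        }
        if (seen[cmps[i].arg]) {
            if (bad_index)
                *bad_index = i;
            return RULE_DUPLICATE_ARG;
        }
        seen[cmps[i].arg] = 1;
    }
    return RULE_OK;
}

/* The "A0 > 4 && A0 < 10" case from the discussion, constructed inline:
 * validate_rule_args() rejects it because argument 0 is used twice. */
enum rule_check check_range_example(unsigned int *bad_index)
{
    const struct arg_cmp range[] = {
        { 0, CMP_GT, 4, 0 },
        { 0, CMP_LT, 10, 0 },
    };
    return validate_rule_args(range, 2, bad_index);
}

int main(void)
{
    unsigned int bad = 0;
    enum rule_check rc = check_range_example(&bad);

    printf("range example: rc=%d, offending comparator index=%u\n", rc, bad);
    return rc == RULE_DUPLICATE_ARG ? 0 : 1;
}
```

A filter builder that runs this check first can report the exact comparator that would otherwise be silently lost or refused, instead of shipping a policy that does not mean what its author intended.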
