On Wednesday, February 13, 2013 11:42:58 PM [email protected] wrote:
> From: Vitaly _Vi Shukela <[email protected]>
In general, see my earlier comments about patch 1/3 as they impact this patch
too; other comments below ...
> diff --git a/doc/man/man3/seccomp_rule_add.3
> b/doc/man/man3/seccomp_rule_add.3 index eeb61dc..17408b8 100644
> --- a/doc/man/man3/seccomp_rule_add.3
> +++ b/doc/man/man3/seccomp_rule_add.3
> @@ -27,6 +27,19 @@ seccomp_rule_add, seccomp_rule_add_exact \- Add a seccomp
> .BI "int seccomp_rule_add_exact(scmp_filter_ctx " ctx " ...
> .BI " int " syscall ", ...
> .sp
> +.BI "int seccomp_rule_add_valist(scmp_filter_ctx " ctx ", "
> +.BI " uint32_t " action ", int " syscall ", unsigned int "
> arg_cnt ", " +.BI " va_list " arg_list ");"
> +.BI "int seccomp_rule_add_valist_exact(scmp_filter_ctx " ctx ", uint32_t "
> action "," +.BI " int " syscall ", unsigned int " arg_cnt ","
> +.BI " va_list " arg_list ");"
> +.BI "int seccomp_rule_add_array(scmp_filter_ctx " ctx ","
> +.BI " uint32_t " action ", int " syscall ", unsigned int "
> arg_cnt ", " +.BI " const struct scmp_arg_cmp *" arg_array ");"
> +.BI "int seccomp_rule_add_array_exact(scmp_filter_ctx " ctx ","
> +.BI " uint32_t " action ", int " syscall ", unsigned int "
> arg_cnt "," +.BI " const struct scmp_arg_cmp *" arg_array ");"
> +.sp
Since the _array() functions require that users populate the scmp_arg_cmp
struct manually I think it would be a good idea to describe the structure in
this manpage up where we describe the scmp_filter_ctx typedef.
> Link with \fI\-lseccomp\fP.
> .fi
> .\"
> //////////////////////////////////////////////////////////////////////////
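Review bot: the four new .BI prototype entries wrap at different points and use different separators: seccomp_rule_add_valist breaks after `ctx ", "` while seccomp_rule_add_valist_exact breaks after `action ","`, and the trailing separator alternates between `", "` and `","`, so the SYNOPSIS will render the four functions with inconsistent spacing. Use one layout for all four, following the line breaks of the existing seccomp_rule_add_exact entry just above.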
> @@ -49,6 +62,16 @@ filter ruleset,
> .BR seccomp_rule_add ()
> does guarantee the same behavior regardless of the architecture.
> .P
> +There are also variants of adding functions that take va_list
> +or array of structs:
> +.BR seccomp_rule_add_valist ()
> +,
> +.BR seccomp_rule_add_valist_exact ()
> +,
> +.BR seccomp_rule_add_array ()
> +and
> +.BR seccomp_rule_add_array_exact ()
> +.P
I think it would be good to be a bit more explicit here and explain how the
_array() functions act the same as their non-array counterparts, only
differing in how the argument comparisons are specified.
> The newly added filter rule does not take effect until the entire filter is
> loaded into the kernel using
> .BR seccomp_load (3).
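Review bot: the new paragraph names the variants but omits the calling contract a reader needs before using them: that arg_cnt is the number of comparisons supplied, that for the _valist() variants the caller initialises arg_list with va_start() before the call (and the text should say whether caller or callee is responsible for va_end()), and that for the _array() variants arg_array must point at at least arg_cnt entries of struct scmp_arg_cmp. Also, the commas and `and` placed on their own lines after `.BR seccomp_rule_add_valist ()` render with a space before the comma; write them as `.BR seccomp_rule_add_valist (),` so the punctuation stays attached, and end the sentence with a full stop before `.P`.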
> @@ -235,8 +258,9 @@ int main(int argc, char *argv[])
> if (rc < 0)
> goto out;
>
> - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
> - SCMP_CMP(0, SCMP_CMP_EQ, fd));
> + struct scmp_arg_cmp comparations[1] = { SCMP_CMP(0, SCMP_CMP_EQ, fd) };
You can use "[]" instead of "[1]".
> + rc = seccomp_rule_add_array(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
> + comparations);
> if (rc < 0)
> goto out;
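Review bot: the literal `1` passed as arg_cnt to seccomp_rule_add_array() repeats the length of `comparations` by hand, so adding a second SCMP_CMP() to the initialiser without updating the count would silently drop the extra entry; derive the count from the array, e.g. `sizeof(comparisons) / sizeof(comparisons[0])`, or keep both behind one constant. The name `comparations` is also a misspelling of `comparisons`.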
Also, don't remove the existing seccomp_rule_add() example that specified an
argument comparison, add a new one with the array version. e.g. allow write to
stderr (a0 == 2).
--
paul moore
security and virtualization @ redhat
_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss