In order to add architectures with byte ordering that differs from the native architecture it is necessary to remove all architectures from a filter.
Signed-off-by: Paul Moore <[email protected]> --- doc/man/man3/seccomp_arch_add.3 | 12 ++++++------ src/api.c | 5 +---- src/db.c | 27 ++++++++++++++++++--------- 3 files changed, 25 insertions(+), 19 deletions(-) diff --git a/doc/man/man3/seccomp_arch_add.3 b/doc/man/man3/seccomp_arch_add.3 index fd1da55..f03376d 100644 --- a/doc/man/man3/seccomp_arch_add.3 +++ b/doc/man/man3/seccomp_arch_add.3 @@ -1,4 +1,4 @@ -.TH "seccomp_arch_add" 3 "26 November 2012" "[email protected]" "libseccomp Documentation" +.TH "seccomp_arch_add" 3 "16 April 2014" "[email protected]" "libseccomp Documentation" .\" ////////////////////////////////////////////////////////////////////////// .SH NAME .\" ////////////////////////////////////////////////////////////////////////// @@ -50,11 +50,11 @@ constants. .P When a seccomp filter is initialized with the call to .BR seccomp_init (3) -the native architecture is automatically added to the filter. If you want to -remove the native architecture from the filter, you first need to add another -architecture to the filter as a seccomp filter must contain at least one -architecture at all times. After you have added a second architecture to the -seccomp filter, you can remove the native architecture. +the native architecture is automatically added to the filter. +.P +While it is possible to remove all architectures from a filter, most of the +libseccomp APIs will fail if the filter does not contain at least one +architecture. .P When adding a new architecture to an existing filter, the existing rules will not be added to the new architecture. However, rules added after adding the diff --git a/src/api.c b/src/api.c index 198eb4e..ec01fb9 100644 --- a/src/api.c +++ b/src/api.c @@ -102,7 +102,7 @@ API int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action) struct db_filter_col *col = (struct db_filter_col *)ctx; struct db_filter *db; - if (db_col_valid(col) || db_action_valid(def_action) < 0) + if (ctx == NULL || db_action_valid(def_action) < 0) return -EINVAL; db_col_reset(col, def_action); @@ -120,9 +120,6 @@ API int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action) /* NOTE - function header comment in include/seccomp.h */ API void seccomp_release(scmp_filter_ctx ctx) { - if (_ctx_valid(ctx)) - return; - db_col_release((struct db_filter_col *)ctx); } diff --git a/src/db.c b/src/db.c index 7d1fbde..8694bac 100644 --- a/src/db.c +++ b/src/db.c @@ -389,7 +389,8 @@ void db_col_reset(struct db_filter_col *col, uint32_t def_action) for (iter = 0; iter < col->filter_cnt; iter++) db_release(col->filters[iter]); col->filter_cnt = 0; - free(col->filters); + if (col->filters) + free(col->filters); col->filters = NULL; /* set the endianess to undefined */ @@ -460,7 +461,7 @@ void db_col_release(struct db_filter_col *col) */ int db_col_valid(struct db_filter_col *col) { - if (col != NULL && col->state == _DB_STA_VALID) + if (col != NULL && col->state == _DB_STA_VALID && col->filter_cnt > 0) return 0; return -EINVAL; } @@ -654,7 +655,7 @@ int db_col_db_remove(struct db_filter_col *col, uint32_t arch_token) unsigned int found; struct db_filter **dbs; - if ((col->filter_cnt <= 1) || (db_col_arch_exist(col, arch_token) == 0)) + if ((col->filter_cnt <= 0) || (db_col_arch_exist(col, arch_token) == 0)) return -EINVAL; for (found = 0, iter = 0; iter < col->filter_cnt; iter++) { @@ -667,12 +668,20 @@ int db_col_db_remove(struct db_filter_col *col, uint32_t arch_token) } col->filters[--col->filter_cnt] = NULL; - /* NOTE: if we can't do the realloc it isn't fatal, we just have some - * extra space that will get cleaned up later */ - dbs = realloc(col->filters, - sizeof(struct db_filter *) * col->filter_cnt); - if (dbs != NULL) - col->filters = dbs; + if (col->filters > 0) { + /* NOTE: if we can't do the realloc it isn't fatal, we just + * have some extra space allocated */ + dbs = realloc(col->filters, + sizeof(struct db_filter *) * col->filter_cnt); + if (dbs != NULL) + col->filters = dbs; + } else { + /* this was the last filter so free all the associated memory + * and reset the endian token */ + free(col->filters); + col->filters = NULL; + col->endian = 0; + } return 0; } ------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/NeoTech _______________________________________________ libseccomp-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
