security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 25 Wiki Activity

helper/seccomp: do not call F_println if not verbose
All checks were successful
Test / Create distribution (push) Successful in 1m42s
Details
Test / Run NixOS test (push) Successful in 3m34s
Details

Browse Source 
This (slightly) improves performance.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-01-25 13:19:38 +09:00
parent 163f15e93f
commit 7b96cd6ded
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
4 changed files with 17 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
helper/bwrap/seccomp-resolve.go → helper/bwrap/seccomp.go
View File

2
helper/seccomp/seccomp-export.c
View File

@ -28,7 +28,7 @@ struct f_syscall_act {
#define LEN(arr) (sizeof(arr) / sizeof((arr)[0])) #define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
#define SECCOMP_RULESET_ADD(ruleset) do { \ #define SECCOMP_RULESET_ADD(ruleset) do { \
F_println("adding seccomp ruleset \"" #ruleset "\""); \ if (opts & F_VERBOSE) F_println("adding seccomp ruleset \"" #ruleset "\""); \
for (int i = 0; i < LEN(ruleset); i++) { \ for (int i = 0; i < LEN(ruleset); i++) { \
assert(ruleset[i].m_errno == EPERM || ruleset[i].m_errno == ENOSYS); \ assert(ruleset[i].m_errno == EPERM || ruleset[i].m_errno == ENOSYS); \
\ \

17
helper/seccomp/seccomp-export.h
View File

@ -8,14 +8,15 @@
#endif #endif
typedef enum { typedef enum {
F_EXT = 1 << 0, F_VERBOSE = 1 << 0,
F_DENY_NS = 1 << 1, F_EXT = 1 << 1,
F_DENY_TTY = 1 << 2, F_DENY_NS = 1 << 2,
F_DENY_DEVEL = 1 << 3, F_DENY_TTY = 1 << 3,
F_MULTIARCH = 1 << 4, F_DENY_DEVEL = 1 << 4,
F_LINUX32 = 1 << 5, F_MULTIARCH = 1 << 5,
F_CAN = 1 << 6, F_LINUX32 = 1 << 6,
F_BLUETOOTH = 1 << 7, F_CAN = 1 << 7,
F_BLUETOOTH = 1 << 8,
} f_syscall_opts; } f_syscall_opts;
extern void F_println(char *v); extern void F_println(char *v);

7
helper/seccomp/seccomp.go
View File

@ -28,6 +28,7 @@ var resErr = [...]error{
type SyscallOpts = C.f_syscall_opts type SyscallOpts = C.f_syscall_opts
const ( const (
flagVerbose SyscallOpts = C.F_VERBOSE
FlagExt SyscallOpts = C.F_EXT FlagExt SyscallOpts = C.F_EXT
FlagDenyNS SyscallOpts = C.F_DENY_NS FlagDenyNS SyscallOpts = C.F_DENY_NS
FlagDenyTTY SyscallOpts = C.F_DENY_TTY FlagDenyTTY SyscallOpts = C.F_DENY_TTY
@ -64,6 +65,12 @@ func exportFilter(fd uintptr, opts SyscallOpts) error {
multiarch = C.SCMP_ARCH_ARM multiarch = C.SCMP_ARCH_ARM
} }
// this removes repeated transitions between C and Go execution
// when producing log output via F_println and CPrintln is nil
if CPrintln != nil {
opts |= flagVerbose
}
res, err := C.f_export_bpf(C.int(fd), arch, multiarch, opts) res, err := C.f_export_bpf(C.int(fd), arch, multiarch, opts)
if re := resErr[res]; re != nil { if re := resErr[res]; re != nil {
if err == nil { if err == nil {