author | Fabricio Voznika <fvoznika@google.com> | 2018-08-24 11:38:12 -0700 |
committer | Shentubot <shentubot@google.com> | 2018-08-24 11:39:21 -0700 |
commit | 7b0dfb0cdbdcb402c000d30399dbfd2eeebe1266 (patch) | |
tree | 6897feedc9ba861525b2505c5c61f87bd9903e91 /pkg/seccomp/seccomp_rules.go | |
parent | a81a4402a265aec6715172cd3502ee7eebbf64aa (diff) |
SyscallRules merge and add were dropping AllowAny rules
PiperOrigin-RevId: 210131001
Change-Id: I285707c5143b3e4c9a6948c1d1a452b6f16e65b7
Diffstat (limited to 'pkg/seccomp/seccomp_rules.go')
-rw-r--r-- | pkg/seccomp/seccomp_rules.go | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/pkg/seccomp/seccomp_rules.go b/pkg/seccomp/seccomp_rules.go
index 892ccabb4..4b99792fd 100644
--- a/pkg/seccomp/seccomp_rules.go
+++ b/pkg/seccomp/seccomp_rules.go
@@ -34,7 +34,7 @@ func seccompDataOffsetArgLow(i int) uint32 {
 }
 
 func seccompDataOffsetArgHigh(i int) uint32 {
-	return uint32(seccompDataOffsetArgs + i*8 + 4)
+	return seccompDataOffsetArgLow(i) + 4
 }
 
 // AllowAny is marker to indicate any value will be accepted.
@@ -100,7 +100,11 @@ func NewSyscallRules() SyscallRules {
 // AddRule adds the given rule. It will create a new entry for a new syscall, otherwise
 // it will append to the existing rules.
 func (sr SyscallRules) AddRule(sysno uintptr, r Rule) {
-	if _, ok := sr[sysno]; ok {
+	if cur, ok := sr[sysno]; ok {
+		// An empty rules means allow all. Honor it when more rules are added.
+		if len(cur) == 0 {
+			sr[sysno] = append(sr[sysno], Rule{})
+		}
 		sr[sysno] = append(sr[sysno], r)
 	} else {
 		sr[sysno] = []Rule{r}
@@ -110,7 +114,14 @@ func (sr SyscallRules) AddRule(sysno uintptr, r Rule) {
 // Merge merges the given SyscallRules.
 func (sr SyscallRules) Merge(rules SyscallRules) {
 	for sysno, rs := range rules {
-		if _, ok := sr[sysno]; ok {
+		if cur, ok := sr[sysno]; ok {
+			// An empty rules means allow all. Honor it when more rules are added.
+			if len(cur) == 0 {
+				sr[sysno] = append(sr[sysno], Rule{})
+			}
+			if len(rs) == 0 {
+				rs = []Rule{Rule{}}
+			}
 			sr[sysno] = append(sr[sysno], rs...)
 		} else {
 			sr[sysno] = rs
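Review bot: The `len(cur) == 0` and `len(rs) == 0` branches in Merge (and the matching branch in AddRule) make the result allow-all for a syscall as soon as either side allows all, so merging a restrictive rule set into a permissive one widens the filter rather than narrowing it, and the specific rules appended alongside the `Rule{}` entry can never reject anything; neither doc comment states this. I would extend the Merge comment to `// Merge merges the given SyscallRules. Rules are unioned per syscall: if either side allows any arguments for a syscall, the merged result allows any arguments for it.` and say the same on AddRule. This assumes, from the "allow all" comment in the hunk, that the zero `Rule{}` matches any argument values; Rule's definition is outside the hunk, so that should be confirmed. As a style point, `[]Rule{Rule{}}` is the form `gofmt -s` reduces to `[]Rule{{}}`. The bodies of AddRule and Merge continue past the end of their hunks.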