[Bug 2361] seccomp filter (not only) for aarch64

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Apr 22 12:17:25 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2361

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
(In reply to Darren Tucker from comment #4)
> Comment on attachment 2561 [details]
> aarh64 patch
> 
> >+#ifdef __NR_select /* not on AArch64 */
> > 	SC_ALLOW(select),
> > #endif
> >+#ifdef __NR_pselect6 /* AArch64 */
> >+	SC_ALLOW(pselect6),
> >+#endif
> >+#endif
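
Review bot: the final `+#endif` of this hunk closes a conditional that opens above the quoted lines, so `SC_ALLOW(pselect6)` ends up nested inside it even though the flat indentation makes the blocks look like siblings. Either indent the inner directives (`# ifdef` / `# endif`) so the nesting is visible, or give each syscall its own top-level `#ifdef __NR_...` block so that allowing `pselect6` does not depend on an unrelated test. In a sandbox allow-list it should be possible to see which syscalls are permitted on each architecture without counting `#endif` lines.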
> 
> This nesting looks wrong and it's getting messy.

I can reindent, which makes it a bit clearer:

#ifdef __NR__newselect
        SC_ALLOW(_newselect),
#else
# ifdef __NR_select /* not on AArch64 */
        SC_ALLOW(select),
# endif
# ifdef __NR_pselect6 /* AArch64 */
        SC_ALLOW(pselect6),
# endif
#endif

Though maybe it is just better to allow each syscall based on its own
presence:

#ifdef __NR__newselect
        SC_ALLOW(_newselect),
#endif
#ifdef __NR_select /* not on AArch64 */
        SC_ALLOW(select),
#endif
#ifdef __NR_pselect6 /* AArch64 */
        SC_ALLOW(pselect6),
#endif

> Could we put the __NR_$thing test inside the SC_ALLOW/SC_DENY macros?

How would this work? You can't have #if/#ifdef inside a #define.
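
The per-syscall guard layout discussed in the comment above, as an added example that is not part of the original message or of OpenSSH's source: the `SC_ALLOW` definition, the `demo_filter` array and the `demo_filter_action` helper are assumptions written for illustration. It evaluates the filter in user space instead of installing it, so the effect of each `#ifdef` can be checked on whatever Linux architecture it is compiled for.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumed macro shape (not shown on the page): on a match fall through to
 * RET ALLOW, otherwise skip that one instruction. */
#define SC_ALLOW(_nr) \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)

/* Hypothetical three-entry allow-list; each syscall has its own guard. */
static const struct sock_filter demo_filter[] = {
	/* Load the syscall number from struct seccomp_data. */
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR__newselect
	SC_ALLOW(_newselect),
#endif
#ifdef __NR_select /* not on AArch64 */
	SC_ALLOW(select),
#endif
#ifdef __NR_pselect6 /* AArch64 */
	SC_ALLOW(pselect6),
#endif
	/* Anything not matched above is refused. */
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
};

/* Evaluate demo_filter for syscall number nr, in user space. */
uint32_t demo_filter_action(uint32_t nr)
{
	size_t n = sizeof(demo_filter) / sizeof(demo_filter[0]);
	uint32_t acc = 0;
	for (size_t pc = 0; pc < n; pc++) {
		const struct sock_filter *f = &demo_filter[pc];
		switch (f->code) {
		case BPF_LD+BPF_W+BPF_ABS:	/* the only load is seccomp_data.nr */
			acc = nr;
			break;
		case BPF_JMP+BPF_JEQ+BPF_K:	/* relative jump, then pc++ */
			pc += (acc == f->k) ? f->jt : f->jf;
			break;
		case BPF_RET+BPF_K:
			return f->k;
		}
	}
	return SECCOMP_RET_KILL;	/* ran off the end: fail closed */
}
```

Because no entry depends on another entry's guard, the set of allowed syscalls on a given architecture is exactly the set of `__NR_*` names its headers define.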
