On Sat, 25.01.14 18:06, Ronny Chevalier ([email protected]) wrote:

> > Doesn't libseccomp provide a way to enumerate the contents of the
> > defined filter again? I'd really prefer if we could find a way that
> > specifying a filter of "read write" and of "write read" would actually
> > result in the same string exposed via the bus.
>
> Unfortunately no, this is why I strdup the string from the .service,
> but yes I see why this is not really a good idea...
>
> Maybe by adding each syscall, after being validated by the libseccomp
> API, in an array and sorting them? And if the first element is the ~
> then it's a blacklist?
Yeah, so I would be fine with parsing the string and resolving the
syscalls with seccomp_syscall_resolve_name(), then adding the returned
integer to an array, then sort the array and regenerate a string out
of it again with seccomp_syscall_resolve_num(), possibly prefixing it
with "~"... That way, we'd expose a string, but a normalized and
somewhat portable one.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
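The normalization Lennart sketches above, as an added example that is not code from the systemd patch under discussion or from libseccomp: the filter string is tokenized, every name is resolved to a number, the numbers are sorted and deduplicated, and a canonical string is regenerated with the leading "~" preserved for a blacklist. The small lookup table is a constructed stand-in for seccomp_syscall_resolve_name() and the reverse lookup so the example runs without libseccomp; its numbers are invented for the demonstration and are not real syscall numbers. An unknown name makes the whole filter fail rather than being dropped silently, since a misspelled syscall in a whitelist would otherwise quietly widen what the service is allowed to do.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-in for libseccomp's name<->number resolution.
 * The numbers are made up for this example (assumption), not the
 * kernel's real syscall numbers.
 */
static const struct {
    const char *name;
    int nr;
} syscall_table[] = {
    { "read",    0 },
    { "write",   1 },
    { "open",    2 },
    { "close",   3 },
    { "mmap",    9 },
    { "ioctl",  16 },
    { "execve", 59 },
};
#define TABLE_LEN (sizeof(syscall_table) / sizeof(syscall_table[0]))
#define MAX_SYSCALLS 256

/* Plays the role of seccomp_syscall_resolve_name(): -1 when the name is unknown. */
static int resolve_name(const char *name) {
    for (size_t i = 0; i < TABLE_LEN; i++)
        if (strcmp(syscall_table[i].name, name) == 0)
            return syscall_table[i].nr;
    return -1;
}

/* Reverse lookup, number -> canonical name; NULL when unknown. */
static const char *resolve_num(int nr) {
    for (size_t i = 0; i < TABLE_LEN; i++)
        if (syscall_table[i].nr == nr)
            return syscall_table[i].name;
    return NULL;
}

static int cmp_int(const void *a, const void *b) {
    int x = *(const int *) a, y = *(const int *) b;
    return (x > y) - (x < y);
}

/*
 * Parse "name name ..." (optionally prefixed with "~" for a blacklist),
 * resolve, sort, deduplicate, and rebuild a canonical string.
 * Returns a malloc'd string the caller frees, or NULL if any name is
 * unknown or the list is too long.
 */
char *normalize_filter(const char *spec) {
    int nrs[MAX_SYSCALLS];
    size_t n = 0, m = 0;
    int blacklist = 0;
    const char *p = spec;

    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '~') {            /* "~read write" and "~ read write" both work */
        blacklist = 1;
        p++;
    }

    /* Tokenize on whitespace without modifying the input. */
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == '\n')
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t' && *p != '\n')
            p++;
        char name[64];
        size_t len = (size_t) (p - start);
        if (len >= sizeof(name) || n >= MAX_SYSCALLS)
            return NULL;
        memcpy(name, start, len);
        name[len] = '\0';
        int nr = resolve_name(name);
        if (nr < 0)             /* typo or unsupported syscall: reject the filter */
            return NULL;
        nrs[n++] = nr;
    }

    qsort(nrs, n, sizeof(int), cmp_int);
    for (size_t i = 0; i < n; i++)      /* deduplicate: "read read" == "read" */
        if (m == 0 || nrs[m - 1] != nrs[i])
            nrs[m++] = nrs[i];

    size_t total = blacklist ? 1 : 0;   /* upper bound: names + separators */
    for (size_t i = 0; i < m; i++)
        total += strlen(resolve_num(nrs[i])) + 1;
    char *out = malloc(total + 1);
    if (!out)
        return NULL;
    char *q = out;
    if (blacklist)
        *q++ = '~';
    for (size_t i = 0; i < m; i++) {
        if (i > 0)
            *q++ = ' ';
        strcpy(q, resolve_num(nrs[i]));
        q += strlen(q);
    }
    *q = '\0';
    return out;
}

/* Helper for checking: 1 if spec normalizes to expected (NULL expected means rejection). */
int normalizes_to(const char *spec, const char *expected) {
    char *got = normalize_filter(spec);
    int ok = (got == NULL && expected == NULL) ||
             (got != NULL && expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return ok;
}

int main(void) {
    const char *inputs[] = { "read write", "write read", "~write read", "read wrtie" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        char *s = normalize_filter(inputs[i]);
        printf("%-14s -> %s\n", inputs[i], s ? s : "(rejected)");
        free(s);
    }
    return 0;
}
```

Because the string is rebuilt from the sorted numbers rather than echoed back, "read write" and "write read" expose the identical value over the bus, and the same idea carries over to the real libseccomp calls named in the message.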
