From 5692f3ae95db8f0e00b6cdd5845f05e169c6ccf3 Mon Sep 17 00:00:00 2001
From: Zach Reizner
Date: Wed, 27 Feb 2019 18:06:34 -0800
Subject: syscall_filter: allow more than one @include per syscall filter

The variable used to track the include_level was being incremented with variable++ in the argument list for the recursive call, spoiling any future @include lines in the same syscall filter file. This change fixes it to use variable + 1, fixing the issue.
Bug: None
Test: make tests
Change-Id: I3ff5ecbf024273c3798f63635989fb8da33201cf
Merged-In: I3ff5ecbf024273c3798f63635989fb8da33201cf
Bug: 145289821
---
 syscall_filter.c | 2 +-
 syscall_filter_unittest.cc | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/syscall_filter.c b/syscall_filter.c
index 9dd7fb22..ba365d28 100644
--- a/syscall_filter.c
+++ b/syscall_filter.c
@@ -555,7 +555,7 @@ int compile_file(const char *filename, FILE *policy_file,
 if (compile_file(filename, included_file, head, arg_blocks, labels, use_ret_trap, allow_logging,
- ++include_level) == -1) {
+ include_level + 1) == -1) {
 compiler_warn(&state, "'@include %s' failed", filename);
 fclose(included_file);
diff --git a/syscall_filter_unittest.cc b/syscall_filter_unittest.cc
index 9beac652..7c5a4c2b 100644
--- a/syscall_filter_unittest.cc
+++ b/syscall_filter_unittest.cc
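Review bot: The recursive call now passes `include_level + 1`, but nothing at the call site records why the parameter must not be modified in place, which is exactly the mistake this commit corrects. A short comment above the call, for example `/* include_level is the nesting depth, not a count of @include lines: pass depth + 1, never increment it here. */`, would keep a later edit from reintroducing `++`. The check that consumes include_level is outside this hunk, so it should be confirmed that it still rejects policies nested beyond the intended bound, since that check is presumably what stops a policy file that includes itself from recursing without limit. compile_file's body starts and ends outside the hunk.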
@@ -1566,6 +1566,25 @@ TEST(FilterTest, include_same_syscalls) {
 free(actual.filter);
 }
+TEST(FilterTest, include_two) {
+ struct sock_fprog actual;
+ std::string policy =
+ "@include " + source_path("test/seccomp.policy") + "\n" +
+ "@include " + source_path("test/seccomp.policy") + "\n";
+
+ FILE* policy_file = write_policy_to_pipe(policy);
+ ASSERT_NE(policy_file, nullptr);
+
+ int res = test_compile_filter("policy", policy_file, &actual);
+ fclose(policy_file);
+
+ ASSERT_EQ(res, 0);
+ EXPECT_EQ(actual.len,
+ ARCH_VALIDATION_LEN + 1 /* load syscall nr */ +
+ 2 * 8 /* check syscalls twice */ + 1 /* filter return */);
+ free(actual.filter);
+}
+
 TEST(FilterTest, include_invalid_policy) {
 struct sock_fprog actual;
 const char *policy =
--
cgit v1.2.3
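Review bot: include_two covers two sibling @include lines, but nothing in this hunk pins the other half of the change: that an @include inside an already included file is still counted as one level deeper now that the level is passed as `include_level + 1`. If no such case exists elsewhere in the file (not visible here), a companion test whose included policy itself contains an @include would guard the nesting bound against regressions, which matters because this code builds the seccomp filter. Separately, the literal `8` in the expected length depends on the contents of test/seccomp.policy; a comment such as `/* 8 = filter instructions for one copy of test/seccomp.policy (confirm) */` would make that coupling explicit.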