Merge lp://qastaging/~jdstrand/snap-confine/seccom-arg-filtering into lp://qastaging/~snappy-dev/snap-confine/trunk
Status: | Rejected | ||||
---|---|---|---|---|---|
Rejected by: | Jamie Strandboge | ||||
Proposed branch: | lp://qastaging/~jdstrand/snap-confine/seccom-arg-filtering | ||||
Merge into: | lp://qastaging/~snappy-dev/snap-confine/trunk | ||||
Diff against target: |
974 lines (+823/-31) 10 files modified
README (+82/-18) debian/changelog (+1/-0) src/seccomp.c (+313/-13) tests/test_bad_seccomp_filter_args (+54/-0) tests/test_bad_seccomp_filter_args_null (+51/-0) tests/test_bad_seccomp_filter_args_prctl (+55/-0) tests/test_bad_seccomp_filter_args_socket (+55/-0) tests/test_restrictions_working_args (+96/-0) tests/test_restrictions_working_args_prctl (+58/-0) tests/test_restrictions_working_args_socket (+58/-0) |
||||
To merge this branch: | bzr merge lp://qastaging/~jdstrand/snap-confine/seccom-arg-filtering | ||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Tyler Hicks | Pending | ||
Snappy Developers | Pending | ||
Review via email: mp+291069@code.qastaging.launchpad.net |
Description of the change
Implement seccomp arg filtering. See README for a complete description of how policy is affected. Implementation-
- add the seccomp_args struct for populating seccomp_
- add hsearch map and a few simple wrapper functions
- add parse_line() which takes a string that went through validate_
- use seccomp_
Currently parse_line can handle enums for:
- man 2 socket - domain
- man 2 socket - type
- man 2 prctl
More can easily be added as needed.
Unmerged revisions
- 149. By Jamie Strandboge
-
merge from trunk
adjust filter tests for trunk changes
adjust strdup error message - 148. By Jamie Strandboge
-
update README for prctl
- 147. By Jamie Strandboge
-
cleanup some comments
- 146. By Jamie Strandboge
-
use hcreate_r(), hsearch_r() and hdestroy_r() instead of hcreate(), hsearch()
and hdestroy() respectively - 145. By Jamie Strandboge
-
add some clarifying comments
fix a comment
free(buf_copy) as soon as possible instead of waiting - 144. By Jamie Strandboge
-
clarify some comments
use strtoul() instead of sscanf() - 143. By Jamie Strandboge
-
removes some parthesis that aren't needed
clarify a comment - 142. By Jamie Strandboge
-
tests/test_
bad_seccomp_ filter_ args_null: adjust for fgets() limitations - 141. By Jamie Strandboge
-
add some embedded NULL tests
- 140. By Jamie Strandboge
-
add prctl PR_ mappings
Hi Jamie - could you update this PR with the changes that you made when you merged in the cgroups branch?