trivial optimisation for seccomp-bpf
authorDamien Miller <djm@mindrot.org>
Wed, 17 Jun 2015 04:36:54 +0000 (14:36 +1000)
committerDamien Miller <djm@mindrot.org>
Wed, 17 Jun 2015 04:36:54 +0000 (14:36 +1000)
When doing arg inspection and the syscall doesn't match, skip
past the instruction that reloads the syscall into the accumulator,
since the accumulator hasn't been modified at this point.

sandbox-seccomp-filter.c

index badfee2ecb314678b09c9515d555d43dc7af5580..c1fe1f3e9554f0dae98fc7bc138e029c1fd971bd 100644 (file)
@@ -81,7 +81,7 @@
        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
-       BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
+       BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
        /* load first syscall argument */ \
        BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
            offsetof(struct seccomp_data, args[(_arg_nr)])), \
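Review bot: The new false-branch offset `4` in the first `BPF_JUMP` of `SC_ALLOW_ARG` is a hand-counted instruction distance, and nothing in the macro records what it has to equal. The rest of the macro body lies outside this hunk, so the count cannot be confirmed from here; going by the commit message it presumably covers the argument load, the compare, the allow return and the syscall-number reload. If a later edit adds or removes an instruction without updating the offset, a non-matching syscall would land inside the rule instead of after it, which in an allow-list filter can change what is permitted. I would add a line above the jump such as `/* jf=4 skips the whole rule below, including the syscall-number reload; update if the body changes */ \`. Separately, on the context lines, the comment says "first syscall argument" although the load indexes `args[(_arg_nr)]`, and `BPF_W` compares only one 32-bit word of that 64-bit slot.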