From: Damien Miller Date: Wed, 17 Jun 2015 04:36:54 +0000 (+1000) Subject: trivial optimisation for seccomp-bpf X-Git-Tag: V_6_9_P1~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97e2e1596c202a4693468378b16b2353fd2d6c5e;p=thirdparty%2Fopenssh-portable.git trivial optimisation for seccomp-bpf When doing arg inspection and the syscall doesn't match, skip past the instruction that reloads the syscall into the accumulator, since the accumulator hasn't been modified at this point.
---
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index badfee2ec..c1fe1f3e9 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -81,7 +81,7 @@
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
 /* load first syscall argument */ \
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
 offsetof(struct seccomp_data, args[(_arg_nr)])), \
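Review bot: The false-branch offset `4` on the first `BPF_JUMP` of `SC_ALLOW_ARG` is a hand-counted constant that must equal the number of instructions remaining in the macro, and nothing in the code records that; if an instruction is later added or removed, a non-matching syscall would land in the middle of this rule or the next one, possibly on a `SECCOMP_RET_ALLOW`. I would add a comment above it such as `/* jf = instructions left in this rule, so a miss lands on the next rule */ \`. The macro body continues past the end of the hunk, so the count cannot be confirmed from the visible lines. Separately, the context line loads the argument with `BPF_W`, which reads 32 bits of the 64-bit `args[]` entry, so the comparison that follows presumably checks only half of the value; worth confirming that this is intended.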