seccomp: split out inner loop code of seccomp_add_syscall_filter_set()
authorLennart Poettering <lennart@poettering.net>
Sun, 10 Sep 2017 17:10:29 +0000 (19:10 +0200)
committerLennart Poettering <lennart@poettering.net>
Mon, 11 Sep 2017 16:00:07 +0000 (18:00 +0200)
Let's add a new helper function seccomp_add_syscall_filter_item() that
contains the inner loop code of seccomp_add_syscall_filter_set(). We can
then export this helper function and make use of it elsewhere.

src/shared/seccomp-util.c
src/shared/seccomp-util.h

index 88e8af3fef37e0224c6e602d0305104aeb54608f..1215f714f1ff22e2526af33f0c9793f365c0a497 100644 (file)
@@ -682,6 +682,40 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name) {
         return NULL;
 }
 
+static int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action);
+
+int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, uint32_t action) {
+        int r;
+
+        assert(seccomp);
+        assert(name);
+
+        if (name[0] == '@') {
+                const SyscallFilterSet *other;
+
+                other = syscall_filter_set_find(name);
+                if (!other)
+                        return -EINVAL;
+
+                r = seccomp_add_syscall_filter_set(seccomp, other, action);
+                if (r < 0)
+                        return r;
+        } else {
+                int id;
+
+                id = seccomp_syscall_resolve_name(name);
+                if (id == __NR_SCMP_ERROR)
+                        return -EINVAL; /* Not known at all? Then that's a real error */
+
+                r = seccomp_rule_add_exact(seccomp, action, id, 0);
+                if (r < 0)
+                        /* If the system call is not known on this architecture, then that's fine, let's ignore it */
+                        log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m", name, id);
+        }
+
+        return 0;
+}
+
 static int seccomp_add_syscall_filter_set(
                 scmp_filter_ctx seccomp,
                 const SyscallFilterSet *set,
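Review bot: The new function's first parameter is declared `scmp_filter_ctx *seccomp`, while the only caller (the loop in seccomp_add_syscall_filter_set in the next hunk) passes its plain `scmp_filter_ctx seccomp`, and this function hands that same value straight back into seccomp_add_syscall_filter_set and seccomp_rule_add_exact, both declared with `scmp_filter_ctx`; because libseccomp defines scmp_filter_ctx as a `void *`, the extra indirection level converts implicitly and the compiler stays silent, but the declared type is one pointer level off from the value actually flowing through it. The signature should be `int seccomp_add_syscall_filter_item(scmp_filter_ctx seccomp, const char *name, uint32_t action) {`, and the matching prototype in the src/shared/seccomp-util.h hunk carries the same `scmp_filter_ctx *` and additionally names the parameter `ctx` rather than `seccomp`, so both should be aligned with the definition. Since the function is now exported, its error contract deserves a comment above the definition, e.g. `/* Returns -EINVAL if the name is neither a known filter set nor a resolvable syscall name; rules libseccomp rejects (e.g. a syscall absent on this architecture) are logged at debug level and skipped rather than reported. */`, so that callers know a 0 return does not guarantee every rule was installed.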
@@ -694,28 +728,9 @@ static int seccomp_add_syscall_filter_set(
         assert(set);
 
         NULSTR_FOREACH(sys, set->value) {
-                int id;
-
-                if (sys[0] == '@') {
-                        const SyscallFilterSet *other;
-
-                        other = syscall_filter_set_find(sys);
-                        if (!other)
-                                return -EINVAL;
-
-                        r = seccomp_add_syscall_filter_set(seccomp, other, action);
-                        if (r < 0)
-                                return r;
-                } else {
-                        id = seccomp_syscall_resolve_name(sys);
-                        if (id == __NR_SCMP_ERROR)
-                                return -EINVAL; /* Not known at all? Then that's a real error */
-
-                        r = seccomp_rule_add_exact(seccomp, action, id, 0);
-                        if (r < 0)
-                                /* If the system call is not known on this architecture, then that's fine, let's ignore it */
-                                log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m", sys, id);
-                }
+                r = seccomp_add_syscall_filter_item(seccomp, sys, action);
+                if (r < 0)
+                        return r;
         }
 
         return 0;
index ca43ba8659a5ebae5b18c23f1ed1733ad8b3d44b..894c53e6fdc275b497a9a4e5333b64d6613ebf2f 100644 (file)
@@ -69,6 +69,8 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name);
 
 int seccomp_filter_set_add(Set *s, bool b, const SyscallFilterSet *set);
 
+int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action);
+
 int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
 int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Set* set, uint32_t action);