From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 24 Mar 2023 10:17:08 +0000 (+0100)
Subject: seccomp-util: enforce group ordering
X-Git-Tag: v254-rc1~927^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=50524bd8879072ee41e539de768d4ab4a2792060;p=thirdparty%2Fsystemd.git

seccomp-util: enforce group ordering

So far we asked via a comment that @default should stay the first group
and @known the last group in the list. Let's enforce that statically, in
code, too.
---

diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 4f5b0249ad7..5fd135d5972 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -57,9 +57,12 @@ enum {
         SYSCALL_FILTER_SET_SYSTEM_SERVICE,
         SYSCALL_FILTER_SET_TIMER,
         SYSCALL_FILTER_SET_KNOWN,
-        _SYSCALL_FILTER_SET_MAX
+        _SYSCALL_FILTER_SET_MAX,
 };
 
+assert_cc(SYSCALL_FILTER_SET_DEFAULT == 0);
+assert_cc(SYSCALL_FILTER_SET_KNOWN == _SYSCALL_FILTER_SET_MAX-1);
+
 extern const SyscallFilterSet syscall_filter_sets[];
 
 const SyscallFilterSet *syscall_filter_set_find(const char *name);