kore

Kore is a web application platform for writing scalable, concurrent web based processes in C or Python.

commit aafecb9485dd1a4ac10732ca04deef8fc4a7d946
parent a5f68054843ee58e02dbd48f986af1221172ebfe
Author: Joris Vink <joris@coders.se>
Date:   Thu, 26 Sep 2019 06:42:00 +0000

Make sure filters from the hook are added first.

This allows user seccomp filters to be added before the kore ones which
means developers can override our own settings.

Diffstat:
src/seccomp.c | 9++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/seccomp.c b/src/seccomp.c
@@ -132,6 +132,7 @@ struct filter {
 };
 
 static TAILQ_HEAD(, filter) filters;
+static struct filter *ufilter = NULL;
 
 void
 kore_seccomp_init(void)
@@ -184,8 +185,10 @@ kore_seccomp_enable(void)
 
 /* Allow application to add its own filters. */
 if ((rcall = kore_runtime_getcall("kore_seccomp_hook")) != NULL) {
+ ufilter = TAILQ_FIRST(&filters);
 kore_runtime_execute(rcall);
 kore_free(rcall);
+ ufilter = NULL;
 }
 
 skip_worker_filter = 0;
@@ -262,7 +265,11 @@ kore_seccomp_filter(const char *name, void *prog, size_t len)
 filter->instructions = len;
 filter->name = kore_strdup(name);
 
- TAILQ_INSERT_TAIL(&filters, filter, list);
+ if (ufilter) {
+ TAILQ_INSERT_BEFORE(ufilter, filter, list);
+ } else {
+ TAILQ_INSERT_TAIL(&filters, filter, list);
+ }
 
 return (KORE_RESULT_OK);
 }
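Review bot: Nothing in the code says that filters registered from `kore_seccomp_hook` now sit ahead of the built-in ones, neither at the `ufilter` declaration in the first hunk nor at the `ufilter = TAILQ_FIRST(&filters);` line in this one. Assuming the list is turned into the final program in list order (that step is outside this diff), a permissive rule in an application hook is evaluated before kore's own rules and can widen what a worker may call, so the precedence deserves to be stated where maintainers will read it. I would put `/* Set while kore_seccomp_hook runs: hook filters are inserted before this entry and take precedence over the built-in ones. */` on the declaration and change the hook comment to `/* Allow application to add its own filters, ahead of ours. */`. The body of kore_seccomp_enable starts and ends outside the hunk.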
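Review bot: The new test `if (ufilter) {` relies on implicit pointer truthiness, while the hook lookup in kore_seccomp_enable shown in this same commit spells out `!= NULL`; writing `if (ufilter != NULL) {` keeps the file consistent. A short comment above the branch, such as `/* Filters added from the seccomp hook go before the built-in ones. */`, would also explain why there are two insert paths. The start of kore_seccomp_filter is outside the hunk.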