kore

An easy to use, scalable and secure web application framework for writing web APIs in C.
Commits | Files | Refs | README | LICENSE | git clone https://git.kore.io/kore.git

commit aafecb9485dd1a4ac10732ca04deef8fc4a7d946
parent a5f68054843ee58e02dbd48f986af1221172ebfe
Author: Joris Vink <joris@coders.se>
Date:   Thu, 26 Sep 2019 06:42:00 +0000

Make sure filters from the hook are added first.

This allows user seccomp filters to be added before the kore ones which
means developers can override our own settings.

Diffstat:
src/seccomp.c | 9++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/seccomp.c b/src/seccomp.c @@ -132,6 +132,7 @@ struct filter { }; static TAILQ_HEAD(, filter) filters; +static struct filter *ufilter = NULL; void kore_seccomp_init(void) @@ -184,8 +185,10 @@ kore_seccomp_enable(void) /* Allow application to add its own filters. */ if ((rcall = kore_runtime_getcall("kore_seccomp_hook")) != NULL) { + ufilter = TAILQ_FIRST(&filters); kore_runtime_execute(rcall); kore_free(rcall); + ufilter = NULL; } skip_worker_filter = 0; @@ -262,7 +265,11 @@ kore_seccomp_filter(const char *name, void *prog, size_t len) filter->instructions = len; filter->name = kore_strdup(name); - TAILQ_INSERT_TAIL(&filters, filter, list); + if (ufilter) { + TAILQ_INSERT_BEFORE(ufilter, filter, list); + } else { + TAILQ_INSERT_TAIL(&filters, filter, list); + } return (KORE_RESULT_OK); }