1 files changed, 2 insertions, 30 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 7ae74c340..8abc249ec 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -164,6 +164,8 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
 }
 void seccomp_keep(const char *fname1, const char *fname2, char *list) {
+        (void) fname2;
+        
        // open file for pre-exec filter
        int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
        if (fd < 0) {
@@ -187,36 +189,6 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
        // close file
        close(fd);
-#if 0
-// There is something very wrong here with the file descriptors, "ls -l /proc/self/fd" will show no file
-// after running this code. We don't need the postexec filter in this case anyway.
-printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
-system("ls -l /proc/self/fd");
-printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
-        // open file for post-exec filter
-        fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
-        if (fd < 0) {
-                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
-                exit(1);
-        }
-        // build post-exec filter: whitelist without @default-keep
-        filter_init(fd);
-        if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) {
-                fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
-                exit(1);
-        }
-        filter_end_whitelist(fd);
-        // close file
-        close(fd);
-printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
-system("ls -l /proc/self/fd");
-printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
-#endif
 }
 void memory_deny_write_execute(const char *fname) {

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index 7ae74c340..8abc249ec 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c
@@ -164,6 +164,8 @@ void seccomp_default_drop(const char fname1, const char fname2, char *list, in
164	}	164	}
165		165
166	void seccomp_keep(const char fname1, const char fname2, char *list) {	166	void seccomp_keep(const char fname1, const char fname2, char *list) {
		167	(void) fname2;
		168
167	// open file for pre-exec filter	169	// open file for pre-exec filter
168	int fd = open(fname1, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);	170	int fd = open(fname1, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
169	if (fd < 0) {	171	if (fd < 0) {
@@ -187,36 +189,6 @@ void seccomp_keep(const char fname1, const char fname2, char *list) {
187		189
188	// close file	190	// close file
189	close(fd);	191	close(fd);
190
191	#if 0
192	// There is something very wrong here with the file descriptors, "ls -l /proc/self/fd" will show no file
193	// after running this code. We don't need the postexec filter in this case anyway.
194	printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
195	system("ls -l /proc/self/fd");
196	printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
197	// open file for post-exec filter
198	fd = open(fname2, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
199	if (fd < 0) {
200	fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
201	exit(1);
202	}
203
204	// build post-exec filter: whitelist without @default-keep
205	filter_init(fd);
206
207	if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) {
208	fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
209	exit(1);
210	}
211
212	filter_end_whitelist(fd);
213
214	// close file
215	close(fd);
216	printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
217	system("ls -l /proc/self/fd");
218	printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
219	#endif
220	}	192	}
221		193
222	void memory_deny_write_execute(const char *fname) {	194	void memory_deny_write_execute(const char *fname) {