From 39f9b1a2229f8624f92bdcf823ef755c15e28de2 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Sun, 25 Aug 2019 18:37:05 +0300
Subject: Allow exceptions to seccomp lists

Prefix ! can be used to make exceptions to system call blacklists and whitelists used by seccomp, seccomp.drop and seccomp.keep.

Closes #1366
---
 src/fseccomp/syscall.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'src/fseccomp/syscall.c')

diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index 3b698d2dd..d31b719d6 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -497,9 +497,17 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
 			syscall_check_list(new_list, callback, fd, arg, ptrarg);
 		}
 		else {
+			bool negate = false;
+			if (*ptr == '!') {
+				negate = true;
+				ptr++;
+			}
 			syscall_process_name(ptr, &syscall_nr, &error_nr);
 			if (syscall_nr == -1) {;}
 			else if (callback != NULL) {
+				if (negate) {
+					syscall_nr = -syscall_nr;
+				}
 				if (error_nr != -1 && fd != 0) {
 					filter_add_errno(fd, syscall_nr, error_nr, ptrarg);
 				}
@@ -522,7 +530,7 @@ static void find_syscall(int fd, int syscall, int arg, void *ptrarg) {
 	(void)fd;
 	(void) arg;
 	SyscallCheckList *ptr = ptrarg;
-	if (syscall == ptr->syscall)
+	if (abs(syscall) == ptr->syscall)
 		ptr->found = true;
 }
-- 
cgit v1.2.3-70-g09d2
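Review bot: The sign encoding `syscall_nr = -syscall_nr;` cannot represent an exception for syscall number 0 (`read` on x86_64), so `!read` is indistinguishable from `read` once it reaches the callback and the exception is silently lost; add a guard next to the negation such as `if (negate && syscall_nr == 0) { /* reject: the sign cannot carry the '!' exception for syscall 0 */ }` or pass the flag out-of-band instead of folding it into the number. The `syscall_nr == -1` sentinel test runs before the negation, which is correct, but the negated value then flows into `filter_add_errno` and into the filter_add_* calls that follow outside the hunk; whether those consumers treat a negative number as an exception rather than emitting it into the BPF program as-is is not visible here and should be confirmed, since a mis-handled exception weakens the sandbox silently. A comment on the new block, e.g. `// '!' marks an exception; encoded as a negative syscall number for the callback`, would make the convention visible to anyone writing a callback. syscall_check_list starts and ends outside the hunk.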
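Review bot: With `abs(syscall)` find_syscall now sets `found` for both the plain entry and its `!` exception, so a search for a syscall also matches the entry that exempts it; if callers rely on `found` to mean "this syscall is in the list as written", that is a behaviour change worth stating in a comment, e.g. `// match the plain entry and its sign-encoded '!' exception alike`. `abs()` is declared in `<stdlib.h>`; the hunk does not show whether the file already includes it, so check the include list. The function is fully contained in the hunk.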