syscall_filter: allow more than one @include per syscall filter
The variable used to track the include_level was being incremented with
variable++ in the argument list for the recursive call, spoiling any
future @include lines in the same syscall filter file. This change
fixes it to use variable + 1, fixing the issue.
Bug: None
Test: make tests
Change-Id: I3ff5ecbf024273c3798f63635989fb8da33201cf
diff --git a/syscall_filter.c b/syscall_filter.c
index 29f250e..c1526a4 100644
--- a/syscall_filter.c
+++ b/syscall_filter.c
@@ -557,7 +557,7 @@
if (compile_file(filename, included_file, head,
arg_blocks, labels, use_ret_trap,
allow_logging,
- ++include_level) == -1) {
+ include_level + 1) == -1) {
compiler_warn(&state, "'@include %s' failed",
filename);
fclose(included_file);
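Review bot: The recursive call ending in `include_level + 1) == -1) {` now relies on include_level staying unchanged for the rest of this invocation, but nothing at the call site says so. A one-line comment above the call, such as `/* Pass the depth by value: later @include lines in this file must see the same include_level. */`, would keep a later edit from reintroducing the increment. If compile_file's signature (outside this hunk) can declare the parameter `const int include_level`, the compiler would enforce the same thing. The enclosing function starts and ends outside the hunk.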
diff --git a/syscall_filter_unittest.cc b/syscall_filter_unittest.cc
index 7b38b84..cf01d3f 100644
--- a/syscall_filter_unittest.cc
+++ b/syscall_filter_unittest.cc
@@ -1744,6 +1744,25 @@
free(actual.filter);
}
+TEST(FilterTest, include_two) {
+ struct sock_fprog actual;
+ std::string policy =
+ "@include " + source_path("test/seccomp.policy") + "\n" +
+ "@include " + source_path("test/seccomp.policy") + "\n";
+
+ FILE* policy_file = write_policy_to_pipe(policy);
+ ASSERT_NE(policy_file, nullptr);
+
+ int res = test_compile_filter("policy", policy_file, &actual);
+ fclose(policy_file);
+
+ ASSERT_EQ(res, 0);
+ EXPECT_EQ(actual.len,
+ ARCH_VALIDATION_LEN + 1 /* load syscall nr */ +
+ 2 * 8 /* check syscalls twice */ + 1 /* filter return */);
+ free(actual.filter);
+}
+
TEST(FilterTest, include_invalid_policy) {
struct sock_fprog actual;
std::string policy =
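Review bot: include_two covers only two sibling includes at the top level and checks only `actual.len`, so it would still pass if the depth tracking stopped limiting nested includes. include_level presumably backs a nesting limit in compile_file, which is not visible here. Unless an existing test already covers it, a companion case would pin both sides of the fix: an included policy that itself contains an `@include` line, with `test_compile_filter` expected to return non-zero. The `8` in `2 * 8` also appears tied to the current contents of test/seccomp.policy; a short comment saying where that count comes from would make a failure after a policy edit easier to diagnose.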