author | Lennart Poettering <lennart@poettering.net> | 2016-10-21 21:18:46 +0200 |
committer | Lennart Poettering <lennart@poettering.net> | 2016-10-24 17:32:50 +0200 |
commit | a3be2849b2570482757f83181b999febbfc7bbef (patch) | |
tree | 332aa307c5a8120dc25a3472e18df4383c88c50b /src/shared | |
parent | 60f547cf684d27e8c0e7ff44663650e90f9e0bcf (diff) |
seccomp: add new helper call seccomp_load_filter_set()
This allows us to unify most of the code in apply_protect_kernel_modules() and
apply_private_devices().
Diffstat (limited to 'src/shared')
-rw-r--r-- | src/shared/seccomp-util.c | 24 | ||||
-rw-r--r-- | src/shared/seccomp-util.h | 2 |
2 files changed, 26 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index f1e9de05b2..6252cd16a6 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -452,3 +452,27 @@ int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterS
 return 0;
 }
+
+int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action) {
+ scmp_filter_ctx seccomp;
+ int r;
+
+ assert(set);
+
+ /* The one-stop solution: allocate a seccomp object, add a filter to it, and apply it */
+
+ r = seccomp_init_conservative(&seccomp, default_action);
+ if (r < 0)
+ return r;
+
+ r = seccomp_add_syscall_filter_set(seccomp, set, action);
+ if (r < 0)
+ goto finish;
+
+ r = seccomp_load(seccomp);
+
+finish:
+ seccomp_release(seccomp);
+ return r;
+
+}
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 2de429a772..667687b14f 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -59,3 +59,5 @@ extern const SyscallFilterSet syscall_filter_sets[];
 const SyscallFilterSet *syscall_filter_set_find(const char *name);
 int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action);
+
+int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
|
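Review bot: The new seccomp_load_filter_set() carries no contract comment beyond the one-liner inside the body, and the prototype added to seccomp-util.h is equally bare, so a caller has to read the implementation to learn that `action` is applied to the syscalls in `set`, that `default_action` governs every other syscall, and that a negative return means no filter was installed in the calling process. Since the commit message says this helper will replace the open-coded sandboxing in apply_protect_kernel_modules() and apply_private_devices(), the return value is the only signal those callers have that the sandbox is missing, so the contract deserves to be written down rather than inferred; I would put above the definition `/* Builds a filter whose default is default_action, adds 'set' with 'action' and loads it into the calling process. Returns a negative errno if any step fails, in which case no filter was installed. */` and the same sentence on the header prototype. Whether seccomp_init_conservative() leaves `seccomp` untouched on failure cannot be seen from this hunk; the early `return r` before `finish:` relies on it, which is worth a word in the comment as well. The trailing blank line before the closing brace of the function looks stray.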