check_policy_sanity(): Allow vows and syscall policies

Adjust checks to allow a mixed mode between syscall policies and vows.
Check for some easy to make mistakes in such scenario.
Cette révision appartient à :
Albert S. 2022-06-09 09:48:25 +02:00
Parent 42d44b0cc1
révision 8f38dc4480

Voir le fichier

@ -1410,6 +1410,11 @@ static int check_policy_sanity(struct exile_policy *policy)
{
if(syscall_policy->syscall == EXILE_SYSCALL_MATCH_ALL)
{
if(policy->vow_promises != 0)
{
EXILE_LOG_ERROR("It's not possible to specify a default, all matching syscall policy while also using vows\n");
return -1;
}
last_match_all = i;
match_all_policy = syscall_policy->policy;
}
@ -1420,7 +1425,7 @@ static int check_policy_sanity(struct exile_policy *policy)
syscall_policy = syscall_policy->next;
++i;
}
if(last_match_all == -1 || i - last_match_all != 1)
if(policy->vow_promises == 0 && (last_match_all == -1 || i - last_match_all != 1))
{
EXILE_LOG_ERROR("The last entry in the syscall policy list must match all syscalls (default rule)\n");
return -1;