seccomp-util: enforce group ordering

So far we asked via a comment that @default should stay the first group and @known the last group in the list. Let's enforce that statically, in code, too.
author: Lennart Poettering <lennart@poettering.net> 2023-03-24 11:17:08 +0100
committer: Lennart Poettering <lennart@poettering.net> 2023-03-24 12:28:46 +0100
commit: 50524bd8879072ee41e539de768d4ab4a2792060 (patch)
tree: 74f1d85e158a1b329245e364d644a77b87343b30 /src/shared/seccomp-util.h
parent: seccomp-util: add some newer syscalls to existing groups (diff)
download: systemd-50524bd8879072ee41e539de768d4ab4a2792060.tar.xz
systemd-50524bd8879072ee41e539de768d4ab4a2792060.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 4f5b0249ad..5fd135d597 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -57,9 +57,12 @@ enum {
         SYSCALL_FILTER_SET_SYSTEM_SERVICE,
         SYSCALL_FILTER_SET_TIMER,
         SYSCALL_FILTER_SET_KNOWN,
-        _SYSCALL_FILTER_SET_MAX
+        _SYSCALL_FILTER_SET_MAX,
 };
 
+assert_cc(SYSCALL_FILTER_SET_DEFAULT == 0);
+assert_cc(SYSCALL_FILTER_SET_KNOWN == _SYSCALL_FILTER_SET_MAX-1);
+
 extern const SyscallFilterSet syscall_filter_sets[];
 
 const SyscallFilterSet *syscall_filter_set_find(const char *name);
author	Lennart Poettering <lennart@poettering.net>	2023-03-24 11:17:08 +0100
committer	Lennart Poettering <lennart@poettering.net>	2023-03-24 12:28:46 +0100
commit	50524bd8879072ee41e539de768d4ab4a2792060 (patch)
tree	74f1d85e158a1b329245e364d644a77b87343b30 /src/shared/seccomp-util.h
parent	seccomp-util: add some newer syscalls to existing groups (diff)
download	systemd-50524bd8879072ee41e539de768d4ab4a2792060.tar.xz systemd-50524bd8879072ee41e539de768d4ab4a2792060.zip