[File] [PATCH 1/2] seccomp: restore old loading logic
Alex Xu (Hello71)
alex_y_xu at yahoo.ca
Tue Sep 24 16:12:37 UTC 2024
When the seccomp filter is successfully loaded, the filter is double
freed. The original patch was apparently never tested as it can neither
compile nor load?
Fixes: be5fac4b0e ("allow new glibc malloc to set arena names (Thomas Weissschuh)")
---
src/seccomp.c | 34 +++++++++++++---------------------
1 file changed, 13 insertions(+), 21 deletions(-)
diff --git a/src/seccomp.c b/src/seccomp.c
index 5a39ee45..66ca777b 100644
--- a/src/seccomp.c
+++ b/src/seccomp.c
@@ -61,26 +61,6 @@ FILE_RCSID("@(#)$File: seccomp.c,v 1.28 2024/06/16 14:53:16 christos Exp $")
static scmp_filter_ctx ctx;
-static int
-apply_filter(void)
-{
-#if defined(PR_SET_VMA) && defined(PR_SET_VMA_ANON_NAME)
- /* allow glibc to name malloc areas */
- if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 2,
- SCMP_CMP32(0, SCMP_CMP_EQ, PR_SET_VMA),
- SCMP_CMP64(1, SCMP_CMP_EQ, PR_SET_VMA_ANON_NAME)) == -1)
- return 0;
-#endif
-
- // applying filter...
- if (seccomp_load(ctx) == -1)
- return 0;
- // free ctx after the filter has been loaded into the kernel
- seccomp_release(ctx);
- return 1;
-}
-
-
int
enable_sandbox_basic(void)
{
@@ -298,8 +278,20 @@ enable_sandbox_full(void)
goto out;
#endif
- if (!apply_filter())
+#if defined(PR_SET_VMA) && defined(PR_SET_VMA_ANON_NAME)
+ /* allow glibc to name malloc areas */
+ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 2,
+ SCMP_CMP32(0, SCMP_CMP_EQ, PR_SET_VMA),
+ SCMP_CMP64(1, SCMP_CMP_EQ, PR_SET_VMA_ANON_NAME)) == -1)
+ return 0;
+#endif
+
+ // applying filter...
+ if (seccomp_load(ctx) == -1)
goto out;
+ // free ctx after the filter has been loaded into the kernel
+ seccomp_release(ctx);
+ return 0;
out:
// something went wrong
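Review bot: The failure branch of the re-inlined `seccomp_rule_add(...)` call in the `PR_SET_VMA` block uses `return 0;`, the same value the success path returns after `seccomp_release(ctx)`. If 0 means success to callers, as that success path suggests, a failed rule add would be reported as a working sandbox even though `seccomp_load(ctx)` was never reached, leaving the process unfiltered. That early return also bypasses the `out:` path, so any context cleanup there is skipped. Change that line to `goto out;`, matching the `seccomp_load` check just below it. enable_sandbox_full starts before this hunk and the body of `out:` continues past it, so the actual error return value is not visible here.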
--
2.46.1