syscall_filter: ignore @frequency am: b1b2eba6e7 am: 58b1c17df2 am: e3192673e0

Change-Id: Ice5a1915b5b231a2fb6b05748426a45ef65ddba2

2 files changed, 21 insertions, 1 deletions

diff --git a/syscall_filter.c b/syscall_filter.c
index 3b78f97..2c389ae 100644
--- a/syscall_filter.c
+++ b/syscall_filter.c
@@ -595,9 +595,18 @@ int compile_file(const char *filename, FILE *policy_file,
 			continue;
 		}
 
-		/* Allow @include statements. */
+		/* Allow @include and @frequency statements. */
 		if (*policy_line == '@') {
 			const char *filename = NULL;
+
+			/* Ignore @frequency statements. */
+			if (strncmp("@frequency", policy_line,
+				    strlen("@frequency")) == 0) {
+				compiler_warn(&state,
+					      "ignored @frequency statement");
+				continue;
+			}
+
 			if (parse_include_statement(&state, policy_line,
 						    include_level,
 						    &filename) != 0) {
diff --git a/syscall_filter_unittest.cc b/syscall_filter_unittest.cc
index 95b38f4..771dced 100644
--- a/syscall_filter_unittest.cc
+++ b/syscall_filter_unittest.cc
@@ -1745,6 +1745,17 @@ TEST(FilterTest, allow_log_but_kill) {
   free(actual.filter);
 }
 
+TEST(FilterTest, frequency) {
+  struct sock_fprog actual;
+  std::string frequency = "@frequency ./path/is/ignored.frequency\n";
+
+  FILE* policy_file = write_policy_to_pipe(frequency);
+  ASSERT_NE(policy_file, nullptr);
+  int res = test_compile_filter("policy", policy_file, &actual);
+  fclose(policy_file);
+  EXPECT_EQ(res, 0);
+}
+
 TEST(FilterTest, include_invalid_token) {
   struct sock_fprog actual;
   std::string invalid_token = "@unclude ./test/seccomp.policy\n";