authorandroid-build-team Robot <android-build-team-robot@google.com>2017-04-30 08:46:37 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>2017-04-30 08:46:37 +0000
commit10518e3fec36d9bf6d363e106da5063172b829b1 (patch)
tree0100d044a78ea5a35f7249bf831bb05d1a1d3bf9
parent2f091d6c93ab41f89c17323bd3591881184d441a (diff)
parent2d4ec6df5c43fdcd543c6d96f7683ce89c1e4bef (diff)
downloadminijail-10518e3fec36d9bf6d363e106da5063172b829b1.tar.gz
release-request-463ddcd0-eb2e-4e8b-aabc-11643980fdcc-for-git_oc-dr1-release-3959592 snap-temp-L58600000059207561
Change-Id: I2612abc90d6397e86680320f0afe73931662c8fc
-rw-r--r--syscall_filter.c1
-rw-r--r--syscall_filter_unittest.cc18
2 files changed, 19 insertions, 0 deletions
diff --git a/syscall_filter.c b/syscall_filter.c
index 9a66d17..5a3ef21 100644
--- a/syscall_filter.c
+++ b/syscall_filter.c
@@ -550,6 +550,7 @@ int compile_file(FILE *policy_file, struct filter_block *head,
goto free_line;
}
+ syscall_name = strip(syscall_name);
int nr = lookup_syscall(syscall_name);
if (nr < 0) {
warn("compile_file: nonexistent syscall '%s'",
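Review bot: The added `syscall_name = strip(syscall_name);` has no comment saying which policy spelling it is meant to accept, even though it loosens what a seccomp policy file may contain. I would put `/* Tolerate whitespace around the syscall name, e.g. "open :1". */` directly above it. A name that is only whitespace presumably becomes an empty string and falls into the `nr < 0` branch just below, so it is worth confirming that this path still rejects the line and that a warning printing `''` is acceptable. The body of compile_file starts and ends outside this hunk, so how `syscall_name` is obtained and released is not visible here.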
diff --git a/syscall_filter_unittest.cc b/syscall_filter_unittest.cc
index 85c8a55..12389f8 100644
--- a/syscall_filter_unittest.cc
+++ b/syscall_filter_unittest.cc
@@ -1169,6 +1169,24 @@ TEST(FilterTest, seccomp_read_write) {
free(actual.filter);
}
+TEST(FilterTest, misplaced_whitespace) {
+ struct sock_fprog actual;
+ const char *policy = "open :1\n";
+
+ FILE *policy_file = write_policy_to_pipe(policy, strlen(policy));
+ ASSERT_NE(policy_file, nullptr);
+
+ int res = compile_filter(policy_file, &actual, USE_RET_KILL, NO_LOGGING);
+ fclose(policy_file);
+
+ /* Checks return value and filter length. */
+ ASSERT_EQ(res, 0);
+ EXPECT_EQ(actual.len,
+ ARCH_VALIDATION_LEN + 1 /* load syscall nr */ + ALLOW_SYSCALL_LEN +
+ 1 /* ret kill */);
+ free(actual.filter);
+}
+
TEST(FilterTest, missing_atom) {
struct sock_fprog actual;
const char* policy = "open:\n";
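Review bot: misplaced_whitespace covers only the accepting case and asserts only the filter length, so it would still pass if the stripped name resolved to the wrong syscall or if a whitespace-only name were accepted. For a seccomp policy parser I would add a negative case beside it, for example a policy of `" :1\n"` checked with `ASSERT_NE(res, 0);`. A leading-whitespace case such as `" open:1\n"` would also help, but the expected result depends on what strip() trims, which this page does not show. A minor style point: the new test writes `const char *policy` while the neighbouring missing_atom test writes `const char* policy`.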