1 files changed, 19 insertions, 2 deletions

diff --git a/filter.c b/filter.c
index f8b782d..dbda7ca 100644
--- a/filter.c
+++ b/filter.c
@@ -174,6 +174,20 @@ static unsigned int get_total_args(const struct syscall_entry table[],
 	return n;
 }
 
+unsigned int create_bpf_program_log(struct sock_filter filter[])
+{
+	filter[0] = (struct sock_filter)BPF_STMT(
+		BPF_LD | BPF_W | BPF_ABS,
+		(offsetof(struct seccomp_data, arch)));
+	filter[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
+						 SEITAN_AUDIT_ARCH, 0, 1);
+	filter[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
+						 SECCOMP_RET_USER_NOTIF);
+	filter[3] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
+						 SECCOMP_RET_ALLOW);
+	return 4;
+}
+
 unsigned int create_bfp_program(struct syscall_entry table[],
 				struct sock_filter filter[],
 				unsigned int n_syscall)
@@ -258,7 +272,7 @@ static int compare_names(const void *a, const void *b)
 		      ((struct syscall_numbers *)b)->name);
 }
 
-int convert_bpf(char *file, struct bpf_call *entries, int n)
+int convert_bpf(char *file, struct bpf_call *entries, int n, bool log)
 {
 	int nt, fd, fsize;
 	struct syscall_entry table[N_SYSCALL];
@@ -270,7 +284,10 @@ int convert_bpf(char *file, struct bpf_call *entries, int n)
 	qsort(entries, n, sizeof(struct bpf_call), compare_bpf_call_names);
 	nt = construct_table(entries, n, table);
 
-	fsize = create_bfp_program(table, filter, nt);
+	if (log)
+		fsize = create_bpf_program_log(filter);
+	else
+		fsize = create_bfp_program(table, filter, nt);
 
 	fd = open(file, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC,
 		  S_IRUSR | S_IWUSR);