[ML] Add comment explaining changes required if Linux BPF are modified.

davidkyle · Hendrik Muhs · commit af9b29e6ba12 · 2018-05-30T22:10:35.000+02:00
diff --git a/lib/seccomp/CSystemCallFilter_Linux.cc b/lib/seccomp/CSystemCallFilter_Linux.cc
@@ -52,6 +52,10 @@ const struct sock_filter FILTER[] = {
     BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SECCOMP_DATA_NR_OFFSET),
     // Only applies to X86_64 arch. Jump to disallow for calls using the x32 ABI
     BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, UPPER_NR_LIMIT, 34, 0),
+    // If any sys call filters are added or removed then the jump
+    // destination for each statement including the one above must
+    // be updated accordingly
+
     // Allowed sys calls, jump to return allow on match
     BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 34, 0),
     BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 33, 0),
