cybersecurity · advanced · ~15 min
seccomp's allow-list semantics + binary search.
Given a sorted allow-list of syscall numbers and a candidate
number, implement int syscall_allowed(int sys, const int *allow, int n_allow).
Return 1 if sys is in the allow-list (use binary search since it's sorted),
0 otherwise.
seccomp filters are how Chrome, OpenSSH and Docker shrink attack surface. The core operation is a simple set-membership test.
Syscall number + sorted array.
0/1.
Use binary search (O(log n)).
int syscall_allowed(int sys, const int *allow, int n_allow) { /* TODO */ (void)sys; (void)allow; (void)n_allow; return 0; }
Linear search — works but doesn't demonstrate the right pattern.
Empty allow-list (deny all). Negative syscall.
O(log n).
Solve this exercise in the browser editor — compile and run against the test harness, no setup required.