Indentation + add missing macros to the seccomp helper

Jagger 2015-05-15 02:05:36 +02:00
parent 970f3b70b4
commit 9d58b74bb9
4 changed files with 34 additions and 34 deletions


@ -45,7 +45,7 @@ depend:
makedepend -Y. -- $(CFLAGS) -- $(SRCS) makedepend -Y. -- $(CFLAGS) -- $(SRCS)
indent: indent:
indent -linux -l120 -lc120 -sob -c33 -cp33 *.c *.h; rm -f *~ indent -linux -l120 -lc120 -sob -c33 -cp33 *.c *.h seccomp/*.c seccomp/*.h; rm -f *~ seccomp/*~
# DO NOT DELETE THIS LINE -- make depend depends on it. # DO NOT DELETE THIS LINE -- make depend depends on it.


@ -42,7 +42,6 @@ static bool sandboxPrepareAndCommit(void)
{ {
struct bpf_labels l = {.count = 0 }; struct bpf_labels l = {.count = 0 };
struct sock_filter filter[] = { struct sock_filter filter[] = {
#if 0
LOAD_ARCH, LOAD_ARCH,
JEQ32(AUDIT_ARCH_I386, JUMP(&l, label_i386)), JEQ32(AUDIT_ARCH_I386, JUMP(&l, label_i386)),
JEQ32(AUDIT_ARCH_X86_64, JUMP(&l, label_x86_64)), JEQ32(AUDIT_ARCH_X86_64, JUMP(&l, label_x86_64)),
@ -63,7 +62,6 @@ static bool sandboxPrepareAndCommit(void)
#define __NR_uselib_64 134 #define __NR_uselib_64 134
JEQ32(__NR_syslog_64, ERRNO(ENOENT)), JEQ32(__NR_syslog_64, ERRNO(ENOENT)),
JEQ32(__NR_uselib_64, ERRNO(ENOENT)), JEQ32(__NR_uselib_64, ERRNO(ENOENT)),
#endif /* 0 */
ALLOW, ALLOW,
}; };
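Review bot: Removing the `#if 0` / `#endif /* 0 */` pair makes this filter an active deny-list whose last entry is still `ALLOW`, so every syscall not matched by one of the `JEQ32(..., ERRNO(ENOENT))` entries is permitted. The x86_64 comparisons match exact syscall numbers only; unless the lines between the two hunks (not shown here) already reject them, the same calls made with `__X32_SYSCALL_BIT` set would fall through to `ALLOW`, and so might any architecture other than the two tested after `LOAD_ARCH`. I would state the default above the last entry, `/* deny-list: anything not matched above is allowed */`, and confirm that the unknown-architecture path in the hidden part ends in `DENY`. The commit title mentions only indentation and macros, so this behaviour change deserves its own line in the message. The body of sandboxPrepareAndCommit continues past the end of this section.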


@ -15,8 +15,7 @@
#include "bpf-helper.h" #include "bpf-helper.h"
int bpf_resolve_jumps(struct bpf_labels *labels, int bpf_resolve_jumps(struct bpf_labels *labels, struct sock_filter *filter, size_t count)
struct sock_filter *filter, size_t count)
{ {
struct sock_filter *begin = filter; struct sock_filter *begin = filter;
__u8 insn = count - 1; __u8 insn = count - 1;
@ -29,24 +28,21 @@ int bpf_resolve_jumps(struct bpf_labels *labels,
*/ */
filter += insn; filter += insn;
for (; filter >= begin; --insn, --filter) { for (; filter >= begin; --insn, --filter) {
if (filter->code != (BPF_JMP+BPF_JA)) if (filter->code != (BPF_JMP + BPF_JA))
continue; continue;
switch ((filter->jt<<8)|filter->jf) { switch ((filter->jt << 8) | filter->jf) {
case (JUMP_JT<<8)|JUMP_JF: case (JUMP_JT << 8) | JUMP_JF:
if (labels->labels[filter->k].location == 0xffffffff) { if (labels->labels[filter->k].location == 0xffffffff) {
fprintf(stderr, "Unresolved label: '%s'\n", fprintf(stderr, "Unresolved label: '%s'\n", labels->labels[filter->k].label);
labels->labels[filter->k].label);
return 1; return 1;
} }
filter->k = labels->labels[filter->k].location - filter->k = labels->labels[filter->k].location - (insn + 1);
(insn + 1);
filter->jt = 0; filter->jt = 0;
filter->jf = 0; filter->jf = 0;
continue; continue;
case (LABEL_JT<<8)|LABEL_JF: case (LABEL_JT << 8) | LABEL_JF:
if (labels->labels[filter->k].location != 0xffffffff) { if (labels->labels[filter->k].location != 0xffffffff) {
fprintf(stderr, "Duplicate label use: '%s'\n", fprintf(stderr, "Duplicate label use: '%s'\n", labels->labels[filter->k].label);
labels->labels[filter->k].label);
return 1; return 1;
} }
labels->labels[filter->k].location = insn; labels->labels[filter->k].location = insn;
@ -60,7 +56,7 @@ int bpf_resolve_jumps(struct bpf_labels *labels,
} }
/* Simple lookup table for labels. */ /* Simple lookup table for labels. */
__u32 seccomp_bpf_label(struct bpf_labels *labels, const char *label) __u32 seccomp_bpf_label(struct bpf_labels * labels, const char *label)
{ {
struct __bpf_label *begin = labels->labels, *end; struct __bpf_label *begin = labels->labels, *end;
int id; int id;
@ -89,7 +85,6 @@ __u32 seccomp_bpf_label(struct bpf_labels *labels, const char *label)
void seccomp_bpf_print(struct sock_filter *filter, size_t count) void seccomp_bpf_print(struct sock_filter *filter, size_t count)
{ {
struct sock_filter *end = filter + count; struct sock_filter *end = filter + count;
for ( ; filter < end; ++filter) for (; filter < end; ++filter)
printf("{ code=%u,jt=%u,jf=%u,k=%u },\n", printf("{ code=%u,jt=%u,jf=%u,k=%u },\n", filter->code, filter->jt, filter->jf, filter->k);
filter->code, filter->jt, filter->jf, filter->k);
} }


@ -16,6 +16,7 @@
#include <asm/bitsperlong.h> /* for __BITS_PER_LONG */ #include <asm/bitsperlong.h> /* for __BITS_PER_LONG */
#include <endian.h> #include <endian.h>
#include <linux/audit.h>
#include <linux/filter.h> #include <linux/filter.h>
#include <linux/seccomp.h> /* for seccomp_data */ #include <linux/seccomp.h> /* for seccomp_data */
#include <linux/types.h> #include <linux/types.h>
@ -31,8 +32,7 @@ struct bpf_labels {
} labels[BPF_LABELS_MAX]; } labels[BPF_LABELS_MAX];
}; };
int bpf_resolve_jumps(struct bpf_labels *labels, int bpf_resolve_jumps(struct bpf_labels *labels, struct sock_filter *filter, size_t count);
struct sock_filter *filter, size_t count);
__u32 seccomp_bpf_label(struct bpf_labels *labels, const char *label); __u32 seccomp_bpf_label(struct bpf_labels *labels, const char *label);
void seccomp_bpf_print(struct sock_filter *filter, size_t count); void seccomp_bpf_print(struct sock_filter *filter, size_t count);
@ -45,6 +45,9 @@ void seccomp_bpf_print(struct sock_filter *filter, size_t count);
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
#define DENY \ #define DENY \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
#define ERRNO(val) \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | (val & SECCOMP_RET_DATA))
#define JUMP(labels, label) \ #define JUMP(labels, label) \
BPF_JUMP(BPF_JMP+BPF_JA, FIND_LABEL((labels), (label)), \ BPF_JUMP(BPF_JMP+BPF_JA, FIND_LABEL((labels), (label)), \
JUMP_JT, JUMP_JF) JUMP_JT, JUMP_JF)
@ -240,4 +243,8 @@ union arg64 {
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
offsetof(struct seccomp_data, nr)) offsetof(struct seccomp_data, nr))
#define LOAD_ARCH \
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, \
offsetof(struct seccomp_data, arch))
#endif /* __BPF_HELPER_H__ */ #endif /* __BPF_HELPER_H__ */
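Review bot: The new `ERRNO(val)` macro uses its argument unparenthesised in `(val & SECCOMP_RET_DATA)`, so an expression argument such as `a | b` would be masked only in part and could reach the action bits of the return value. Writing the body as `BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | ((val) & SECCOMP_RET_DATA))` keeps the mask over the whole argument. As a point of style, `LOAD_ARCH` builds its opcode with `BPF_LD | BPF_W | BPF_ABS` while the statement directly above it uses `BPF_LD+BPF_W+BPF_ABS`; one spelling throughout the header would read more easily.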