Indentation + add missing macros to the seccomp helper
This commit is contained in:
parent
970f3b70b4
commit
9d58b74bb9
2
Makefile
2
Makefile
@ -45,7 +45,7 @@ depend:
|
||||
makedepend -Y. -- $(CFLAGS) -- $(SRCS)
|
||||
|
||||
indent:
|
||||
indent -linux -l120 -lc120 -sob -c33 -cp33 *.c *.h; rm -f *~
|
||||
indent -linux -l120 -lc120 -sob -c33 -cp33 *.c *.h seccomp/*.c seccomp/*.h; rm -f *~ seccomp/*~
|
||||
|
||||
# DO NOT DELETE THIS LINE -- make depend depends on it.
|
||||
|
||||
|
@ -42,7 +42,6 @@ static bool sandboxPrepareAndCommit(void)
|
||||
{
|
||||
struct bpf_labels l = {.count = 0 };
|
||||
struct sock_filter filter[] = {
|
||||
#if 0
|
||||
LOAD_ARCH,
|
||||
JEQ32(AUDIT_ARCH_I386, JUMP(&l, label_i386)),
|
||||
JEQ32(AUDIT_ARCH_X86_64, JUMP(&l, label_x86_64)),
|
||||
@ -63,7 +62,6 @@ static bool sandboxPrepareAndCommit(void)
|
||||
#define __NR_uselib_64 134
|
||||
JEQ32(__NR_syslog_64, ERRNO(ENOENT)),
|
||||
JEQ32(__NR_uselib_64, ERRNO(ENOENT)),
|
||||
#endif /* 0 */
|
||||
ALLOW,
|
||||
};
|
||||
|
||||
|
@ -15,8 +15,7 @@
|
||||
|
||||
#include "bpf-helper.h"
|
||||
|
||||
int bpf_resolve_jumps(struct bpf_labels *labels,
|
||||
struct sock_filter *filter, size_t count)
|
||||
int bpf_resolve_jumps(struct bpf_labels *labels, struct sock_filter *filter, size_t count)
|
||||
{
|
||||
struct sock_filter *begin = filter;
|
||||
__u8 insn = count - 1;
|
||||
@ -24,33 +23,30 @@ int bpf_resolve_jumps(struct bpf_labels *labels,
|
||||
if (count < 1)
|
||||
return -1;
|
||||
/*
|
||||
* Walk it once, backwards, to build the label table and do fixups.
|
||||
* Since backward jumps are disallowed by BPF, this is easy.
|
||||
*/
|
||||
* Walk it once, backwards, to build the label table and do fixups.
|
||||
* Since backward jumps are disallowed by BPF, this is easy.
|
||||
*/
|
||||
filter += insn;
|
||||
for (; filter >= begin; --insn, --filter) {
|
||||
if (filter->code != (BPF_JMP+BPF_JA))
|
||||
if (filter->code != (BPF_JMP + BPF_JA))
|
||||
continue;
|
||||
switch ((filter->jt<<8)|filter->jf) {
|
||||
case (JUMP_JT<<8)|JUMP_JF:
|
||||
switch ((filter->jt << 8) | filter->jf) {
|
||||
case (JUMP_JT << 8) | JUMP_JF:
|
||||
if (labels->labels[filter->k].location == 0xffffffff) {
|
||||
fprintf(stderr, "Unresolved label: '%s'\n",
|
||||
labels->labels[filter->k].label);
|
||||
fprintf(stderr, "Unresolved label: '%s'\n", labels->labels[filter->k].label);
|
||||
return 1;
|
||||
}
|
||||
filter->k = labels->labels[filter->k].location -
|
||||
(insn + 1);
|
||||
filter->k = labels->labels[filter->k].location - (insn + 1);
|
||||
filter->jt = 0;
|
||||
filter->jf = 0;
|
||||
continue;
|
||||
case (LABEL_JT<<8)|LABEL_JF:
|
||||
case (LABEL_JT << 8) | LABEL_JF:
|
||||
if (labels->labels[filter->k].location != 0xffffffff) {
|
||||
fprintf(stderr, "Duplicate label use: '%s'\n",
|
||||
labels->labels[filter->k].label);
|
||||
fprintf(stderr, "Duplicate label use: '%s'\n", labels->labels[filter->k].label);
|
||||
return 1;
|
||||
}
|
||||
labels->labels[filter->k].location = insn;
|
||||
filter->k = 0; /* fall through */
|
||||
filter->k = 0; /* fall through */
|
||||
filter->jt = 0;
|
||||
filter->jf = 0;
|
||||
continue;
|
||||
@ -60,7 +56,7 @@ int bpf_resolve_jumps(struct bpf_labels *labels,
|
||||
}
|
||||
|
||||
/* Simple lookup table for labels. */
|
||||
__u32 seccomp_bpf_label(struct bpf_labels *labels, const char *label)
|
||||
__u32 seccomp_bpf_label(struct bpf_labels * labels, const char *label)
|
||||
{
|
||||
struct __bpf_label *begin = labels->labels, *end;
|
||||
int id;
|
||||
@ -89,7 +85,6 @@ __u32 seccomp_bpf_label(struct bpf_labels *labels, const char *label)
|
||||
void seccomp_bpf_print(struct sock_filter *filter, size_t count)
|
||||
{
|
||||
struct sock_filter *end = filter + count;
|
||||
for ( ; filter < end; ++filter)
|
||||
printf("{ code=%u,jt=%u,jf=%u,k=%u },\n",
|
||||
filter->code, filter->jt, filter->jf, filter->k);
|
||||
for (; filter < end; ++filter)
|
||||
printf("{ code=%u,jt=%u,jf=%u,k=%u },\n", filter->code, filter->jt, filter->jf, filter->k);
|
||||
}
|
||||
|
@ -16,6 +16,7 @@
|
||||
|
||||
#include <asm/bitsperlong.h> /* for __BITS_PER_LONG */
|
||||
#include <endian.h>
|
||||
#include <linux/audit.h>
|
||||
#include <linux/filter.h>
|
||||
#include <linux/seccomp.h> /* for seccomp_data */
|
||||
#include <linux/types.h>
|
||||
@ -31,8 +32,7 @@ struct bpf_labels {
|
||||
} labels[BPF_LABELS_MAX];
|
||||
};
|
||||
|
||||
int bpf_resolve_jumps(struct bpf_labels *labels,
|
||||
struct sock_filter *filter, size_t count);
|
||||
int bpf_resolve_jumps(struct bpf_labels *labels, struct sock_filter *filter, size_t count);
|
||||
__u32 seccomp_bpf_label(struct bpf_labels *labels, const char *label);
|
||||
void seccomp_bpf_print(struct sock_filter *filter, size_t count);
|
||||
|
||||
@ -45,6 +45,9 @@ void seccomp_bpf_print(struct sock_filter *filter, size_t count);
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
|
||||
#define DENY \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
|
||||
#define ERRNO(val) \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | (val & SECCOMP_RET_DATA))
|
||||
|
||||
#define JUMP(labels, label) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JA, FIND_LABEL((labels), (label)), \
|
||||
JUMP_JT, JUMP_JF)
|
||||
@ -143,7 +146,7 @@ union arg64 {
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(idx)), \
|
||||
BPF_STMT(BPF_ST, 0), /* lo -> M[0] */ \
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, HI_ARG(idx)), \
|
||||
BPF_STMT(BPF_ST, 1) /* hi -> M[1] */
|
||||
BPF_STMT(BPF_ST, 1) /* hi -> M[1] */
|
||||
|
||||
#define JEQ32(value, jt) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (value), 0, 1), \
|
||||
@ -160,7 +163,7 @@ union arg64 {
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (lo), 0, 2), \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
|
||||
jt, \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
|
||||
#define JNE64(lo, hi, jt) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (hi), 5, 0), \
|
||||
@ -168,7 +171,7 @@ union arg64 {
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (lo), 2, 0), \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
|
||||
jt, \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
|
||||
#define JA32(value, jt) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, (value), 0, 1), \
|
||||
@ -180,7 +183,7 @@ union arg64 {
|
||||
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, (lo), 0, 2), \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
|
||||
jt, \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
|
||||
#define JGE32(value, jt) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (value), 0, 1), \
|
||||
@ -198,7 +201,7 @@ union arg64 {
|
||||
BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (lo), 0, 2), \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
|
||||
jt, \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
|
||||
#define JLT64(lo, hi, jt) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (hi), 0, 4), \
|
||||
@ -207,7 +210,7 @@ union arg64 {
|
||||
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (lo), 2, 0), \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
|
||||
jt, \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
|
||||
#define JGT32(value, jt) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (value), 0, 1), \
|
||||
@ -225,7 +228,7 @@ union arg64 {
|
||||
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (lo), 0, 2), \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
|
||||
jt, \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
|
||||
#define JLE64(lo, hi, jt) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (hi), 6, 0), \
|
||||
@ -234,10 +237,14 @@ union arg64 {
|
||||
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (lo), 2, 0), \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
|
||||
jt, \
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
|
||||
|
||||
#define LOAD_SYSCALL_NR \
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||
offsetof(struct seccomp_data, nr))
|
||||
|
||||
#endif /* __BPF_HELPER_H__ */
|
||||
#define LOAD_ARCH \
|
||||
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, \
|
||||
offsetof(struct seccomp_data, arch))
|
||||
|
||||
#endif /* __BPF_HELPER_H__ */
|
||||
|
Loading…
Reference in New Issue
Block a user