[libseccomp-discuss] [RFC PATCH v1 01/10] arch: disconnect the BPF arch token from the libseccomp t
High level interface to the Linux Kernel's seccomp filter
Brought to you by:
pcmoore
Menu
▾
▴
[libseccomp-discuss] [RFC PATCH v1 01/10] arch: disconnect the BPF arch token from the libseccomp token
|
From: Paul M. <pm...@re...> - 2013-01-31 16:03:08
|
Unfortunately, the x32 ABI shares the same architecture token with
x86_64 in the kernel so we need to separate the arch token we use
in the BPF filter with the arch token we use for idenitfying the
arch/ABI to libseccomp callers.
Signed-off-by: Paul Moore <pm...@re...>
---
src/api.c | 16 ++++++++--------
src/arch-i386.c | 3 ++-
src/arch-x86_64.c | 3 ++-
src/arch.c | 50 ++++++++++++++++----------------------------------
src/arch.h | 3 ++-
src/gen_bpf.c | 4 ++--
src/gen_pfc.c | 8 ++++----
tools/sys_resolver.c | 2 +-
8 files changed, 37 insertions(+), 52 deletions(-)
diff --git a/src/api.c b/src/api.c
index 5072afc..ded1b66 100644
--- a/src/api.c
+++ b/src/api.c
@@ -76,7 +76,7 @@ scmp_filter_ctx seccomp_init(uint32_t def_action)
col = db_col_init(def_action);
if (col == NULL)
return NULL;
- db = db_init(&arch_def_native);
+ db = db_init(arch_def_native);
if (db == NULL)
goto init_failure_col;
@@ -104,7 +104,7 @@ int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action)
db_col_reset(col, def_action);
- db = db_init(&arch_def_native);
+ db = db_init(arch_def_native);
if (db == NULL)
return -ENOMEM;
rc = db_col_db_add(col, db);
@@ -143,7 +143,7 @@ int seccomp_merge(scmp_filter_ctx ctx_dst, scmp_filter_ctx ctx_src)
/* NOTE - function header comment in include/seccomp.h */
uint32_t seccomp_arch_native(void)
{
- return arch_def_native.token;
+ return arch_def_native->token;
}
/* NOTE - function header comment in include/seccomp.h */
@@ -152,7 +152,7 @@ int seccomp_arch_exist(const scmp_filter_ctx ctx, uint32_t arch_token)
struct db_filter_col *col = (struct db_filter_col *)ctx;
if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
if (arch_valid(arch_token))
return -EINVAL;
@@ -169,7 +169,7 @@ int seccomp_arch_add(scmp_filter_ctx ctx, uint32_t arch_token)
struct db_filter_col *col = (struct db_filter_col *)ctx;
if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
if (arch_valid(arch_token))
return -EINVAL;
@@ -195,7 +195,7 @@ int seccomp_arch_remove(scmp_filter_ctx ctx, uint32_t arch_token)
struct db_filter_col *col = (struct db_filter_col *)ctx;
if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
if (arch_valid(arch_token))
return -EINVAL;
@@ -261,7 +261,7 @@ char *seccomp_syscall_resolve_num_arch(uint32_t arch_token, int num)
const char *name;
if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
if (arch_valid(arch_token))
return NULL;
arch = arch_def_lookup(arch_token);
@@ -284,7 +284,7 @@ int seccomp_syscall_resolve_name_arch(uint32_t arch_token, const char *name)
return -EINVAL;
if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
if (arch_valid(arch_token))
return -EINVAL;
arch = arch_def_lookup(arch_token);
diff --git a/src/arch-i386.c b/src/arch-i386.c
index 8605e25..3738da7 100644
--- a/src/arch-i386.c
+++ b/src/arch-i386.c
@@ -31,7 +31,8 @@
#define __i386_NR_ipc 117
const struct arch_def arch_def_i386 = {
- .token = AUDIT_ARCH_I386,
+ .token = SCMP_ARCH_X86,
+ .token_bpf = AUDIT_ARCH_I386,
.size = ARCH_SIZE_32,
.endian = ARCH_ENDIAN_LITTLE,
};
diff --git a/src/arch-x86_64.c b/src/arch-x86_64.c
index 9f6af9c..55656c2 100644
--- a/src/arch-x86_64.c
+++ b/src/arch-x86_64.c
@@ -27,7 +27,8 @@
#include "arch-x86_64.h"
const struct arch_def arch_def_x86_64 = {
- .token = AUDIT_ARCH_X86_64,
+ .token = SCMP_ARCH_X86_64,
+ .token_bpf = AUDIT_ARCH_X86_64,
.size = ARCH_SIZE_64,
.endian = ARCH_ENDIAN_LITTLE,
};
diff --git a/src/arch.c b/src/arch.c
index 4758296..c515e34 100644
--- a/src/arch.c
+++ b/src/arch.c
@@ -32,32 +32,14 @@
#include "arch-x86_64.h"
#include "system.h"
-const struct arch_def arch_def_native = {
#if __i386__
- .token = AUDIT_ARCH_I386,
+const struct arch_def *arch_def_native = &arch_def_i386;
#elif __x86_64__
- .token = AUDIT_ARCH_X86_64,
+const struct arch_def *arch_def_native = &arch_def_x86_64;
#else
#error the arch code needs to know about your machine type
#endif /* machine type guess */
-#if __BITS_PER_LONG == 32
- .size = ARCH_SIZE_32,
-#elif __BITS_PER_LONG == 64
- .size = ARCH_SIZE_64,
-#else
- .size = ARCH_SIZE_UNSPEC,
-#endif /* BITS_PER_LONG */
-
-#if __BYTE_ORDER == __LITTLE_ENDIAN
- .endian = ARCH_ENDIAN_LITTLE,
-#elif __BYTE_ORDER == __BIG_ENDIAN
- .endian = ARCH_ENDIAN_BIG,
-#else
- .endian = ARCH_ENDIAN_UNSPEC,
-#endif /* __BYTE_ORDER */
-};
-
/**
* Validate the architecture token
* @param arch the architecture token
@@ -68,8 +50,8 @@ const struct arch_def arch_def_native = {
int arch_valid(uint32_t arch)
{
switch (arch) {
- case AUDIT_ARCH_I386:
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86:
+ case SCMP_ARCH_X86_64:
return 0;
}
@@ -86,10 +68,10 @@ int arch_valid(uint32_t arch)
static const struct arch_syscall_def *_arch_syscall_lookup(uint32_t token)
{
switch (token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
return i386_syscall_table;
break;
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
return x86_64_syscall_table;
break;
}
@@ -107,10 +89,10 @@ static const struct arch_syscall_def *_arch_syscall_lookup(uint32_t token)
const struct arch_def *arch_def_lookup(uint32_t token)
{
switch (token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
return &arch_def_i386;
break;
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
return &arch_def_x86_64;
break;
}
@@ -129,9 +111,9 @@ const struct arch_def *arch_def_lookup(uint32_t token)
int arch_arg_count_max(const struct arch_def *arch)
{
switch (arch->token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
return i386_arg_count_max;
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
return x86_64_arg_count_max;
default:
return -EDOM;
@@ -151,7 +133,7 @@ int arch_arg_count_max(const struct arch_def *arch)
int arch_arg_offset_lo(const struct arch_def *arch, unsigned int arg)
{
switch (arch->token) {
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
return x86_64_arg_offset_lo(arg);
default:
return -EDOM;
@@ -171,7 +153,7 @@ int arch_arg_offset_lo(const struct arch_def *arch, unsigned int arg)
int arch_arg_offset_hi(const struct arch_def *arch, unsigned int arg)
{
switch (arch->token) {
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
return x86_64_arg_offset_hi(arg);
default:
return -EDOM;
@@ -249,8 +231,8 @@ int arch_syscall_translate(const struct arch_def *arch, int *syscall)
int sc_num;
const char *sc_name;
- if (arch->token != arch_def_native.token) {
- sc_name = arch_syscall_resolve_num(&arch_def_native, *syscall);
+ if (arch->token != arch_def_native->token) {
+ sc_name = arch_syscall_resolve_num(arch_def_native, *syscall);
if (sc_name == NULL)
return -EFAULT;
@@ -292,7 +274,7 @@ int arch_syscall_rewrite(const struct arch_def *arch, unsigned int strict,
} else if (sys <= -100 && sys > -10000) {
/* rewritable syscalls */
switch (arch->token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
return i386_syscall_rewrite(arch, strict, syscall);
}
/* NOTE: we fall through to the default handling (strict?) if
@@ -335,7 +317,7 @@ int arch_filter_rewrite(const struct arch_def *arch,
} else if (sys <= -100 && sys > -10000) {
/* rewritable syscalls */
switch (arch->token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
return i386_filter_rewrite(arch,
strict, syscall, chain);
}
diff --git a/src/arch.h b/src/arch.h
index 98f2dc0..061c2cc 100644
--- a/src/arch.h
+++ b/src/arch.h
@@ -33,6 +33,7 @@ struct db_api_arg;
struct arch_def {
uint32_t token;
+ uint32_t token_bpf;
enum {
ARCH_SIZE_UNSPEC = 0,
ARCH_SIZE_32 = 32,
@@ -46,7 +47,7 @@ struct arch_def {
};
/* arch_def for the current architecture */
-extern const struct arch_def arch_def_native;
+extern const struct arch_def *arch_def_native;
/* NOTE: Syscall mappings can be found by running the following commands
* on the specific architecture's include file:
diff --git a/src/gen_bpf.c b/src/gen_bpf.c
index 7fec966..b1287e5 100644
--- a/src/gen_bpf.c
+++ b/src/gen_bpf.c
@@ -1150,7 +1150,7 @@ static struct bpf_blk *_gen_bpf_arch(struct bpf_state *state,
_BPF_INSTR(instr, BPF_JMP+BPF_JEQ,
_BPF_JMP_HSH(b_head->hash),
_BPF_JMP_NXT(blk_cnt),
- _BPF_K(db->arch->token));
+ _BPF_K(db->arch->token_bpf));
b_head->prev = _blk_append(state, NULL, &instr);
if (b_head->prev == NULL)
goto arch_failure;
@@ -1160,7 +1160,7 @@ static struct bpf_blk *_gen_bpf_arch(struct bpf_state *state,
/* arch check */
_BPF_INSTR(instr, BPF_JMP+BPF_JEQ,
_BPF_JMP_HSH(state->def_hsh), _BPF_JMP_NXT(0),
- _BPF_K(db->arch->token));
+ _BPF_K(db->arch->token_bpf));
b_head = _blk_append(state, NULL, &instr);
if (b_head == NULL)
goto arch_failure;
diff --git a/src/gen_pfc.c b/src/gen_pfc.c
index 7d4463b..e19d053 100644
--- a/src/gen_pfc.c
+++ b/src/gen_pfc.c
@@ -49,9 +49,9 @@ struct pfc_sys_list {
static const char *_pfc_arch(const struct arch_def *arch)
{
switch (arch->token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
return "x86";
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
return "x86_64";
default:
return "UNKNOWN";
@@ -261,8 +261,8 @@ static int _gen_pfc_arch(const struct db_filter_col *col,
}
fprintf(fds, "# filter for arch %s (%u)\n",
- _pfc_arch(db->arch), db->arch->token);
- fprintf(fds, "if ($arch == %u)\n", db->arch->token);
+ _pfc_arch(db->arch), db->arch->token_bpf);
+ fprintf(fds, "if ($arch == %u)\n", db->arch->token_bpf);
p_iter = p_head;
while (p_iter != NULL) {
if (p_iter->sys->valid == 0)
diff --git a/tools/sys_resolver.c b/tools/sys_resolver.c
index 6358b30..8a7f361 100644
--- a/tools/sys_resolver.c
+++ b/tools/sys_resolver.c
@@ -51,7 +51,7 @@ int main(int argc, char *argv[])
{
int opt;
int translate = 0;
- const struct arch_def *arch = &arch_def_native;
+ const struct arch_def *arch = arch_def_native;
int sys_num;
/* parse the command line */
|