[libseccomp-discuss] [RFC PATCH v1 01/10] arch: disconnect the BPF arch token from the libseccomp t
High level interface to the Linux Kernel's seccomp filter
From: Paul M. <pm...@re...> - 2013-01-31 16:03:08
Unfortunately, the x32 ABI shares the same architecture token with x86_64 in the kernel so we need to separate the arch token we use in the BPF filter with the arch token we use for idenitfying the arch/ABI to libseccomp callers.

Signed-off-by: Paul Moore <pm...@re...>
---
 src/api.c | 16 ++++++++--------
 src/arch-i386.c | 3 ++-
 src/arch-x86_64.c | 3 ++-
 src/arch.c | 50 ++++++++++++++++----------------------------------
 src/arch.h | 3 ++-
 src/gen_bpf.c | 4 ++--
 src/gen_pfc.c | 8 ++++----
 tools/sys_resolver.c | 2 +-
 8 files changed, 37 insertions(+), 52 deletions(-)

diff --git a/src/api.c b/src/api.c
index 5072afc..ded1b66 100644
--- a/src/api.c
+++ b/src/api.c
@@ -76,7 +76,7 @@ scmp_filter_ctx seccomp_init(uint32_t def_action)
 col = db_col_init(def_action);
 if (col == NULL)
 return NULL;
- db = db_init(&arch_def_native);
+ db = db_init(arch_def_native);
 if (db == NULL)
 goto init_failure_col;
@@ -104,7 +104,7 @@ int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action)
 db_col_reset(col, def_action);
- db = db_init(&arch_def_native);
+ db = db_init(arch_def_native);
 if (db == NULL)
 return -ENOMEM;
 rc = db_col_db_add(col, db);
@@ -143,7 +143,7 @@ int seccomp_merge(scmp_filter_ctx ctx_dst, scmp_filter_ctx ctx_src)
 /* NOTE - function header comment in include/seccomp.h */
 uint32_t seccomp_arch_native(void)
 {
- return arch_def_native.token;
+ return arch_def_native->token;
 }
 /* NOTE - function header comment in include/seccomp.h */
@@ -152,7 +152,7 @@ int seccomp_arch_exist(const scmp_filter_ctx ctx, uint32_t arch_token)
 struct db_filter_col *col = (struct db_filter_col *)ctx;
 if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
 if (arch_valid(arch_token))
 return -EINVAL;
@@ -169,7 +169,7 @@ int seccomp_arch_add(scmp_filter_ctx ctx, uint32_t arch_token)
 struct db_filter_col *col = (struct db_filter_col *)ctx;
 if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
 if (arch_valid(arch_token))
 return -EINVAL;
@@ -195,7 +195,7 @@ int seccomp_arch_remove(scmp_filter_ctx ctx, uint32_t arch_token)
 struct db_filter_col *col = (struct db_filter_col *)ctx;
 if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
 if (arch_valid(arch_token))
 return -EINVAL;
@@ -261,7 +261,7 @@ char *seccomp_syscall_resolve_num_arch(uint32_t arch_token, int num)
 const char *name;
 if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
 if (arch_valid(arch_token))
 return NULL;
 arch = arch_def_lookup(arch_token);
@@ -284,7 +284,7 @@ int seccomp_syscall_resolve_name_arch(uint32_t arch_token, const char *name)
 return -EINVAL;
 if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
 if (arch_valid(arch_token))
 return -EINVAL;
 arch = arch_def_lookup(arch_token);
diff --git a/src/arch-i386.c b/src/arch-i386.c
index 8605e25..3738da7 100644
--- a/src/arch-i386.c
+++ b/src/arch-i386.c
@@ -31,7 +31,8 @@
 #define __i386_NR_ipc 117
 const struct arch_def arch_def_i386 = {
- .token = AUDIT_ARCH_I386,
+ .token = SCMP_ARCH_X86,
+ .token_bpf = AUDIT_ARCH_I386,
 .size = ARCH_SIZE_32,
 .endian = ARCH_ENDIAN_LITTLE,
 };
diff --git a/src/arch-x86_64.c b/src/arch-x86_64.c
index 9f6af9c..55656c2 100644
--- a/src/arch-x86_64.c
+++ b/src/arch-x86_64.c
@@ -27,7 +27,8 @@
 #include "arch-x86_64.h"
 const struct arch_def arch_def_x86_64 = {
- .token = AUDIT_ARCH_X86_64,
+ .token = SCMP_ARCH_X86_64,
+ .token_bpf = AUDIT_ARCH_X86_64,
 .size = ARCH_SIZE_64,
 .endian = ARCH_ENDIAN_LITTLE,
 };
diff --git a/src/arch.c b/src/arch.c
index 4758296..c515e34 100644
--- a/src/arch.c
+++ b/src/arch.c
@@ -32,32 +32,14 @@
 #include "arch-x86_64.h"
 #include "system.h"
-const struct arch_def arch_def_native = {
 #if __i386__
- .token = AUDIT_ARCH_I386,
+const struct arch_def *arch_def_native = &arch_def_i386;
 #elif __x86_64__
- .token = AUDIT_ARCH_X86_64,
+const struct arch_def *arch_def_native = &arch_def_x86_64;
 #else
 #error the arch code needs to know about your machine type
 #endif /* machine type guess */
-#if __BITS_PER_LONG == 32
- .size = ARCH_SIZE_32,
-#elif __BITS_PER_LONG == 64
- .size = ARCH_SIZE_64,
-#else
- .size = ARCH_SIZE_UNSPEC,
-#endif /* BITS_PER_LONG */
-
-#if __BYTE_ORDER == __LITTLE_ENDIAN
- .endian = ARCH_ENDIAN_LITTLE,
-#elif __BYTE_ORDER == __BIG_ENDIAN
- .endian = ARCH_ENDIAN_BIG,
-#else
- .endian = ARCH_ENDIAN_UNSPEC,
-#endif /* __BYTE_ORDER */
-};
-
 /**
 * Validate the architecture token
 * @param arch the architecture token
@@ -68,8 +50,8 @@ const struct arch_def arch_def_native = {
 int arch_valid(uint32_t arch)
 {
 switch (arch) {
- case AUDIT_ARCH_I386:
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86:
+ case SCMP_ARCH_X86_64:
 return 0;
 }
@@ -86,10 +68,10 @@ int arch_valid(uint32_t arch)
 static const struct arch_syscall_def *_arch_syscall_lookup(uint32_t token)
 {
 switch (token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
 return i386_syscall_table;
 break;
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
 return x86_64_syscall_table;
 break;
 }
@@ -107,10 +89,10 @@ static const struct arch_syscall_def *_arch_syscall_lookup(uint32_t token)
 const struct arch_def *arch_def_lookup(uint32_t token)
 {
 switch (token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
 return &arch_def_i386;
 break;
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
 return &arch_def_x86_64;
 break;
 }
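Review bot: `const struct arch_def *arch_def_native = &arch_def_i386;` (and its x86_64 twin in the same hunk) makes the pointee const but leaves the pointer itself writable, whereas the struct it replaces was entirely read-only; every translation unit that includes src/arch.h can now reassign the native definition that seccomp_init(), seccomp_arch_native() and arch_syscall_translate() consult. Declaring it `const struct arch_def *const arch_def_native = &arch_def_i386;` with the matching `extern const struct arch_def *const arch_def_native;` in the src/arch.h hunk keeps the selection immutable and lets the toolchain place it in read-only data. The `#elif __x86_64__` branch that now chooses the native definition also matches the x32 ABI the commit message describes, so an x32 build would get arch_def_x86_64 with ARCH_SIZE_64; presumably a later patch in this series introduces the x32 definition and the distinction.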
@@ -129,9 +111,9 @@ const struct arch_def *arch_def_lookup(uint32_t token)
 int arch_arg_count_max(const struct arch_def *arch)
 {
 switch (arch->token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
 return i386_arg_count_max;
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
 return x86_64_arg_count_max;
 default:
 return -EDOM;
@@ -151,7 +133,7 @@ int arch_arg_count_max(const struct arch_def *arch)
 int arch_arg_offset_lo(const struct arch_def *arch, unsigned int arg)
 {
 switch (arch->token) {
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
 return x86_64_arg_offset_lo(arg);
 default:
 return -EDOM;
@@ -171,7 +153,7 @@ int arch_arg_offset_lo(const struct arch_def *arch, unsigned int arg)
 int arch_arg_offset_hi(const struct arch_def *arch, unsigned int arg)
 {
 switch (arch->token) {
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
 return x86_64_arg_offset_hi(arg);
 default:
 return -EDOM;
@@ -249,8 +231,8 @@ int arch_syscall_translate(const struct arch_def *arch, int *syscall)
 int sc_num;
 const char *sc_name;
- if (arch->token != arch_def_native.token) {
- sc_name = arch_syscall_resolve_num(&arch_def_native, *syscall);
+ if (arch->token != arch_def_native->token) {
+ sc_name = arch_syscall_resolve_num(arch_def_native, *syscall);
 if (sc_name == NULL)
 return -EFAULT;
@@ -292,7 +274,7 @@ int arch_syscall_rewrite(const struct arch_def *arch, unsigned int strict,
 } else if (sys <= -100 && sys > -10000) {
 /* rewritable syscalls */
 switch (arch->token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
 return i386_syscall_rewrite(arch, strict, syscall);
 }
 /* NOTE: we fall through to the default handling (strict?) if
@@ -335,7 +317,7 @@ int arch_filter_rewrite(const struct arch_def *arch,
 } else if (sys <= -100 && sys > -10000) {
 /* rewritable syscalls */
 switch (arch->token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
 return i386_filter_rewrite(arch, strict, syscall, chain);
 }
diff --git a/src/arch.h b/src/arch.h
index 98f2dc0..061c2cc 100644
--- a/src/arch.h
+++ b/src/arch.h
@@ -33,6 +33,7 @@ struct db_api_arg;
 struct arch_def {
 uint32_t token;
+ uint32_t token_bpf;
 enum {
 ARCH_SIZE_UNSPEC = 0,
 ARCH_SIZE_32 = 32,
@@ -46,7 +47,7 @@ struct arch_def {
 };
 /* arch_def for the current architecture */
-extern const struct arch_def arch_def_native;
+extern const struct arch_def *arch_def_native;
 /* NOTE: Syscall mappings can be found by running the following commands
 * on the specific architecture's include file:
diff --git a/src/gen_bpf.c b/src/gen_bpf.c
index 7fec966..b1287e5 100644
--- a/src/gen_bpf.c
+++ b/src/gen_bpf.c
@@ -1150,7 +1150,7 @@ static struct bpf_blk *_gen_bpf_arch(struct bpf_state *state,
 _BPF_INSTR(instr, BPF_JMP+BPF_JEQ,
 _BPF_JMP_HSH(b_head->hash), _BPF_JMP_NXT(blk_cnt),
- _BPF_K(db->arch->token));
+ _BPF_K(db->arch->token_bpf));
 b_head->prev = _blk_append(state, NULL, &instr);
 if (b_head->prev == NULL)
 goto arch_failure;
@@ -1160,7 +1160,7 @@ static struct bpf_blk *_gen_bpf_arch(struct bpf_state *state,
 /* arch check */
 _BPF_INSTR(instr, BPF_JMP+BPF_JEQ,
 _BPF_JMP_HSH(state->def_hsh), _BPF_JMP_NXT(0),
- _BPF_K(db->arch->token));
+ _BPF_K(db->arch->token_bpf));
 b_head = _blk_append(state, NULL, &instr);
 if (b_head == NULL)
 goto arch_failure;
diff --git a/src/gen_pfc.c b/src/gen_pfc.c
index 7d4463b..e19d053 100644
--- a/src/gen_pfc.c
+++ b/src/gen_pfc.c
@@ -49,9 +49,9 @@ struct pfc_sys_list {
 static const char *_pfc_arch(const struct arch_def *arch)
 {
 switch (arch->token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
 return "x86";
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
 return "x86_64";
 default:
 return "UNKNOWN";
@@ -261,8 +261,8 @@ static int _gen_pfc_arch(const struct db_filter_col *col,
 }
 fprintf(fds, "# filter for arch %s (%u)\n",
- _pfc_arch(db->arch), db->arch->token_bpf);
- fprintf(fds, "if ($arch == %u)\n", db->arch->token);
+ _pfc_arch(db->arch), db->arch->token_bpf);
+ fprintf(fds, "if ($arch == %u)\n", db->arch->token_bpf);
 p_iter = p_head;
 while (p_iter != NULL) {
 if (p_iter->sys->valid == 0)
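Review bot: The new `uint32_t token_bpf;` member of struct arch_def carries no comment separating it from `token`, and after this patch the two are easy to confuse: `token` is what arch_valid(), arch_def_lookup() and the seccomp_arch_*() API compare, while `token_bpf` is what _gen_bpf_arch() emits as the JEQ key of the filter's arch check. Suggest `/* libseccomp arch token (SCMP_ARCH_*), used by and returned to API callers */` above `token` and `/* kernel AUDIT_ARCH_* value the generated BPF arch check compares against */` above `token_bpf`, so a future arch definition does not populate them the wrong way round. The struct arch_def definition continues past the end of the hunk.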
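Review bot: With `_BPF_K(db->arch->token_bpf)` as the only per-arch discriminator in the generated program, two arch_def entries sharing one token_bpf (the x32/x86_64 case the commit message names) would yield two arch-check blocks with an identical JEQ key, and only the first would ever be taken, so the second ABI's filter would silently never apply. No such pair exists in this patch, so it is not a defect yet, but the assumption deserves to be written down at the arch check, e.g. `/* token_bpf must be unique per arch in the collection; a shared kernel arch value needs an additional discriminator */`, or enforced where an arch is added to the collection once x32 lands. _gen_bpf_arch() begins before and ends after both hunks.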
diff --git a/tools/sys_resolver.c b/tools/sys_resolver.c
index 6358b30..8a7f361 100644
--- a/tools/sys_resolver.c
+++ b/tools/sys_resolver.c
@@ -51,7 +51,7 @@ int main(int argc, char *argv[])
 {
 int opt;
 int translate = 0;
- const struct arch_def *arch = &arch_def_native;
+ const struct arch_def *arch = arch_def_native;
 int sys_num;
 /* parse the command line */
|