authorAlice Frosi <afrosi@redhat.com>2023-05-16 18:05:46 +0200
committerAlice Frosi <afrosi@redhat.com>2023-05-17 10:55:11 +0200
commit16346c99a674d95970cfc59b0aa5d00e91cc4e0f (patch)
treec10f01f1d33108ac17bec484ac570e4a431ded0b
parentaeaeda81af25fdc105d4157dc9e679423fdef761 (diff)
filter: refactoring filter
Attempt to simplify the filter build: - store all the bpf_args in a common array and save the index of each entry in filter_input - add a new flag to filter_add_arg to append an argument to an entry - split the large loop in filter_build into multiple functions - adjust and refactor tests/units/test_filter The tests in test_filter_build.c still need to be fixed
-rw-r--r--cooker/filter.c576
-rw-r--r--cooker/filter.h13
-rw-r--r--tests/unit/test_filter.c301
-rw-r--r--tests/unit/testutil.h3
4 files changed, 419 insertions, 474 deletions
diff --git a/cooker/filter.c b/cooker/filter.c
index 98dec09..dcd04bf 100644
--- a/cooker/filter.c
+++ b/cooker/filter.c
@@ -1,3 +1,4 @@
+
/* SPDX-License-Identifier: GPL-3.0-or-later
* Copyright 2023 Red Hat GmbH
* Author: Alice Frosi <afrosi@redhat.com>
@@ -13,12 +14,182 @@
#include <unistd.h>
#include "filter.h"
-#include "util.h"
-struct notify {
- long nr;
- struct bpf_arg arg[6];
-} notify_call[512];
+struct bpf_entry entries[MAX_ENTRIES];
+static unsigned int index_entries = 0;
+
+/**
+ * struct filter_call_input - First input stage for cooker notification requests
+ * @notify: Notify on this system call
+ * @count: How many entry for the same syscall
+ * @entries: Index for the arguments for every entry
+ */
+struct filter_call_input {
+ bool notify;
+ unsigned int count;
+ int entries[MAX_ENTRIES_SYSCALL];
+} filter_input[N_SYSCALL] = { 0 };
+
+static long current_nr;
+
+static void set_no_args(struct bpf_entry *entry)
+{
+ for (int i = 0; i < 6; i++)
+ entry->args[i].cmp = NO_CHECK;
+}
+
+static unsigned int get_number_entries(long nr)
+{
+ struct filter_call_input *call = filter_input + nr;
+
+ return call->count;
+}
+
+static bool need_check_arg(const struct bpf_entry *entry)
+{
+ for (int i = 0; i < 6; i++)
+ if (entry->args[i].cmp != NO_CHECK)
+ return true;
+ return false;
+}
+
+static bool has_args(long nr)
+{
+ struct filter_call_input *call = filter_input + nr;
+
+ if (call-> count < 1)
+ return false;
+
+ /* Check if the first entry has some arguments */
+ return need_check_arg(&entries[call->entries[0]]);
+}
+
+static unsigned get_args_for_entry(const struct bpf_entry *entry)
+{
+ unsigned i, n = 0;
+
+ for (i = 0; i < 6; i++)
+ if (entry->args[i].cmp != NO_CHECK)
+ n++;
+ return n;
+}
+
+/* Calculate how many instruction for the syscall */
+static unsigned int get_n_args_syscall_instr(long nr)
+{
+ struct filter_call_input *call = filter_input + nr;
+ const struct bpf_entry *entry;
+ unsigned int n = 0, total_instr = 0;
+ unsigned int i, k;
+
+ for (i = 0; i < call->count; i++) {
+ entry = &entries[call->entries[i]];
+ n = 0;
+ for (k = 0; k < 6; k++) {
+ if (entry->args[k].cmp == NO_CHECK)
+ continue;
+ switch (entry->args[k].type) {
+ case BPF_U32:
+ /* For 32 bit arguments
+ * comparison instructions (2):
+ * 1 loading the value + 1 for evaluation
+ * arithemtic instructions (3):
+ * 1 loading the value + 1 for the operation + 1 for evaluation
+ */
+ if (entry->args[k].cmp == AND_EQ ||
+ entry->args[k].cmp == AND_NE)
+ n += 3;
+ else
+ n += 2;
+ break;
+ case BPF_U64:
+ /* For 64 bit arguments: 32 instructions * 2
+ * for loading and evaluating the high and low 32 bits chuncks.
+ */
+ if (entry->args[k].cmp == AND_EQ ||
+ entry->args[k].cmp == AND_NE)
+ n += 6;
+ else
+ n += 4;
+ break;
+ }
+ }
+ total_instr += n;
+ /* If there at least an argument, then there is the jump to the
+ * notification */
+ if (n > 0)
+ total_instr++;
+ }
+ /* If there at least an argument for that syscall, then there is the jump to the
+ * accept */
+ if (has_args(nr))
+ total_instr++;
+
+ return total_instr;
+}
+
+/**
+ * filter_notify() - Start of notification request, check/flush previous one
+ * @nr: System call number, -1 to just flush previous request
+ */
+void filter_notify(long nr) {
+ struct filter_call_input *call = filter_input + nr;
+
+ if (nr >= 0) {
+ current_nr = nr;
+ call->notify = true;
+ }
+}
+
+/**
+ * filter_add_arg(): Add a new argument to the current syscall
+ * @index: position of the argument
+ * @arg: the argument to add
+ * @append: if it is the first element add to the syscall entry
+ */
+void filter_add_arg(int index, struct bpf_arg arg, bool append)
+{
+ struct filter_call_input *call = filter_input + current_nr;
+
+ fprintf(stderr, "count=%d cmp=%d value=%X\n", call->count, arg.cmp,
+ arg.value.v32);
+ /* If it reaches the maximum number of entries per syscall, then we simply
+ * notify for all the arguments and ignore the other arguments.
+ */
+ if (call->count >= MAX_ENTRIES_SYSCALL) {
+ set_no_args(&entries[call->entries[0]]);
+ return;
+ }
+ if (!append)
+ call->entries[call->count++] = index_entries;
+ memcpy(&entries[index_entries++].args[index], &arg, sizeof(arg));
+}
+
+void filter_needs_deref(void)
+{
+ struct filter_call_input *call = filter_input + current_nr;
+
+ call->count = MAX_ENTRIES_SYSCALL;
+ set_no_args(&entries[call->entries[0]]);
+}
+
+static int table[N_SYSCALL];
+
+static unsigned int create_table_syscall()
+{
+ unsigned int i, count = 0;
+
+ for (i = 0; i < N_SYSCALL; i++)
+ if (filter_input[i].notify)
+ table[count++] = i;
+ return count;
+}
+
+static long get_syscall(unsigned int i)
+{
+ return (long)table[i];
+}
+
static unsigned int count_shift_right(unsigned int n)
{
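Review bot: filter_notify() at the top of this hunk forms `filter_input + nr` before the `nr >= 0` check and never rejects `nr >= N_SYSCALL`, and filter_add_arg() writes `entries[index_entries++].args[index]` without checking `index` against the 6-element args array or `index_entries` against MAX_ENTRIES, so an out-of-range syscall number or argument position coming from the cooker's input corrupts neighbouring state instead of failing. I would put the pointer computation after a full range check, `if (nr < 0 || nr >= N_SYSCALL) return;`, and in filter_add_arg() reject `index < 0 || index >= 6 || index_entries >= MAX_ENTRIES` before the memcpy. filter_needs_deref() and the MAX_ENTRIES_SYSCALL branch of filter_add_arg() clear only `entries[call->entries[0]]`; when nothing has been appended yet for that syscall that index is the zero-initialised 0, so entries[0] — which may belong to another syscall — is wiped, while any later entries of the same syscall keep their checks even though has_args() will report none. The `fprintf(stderr, "count=%d cmp=%d value=%X\n", ...)` in filter_add_arg() looks like leftover debug output (and prints an unsigned count with %d); it should be dropped or moved behind the project's debug facility.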
@@ -42,7 +213,7 @@ static void insert_pair(int jumps[], int arr[], unsigned int level)
}
}
-unsigned int left_child(unsigned int parent_index)
+static unsigned int left_child(unsigned int parent_index)
{
unsigned int level = count_shift_right(parent_index + 1);
/* 2^(level) -1 gives the beginning of the next interval */
@@ -53,12 +224,12 @@ unsigned int left_child(unsigned int parent_index)
return next_interval + 2 * i;
}
-unsigned int right_child(unsigned int parent_index)
+static unsigned int right_child(unsigned int parent_index)
{
return left_child(parent_index) + 1;
}
-void create_lookup_nodes(int jumps[], unsigned int n)
+static void create_lookup_nodes(int jumps[], unsigned int n)
{
unsigned int i, index;
unsigned int old_interval, interval;
@@ -88,91 +259,17 @@ void create_lookup_nodes(int jumps[], unsigned int n)
}
}
-static unsigned get_n_args_syscall_entry(const struct notify *entry)
-{
- unsigned i, n = 0;
-
- for (i = 0; i < 6; i++)
- if (entry->arg[i].cmp != NO_CHECK)
- n++;
- return n;
-}
-
-static unsigned int get_n_args_syscall_instr(const struct notify *table,
- int len)
-{
- const struct notify *entry;
- bool has_arg = false;
- unsigned n = 0, total_instr = 0;
- int i;
-
- for (i = 0; i < len; i++) {
- entry = table + i;
- n = 0;
- for (unsigned int k = 0; k < 6; k++) {
- if (entry->arg[k].cmp == NO_CHECK)
- continue;
- switch (entry->arg[k].type) {
- case BPF_U32:
- /* For 32 bit arguments
- * comparison instructions (2):
- * 1 loading the value + 1 for evaluation
- * arithemtic instructions (3):
- * 1 loading the value + 1 for the operation + 1 for evaluation
- */
- if (entry->arg[k].cmp == AND_EQ ||
- entry->arg[k].cmp == AND_NE)
- n += 3;
- else
- n += 2;
- break;
- case BPF_U64:
- /* For 64 bit arguments: 32 instructions * 2
- * for loading and evaluating the high and low 32 bits chuncks.
- */
- if (entry->arg[k].cmp == AND_EQ ||
- entry->arg[k].cmp == AND_NE)
- n += 6;
- else
- n += 4;
- break;
- }
- }
- total_instr += n;
- /* If there at least an argument, then there is the jump to the
- * notification */
- if (n > 0) {
- has_arg = true;
- total_instr++;
- }
- }
- /* If there at least an argument for that syscall, then there is the jump to the
- * accept */
- if (has_arg)
- total_instr++;
-
- return total_instr;
-}
-
-static bool check_args_syscall_entry(const struct notify *entry){
- return entry->arg[0].cmp != NO_CHECK ||
- entry->arg[1].cmp != NO_CHECK ||
- entry->arg[2].cmp != NO_CHECK ||
- entry->arg[3].cmp != NO_CHECK ||
- entry->arg[4].cmp != NO_CHECK || entry->arg[5].cmp != NO_CHECK;
-}
-
static unsigned int eq(struct sock_filter filter[], int idx,
- const struct notify *entry, unsigned int jtrue,
+ const struct bpf_entry *entry, unsigned int jtrue,
unsigned int jfalse)
{
unsigned int size = 0;
uint32_t hi, lo;
- switch (entry->arg[idx].type) {
+ switch (entry->args[idx].type) {
case BPF_U64:
- hi = get_hi((entry->arg[idx]).value.v64);
- lo = get_lo((entry->arg[idx]).value.v64);
+ hi = get_hi((entry->args[idx]).value.v64);
+ lo = get_lo((entry->args[idx]).value.v64);
filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx));
filter[size++] = (struct sock_filter)EQ(lo, 0, jfalse);
filter[size++] = (struct sock_filter)LOAD(HI_ARG(idx));
@@ -181,7 +278,7 @@ static unsigned int eq(struct sock_filter filter[], int idx,
case BPF_U32:
filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx));
filter[size++] = (struct sock_filter)EQ(
- entry->arg[idx].value.v32, jtrue, jfalse);
+ entry->args[idx].value.v32, jtrue, jfalse);
break;
}
@@ -189,16 +286,16 @@ static unsigned int eq(struct sock_filter filter[], int idx,
}
static unsigned int gt(struct sock_filter filter[], int idx,
- const struct notify *entry, unsigned int jtrue,
+ const struct bpf_entry *entry, unsigned int jtrue,
unsigned int jfalse)
{
unsigned int size = 0;
uint32_t hi, lo;
- switch (entry->arg[idx].type) {
+ switch (entry->args[idx].type) {
case BPF_U64:
- hi = get_hi((entry->arg[idx]).value.v64);
- lo = get_lo((entry->arg[idx]).value.v64);
+ hi = get_hi((entry->args[idx]).value.v64);
+ lo = get_lo((entry->args[idx]).value.v64);
filter[size++] = (struct sock_filter)LOAD(HI_ARG(idx));
filter[size++] = (struct sock_filter)GT(hi, jtrue + 2, 0);
filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx));
@@ -207,7 +304,7 @@ static unsigned int gt(struct sock_filter filter[], int idx,
case BPF_U32:
filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx));
filter[size++] = (struct sock_filter)GT(
- entry->arg[idx].value.v32, jtrue, jfalse);
+ entry->args[idx].value.v32, jtrue, jfalse);
break;
}
@@ -215,16 +312,16 @@ static unsigned int gt(struct sock_filter filter[], int idx,
}
static unsigned int lt(struct sock_filter filter[], int idx,
- const struct notify *entry, unsigned int jtrue,
+ const struct bpf_entry *entry, unsigned int jtrue,
unsigned int jfalse)
{
unsigned int size = 0;
uint32_t hi, lo;
- switch (entry->arg[idx].type) {
+ switch (entry->args[idx].type) {
case BPF_U64:
- hi = get_hi((entry->arg[idx]).value.v64);
- lo = get_lo((entry->arg[idx]).value.v64);
+ hi = get_hi((entry->args[idx]).value.v64);
+ lo = get_lo((entry->args[idx]).value.v64);
filter[size++] = (struct sock_filter)LOAD(HI_ARG(idx));
filter[size++] = (struct sock_filter)LT(hi, jtrue + 2, jfalse);
filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx));
@@ -233,7 +330,7 @@ static unsigned int lt(struct sock_filter filter[], int idx,
case BPF_U32:
filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx));
filter[size++] = (struct sock_filter)LT(
- entry->arg[idx].value.v32, jtrue, jfalse);
+ entry->args[idx].value.v32, jtrue, jfalse);
break;
}
@@ -241,51 +338,51 @@ static unsigned int lt(struct sock_filter filter[], int idx,
}
static unsigned int neq(struct sock_filter filter[], int idx,
- const struct notify *entry, unsigned int jtrue,
+ const struct bpf_entry *entry, unsigned int jtrue,
unsigned int jfalse)
{
return eq(filter, idx, entry, jfalse, jtrue);
}
static unsigned int ge(struct sock_filter filter[], int idx,
- const struct notify *entry, unsigned int jtrue,
+ const struct bpf_entry *entry, unsigned int jtrue,
unsigned int jfalse)
{
return lt(filter, idx, entry, jfalse, jtrue);
}
static unsigned int le(struct sock_filter filter[], int idx,
- const struct notify *entry, unsigned int jtrue,
+ const struct bpf_entry *entry, unsigned int jtrue,
unsigned int jfalse)
{
return gt(filter, idx, entry, jfalse, jtrue);
}
static unsigned int and_eq (struct sock_filter filter[], int idx,
- const struct notify *entry, unsigned int jtrue,
+ const struct bpf_entry *entry, unsigned int jtrue,
unsigned int jfalse)
{
unsigned int size = 0;
- switch (entry->arg[idx].type) {
+ switch (entry->args[idx].type) {
case BPF_U64:
filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx));
filter[size++] = (struct sock_filter)AND(
- get_lo(entry->arg[idx].op2.v64));
+ get_lo(entry->args[idx].op2.v64));
filter[size++] = (struct sock_filter)EQ(
- get_lo((entry->arg[idx]).value.v64), 0, jfalse);
+ get_lo((entry->args[idx]).value.v64), 0, jfalse);
filter[size++] = (struct sock_filter)LOAD(HI_ARG(idx));
filter[size++] = (struct sock_filter)AND(
- get_hi(entry->arg[idx].op2.v64));
+ get_hi(entry->args[idx].op2.v64));
filter[size++] = (struct sock_filter)EQ(
- get_hi(entry->arg[idx].value.v64), jtrue, jfalse);
+ get_hi(entry->args[idx].value.v64), jtrue, jfalse);
break;
case BPF_U32:
filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx));
filter[size++] =
- (struct sock_filter)AND(entry->arg[idx].op2.v32);
+ (struct sock_filter)AND(entry->args[idx].op2.v32);
filter[size++] = (struct sock_filter)EQ(
- entry->arg[idx].value.v32, jtrue, jfalse);
+ entry->args[idx].value.v32, jtrue, jfalse);
break;
}
@@ -293,47 +390,100 @@ static unsigned int and_eq (struct sock_filter filter[], int idx,
}
static unsigned int and_ne(struct sock_filter filter[], int idx,
- const struct notify *entry, unsigned int jtrue,
+ const struct bpf_entry *entry, unsigned int jtrue,
unsigned int jfalse)
{
unsigned int size = 0;
- switch (entry->arg[idx].type) {
+ switch (entry->args[idx].type) {
case BPF_U64:
filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx));
filter[size++] = (struct sock_filter)AND(
- get_lo(entry->arg[idx].op2.v64));
+ get_lo(entry->args[idx].op2.v64));
filter[size++] = (struct sock_filter)EQ(
- get_lo((entry->arg[idx]).value.v64), 0, jtrue + 3);
+ get_lo((entry->args[idx]).value.v64), 0, jtrue + 3);
filter[size++] = (struct sock_filter)LOAD(HI_ARG(idx));
filter[size++] = (struct sock_filter)AND(
- get_hi(entry->arg[idx].op2.v64));
+ get_hi(entry->args[idx].op2.v64));
filter[size++] = (struct sock_filter)EQ(
- get_hi(entry->arg[idx].value.v64), jfalse, jtrue);
+ get_hi(entry->args[idx].value.v64), jfalse, jtrue);
break;
case BPF_U32:
filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx));
filter[size++] =
- (struct sock_filter)AND(entry->arg[idx].op2.v32);
+ (struct sock_filter)AND(entry->args[idx].op2.v32);
filter[size++] = (struct sock_filter)EQ(
- entry->arg[idx].value.v32, jfalse, jtrue);
+ entry->args[idx].value.v32, jfalse, jtrue);
break;
}
return size;
}
-unsigned int filter_build(struct sock_filter filter[], unsigned int n)
+static unsigned int insert_args(struct sock_filter filter[], long nr)
+{
+ struct filter_call_input *call = filter_input + nr;
+ unsigned int i, k, size, next_offset, n_checks = 0;
+ unsigned int count = get_number_entries(nr);
+ struct bpf_entry *entry;
+ unsigned int offset = 0;
+
+ for (i = 0; i < count; i++) {
+ n_checks = 0;
+ entry = &entries[call->entries[i]];
+ next_offset = get_args_for_entry(entry);
+ for (k = 0; k < 6; k++) {
+ offset = next_offset - n_checks;
+ switch (entry->args[k].cmp) {
+ case NO_CHECK:
+ continue;
+ case EQ:
+ size += eq(&filter[size], k, entry, 0, offset);
+ break;
+ case NE:
+ size += neq(&filter[size], k, entry, 0, offset);
+ break;
+ case GT:
+ size += gt(&filter[size], k, entry, 0, offset);
+ break;
+ case LT:
+ size += lt(&filter[size], k, entry, 0, offset);
+ break;
+ case GE:
+ size += ge(&filter[size], k, entry, 0, offset);
+ break;
+ case LE:
+ size += le(&filter[size], k, entry, 0, offset);
+ break;
+ case AND_EQ:
+ size += and_eq
+ (&filter[size], k, entry, 0, offset);
+ break;
+ case AND_NE:
+ size += and_ne(&filter[size], k, entry, 0,
+ offset);
+
+ break;
+ }
+ n_checks++;
+ }
+ if (n_checks > 0)
+ filter[size++] = (struct sock_filter)BPF_STMT(
+ BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF);
+ }
+
+ return size;
+}
+
+unsigned int filter_build(struct sock_filter filter[], unsigned n)
{
unsigned int offset_left, offset_right;
unsigned int n_nodes, notify, accept;
unsigned int next_offset, offset;
- const struct notify *entry;
unsigned int size = 0;
- unsigned int next_args_off;
int nodes[MAX_JUMPS];
- unsigned int i, j, k;
- unsigned n_checks;
+ unsigned int i;
+ long nr;
create_lookup_nodes(nodes, n);
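Review bot: insert_args() accumulates into and returns `size` without ever initialising it — `unsigned int i, k, size, next_offset, n_checks = 0;` leaves it indeterminate, and the first `size += eq(&filter[size], ...)` reads it, so the instructions land at an indeterminate offset in filter[] and filter_build() receives an indeterminate count. Initialise it: `unsigned int i, k, size = 0, next_offset, n_checks = 0;`. The `switch (entry->args[k].cmp)` also has no default, so an unexpected cmp value silently bumps n_checks and skews every offset computed from it; a `default: continue;` (or an assert) would make that explicit. filter_build()'s body continues past the end of this hunk.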
@@ -363,25 +513,27 @@ unsigned int filter_build(struct sock_filter filter[], unsigned int n)
filter[size++] =
(struct sock_filter)JUMPA(accept - size);
} else {
+ nr = get_syscall(i);
offset_left = left_child(i) - i - 1;
offset_right = right_child(i) - i - 1;
filter[size++] = (struct sock_filter)JGE(
- notify_call[i].nr, offset_right, offset_left);
+ get_syscall(i), offset_right, offset_left);
}
}
next_offset = n + 1;
/* Insert leaves */
for (i = 0; i < n; i++) {
- /* If the syscall doesn't have any arguments, then notify */
- if (check_args_syscall_entry(notify_call + i))
+ nr = get_syscall(i);
+ if (get_number_entries(nr) > 0)
offset = next_offset;
else
+ /* If the syscall doesn't have any arguments, then notify */
offset = notify - size - 1;
- filter[size++] = (struct sock_filter)EQ(notify_call[i].nr,
+ filter[size++] = (struct sock_filter)EQ(nr,
offset,
accept - size);
- next_offset += get_n_args_syscall_instr(notify_call + i, n) - 1;
+ next_offset += get_n_args_syscall_instr(nr) - 1;
}
/* Seccomp accept and notify instruction */
filter[size++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
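Review bot: The leaf test `if (get_number_entries(nr) > 0)` keys on the entry count, while the two places it must agree with — get_n_args_syscall_instr() and the insert_args()/ALLOW section of filter_build() — key on has_args(), i.e. on whether the first entry carries a check. For a syscall that filter_needs_deref() has marked (count forced to MAX_ENTRIES_SYSCALL, first entry cleared) the leaf therefore still jumps to next_offset, yet has_args() is false so no trailing ALLOW is emitted for it, and when that cleared entry was its only one get_n_args_syscall_instr() returns 0 and `next_offset += 0 - 1` wraps; `if (has_args(nr))` here keeps the three consistent. The `JGE(get_syscall(i), ...)` in the node loop recomputes the value stored in `nr` on the line above; use `nr`. filter_build() starts and ends outside this hunk.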
@@ -395,67 +547,9 @@ unsigned int filter_build(struct sock_filter filter[], unsigned int n)
* check the following entry of the syscall and its arguments.
*/
for (i = 0; i < n; i++) {
- bool has_arg = false;
- unsigned int count = 0, x;
-
- for (x = 0; x < 6; x++)
- count += notify_call[i].arg[x].cmp == NO_CHECK;
-
- for (j = 0; j < count; j++) {
- n_checks = 0;
- entry = notify_call + i + j;
- next_args_off = get_n_args_syscall_entry(entry);
- for (k = 0; k < 6; k++) {
- offset = next_args_off - n_checks;
- switch (entry->arg[k].cmp) {
- case NO_CHECK:
- continue;
- case EQ:
- size += eq(&filter[size], k, entry, 0,
- offset);
- break;
- case NE:
- size += neq(&filter[size], k, entry, 0,
- offset);
- break;
- case GT:
- size += gt(&filter[size], k, entry, 0,
- offset);
- break;
- case LT:
- size += lt(&filter[size], k, entry, 0,
- offset);
- break;
- case GE:
- size += ge(&filter[size], k, entry, 0,
- offset);
- break;
- case LE:
- size += le(&filter[size], k, entry, 0,
- offset);
- break;
- case AND_EQ:
- size += and_eq (&filter[size], k, entry,
- 0, offset);
- break;
- case AND_NE:
- size += and_ne(&filter[size], k, entry,
- 0, offset);
-
- break;
- }
- n_checks++;
- has_arg = true;
- }
- if (check_args_syscall_entry(notify_call + i))
- filter[size++] = (struct sock_filter)BPF_STMT(
- BPF_RET | BPF_K,
- SECCOMP_RET_USER_NOTIF);
- }
- /* At this point none of the checks was positive, it jumps to
- * the default behavior
- */
- if (has_arg)
+ nr = get_syscall(i);
+ size += insert_args(&filter[size], nr);
+ if (has_args(nr))
filter[size++] = (struct sock_filter)BPF_STMT(
BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
}
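Review bot: The `SECCOMP_RET_ALLOW` return emitted after `insert_args()` at the end of this loop lost the comment that explained it; the removed lines carried "At this point none of the checks was positive, it jumps to the default behavior". I would keep that explanation on the new `if (has_args(nr))`, for example `/* No entry of this syscall matched: fall back to the default action */`. filter_build() starts before this hunk.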
@@ -463,118 +557,12 @@ unsigned int filter_build(struct sock_filter filter[], unsigned int n)
return size;
}
-/**
- * struct filter_call_input - First input stage for cooker notification requests
- * @notify: Notify on this system call
- * @no_args: No argument comparisons are allowed for this call
- * @args_set: Argument matches were already set up once for this call
- * @arg: Argument specification
- */
-struct filter_call_input {
- bool notify;
- bool no_args;
- bool args_set;
- struct bpf_arg arg[6];
-} filter_input[512] = { 0 };
-
-static struct {
- bool used;
- struct bpf_arg arg[6];
-} filter_current_args;
-
-static long current_nr;
-
-/**
- * filter_notify() - Start of notification request, check/flush previous one
- * @nr: System call number, -1 to just flush previous request
- */
-void filter_notify(long nr) {
- struct filter_call_input *call = filter_input + nr;
- long prev_nr = current_nr;
-
- if (nr >= 0) {
- current_nr = nr;
- call->notify = true;
- }
-
- if (filter_current_args.used) {
- struct filter_call_input *prev_call = filter_input + prev_nr;
-
- /* First time arguments for previous call are flushed? */
- if (!prev_call->args_set && !prev_call->no_args) {
- prev_call->args_set = true;
- memcpy(prev_call->arg, filter_current_args.arg,
- sizeof(filter_current_args.arg));
- return;
- }
-
- prev_call->args_set = true;
-
- /* ...not the first time: check exact overlap of matches */
- if (memcmp(prev_call->arg, filter_current_args.arg,
- sizeof(filter_current_args.arg)))
- prev_call->no_args = true;
-
- /* Flush temporary set of arguments */
- memset(&filter_current_args, 0, sizeof(filter_current_args));
- }
-}
-
-/**
- * filter_needs_deref() - Mark system call as ineligible for argument evaluation
- */
-void filter_needs_deref(void) {
- struct filter_call_input *call = filter_input + current_nr;
-
- call->no_args = true;
-}
-
-/**
- * Use temporary filter_call_cur_args storage. When there's a new notification,
- * or the parser is done, we flush these argument matches to filter_input, and
- * check if they match (including no-matches) all the previous argument
- * specification. If they don't, the arguments can't be evaluated in the filter.
- */
-void filter_add_arg(int index, struct bpf_arg arg) {
- struct filter_call_input *call = filter_input + current_nr;
-
- if (call->no_args)
- return;
-
- memcpy(filter_current_args.arg + index, &arg, sizeof(arg));
- filter_current_args.used = true;
-}
-
-unsigned int filter_close_input(void)
-{
- struct notify *call;
- int i, count = 0;
-
- filter_notify(-1);
-
- for (i = 0; i < 512; i++) {
- call = notify_call + count;
- if (filter_input[i].notify) {
- count++;
- call->nr = i;
-
- if (filter_input[i].no_args)
- continue;
-
- memcpy(call->arg, filter_input[i].arg,
- sizeof(call->arg));
- }
- }
-
- return count;
-}
-
void filter_write(const char *path)
{
struct sock_filter filter[MAX_FILTER];
int fd, n;
- n = filter_close_input();
+ n = create_table_syscall();
n = filter_build(filter, n);
fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC,
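Review bot: filter_write() now feeds create_table_syscall()'s count, which can reach N_SYSCALL (512) since every notified slot of filter_input is counted, straight into filter_build(), whose `int nodes[MAX_JUMPS]` holds 128 entries; unless create_lookup_nodes() bounds n itself (its body is outside this hunk), a large notification set overruns that array. A guard before the build, `if (n > MAX_JUMPS) { /* report the limit and bail out */ }`, would make the cap explicit. `n` is also an `int` receiving unsigned results from both calls; `unsigned int n` matches the callee signatures. filter_write() continues past the hunk.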
diff --git a/cooker/filter.h b/cooker/filter.h
index 7059a7c..0ec1204 100644
--- a/cooker/filter.h
+++ b/cooker/filter.h
@@ -44,6 +44,10 @@
#define MAX_JUMPS 128
#define EMPTY -1
+#define N_SYSCALL 512
+#define MAX_ENTRIES_SYSCALL 16
+#define MAX_ENTRIES N_SYSCALL * MAX_ENTRIES_SYSCALL
+
enum bpf_type { BPF_U32, BPF_U64 };
union bpf_value {
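Review bot: `#define MAX_ENTRIES N_SYSCALL * MAX_ENTRIES_SYSCALL` expands unparenthesised, so an expression such as `x / MAX_ENTRIES` becomes `x / 512 * 16` and silently computes the wrong value; write `#define MAX_ENTRIES (N_SYSCALL * MAX_ENTRIES_SYSCALL)`. These three constants size the arrays that the parser's syscall numbers and entry indices go into, so a one-line comment stating that N_SYSCALL is the exclusive upper bound for `nr` and MAX_ENTRIES_SYSCALL the per-syscall cap would document the contract the callers in filter.c must enforce.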
@@ -60,12 +64,13 @@ struct bpf_arg {
union bpf_value op2;
};
+struct bpf_entry {
+ struct bpf_arg args[6];
+};
+
void filter_notify(long nr);
void filter_needs_deref(void);
-void filter_add_arg(int index, struct bpf_arg arg);
+void filter_add_arg(int index, struct bpf_arg arg, bool append);
void filter_write(const char *path);
-void create_lookup_nodes(int jumps[], unsigned int n);
-unsigned int left_child(unsigned int parent_index);
-unsigned int right_child(unsigned int parent_index);
#endif
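Review bot: The filter_add_arg() prototype now uses `bool`; unless an earlier part of filter.h includes <stdbool.h> (not visible in this hunk), every includer has to pull it in first, so the include belongs in the header. Separately, filter.c defines `struct bpf_entry entries[MAX_ENTRIES]` with external linkage while this header declares no `extern` for it; either declare it here or make the definition `static` so the table is not reachable from other translation units.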
diff --git a/tests/unit/test_filter.c b/tests/unit/test_filter.c
index 0654b9f..d45e57b 100644
--- a/tests/unit/test_filter.c
+++ b/tests/unit/test_filter.c
@@ -1,12 +1,13 @@
/* SPDX-License-Identifier: GPL-3.0-or-later
- * Copyright 2023 Red Hat GmbH
- * Author: Alice Frosi <afrosi@redhat.com>
- */
+* Copyright 2023 Red Hat GmbH
+* Author: Alice Frosi <afrosi@redhat.com>
+*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
+#include <unistd.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/mman.h>
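Review bot: The rewritten license header drops the leading space before each `*` (` * Copyright` became `* Copyright`), so the continuation lines no longer align under the opening `/*` the way they do in cooker/filter.c; unless the rendering stripped that indentation, keep ` * Copyright 2023 Red Hat GmbH`, ` * Author: Alice Frosi <afrosi@redhat.com>`, ` */`.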
@@ -14,23 +15,44 @@
#include <check.h>
-#include "gluten.h"
-#include "common.h"
+#include "common/gluten.h"
+#include "common/common.h"
#include "testutil.h"
-#include "filter.h"
-#include "disasm.h"
+#include "cooker/filter.h"
+#include "debug/disasm.h"
+
+char tfilter[] = "/tmp/test-filter.bpf";
+
+static int read_filter(struct sock_filter filter[])
+{
+ int fd, n;
+
+ fd = open(tfilter, O_CLOEXEC | O_RDONLY);
+ ck_assert_int_ge(fd, 0);
+
+ n = read(fd, filter, sizeof(struct sock_filter) * SIZE_FILTER);
+ ck_assert_int_ge(n, 0);
+ close(fd);
+
+ return n / sizeof(struct sock_filter);
+}
static int generate_install_filter(struct args_target *at)
{
- struct bpf_call calls[1];
- struct syscall_entry table[] = {
- { .count = 1, .nr = at->nr, .entry = &calls[0] }
- };
- struct sock_filter filter[30];
+ struct sock_filter filter[SIZE_FILTER];
unsigned int size;
-
- memcpy(&calls[0].args, &at->args, sizeof(calls[0].args));
- size = create_bfp_program(table, filter, 1);
+ bool append = false;
+
+ filter_notify(at->nr);
+ for (unsigned int i = 0; i < 6; i++) {
+ if (at->filter_args[i]) {
+ filter_add_arg(i, at->args[i], append);
+ append = true;
+ }
+ }
+ filter_write(tfilter);
+ size = read_filter(filter);
+ fprintf(stderr, "size %d\n", size);
bpf_disasm_all(filter, size);
return install_filter(filter, size);
}
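Review bot: `tfilter[] = "/tmp/test-filter.bpf"` is a fixed, predictable path in a shared directory, and filter_write() opens it with O_CREAT|O_TRUNC and no O_EXCL, so the test writes through whatever another local user has placed at that name and then install_filter() loads the bytes read back from it; creating the file per run with mkstemp() avoids both the clobbering and the symlink following, and the global can go. read_filter() also assumes one read() returns the whole file and stores the ssize_t in an int; looping until read() returns 0 and asserting `n % sizeof(struct sock_filter) == 0` would catch a partial or truncated filter before it is installed. `fprintf(stderr, "size %d\n", size)` prints an unsigned with %d; use %u.
```c
static int read_filter(const char *path, struct sock_filter filter[])
{
	int fd, n;

	fd = open(path, O_CLOEXEC | O_RDONLY);
	/* … unchanged: read, asserts, close, element count … */
}

static int generate_install_filter(struct args_target *at)
{
	char path[] = "/tmp/test-filter-XXXXXX";
	struct sock_filter filter[SIZE_FILTER];
	unsigned int size;
	bool append = false;
	int tfd;

	tfd = mkstemp(path);
	ck_assert_int_ge(tfd, 0);
	close(tfd);
	/* … unchanged: filter_notify() and the filter_add_arg() loop … */
	filter_write(path);
	size = read_filter(path, filter);
	unlink(path);
	/* … unchanged: disassembly and install_filter() … */
}
```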
@@ -48,15 +70,29 @@ START_TEST(no_args)
}
END_TEST
-static void test_with_getsid(enum arg_cmp cmp, int v)
+struct t32bit_getsid_data_t {
+ enum bpf_cmp cmp;
+ int v;
+};
+
+struct t32bit_getsid_data_t t32bit_getsid_data[] = { { EQ, 0 },
+ { GT, 0x100 },
+ { LE, 0x1 },
+ { GE, 0x10 },
+ { LE, 0x10 } };
+
+START_TEST(test_with_getsid)
{
+ enum bpf_cmp cmp = t32bit_getsid_data[_i].cmp;
+ int v = t32bit_getsid_data[_i].v;
int id = 0x10;
at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
at->check_fd = false;
at->nr = __NR_getsid;
set_args_no_check(at);
- at->args[0].type = U32;
+ at->filter_args[0] = true;
+ at->args[0].type = BPF_U32;
at->args[0].value.v32 = id;
at->args[0].cmp = cmp;
if (cmp == EQ)
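Review bot: `t32bit_getsid_data` is a file-scope table with external linkage and no `const`, as are `t64b_lseek_data`, `topen_and_data` and `tprctl_and_data` in the later hunks of this file; declaring each as `static const struct ... [] = { ... }` keeps them out of the global namespace and states the read-only intent, and ARRAY_SIZE() on them keeps working. test_with_getsid's body continues past this hunk.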
@@ -66,35 +102,6 @@ static void test_with_getsid(enum arg_cmp cmp, int v)
at->install_filter = generate_install_filter;
setup();
}
-
-START_TEST(with_getsid)
-{
- test_with_getsid(EQ, 0);
-}
-END_TEST
-
-START_TEST(with_getsid_gt)
-{
- test_with_getsid(GT, 0x100);
-}
-END_TEST
-
-START_TEST(with_getsid_lt)
-{
- test_with_getsid(LE, 0x1);
-}
-END_TEST
-
-START_TEST(with_getsid_ge)
-{
- test_with_getsid(GE, 0x10);
-}
-END_TEST
-
-START_TEST(with_getsid_le)
-{
- test_with_getsid(LE, 0x10);
-}
END_TEST
START_TEST(with_getpriority)
@@ -106,11 +113,13 @@ START_TEST(with_getpriority)
at->check_fd = false;
at->nr = __NR_getpriority;
set_args_no_check(at);
+ at->filter_args[0] = true;
at->args[0].value.v32 = which;
- at->args[0].type = U32;
+ at->args[0].type = BPF_U32;
at->args[0].cmp = EQ;
at->args[1].value.v32 = who;
- at->args[1].type = U32;
+ at->filter_args[1] = true;
+ at->args[1].type = BPF_U32;
at->args[1].cmp = EQ;
at->targs[0] = (void *)(long)which;
at->targs[1] = (void *)(long)who;
@@ -130,16 +139,35 @@ static int target_lseek()
return target();
}
-static void test_lseek(enum arg_cmp cmp, off_t offset, off_t v)
+struct t64b_lseek_data_t {
+ enum bpf_cmp cmp;
+ off_t offset;
+ off_t v;
+};
+
+struct t64b_lseek_data_t t64b_lseek_data[] = {
+ { EQ, 0x1, 0 }, { EQ, 0x0000000100000000, 0 },
+ { GT, 0x1, 0x10 }, { GT, 0x100000000, 0x200000000 },
+ { LT, 0x10, 0x1 }, { LT, 0x200000000, 0x100000000 },
+ { GE, 0x1, 0x1 }, { GE, 0x100000000, 0x100000000 },
+ { LE, 0x1, 0x1 }, { LE, 0x200000000, 0x200000000 },
+};
+
+START_TEST(test_lseek)
{
+ enum bpf_cmp cmp = t64b_lseek_data[_i].cmp;
+ off_t offset = t64b_lseek_data[_i].offset;
+ off_t v = t64b_lseek_data[_i].v;
+
at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
at->check_fd = false;
at->nr = __NR_lseek;
at->target = target_lseek;
set_args_no_check(at);
+ at->filter_args[1] = true;
at->args[1].value.v64 = offset;
- at->args[1].type = U64;
+ at->args[1].type = BPF_U64;
at->args[1].cmp = cmp;
if (cmp == EQ)
at->targs[1] = (void *)(long)offset;
@@ -149,79 +177,38 @@ static void test_lseek(enum arg_cmp cmp, off_t offset, off_t v)
setup();
mock_syscall_target();
}
-
-START_TEST(with_lseek_lo)
-{
- test_lseek(EQ, 0x1, 0);
-}
END_TEST
-START_TEST(with_lseek_hi)
-{
- test_lseek(EQ, 0x0000000100000000, 0);
-}
-END_TEST
+struct topen_and_data_t {
+ uint32_t v;
+ uint32_t mask;
+ uint32_t res;
+ enum bpf_cmp cmp;
+};
-START_TEST(with_lseek_lo_gt)
-{
- test_lseek(GT, 0x1, 0x10);
-}
-END_TEST
+struct topen_and_data_t topen_and_data[] = {
+ { O_RDONLY | O_NONBLOCK | O_CLOEXEC | O_DIRECTORY, O_CLOEXEC, O_CLOEXEC,
+ AND_EQ },
+ { O_RDONLY | O_NONBLOCK | O_DIRECTORY, O_CLOEXEC, O_CLOEXEC, AND_NE },
+};
-START_TEST(with_lseek_hi_gt)
-{
- test_lseek(GT, 0x100000000, 0x200000000);
-}
-END_TEST
-
-START_TEST(with_lseek_lo_lt)
-{
- test_lseek(LT, 0x10, 0x1);
-}
-END_TEST
-
-START_TEST(with_lseek_hi_lt)
-{
- test_lseek(LT, 0x200000000, 0x100000000);
-}
-END_TEST
-
-START_TEST(with_lseek_lo_ge)
-{
- test_lseek(GE, 0x1, 0x1);
-}
-END_TEST
-
-START_TEST(with_lseek_hi_ge)
-{
- test_lseek(GE, 0x100000000, 0x100000000);
-}
-END_TEST
-
-START_TEST(with_lseek_lo_le)
-{
- test_lseek(LE, 0x1, 0x1);
-}
-END_TEST
-
-START_TEST(with_lseek_hi_le)
-{
- test_lseek(LE, 0x200000000, 0x200000000);
-}
-END_TEST
-
-static void test_open_and(uint32_t v, uint32_t mask, uint32_t res,
- enum arg_cmp cmp)
+START_TEST(test_open_and)
{
+ uint32_t v = topen_and_data[_i].v;
+ uint32_t mask = topen_and_data[_i].mask;
+ uint32_t res = topen_and_data[_i].res;
+ enum bpf_cmp cmp = topen_and_data[_i].cmp;
char pathname[] = "test-abcdef";
+
at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
at->check_fd = false;
at->nr = __NR_open;
set_args_no_check(at);
+ at->filter_args[1] = true;
at->args[1].value.v32 = res;
at->args[1].op2.v32 = mask;
- at->args[1].type = U32;
+ at->args[1].type = BPF_U32;
at->args[1].cmp = cmp;
at->targs[0] = (void *)(long)&pathname;
at->targs[1] = (void *)(long)v;
@@ -229,32 +216,38 @@ static void test_open_and(uint32_t v, uint32_t mask, uint32_t res,
setup();
mock_syscall_target();
}
-
-START_TEST(with_open_and)
-{
- test_open_and(O_RDONLY | O_NONBLOCK | O_CLOEXEC | O_DIRECTORY,
- O_CLOEXEC, O_CLOEXEC, AND_EQ);
-}
END_TEST
-START_TEST(with_open_and_ne)
+struct tprctl_and_data_t {
+ uint64_t v;
+ uint64_t mask;
+ uint64_t res;
+ enum bpf_cmp cmp;
+};
+
+struct tprctl_and_data_t tprctl_and_data[] = {
+ { 0x11111111, 0x1, 0x1, AND_EQ },
+ { 0x1111111100000000, 0x100000000, 0x100000000, AND_EQ },
+ { 0x11111111, 0x1, 0x2, AND_NE },
+ { 0x1111111100000000, 0x100000000, 0x200000000, AND_NE },
+};
+
+START_TEST(test_prctl_and)
{
- test_open_and(O_RDONLY | O_NONBLOCK | O_DIRECTORY, O_CLOEXEC, O_CLOEXEC,
- AND_NE);
-}
-END_TEST
+ uint64_t v = tprctl_and_data[_i].v;
+ uint64_t mask = tprctl_and_data[_i].mask;
+ uint64_t res = tprctl_and_data[_i].res;
+ enum bpf_cmp cmp = tprctl_and_data[_i].cmp;
-static void test_prctl_and(uint64_t v, uint64_t mask, uint64_t res,
- enum arg_cmp cmp)
-{
at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
at->check_fd = false;
at->nr = __NR_prctl;
set_args_no_check(at);
+ at->filter_args[1] = true;
at->args[1].value.v64 = res;
at->args[1].op2.v64 = mask;
- at->args[1].type = U64;
+ at->args[1].type = BPF_U64;
at->args[1].cmp = cmp;
at->targs[0] = (void *)(long)1;
at->targs[1] = (void *)(long)v;
@@ -262,36 +255,14 @@ static void test_prctl_and(uint64_t v, uint64_t mask, uint64_t res,
setup();
mock_syscall_target();
}
-
-START_TEST(with_prctl_and_eq_lo)
-{
- test_prctl_and(0x11111111, 0x1, 0x1, AND_EQ);
-}
-END_TEST
-
-START_TEST(with_prctl_and_eq_hi)
-{
- test_prctl_and(0x1111111100000000, 0x100000000, 0x100000000, AND_EQ);
-}
END_TEST
-START_TEST(with_prctl_and_ne_lo)
-{
- test_prctl_and(0x11111111, 0x1, 0x2, AND_NE);
-}
-END_TEST
-
-START_TEST(with_prctl_and_ne_hi)
-{
- test_prctl_and(0x1111111100000000, 0x100000000, 0x200000000, AND_NE);
-}
-END_TEST
Suite *op_call_suite(void)
{
Suite *s;
int timeout = 30;
- TCase *simple, *args32, *args64, *cmp32, *cmp64;
+ TCase *simple, *args32, *args64, *cmp32;
TCase *andop32, *andop64;
s = suite_create("Test filter with target");
@@ -305,53 +276,33 @@ Suite *op_call_suite(void)
args32 = tcase_create("with args 32 bit");
tcase_add_checked_fixture(args32, NULL, teardown);
tcase_set_timeout(args32, timeout);
- tcase_add_test(args32, with_getsid);
tcase_add_test(args32, with_getpriority);
suite_add_tcase(s, args32);
args64 = tcase_create("with args 64 bit");
tcase_add_checked_fixture(args64, NULL, teardown);
- tcase_set_timeout(args32, timeout);
- tcase_add_test(args64, with_lseek_lo);
- tcase_add_test(args64, with_lseek_hi);
+ tcase_set_timeout(args64, timeout);
+ tcase_add_loop_test(args64, test_lseek, 0, ARRAY_SIZE(t64b_lseek_data));
suite_add_tcase(s, args64);
cmp32 = tcase_create("with args 32 bit and comparison operations");
tcase_add_checked_fixture(cmp32, NULL, teardown);
tcase_set_timeout(cmp32, timeout);
- tcase_add_test(cmp32, with_getsid_gt);
- tcase_add_test(cmp32, with_getsid_lt);
- tcase_add_test(cmp32, with_getsid_ge);
- tcase_add_test(cmp32, with_getsid_le);
+ tcase_add_loop_test(cmp32, test_with_getsid, 0,
+ ARRAY_SIZE(t32bit_getsid_data));
suite_add_tcase(s, cmp32);
- cmp64 = tcase_create("with args 64 bit and comparison operations");
- tcase_add_checked_fixture(cmp64, NULL, teardown);
- tcase_set_timeout(cmp64, timeout);
- tcase_add_test(cmp64, with_lseek_lo_gt);
- tcase_add_test(cmp64, with_lseek_hi_gt);
- tcase_add_test(cmp64, with_lseek_lo_lt);
- tcase_add_test(cmp64, with_lseek_hi_lt);
- tcase_add_test(cmp64, with_lseek_lo_ge);
- tcase_add_test(cmp64, with_lseek_hi_ge);
- tcase_add_test(cmp64, with_lseek_lo_le);
- tcase_add_test(cmp64, with_lseek_hi_le);
- suite_add_tcase(s, cmp64);
-
andop32 = tcase_create("with and operation and 32 bits");
tcase_add_checked_fixture(andop32, NULL, teardown);
tcase_set_timeout(andop32, timeout);
- tcase_add_test(andop32, with_open_and);
- tcase_add_test(andop32, with_open_and_ne);
+ tcase_add_loop_test(andop32, test_open_and, 0,
+ ARRAY_SIZE(topen_and_data));
suite_add_tcase(s, andop32);
andop64 = tcase_create("with and operation and 64 bits");
tcase_add_checked_fixture(andop64, NULL, teardown);
tcase_set_timeout(andop64, timeout);
- tcase_add_test(andop64, with_prctl_and_eq_lo);
- tcase_add_test(andop64, with_prctl_and_eq_hi);
- tcase_add_test(andop64, with_prctl_and_ne_lo);
- tcase_add_test(andop64, with_prctl_and_ne_hi);
+ tcase_add_loop_test(andop64, test_prctl_and, 0, ARRAY_SIZE(tprctl_and_data));
suite_add_tcase(s, andop64);
return s;
diff --git a/tests/unit/testutil.h b/tests/unit/testutil.h
index 638dd0a..4f104ac 100644
--- a/tests/unit/testutil.h
+++ b/tests/unit/testutil.h
@@ -55,7 +55,8 @@ struct args_target {
bool open_path;
int fd;
int nr;
- struct arg args[6];
+ bool filter_args[6];
+ struct bpf_arg args[6];
void *targs[6];
int (*install_filter)(struct args_target *at);
int (*target)(void *);