diff options
author | Alice Frosi <afrosi@redhat.com> | 2023-05-16 18:05:46 +0200 |
---|---|---|
committer | Alice Frosi <afrosi@redhat.com> | 2023-05-17 10:55:11 +0200 |
commit | 16346c99a674d95970cfc59b0aa5d00e91cc4e0f (patch) | |
tree | c10f01f1d33108ac17bec484ac570e4a431ded0b | |
parent | aeaeda81af25fdc105d4157dc9e679423fdef761 (diff) | |
download | seitan-16346c99a674d95970cfc59b0aa5d00e91cc4e0f.tar seitan-16346c99a674d95970cfc59b0aa5d00e91cc4e0f.tar.gz seitan-16346c99a674d95970cfc59b0aa5d00e91cc4e0f.tar.bz2 seitan-16346c99a674d95970cfc59b0aa5d00e91cc4e0f.tar.lz seitan-16346c99a674d95970cfc59b0aa5d00e91cc4e0f.tar.xz seitan-16346c99a674d95970cfc59b0aa5d00e91cc4e0f.tar.zst seitan-16346c99a674d95970cfc59b0aa5d00e91cc4e0f.zip |
filter: refactoring filter
Attempt to simplify the filter build:
- storing all the bpf_args in a common array and saving the index of
each entry in filter_input
- added new flag to filter_add_arg for append an argument to an entry
- split large loop in filter_build in multiple functions
- adjust and refactor tests/units/test_filter
The tests in test_filter_build.c still need to be fixed
-rw-r--r-- | cooker/filter.c | 576 | ||||
-rw-r--r-- | cooker/filter.h | 13 | ||||
-rw-r--r-- | tests/unit/test_filter.c | 301 | ||||
-rw-r--r-- | tests/unit/testutil.h | 3 |
4 files changed, 419 insertions, 474 deletions
diff --git a/cooker/filter.c b/cooker/filter.c index 98dec09..dcd04bf 100644 --- a/cooker/filter.c +++ b/cooker/filter.c @@ -1,3 +1,4 @@ + /* SPDX-License-Identifier: GPL-3.0-or-later * Copyright 2023 Red Hat GmbH * Author: Alice Frosi <afrosi@redhat.com> @@ -13,12 +14,182 @@ #include <unistd.h> #include "filter.h" -#include "util.h" -struct notify { - long nr; - struct bpf_arg arg[6]; -} notify_call[512]; +struct bpf_entry entries[MAX_ENTRIES]; +static unsigned int index_entries = 0; + +/** + * struct filter_call_input - First input stage for cooker notification requests + * @notify: Notify on this system call + * @count: How many entry for the same syscall + * @entries: Index for the arguments for every entry + */ +struct filter_call_input { + bool notify; + unsigned int count; + int entries[MAX_ENTRIES_SYSCALL]; +} filter_input[N_SYSCALL] = { 0 }; + +static long current_nr; + +static void set_no_args(struct bpf_entry *entry) +{ + for (int i = 0; i < 6; i++) + entry->args[i].cmp = NO_CHECK; +} + +static unsigned int get_number_entries(long nr) +{ + struct filter_call_input *call = filter_input + nr; + + return call->count; +} + +static bool need_check_arg(const struct bpf_entry *entry) +{ + for (int i = 0; i < 6; i++) + if (entry->args[i].cmp != NO_CHECK) + return true; + return false; +} + +static bool has_args(long nr) +{ + struct filter_call_input *call = filter_input + nr; + + if (call-> count < 1) + return false; + + /* Check if the first entry has some arguments */ + return need_check_arg(&entries[call->entries[0]]); +} + +static unsigned get_args_for_entry(const struct bpf_entry *entry) +{ + unsigned i, n = 0; + + for (i = 0; i < 6; i++) + if (entry->args[i].cmp != NO_CHECK) + n++; + return n; +} + +/* Calculate how many instruction for the syscall */ +static unsigned int get_n_args_syscall_instr(long nr) +{ + struct filter_call_input *call = filter_input + nr; + const struct bpf_entry *entry; + unsigned int n = 0, total_instr = 0; + unsigned int i, k; + + for (i = 0; i < call->count; i++) { + entry = &entries[call->entries[i]]; + n = 0; + for (k = 0; k < 6; k++) { + if (entry->args[k].cmp == NO_CHECK) + continue; + switch (entry->args[k].type) { + case BPF_U32: + /* For 32 bit arguments + * comparison instructions (2): + * 1 loading the value + 1 for evaluation + * arithemtic instructions (3): + * 1 loading the value + 1 for the operation + 1 for evaluation + */ + if (entry->args[k].cmp == AND_EQ || + entry->args[k].cmp == AND_NE) + n += 3; + else + n += 2; + break; + case BPF_U64: + /* For 64 bit arguments: 32 instructions * 2 + * for loading and evaluating the high and low 32 bits chuncks. + */ + if (entry->args[k].cmp == AND_EQ || + entry->args[k].cmp == AND_NE) + n += 6; + else + n += 4; + break; + } + } + total_instr += n; + /* If there at least an argument, then there is the jump to the + * notification */ + if (n > 0) + total_instr++; + } + /* If there at least an argument for that syscall, then there is the jump to the + * accept */ + if (has_args(nr)) + total_instr++; + + return total_instr; +} + +/** + * filter_notify() - Start of notification request, check/flush previous one + * @nr: System call number, -1 to just flush previous request + */ +void filter_notify(long nr) { + struct filter_call_input *call = filter_input + nr; + + if (nr >= 0) { + current_nr = nr; + call->notify = true; + } +} + +/** + * filter_add_arg(): Add a new argument to the current syscall + * @index: position of the argument + * @arg: the argument to add + * @append: if it is the first element add to the syscall entry + */ +void filter_add_arg(int index, struct bpf_arg arg, bool append) +{ + struct filter_call_input *call = filter_input + current_nr; + + fprintf(stderr, "count=%d cmp=%d value=%X\n", call->count, arg.cmp, + arg.value.v32); + /* If it reaches the maximum number of entries per syscall, then we simply + * notify for all the arguments and ignore the other arguments. + */ + if (call->count >= MAX_ENTRIES_SYSCALL) { + set_no_args(&entries[call->entries[0]]); + return; + } + if (!append) + call->entries[call->count++] = index_entries; + memcpy(&entries[index_entries++].args[index], &arg, sizeof(arg)); +} + +void filter_needs_deref(void) +{ + struct filter_call_input *call = filter_input + current_nr; + + call->count = MAX_ENTRIES_SYSCALL; + set_no_args(&entries[call->entries[0]]); +} + +static int table[N_SYSCALL]; + +static unsigned int create_table_syscall() +{ + unsigned int i, count = 0; + + for (i = 0; i < N_SYSCALL; i++) + if (filter_input[i].notify) + table[count++] = i; + return count; +} + +static long get_syscall(unsigned int i) +{ + return (long)table[i]; +} + static unsigned int count_shift_right(unsigned int n) { @@ -42,7 +213,7 @@ static void insert_pair(int jumps[], int arr[], unsigned int level) } } -unsigned int left_child(unsigned int parent_index) +static unsigned int left_child(unsigned int parent_index) { unsigned int level = count_shift_right(parent_index + 1); /* 2^(level) -1 gives the beginning of the next interval */ @@ -53,12 +224,12 @@ unsigned int left_child(unsigned int parent_index) return next_interval + 2 * i; } -unsigned int right_child(unsigned int parent_index) +static unsigned int right_child(unsigned int parent_index) { return left_child(parent_index) + 1; } -void create_lookup_nodes(int jumps[], unsigned int n) +static void create_lookup_nodes(int jumps[], unsigned int n) { unsigned int i, index; unsigned int old_interval, interval; @@ -88,91 +259,17 @@ void create_lookup_nodes(int jumps[], unsigned int n) } } -static unsigned get_n_args_syscall_entry(const struct notify *entry) -{ - unsigned i, n = 0; - - for (i = 0; i < 6; i++) - if (entry->arg[i].cmp != NO_CHECK) - n++; - return n; -} - -static unsigned int get_n_args_syscall_instr(const struct notify *table, - int len) -{ - const struct notify *entry; - bool has_arg = false; - unsigned n = 0, total_instr = 0; - int i; - - for (i = 0; i < len; i++) { - entry = table + i; - n = 0; - for (unsigned int k = 0; k < 6; k++) { - if (entry->arg[k].cmp == NO_CHECK) - continue; - switch (entry->arg[k].type) { - case BPF_U32: - /* For 32 bit arguments - * comparison instructions (2): - * 1 loading the value + 1 for evaluation - * arithemtic instructions (3): - * 1 loading the value + 1 for the operation + 1 for evaluation - */ - if (entry->arg[k].cmp == AND_EQ || - entry->arg[k].cmp == AND_NE) - n += 3; - else - n += 2; - break; - case BPF_U64: - /* For 64 bit arguments: 32 instructions * 2 - * for loading and evaluating the high and low 32 bits chuncks. - */ - if (entry->arg[k].cmp == AND_EQ || - entry->arg[k].cmp == AND_NE) - n += 6; - else - n += 4; - break; - } - } - total_instr += n; - /* If there at least an argument, then there is the jump to the - * notification */ - if (n > 0) { - has_arg = true; - total_instr++; - } - } - /* If there at least an argument for that syscall, then there is the jump to the - * accept */ - if (has_arg) - total_instr++; - - return total_instr; -} - -static bool check_args_syscall_entry(const struct notify *entry){ - return entry->arg[0].cmp != NO_CHECK || - entry->arg[1].cmp != NO_CHECK || - entry->arg[2].cmp != NO_CHECK || - entry->arg[3].cmp != NO_CHECK || - entry->arg[4].cmp != NO_CHECK || entry->arg[5].cmp != NO_CHECK; -} - static unsigned int eq(struct sock_filter filter[], int idx, - const struct notify *entry, unsigned int jtrue, + const struct bpf_entry *entry, unsigned int jtrue, unsigned int jfalse) { unsigned int size = 0; uint32_t hi, lo; - switch (entry->arg[idx].type) { + switch (entry->args[idx].type) { case BPF_U64: - hi = get_hi((entry->arg[idx]).value.v64); - lo = get_lo((entry->arg[idx]).value.v64); + hi = get_hi((entry->args[idx]).value.v64); + lo = get_lo((entry->args[idx]).value.v64); filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); filter[size++] = (struct sock_filter)EQ(lo, 0, jfalse); filter[size++] = (struct sock_filter)LOAD(HI_ARG(idx)); @@ -181,7 +278,7 @@ static unsigned int eq(struct sock_filter filter[], int idx, case BPF_U32: filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); filter[size++] = (struct sock_filter)EQ( - entry->arg[idx].value.v32, jtrue, jfalse); + entry->args[idx].value.v32, jtrue, jfalse); break; } @@ -189,16 +286,16 @@ static unsigned int eq(struct sock_filter filter[], int idx, } static unsigned int gt(struct sock_filter filter[], int idx, - const struct notify *entry, unsigned int jtrue, + const struct bpf_entry *entry, unsigned int jtrue, unsigned int jfalse) { unsigned int size = 0; uint32_t hi, lo; - switch (entry->arg[idx].type) { + switch (entry->args[idx].type) { case BPF_U64: - hi = get_hi((entry->arg[idx]).value.v64); - lo = get_lo((entry->arg[idx]).value.v64); + hi = get_hi((entry->args[idx]).value.v64); + lo = get_lo((entry->args[idx]).value.v64); filter[size++] = (struct sock_filter)LOAD(HI_ARG(idx)); filter[size++] = (struct sock_filter)GT(hi, jtrue + 2, 0); filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); @@ -207,7 +304,7 @@ static unsigned int gt(struct sock_filter filter[], int idx, case BPF_U32: filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); filter[size++] = (struct sock_filter)GT( - entry->arg[idx].value.v32, jtrue, jfalse); + entry->args[idx].value.v32, jtrue, jfalse); break; } @@ -215,16 +312,16 @@ static unsigned int gt(struct sock_filter filter[], int idx, } static unsigned int lt(struct sock_filter filter[], int idx, - const struct notify *entry, unsigned int jtrue, + const struct bpf_entry *entry, unsigned int jtrue, unsigned int jfalse) { unsigned int size = 0; uint32_t hi, lo; - switch (entry->arg[idx].type) { + switch (entry->args[idx].type) { case BPF_U64: - hi = get_hi((entry->arg[idx]).value.v64); - lo = get_lo((entry->arg[idx]).value.v64); + hi = get_hi((entry->args[idx]).value.v64); + lo = get_lo((entry->args[idx]).value.v64); filter[size++] = (struct sock_filter)LOAD(HI_ARG(idx)); filter[size++] = (struct sock_filter)LT(hi, jtrue + 2, jfalse); filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); @@ -233,7 +330,7 @@ static unsigned int lt(struct sock_filter filter[], int idx, case BPF_U32: filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); filter[size++] = (struct sock_filter)LT( - entry->arg[idx].value.v32, jtrue, jfalse); + entry->args[idx].value.v32, jtrue, jfalse); break; } @@ -241,51 +338,51 @@ static unsigned int lt(struct sock_filter filter[], int idx, } static unsigned int neq(struct sock_filter filter[], int idx, - const struct notify *entry, unsigned int jtrue, + const struct bpf_entry *entry, unsigned int jtrue, unsigned int jfalse) { return eq(filter, idx, entry, jfalse, jtrue); } static unsigned int ge(struct sock_filter filter[], int idx, - const struct notify *entry, unsigned int jtrue, + const struct bpf_entry *entry, unsigned int jtrue, unsigned int jfalse) { return lt(filter, idx, entry, jfalse, jtrue); } static unsigned int le(struct sock_filter filter[], int idx, - const struct notify *entry, unsigned int jtrue, + const struct bpf_entry *entry, unsigned int jtrue, unsigned int jfalse) { return gt(filter, idx, entry, jfalse, jtrue); } static unsigned int and_eq (struct sock_filter filter[], int idx, - const struct notify *entry, unsigned int jtrue, + const struct bpf_entry *entry, unsigned int jtrue, unsigned int jfalse) { unsigned int size = 0; - switch (entry->arg[idx].type) { + switch (entry->args[idx].type) { case BPF_U64: filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); filter[size++] = (struct sock_filter)AND( - get_lo(entry->arg[idx].op2.v64)); + get_lo(entry->args[idx].op2.v64)); filter[size++] = (struct sock_filter)EQ( - get_lo((entry->arg[idx]).value.v64), 0, jfalse); + get_lo((entry->args[idx]).value.v64), 0, jfalse); filter[size++] = (struct sock_filter)LOAD(HI_ARG(idx)); filter[size++] = (struct sock_filter)AND( - get_hi(entry->arg[idx].op2.v64)); + get_hi(entry->args[idx].op2.v64)); filter[size++] = (struct sock_filter)EQ( - get_hi(entry->arg[idx].value.v64), jtrue, jfalse); + get_hi(entry->args[idx].value.v64), jtrue, jfalse); break; case BPF_U32: filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); filter[size++] = - (struct sock_filter)AND(entry->arg[idx].op2.v32); + (struct sock_filter)AND(entry->args[idx].op2.v32); filter[size++] = (struct sock_filter)EQ( - entry->arg[idx].value.v32, jtrue, jfalse); + entry->args[idx].value.v32, jtrue, jfalse); break; } @@ -293,47 +390,100 @@ static unsigned int and_eq (struct sock_filter filter[], int idx, } static unsigned int and_ne(struct sock_filter filter[], int idx, - const struct notify *entry, unsigned int jtrue, + const struct bpf_entry *entry, unsigned int jtrue, unsigned int jfalse) { unsigned int size = 0; - switch (entry->arg[idx].type) { + switch (entry->args[idx].type) { case BPF_U64: filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); filter[size++] = (struct sock_filter)AND( - get_lo(entry->arg[idx].op2.v64)); + get_lo(entry->args[idx].op2.v64)); filter[size++] = (struct sock_filter)EQ( - get_lo((entry->arg[idx]).value.v64), 0, jtrue + 3); + get_lo((entry->args[idx]).value.v64), 0, jtrue + 3); filter[size++] = (struct sock_filter)LOAD(HI_ARG(idx)); filter[size++] = (struct sock_filter)AND( - get_hi(entry->arg[idx].op2.v64)); + get_hi(entry->args[idx].op2.v64)); filter[size++] = (struct sock_filter)EQ( - get_hi(entry->arg[idx].value.v64), jfalse, jtrue); + get_hi(entry->args[idx].value.v64), jfalse, jtrue); break; case BPF_U32: filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); filter[size++] = - (struct sock_filter)AND(entry->arg[idx].op2.v32); + (struct sock_filter)AND(entry->args[idx].op2.v32); filter[size++] = (struct sock_filter)EQ( - entry->arg[idx].value.v32, jfalse, jtrue); + entry->args[idx].value.v32, jfalse, jtrue); break; } return size; } -unsigned int filter_build(struct sock_filter filter[], unsigned int n) +static unsigned int insert_args(struct sock_filter filter[], long nr) +{ + struct filter_call_input *call = filter_input + nr; + unsigned int i, k, size, next_offset, n_checks = 0; + unsigned int count = get_number_entries(nr); + struct bpf_entry *entry; + unsigned int offset = 0; + + for (i = 0; i < count; i++) { + n_checks = 0; + entry = &entries[call->entries[i]]; + next_offset = get_args_for_entry(entry); + for (k = 0; k < 6; k++) { + offset = next_offset - n_checks; + switch (entry->args[k].cmp) { + case NO_CHECK: + continue; + case EQ: + size += eq(&filter[size], k, entry, 0, offset); + break; + case NE: + size += neq(&filter[size], k, entry, 0, offset); + break; + case GT: + size += gt(&filter[size], k, entry, 0, offset); + break; + case LT: + size += lt(&filter[size], k, entry, 0, offset); + break; + case GE: + size += ge(&filter[size], k, entry, 0, offset); + break; + case LE: + size += le(&filter[size], k, entry, 0, offset); + break; + case AND_EQ: + size += and_eq + (&filter[size], k, entry, 0, offset); + break; + case AND_NE: + size += and_ne(&filter[size], k, entry, 0, + offset); + + break; + } + n_checks++; + } + if (n_checks > 0) + filter[size++] = (struct sock_filter)BPF_STMT( + BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF); + } + + return size; +} + +unsigned int filter_build(struct sock_filter filter[], unsigned n) { unsigned int offset_left, offset_right; unsigned int n_nodes, notify, accept; unsigned int next_offset, offset; - const struct notify *entry; unsigned int size = 0; - unsigned int next_args_off; int nodes[MAX_JUMPS]; - unsigned int i, j, k; - unsigned n_checks; + unsigned int i; + long nr; create_lookup_nodes(nodes, n); @@ -363,25 +513,27 @@ unsigned int filter_build(struct sock_filter filter[], unsigned int n) filter[size++] = (struct sock_filter)JUMPA(accept - size); } else { + nr = get_syscall(i); offset_left = left_child(i) - i - 1; offset_right = right_child(i) - i - 1; filter[size++] = (struct sock_filter)JGE( - notify_call[i].nr, offset_right, offset_left); + get_syscall(i), offset_right, offset_left); } } next_offset = n + 1; /* Insert leaves */ for (i = 0; i < n; i++) { - /* If the syscall doesn't have any arguments, then notify */ - if (check_args_syscall_entry(notify_call + i)) + nr = get_syscall(i); + if (get_number_entries(nr) > 0) offset = next_offset; else + /* If the syscall doesn't have any arguments, then notify */ offset = notify - size - 1; - filter[size++] = (struct sock_filter)EQ(notify_call[i].nr, + filter[size++] = (struct sock_filter)EQ(nr, offset, accept - size); - next_offset += get_n_args_syscall_instr(notify_call + i, n) - 1; + next_offset += get_n_args_syscall_instr(nr) - 1; } /* Seccomp accept and notify instruction */ filter[size++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, @@ -395,67 +547,9 @@ unsigned int filter_build(struct sock_filter filter[], unsigned int n) * check the following entry of the syscall and its arguments. */ for (i = 0; i < n; i++) { - bool has_arg = false; - unsigned int count = 0, x; - - for (x = 0; x < 6; x++) - count += notify_call[i].arg[x].cmp == NO_CHECK; - - for (j = 0; j < count; j++) { - n_checks = 0; - entry = notify_call + i + j; - next_args_off = get_n_args_syscall_entry(entry); - for (k = 0; k < 6; k++) { - offset = next_args_off - n_checks; - switch (entry->arg[k].cmp) { - case NO_CHECK: - continue; - case EQ: - size += eq(&filter[size], k, entry, 0, - offset); - break; - case NE: - size += neq(&filter[size], k, entry, 0, - offset); - break; - case GT: - size += gt(&filter[size], k, entry, 0, - offset); - break; - case LT: - size += lt(&filter[size], k, entry, 0, - offset); - break; - case GE: - size += ge(&filter[size], k, entry, 0, - offset); - break; - case LE: - size += le(&filter[size], k, entry, 0, - offset); - break; - case AND_EQ: - size += and_eq (&filter[size], k, entry, - 0, offset); - break; - case AND_NE: - size += and_ne(&filter[size], k, entry, - 0, offset); - - break; - } - n_checks++; - has_arg = true; - } - if (check_args_syscall_entry(notify_call + i)) - filter[size++] = (struct sock_filter)BPF_STMT( - BPF_RET | BPF_K, - SECCOMP_RET_USER_NOTIF); - } - /* At this point none of the checks was positive, it jumps to - * the default behavior - */ - if (has_arg) + nr = get_syscall(i); + size += insert_args(&filter[size], nr); + if (has_args(nr)) filter[size++] = (struct sock_filter)BPF_STMT( BPF_RET | BPF_K, SECCOMP_RET_ALLOW); } @@ -463,118 +557,12 @@ unsigned int filter_build(struct sock_filter filter[], unsigned int n) return size; } -/** - * struct filter_call_input - First input stage for cooker notification requests - * @notify: Notify on this system call - * @no_args: No argument comparisons are allowed for this call - * @args_set: Argument matches were already set up once for this call - * @arg: Argument specification - */ -struct filter_call_input { - bool notify; - bool no_args; - bool args_set; - struct bpf_arg arg[6]; -} filter_input[512] = { 0 }; - -static struct { - bool used; - struct bpf_arg arg[6]; -} filter_current_args; - -static long current_nr; - -/** - * filter_notify() - Start of notification request, check/flush previous one - * @nr: System call number, -1 to just flush previous request - */ -void filter_notify(long nr) { - struct filter_call_input *call = filter_input + nr; - long prev_nr = current_nr; - - if (nr >= 0) { - current_nr = nr; - call->notify = true; - } - - if (filter_current_args.used) { - struct filter_call_input *prev_call = filter_input + prev_nr; - - /* First time arguments for previous call are flushed? */ - if (!prev_call->args_set && !prev_call->no_args) { - prev_call->args_set = true; - memcpy(prev_call->arg, filter_current_args.arg, - sizeof(filter_current_args.arg)); - return; - } - - prev_call->args_set = true; - - /* ...not the first time: check exact overlap of matches */ - if (memcmp(prev_call->arg, filter_current_args.arg, - sizeof(filter_current_args.arg))) - prev_call->no_args = true; - - /* Flush temporary set of arguments */ - memset(&filter_current_args, 0, sizeof(filter_current_args)); - } -} - -/** - * filter_needs_deref() - Mark system call as ineligible for argument evaluation - */ -void filter_needs_deref(void) { - struct filter_call_input *call = filter_input + current_nr; - - call->no_args = true; -} - -/** - * Use temporary filter_call_cur_args storage. When there's a new notification, - * or the parser is done, we flush these argument matches to filter_input, and - * check if they match (including no-matches) all the previous argument - * specification. If they don't, the arguments can't be evaluated in the filter. - */ -void filter_add_arg(int index, struct bpf_arg arg) { - struct filter_call_input *call = filter_input + current_nr; - - if (call->no_args) - return; - - memcpy(filter_current_args.arg + index, &arg, sizeof(arg)); - filter_current_args.used = true; -} - -unsigned int filter_close_input(void) -{ - struct notify *call; - int i, count = 0; - - filter_notify(-1); - - for (i = 0; i < 512; i++) { - call = notify_call + count; - if (filter_input[i].notify) { - count++; - call->nr = i; - - if (filter_input[i].no_args) - continue; - - memcpy(call->arg, filter_input[i].arg, - sizeof(call->arg)); - } - } - - return count; -} - void filter_write(const char *path) { struct sock_filter filter[MAX_FILTER]; int fd, n; - n = filter_close_input(); + n = create_table_syscall(); n = filter_build(filter, n); fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, diff --git a/cooker/filter.h b/cooker/filter.h index 7059a7c..0ec1204 100644 --- a/cooker/filter.h +++ b/cooker/filter.h @@ -44,6 +44,10 @@ #define MAX_JUMPS 128 #define EMPTY -1 +#define N_SYSCALL 512 +#define MAX_ENTRIES_SYSCALL 16 +#define MAX_ENTRIES N_SYSCALL * MAX_ENTRIES_SYSCALL + enum bpf_type { BPF_U32, BPF_U64 }; union bpf_value { @@ -60,12 +64,13 @@ struct bpf_arg { union bpf_value op2; }; +struct bpf_entry { + struct bpf_arg args[6]; +}; + void filter_notify(long nr); void filter_needs_deref(void); -void filter_add_arg(int index, struct bpf_arg arg); +void filter_add_arg(int index, struct bpf_arg arg, bool append); void filter_write(const char *path); -void create_lookup_nodes(int jumps[], unsigned int n); -unsigned int left_child(unsigned int parent_index); -unsigned int right_child(unsigned int parent_index); #endif diff --git a/tests/unit/test_filter.c b/tests/unit/test_filter.c index 0654b9f..d45e57b 100644 --- a/tests/unit/test_filter.c +++ b/tests/unit/test_filter.c @@ -1,12 +1,13 @@ /* SPDX-License-Identifier: GPL-3.0-or-later - * Copyright 2023 Red Hat GmbH - * Author: Alice Frosi <afrosi@redhat.com> - */ +* Copyright 2023 Red Hat GmbH +* Author: Alice Frosi <afrosi@redhat.com> +*/ #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <stddef.h> +#include <unistd.h> #include <fcntl.h> #include <sys/syscall.h> #include <sys/mman.h> @@ -14,23 +15,44 @@ #include <check.h> -#include "gluten.h" -#include "common.h" +#include "common/gluten.h" +#include "common/common.h" #include "testutil.h" -#include "filter.h" -#include "disasm.h" +#include "cooker/filter.h" +#include "debug/disasm.h" + +char tfilter[] = "/tmp/test-filter.bpf"; + +static int read_filter(struct sock_filter filter[]) +{ + int fd, n; + + fd = open(tfilter, O_CLOEXEC | O_RDONLY); + ck_assert_int_ge(fd, 0); + + n = read(fd, filter, sizeof(struct sock_filter) * SIZE_FILTER); + ck_assert_int_ge(n, 0); + close(fd); + + return n / sizeof(struct sock_filter); +} static int generate_install_filter(struct args_target *at) { - struct bpf_call calls[1]; - struct syscall_entry table[] = { - { .count = 1, .nr = at->nr, .entry = &calls[0] } - }; - struct sock_filter filter[30]; + struct sock_filter filter[SIZE_FILTER]; unsigned int size; - - memcpy(&calls[0].args, &at->args, sizeof(calls[0].args)); - size = create_bfp_program(table, filter, 1); + bool append = false; + + filter_notify(at->nr); + for (unsigned int i = 0; i < 6; i++) { + if (at->filter_args[i]) { + filter_add_arg(i, at->args[i], append); + append = true; + } + } + filter_write(tfilter); + size = read_filter(filter); + fprintf(stderr, "size %d\n", size); bpf_disasm_all(filter, size); return install_filter(filter, size); } @@ -48,15 +70,29 @@ START_TEST(no_args) } END_TEST -static void test_with_getsid(enum arg_cmp cmp, int v) +struct t32bit_getsid_data_t { + enum bpf_cmp cmp; + int v; +}; + +struct t32bit_getsid_data_t t32bit_getsid_data[] = { { EQ, 0 }, + { GT, 0x100 }, + { LE, 0x1 }, + { GE, 0x10 }, + { LE, 0x10 } }; + +START_TEST(test_with_getsid) { + enum bpf_cmp cmp = t32bit_getsid_data[_i].cmp; + int v = t32bit_getsid_data[_i].v; int id = 0x10; at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); at->check_fd = false; at->nr = __NR_getsid; set_args_no_check(at); - at->args[0].type = U32; + at->filter_args[0] = true; + at->args[0].type = BPF_U32; at->args[0].value.v32 = id; at->args[0].cmp = cmp; if (cmp == EQ) @@ -66,35 +102,6 @@ static void test_with_getsid(enum arg_cmp cmp, int v) at->install_filter = generate_install_filter; setup(); } - -START_TEST(with_getsid) -{ - test_with_getsid(EQ, 0); -} -END_TEST - -START_TEST(with_getsid_gt) -{ - test_with_getsid(GT, 0x100); -} -END_TEST - -START_TEST(with_getsid_lt) -{ - test_with_getsid(LE, 0x1); -} -END_TEST - -START_TEST(with_getsid_ge) -{ - test_with_getsid(GE, 0x10); -} -END_TEST - -START_TEST(with_getsid_le) -{ - test_with_getsid(LE, 0x10); -} END_TEST START_TEST(with_getpriority) @@ -106,11 +113,13 @@ START_TEST(with_getpriority) at->check_fd = false; at->nr = __NR_getpriority; set_args_no_check(at); + at->filter_args[0] = true; at->args[0].value.v32 = which; - at->args[0].type = U32; + at->args[0].type = BPF_U32; at->args[0].cmp = EQ; at->args[1].value.v32 = who; - at->args[1].type = U32; + at->filter_args[1] = true; + at->args[1].type = BPF_U32; at->args[1].cmp = EQ; at->targs[0] = (void *)(long)which; at->targs[1] = (void *)(long)who; @@ -130,16 +139,35 @@ static int target_lseek() return target(); } -static void test_lseek(enum arg_cmp cmp, off_t offset, off_t v) +struct t64b_lseek_data_t { + enum bpf_cmp cmp; + off_t offset; + off_t v; +}; + +struct t64b_lseek_data_t t64b_lseek_data[] = { + { EQ, 0x1, 0 }, { EQ, 0x0000000100000000, 0 }, + { GT, 0x1, 0x10 }, { GT, 0x100000000, 0x200000000 }, + { LT, 0x10, 0x1 }, { LT, 0x200000000, 0x100000000 }, + { GE, 0x1, 0x1 }, { GE, 0x100000000, 0x100000000 }, + { LE, 0x1, 0x1 }, { LE, 0x200000000, 0x200000000 }, +}; + +START_TEST(test_lseek) { + enum bpf_cmp cmp = t64b_lseek_data[_i].cmp; + off_t offset = t64b_lseek_data[_i].offset; + off_t v = t64b_lseek_data[_i].v; + at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); at->check_fd = false; at->nr = __NR_lseek; at->target = target_lseek; set_args_no_check(at); + at->filter_args[1] = true; at->args[1].value.v64 = offset; - at->args[1].type = U64; + at->args[1].type = BPF_U64; at->args[1].cmp = cmp; if (cmp == EQ) at->targs[1] = (void *)(long)offset; @@ -149,79 +177,38 @@ static void test_lseek(enum arg_cmp cmp, off_t offset, off_t v) setup(); mock_syscall_target(); } - -START_TEST(with_lseek_lo) -{ - test_lseek(EQ, 0x1, 0); -} END_TEST -START_TEST(with_lseek_hi) -{ - test_lseek(EQ, 0x0000000100000000, 0); -} -END_TEST +struct topen_and_data_t { + uint32_t v; + uint32_t mask; + uint32_t res; + enum bpf_cmp cmp; +}; -START_TEST(with_lseek_lo_gt) -{ - test_lseek(GT, 0x1, 0x10); -} -END_TEST +struct topen_and_data_t topen_and_data[] = { + { O_RDONLY | O_NONBLOCK | O_CLOEXEC | O_DIRECTORY, O_CLOEXEC, O_CLOEXEC, + AND_EQ }, + { O_RDONLY | O_NONBLOCK | O_DIRECTORY, O_CLOEXEC, O_CLOEXEC, AND_NE }, +}; -START_TEST(with_lseek_hi_gt) -{ - test_lseek(GT, 0x100000000, 0x200000000); -} -END_TEST - -START_TEST(with_lseek_lo_lt) -{ - test_lseek(LT, 0x10, 0x1); -} -END_TEST - -START_TEST(with_lseek_hi_lt) -{ - test_lseek(LT, 0x200000000, 0x100000000); -} -END_TEST - -START_TEST(with_lseek_lo_ge) -{ - test_lseek(GE, 0x1, 0x1); -} -END_TEST - -START_TEST(with_lseek_hi_ge) -{ - test_lseek(GE, 0x100000000, 0x100000000); -} -END_TEST - -START_TEST(with_lseek_lo_le) -{ - test_lseek(LE, 0x1, 0x1); -} -END_TEST - -START_TEST(with_lseek_hi_le) -{ - test_lseek(LE, 0x200000000, 0x200000000); -} -END_TEST - -static void test_open_and(uint32_t v, uint32_t mask, uint32_t res, - enum arg_cmp cmp) +START_TEST(test_open_and) { + uint32_t v = topen_and_data[_i].v; + uint32_t mask = topen_and_data[_i].mask; + uint32_t res = topen_and_data[_i].res; + enum bpf_cmp cmp = topen_and_data[_i].cmp; char pathname[] = "test-abcdef"; + at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); at->check_fd = false; at->nr = __NR_open; set_args_no_check(at); + at->filter_args[1] = true; at->args[1].value.v32 = res; at->args[1].op2.v32 = mask; - at->args[1].type = U32; + at->args[1].type = BPF_U32; at->args[1].cmp = cmp; at->targs[0] = (void *)(long)&pathname; at->targs[1] = (void *)(long)v; @@ -229,32 +216,38 @@ static void test_open_and(uint32_t v, uint32_t mask, uint32_t res, setup(); mock_syscall_target(); } - -START_TEST(with_open_and) -{ - test_open_and(O_RDONLY | O_NONBLOCK | O_CLOEXEC | O_DIRECTORY, - O_CLOEXEC, O_CLOEXEC, AND_EQ); -} END_TEST -START_TEST(with_open_and_ne) +struct tprctl_and_data_t { + uint64_t v; + uint64_t mask; + uint64_t res; + enum bpf_cmp cmp; +}; + +struct tprctl_and_data_t tprctl_and_data[] = { + { 0x11111111, 0x1, 0x1, AND_EQ }, + { 0x1111111100000000, 0x100000000, 0x100000000, AND_EQ }, + { 0x11111111, 0x1, 0x2, AND_NE }, + { 0x1111111100000000, 0x100000000, 0x200000000, AND_NE }, +}; + +START_TEST(test_prctl_and) { - test_open_and(O_RDONLY | O_NONBLOCK | O_DIRECTORY, O_CLOEXEC, O_CLOEXEC, - AND_NE); -} -END_TEST + uint64_t v = tprctl_and_data[_i].v; + uint64_t mask = tprctl_and_data[_i].mask; + uint64_t res = tprctl_and_data[_i].res; + enum bpf_cmp cmp = tprctl_and_data[_i].cmp; -static void test_prctl_and(uint64_t v, uint64_t mask, uint64_t res, - enum arg_cmp cmp) -{ at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); at->check_fd = false; at->nr = __NR_prctl; set_args_no_check(at); + at->filter_args[1] = true; at->args[1].value.v64 = res; at->args[1].op2.v64 = mask; - at->args[1].type = U64; + at->args[1].type = BPF_U64; at->args[1].cmp = cmp; at->targs[0] = (void *)(long)1; at->targs[1] = (void *)(long)v; @@ -262,36 +255,14 @@ static void test_prctl_and(uint64_t v, uint64_t mask, uint64_t res, setup(); mock_syscall_target(); } - -START_TEST(with_prctl_and_eq_lo) -{ - test_prctl_and(0x11111111, 0x1, 0x1, AND_EQ); -} -END_TEST - -START_TEST(with_prctl_and_eq_hi) -{ - test_prctl_and(0x1111111100000000, 0x100000000, 0x100000000, AND_EQ); -} END_TEST -START_TEST(with_prctl_and_ne_lo) -{ - test_prctl_and(0x11111111, 0x1, 0x2, AND_NE); -} -END_TEST - -START_TEST(with_prctl_and_ne_hi) -{ - test_prctl_and(0x1111111100000000, 0x100000000, 0x200000000, AND_NE); -} -END_TEST Suite *op_call_suite(void) { Suite *s; int timeout = 30; - TCase *simple, *args32, *args64, *cmp32, *cmp64; + TCase *simple, *args32, *args64, *cmp32; TCase *andop32, *andop64; s = suite_create("Test filter with target"); @@ -305,53 +276,33 @@ Suite *op_call_suite(void) args32 = tcase_create("with args 32 bit"); tcase_add_checked_fixture(args32, NULL, teardown); tcase_set_timeout(args32, timeout); - tcase_add_test(args32, with_getsid); tcase_add_test(args32, with_getpriority); suite_add_tcase(s, args32); args64 = tcase_create("with args 64 bit"); tcase_add_checked_fixture(args64, NULL, teardown); - tcase_set_timeout(args32, timeout); - tcase_add_test(args64, with_lseek_lo); - tcase_add_test(args64, with_lseek_hi); + tcase_set_timeout(args64, timeout); + tcase_add_loop_test(args64, test_lseek, 0, ARRAY_SIZE(t64b_lseek_data)); suite_add_tcase(s, args64); cmp32 = tcase_create("with args 32 bit and comparison operations"); tcase_add_checked_fixture(cmp32, NULL, teardown); tcase_set_timeout(cmp32, timeout); - tcase_add_test(cmp32, with_getsid_gt); - tcase_add_test(cmp32, with_getsid_lt); - tcase_add_test(cmp32, with_getsid_ge); - tcase_add_test(cmp32, with_getsid_le); + tcase_add_loop_test(cmp32, test_with_getsid, 0, + ARRAY_SIZE(t32bit_getsid_data)); suite_add_tcase(s, cmp32); - cmp64 = tcase_create("with args 64 bit and comparison operations"); - tcase_add_checked_fixture(cmp64, NULL, teardown); - tcase_set_timeout(cmp64, timeout); - tcase_add_test(cmp64, with_lseek_lo_gt); - tcase_add_test(cmp64, with_lseek_hi_gt); - tcase_add_test(cmp64, with_lseek_lo_lt); - tcase_add_test(cmp64, with_lseek_hi_lt); - tcase_add_test(cmp64, with_lseek_lo_ge); - tcase_add_test(cmp64, with_lseek_hi_ge); - tcase_add_test(cmp64, with_lseek_lo_le); - tcase_add_test(cmp64, with_lseek_hi_le); - suite_add_tcase(s, cmp64); - andop32 = tcase_create("with and operation and 32 bits"); tcase_add_checked_fixture(andop32, NULL, teardown); tcase_set_timeout(andop32, timeout); - tcase_add_test(andop32, with_open_and); - tcase_add_test(andop32, with_open_and_ne); + tcase_add_loop_test(andop32, test_open_and, 0, + ARRAY_SIZE(topen_and_data)); suite_add_tcase(s, andop32); andop64 = tcase_create("with and operation and 64 bits"); tcase_add_checked_fixture(andop64, NULL, teardown); tcase_set_timeout(andop64, timeout); - tcase_add_test(andop64, with_prctl_and_eq_lo); - tcase_add_test(andop64, with_prctl_and_eq_hi); - tcase_add_test(andop64, with_prctl_and_ne_lo); - tcase_add_test(andop64, with_prctl_and_ne_hi); + tcase_add_loop_test(andop64, test_prctl_and, 0, ARRAY_SIZE(tprctl_and_data)); suite_add_tcase(s, andop64); return s; diff --git a/tests/unit/testutil.h b/tests/unit/testutil.h index 638dd0a..4f104ac 100644 --- a/tests/unit/testutil.h +++ b/tests/unit/testutil.h @@ -55,7 +55,8 @@ struct args_target { bool open_path; int fd; int nr; - struct arg args[6]; + bool filter_args[6]; + struct bpf_arg args[6]; void *targs[6]; int (*install_filter)(struct args_target *at); int (*target)(void *); |