authorAlice Frosi <afrosi@redhat.com>2023-03-30 11:02:47 +0200
committerAlice Frosi <afrosi@redhat.com>2023-03-30 11:07:12 +0200
commitfa00aa6b11a9a773bdb0b11c306d2e6936ba5862 (patch)
tree8852eebf58339d9bbce563022a754d4204411c26
parent6a850dfce709751292a136d76060c97b57435ef1 (diff)
Create common function to install the BPF filter
-rw-r--r--common/common.c30
-rw-r--r--common/common.h4
-rw-r--r--eater/eater.c27
-rw-r--r--tests/unit/Makefile4
-rw-r--r--tests/unit/test_operations.c17
5 files changed, 40 insertions, 42 deletions
diff --git a/common/common.c b/common/common.c
index a8f79a2..cd792de 100644
--- a/common/common.c
+++ b/common/common.c
@@ -5,6 +5,15 @@
#include <unistd.h>
#include <stdlib.h>
#include <sys/stat.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <sys/socket.h>
+
+#include <linux/audit.h>
+#include <linux/seccomp.h>
+
+#include "util.h"
+#include "common.h"
int find_fd_seccomp_notifier(const char *path)
{
@@ -49,3 +58,24 @@ int find_fd_seccomp_notifier(const char *path)
fprintf(stderr, "seccomp notifier not found in %s\n", path);
return -1;
}
+
+static int seccomp(unsigned int operation, unsigned int flags, void *args)
+{
+ return syscall(__NR_seccomp, operation, flags, args);
+}
+
+int install_filter(struct sock_filter *filter, unsigned short len)
+{
+ struct sock_fprog prog;
+ int fd;
+
+ prog.filter = filter;
+ prog.len = len;
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
+ die(" prctl");
+ if ((fd = seccomp(SECCOMP_SET_MODE_FILTER,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog)) < 0)
+ die(" seccomp");
+
+ return fd;
+}
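Review bot: install_filter() has no comment stating its contract, and it carries two process-wide side effects a caller has to know about: it sets PR_SET_NO_NEW_PRIVS on the calling process (not reversible, inherited by children) and it adds a seccomp filter, so a second call stacks a second filter rather than replacing the first, which matters if the unit tests call it once per test case. On failure it does not return an error but aborts through die(), so the return value, when the function returns at all, is always the listener fd created by SECCOMP_FILTER_FLAG_NEW_LISTENER. Suggest above the definition: `/* Install a seccomp BPF filter of @len instructions with a user-notification listener. Sets PR_SET_NO_NEW_PRIVS on the process and aborts via die() on failure; returns the listener fd. */`. Two style points: common.c now includes "util.h" before its own "common.h", whereas including its own header first proves the header is self-contained, and the leading space in `die(" prctl")` / `die(" seccomp")` looks accidental unless die() in util.h expects it — confirm against that helper.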
diff --git a/common/common.h b/common/common.h
index 487032b..780f756 100644
--- a/common/common.h
+++ b/common/common.h
@@ -1,6 +1,8 @@
#ifndef COMMON_H_
#define COMMON_H_
-int find_fd_seccomp_notifier(const char *pid);
+#include <linux/filter.h>
+int find_fd_seccomp_notifier(const char *pid);
+int install_filter(struct sock_filter *filter, unsigned short len);
#endif
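Review bot: The prototype `int find_fd_seccomp_notifier(const char *pid);` names its parameter `pid` while the definition in common.c calls it `path` and reports it as a path in its error message; renaming the prototype parameter to `path` keeps header and definition consistent. The new `install_filter` prototype also gets no documentation here, and the header is where callers look: suggest `/* Install @filter (@len instructions) with a user-notification listener; sets PR_SET_NO_NEW_PRIVS, aborts via die() on failure, returns the listener fd. */` above it.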
diff --git a/eater/eater.c b/eater/eater.c
index 96a7b61..3396c78 100644
--- a/eater/eater.c
+++ b/eater/eater.c
@@ -17,15 +17,8 @@
#include <fcntl.h>
#include <unistd.h>
#include <argp.h>
-#include <sys/prctl.h>
-#include <sys/syscall.h>
-#include <sys/socket.h>
#include <signal.h>
-#include <linux/audit.h>
-#include <linux/filter.h>
-#include <linux/seccomp.h>
-
#include <dirent.h>
#include <sys/stat.h>
@@ -76,11 +69,6 @@ static struct argp argp = { .options = options,
.help_filter = NULL,
.argp_domain = NULL };
-static int seccomp(unsigned int operation, unsigned int flags, void *args)
-{
- return syscall(__NR_seccomp, operation, flags, args);
-}
-
static void signal_handler(__attribute__((unused)) int s)
{
}
@@ -96,27 +84,16 @@ int main(int argc, char **argv)
{
struct sock_filter filter[1024];
struct arguments arguments;
- struct sock_fprog prog;
struct sigaction act;
- size_t n;
int fd, flags;
+ size_t n;
argp_parse(&argp, argc, argv, 0, 0, &arguments);
fd = open(arguments.input_file, O_CLOEXEC | O_RDONLY);
n = read(fd, filter, sizeof(filter));
close(fd);
- prog.filter = filter;
- prog.len = (unsigned short)(n / sizeof(filter[0]));
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
- perror("prctl");
- exit(EXIT_FAILURE);
- }
- if (seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER,
- &prog) < 0) {
- perror("seccomp");
- exit(EXIT_FAILURE);
- }
+ install_filter(filter, (unsigned short)(n / sizeof(filter[0])));
/*
* close-on-exec flag is set for the file descriptor by seccomp.
* We want to preserve the fd on the exec in this way we are able
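Review bot: The `size_t n;` moved into this hunk cannot represent the -1 that `read()` returns on failure, and neither the `open()` nor the `read()` result is checked before `n / sizeof(filter[0])` is computed and handed to install_filter(); a failed or misaligned read therefore surfaces, at best, as a confusing seccomp failure inside install_filter() and, at worst, as a shorter filter than the file contained being installed as the sandbox policy. Declare `n` as `ssize_t`, fail on a negative fd or read result, and reject a zero-length or non-multiple-of-`sizeof(struct sock_filter)` payload before the install, in the same perror/exit style the removed lines used. A file larger than the 1024-entry `filter` buffer is also silently truncated by this read; that case should at least be reported. main() continues past the end of the hunk.
```c
	ssize_t n;
	/* … unchanged: argp_parse … */
	fd = open(arguments.input_file, O_CLOEXEC | O_RDONLY);
	if (fd < 0) {
		perror("open");
		exit(EXIT_FAILURE);
	}
	n = read(fd, filter, sizeof(filter));
	close(fd);
	if (n < 0) {
		perror("read");
		exit(EXIT_FAILURE);
	}
	if (n == 0 || (size_t)n % sizeof(filter[0]) != 0) {
		fprintf(stderr, "%s: invalid filter size (%zd bytes)\n",
			arguments.input_file, n);
		exit(EXIT_FAILURE);
	}
	install_filter(filter, (unsigned short)(n / sizeof(filter[0])));
	/* … unchanged: close-on-exec handling of the listener fd … */
```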
diff --git a/tests/unit/Makefile b/tests/unit/Makefile
index bdd419b..aad8549 100644
--- a/tests/unit/Makefile
+++ b/tests/unit/Makefile
@@ -7,8 +7,8 @@ OP_DIR := ../../
COOKER_DIR := ../../cooker
DBG_DIR := ../../debug
-SRCS_FILTER := $(COOKER_DIR)/filter.c $(DBG_DIR)/disasm.c
-HEADERS_FILTER := $(COOKER_DIR)/filter.h $(DBG_DIR)/disasm.h
+SRCS_FILTER := $(COOKER_DIR)/filter.c $(DBG_DIR)/disasm.c $(COMMON_DIR)/common.c
+HEADERS_FILTER := $(COOKER_DIR)/filter.h $(DBG_DIR)/disasm.h $(COMMON_DIR)/common.h
HEADERS_OP_CALL := $(COMMON_DIR)/gluten.h $(OP_DIR)/operations.h
SRCS_OP_CALL := $(OP_DIR)/operations.c
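Review bot: common.c, now added to SRCS_FILTER, calls die() from util.h, so the object that defines die() has to be on the same link line; this hunk adds only `$(COMMON_DIR)/common.c`. Unless the util source is already part of this target elsewhere in the Makefile (outside the hunk), the filter unit-test binary will fail to link — worth confirming with a build of tests/unit, or by listing the util source next to `$(COMMON_DIR)/common.c` here.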
diff --git a/tests/unit/test_operations.c b/tests/unit/test_operations.c
index a743aa4..c60fa4f 100644
--- a/tests/unit/test_operations.c
+++ b/tests/unit/test_operations.c
@@ -28,6 +28,7 @@
#include "gluten.h"
#include "operations.h"
#include "common.h"
+#include "util.h"
#define MAX_TEST_PATH 250
@@ -64,20 +65,8 @@ static int install_notification_filter(int nr)
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
};
- struct sock_fprog prog;
-
- prog.filter = filter;
- prog.len = (unsigned short)(sizeof(filter) / sizeof(filter[0]));
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
- perror("prctl");
- return -1;
- }
- if ((fd = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
- SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog)) < 0) {
- perror("seccomp");
- return -1;
- }
- return fd;
+ return install_filter(
+ &filter, (unsigned short)(sizeof(filter) / sizeof(filter[0])));
}
static int create_test_fd()
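Review bot: `install_filter(&filter, …)` passes a `struct sock_filter (*)[N]` where the prototype takes `struct sock_filter *`; the address is the same so it runs, but it is an incompatible-pointer-type diagnostic and should read `install_filter(filter, …)`, matching the call in eater.c. The error semantics of install_notification_filter() also change here: it previously returned -1 after perror() and now aborts the whole test process through die() inside install_filter(), so any caller that checks for -1 (outside the hunk) becomes dead code — either document that the helper aborts on failure or keep a returning variant for the tests. If `int fd` is still declared at the top of this function (outside the hunk), it is now unused. The function's start lies outside the hunk.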