diff options
author | Alice Frosi <afrosi@redhat.com> | 2023-03-30 11:02:47 +0200 |
---|---|---|
committer | Alice Frosi <afrosi@redhat.com> | 2023-03-30 11:07:12 +0200 |
commit | fa00aa6b11a9a773bdb0b11c306d2e6936ba5862 (patch) | |
tree | 8852eebf58339d9bbce563022a754d4204411c26 | |
parent | 6a850dfce709751292a136d76060c97b57435ef1 (diff) | |
download | seitan-fa00aa6b11a9a773bdb0b11c306d2e6936ba5862.tar seitan-fa00aa6b11a9a773bdb0b11c306d2e6936ba5862.tar.gz seitan-fa00aa6b11a9a773bdb0b11c306d2e6936ba5862.tar.bz2 seitan-fa00aa6b11a9a773bdb0b11c306d2e6936ba5862.tar.lz seitan-fa00aa6b11a9a773bdb0b11c306d2e6936ba5862.tar.xz seitan-fa00aa6b11a9a773bdb0b11c306d2e6936ba5862.tar.zst seitan-fa00aa6b11a9a773bdb0b11c306d2e6936ba5862.zip |
Create common function to install the BPF filter
-rw-r--r-- | common/common.c | 30 | ||||
-rw-r--r-- | common/common.h | 4 | ||||
-rw-r--r-- | eater/eater.c | 27 | ||||
-rw-r--r-- | tests/unit/Makefile | 4 | ||||
-rw-r--r-- | tests/unit/test_operations.c | 17 |
5 files changed, 40 insertions, 42 deletions
diff --git a/common/common.c b/common/common.c index a8f79a2..cd792de 100644 --- a/common/common.c +++ b/common/common.c @@ -5,6 +5,15 @@ #include <unistd.h> #include <stdlib.h> #include <sys/stat.h> +#include <sys/prctl.h> +#include <sys/syscall.h> +#include <sys/socket.h> + +#include <linux/audit.h> +#include <linux/seccomp.h> + +#include "util.h" +#include "common.h" int find_fd_seccomp_notifier(const char *path) { @@ -49,3 +58,24 @@ int find_fd_seccomp_notifier(const char *path) fprintf(stderr, "seccomp notifier not found in %s\n", path); return -1; } + +static int seccomp(unsigned int operation, unsigned int flags, void *args) +{ + return syscall(__NR_seccomp, operation, flags, args); +} + +int install_filter(struct sock_filter *filter, unsigned short len) +{ + struct sock_fprog prog; + int fd; + + prog.filter = filter; + prog.len = len; + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) + die(" prctl"); + if ((fd = seccomp(SECCOMP_SET_MODE_FILTER, + SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog)) < 0) + die(" seccomp"); + + return fd; +} diff --git a/common/common.h b/common/common.h index 487032b..780f756 100644 --- a/common/common.h +++ b/common/common.h @@ -1,6 +1,8 @@ #ifndef COMMON_H_ #define COMMON_H_ -int find_fd_seccomp_notifier(const char *pid); +#include <linux/filter.h> +int find_fd_seccomp_notifier(const char *pid); +int install_filter(struct sock_filter *filter, unsigned short len); #endif diff --git a/eater/eater.c b/eater/eater.c index 96a7b61..3396c78 100644 --- a/eater/eater.c +++ b/eater/eater.c @@ -17,15 +17,8 @@ #include <fcntl.h> #include <unistd.h> #include <argp.h> -#include <sys/prctl.h> -#include <sys/syscall.h> -#include <sys/socket.h> #include <signal.h> -#include <linux/audit.h> -#include <linux/filter.h> -#include <linux/seccomp.h> - #include <dirent.h> #include <sys/stat.h> @@ -76,11 +69,6 @@ static struct argp argp = { .options = options, .help_filter = NULL, .argp_domain = NULL }; -static int seccomp(unsigned int operation, unsigned int flags, void *args) -{ - return syscall(__NR_seccomp, operation, flags, args); -} - static void signal_handler(__attribute__((unused)) int s) { } @@ -96,27 +84,16 @@ int main(int argc, char **argv) { struct sock_filter filter[1024]; struct arguments arguments; - struct sock_fprog prog; struct sigaction act; - size_t n; int fd, flags; + size_t n; argp_parse(&argp, argc, argv, 0, 0, &arguments); fd = open(arguments.input_file, O_CLOEXEC | O_RDONLY); n = read(fd, filter, sizeof(filter)); close(fd); - prog.filter = filter; - prog.len = (unsigned short)(n / sizeof(filter[0])); - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { - perror("prctl"); - exit(EXIT_FAILURE); - } - if (seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, - &prog) < 0) { - perror("seccomp"); - exit(EXIT_FAILURE); - } + install_filter(filter, (unsigned short)(n / sizeof(filter[0]))); /* * close-on-exec flag is set for the file descriptor by seccomp. * We want to preserve the fd on the exec in this way we are able diff --git a/tests/unit/Makefile b/tests/unit/Makefile index bdd419b..aad8549 100644 --- a/tests/unit/Makefile +++ b/tests/unit/Makefile @@ -7,8 +7,8 @@ OP_DIR := ../../ COOKER_DIR := ../../cooker DBG_DIR := ../../debug -SRCS_FILTER := $(COOKER_DIR)/filter.c $(DBG_DIR)/disasm.c -HEADERS_FILTER := $(COOKER_DIR)/filter.h $(DBG_DIR)/disasm.h +SRCS_FILTER := $(COOKER_DIR)/filter.c $(DBG_DIR)/disasm.c $(COMMON_DIR)/common.c +HEADERS_FILTER := $(COOKER_DIR)/filter.h $(DBG_DIR)/disasm.h $(COMMON_DIR)/common.h HEADERS_OP_CALL := $(COMMON_DIR)/gluten.h $(OP_DIR)/operations.h SRCS_OP_CALL := $(OP_DIR)/operations.c diff --git a/tests/unit/test_operations.c b/tests/unit/test_operations.c index a743aa4..c60fa4f 100644 --- a/tests/unit/test_operations.c +++ b/tests/unit/test_operations.c @@ -28,6 +28,7 @@ #include "gluten.h" #include "operations.h" #include "common.h" +#include "util.h" #define MAX_TEST_PATH 250 @@ -64,20 +65,8 @@ static int install_notification_filter(int nr) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), }; - struct sock_fprog prog; - - prog.filter = filter; - prog.len = (unsigned short)(sizeof(filter) / sizeof(filter[0])); - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { - perror("prctl"); - return -1; - } - if ((fd = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, - SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog)) < 0) { - perror("seccomp"); - return -1; - } - return fd; + return install_filter( + &filter, (unsigned short)(sizeof(filter) / sizeof(filter[0]))); } static int create_test_fd() |