diff options
| author | Alice Frosi <afrosi@redhat.com> | 2023-04-12 11:06:27 +0200 |
|---|---|---|
| committer | Alice Frosi <afrosi@redhat.com> | 2023-04-12 11:06:27 +0200 |
| commit | c54051101e95998b3070d5ccea46f6c7e33dfe57 (patch) | |
| tree | 9a86cafce8f9c53ebcc685ee30c849c5e1b9b027 /cooker/filter.c | |
| parent | be8d1f5f3aac134218ccbeec49108844293796bc (diff) | |
| download | seitan-c54051101e95998b3070d5ccea46f6c7e33dfe57.tar seitan-c54051101e95998b3070d5ccea46f6c7e33dfe57.tar.gz seitan-c54051101e95998b3070d5ccea46f6c7e33dfe57.tar.bz2 seitan-c54051101e95998b3070d5ccea46f6c7e33dfe57.tar.lz seitan-c54051101e95998b3070d5ccea46f6c7e33dfe57.tar.xz seitan-c54051101e95998b3070d5ccea46f6c7e33dfe57.tar.zst seitan-c54051101e95998b3070d5ccea46f6c7e33dfe57.zip | |
Add other comparison operation for the BPF filter
Diffstat (limited to 'cooker/filter.c')
| -rw-r--r-- | cooker/filter.c | 141 |
1 files changed, 106 insertions, 35 deletions
diff --git a/cooker/filter.c b/cooker/filter.c index 9a2c9f1..a46e8ce 100644 --- a/cooker/filter.c +++ b/cooker/filter.c @@ -259,19 +259,106 @@ unsigned int create_bpf_program_log(struct sock_filter filter[]) return 4; } -static unsigned int eq_u64_filter(struct sock_filter filter[], int idx, - uint64_t v, unsigned int jtrue, - unsigned int jfalse) +static unsigned int eq(struct sock_filter filter[], int idx, + const struct bpf_call *entry, unsigned int jtrue, + unsigned int jfalse) { - uint32_t hi = get_hi(v); - uint32_t lo = get_lo(v); + unsigned int size = 0; + uint32_t hi, lo; + + switch (entry->args[idx].type) { + case U64: + hi = get_hi((entry->args[idx]).value.v64); + lo = get_lo((entry->args[idx]).value.v64); + filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); + filter[size++] = (struct sock_filter)EQ(lo, 0, jfalse); + filter[size++] = (struct sock_filter)LOAD(HI_ARG(idx)); + filter[size++] = (struct sock_filter)EQ(hi, jtrue, jfalse); + break; + case U32: + + filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); + filter[size++] = (struct sock_filter)EQ( + entry->args[idx].value.v32, jtrue, jfalse); + break; + } - filter[0] = (struct sock_filter)LOAD(LO_ARG(idx)); - filter[1] = (struct sock_filter)EQ(lo, 0, jfalse); - filter[2] = (struct sock_filter)LOAD(HI_ARG(idx)); - filter[3] = (struct sock_filter)EQ(hi, jtrue, jfalse); + return size; +} - return 4; +static unsigned int gt(struct sock_filter filter[], int idx, + const struct bpf_call *entry, unsigned int jtrue, + unsigned int jfalse) +{ + unsigned int size = 0; + uint32_t hi, lo; + + switch (entry->args[idx].type) { + case U64: + hi = get_hi((entry->args[idx]).value.v64); + lo = get_lo((entry->args[idx]).value.v64); + filter[size++] = (struct sock_filter)LOAD(HI_ARG(idx)); + filter[size++] = (struct sock_filter)GT(hi, jtrue, jfalse); + filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); + filter[size++] = (struct sock_filter)GT(lo, jtrue, jfalse); + break; + case U32: + + filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); + filter[size++] = (struct sock_filter)GT( + entry->args[idx].value.v32, jtrue, jfalse); + break; + } + + return size; +} + +static unsigned int lt(struct sock_filter filter[], int idx, + const struct bpf_call *entry, unsigned int jtrue, + unsigned int jfalse) +{ + unsigned int size = 0; + uint32_t hi, lo; + + switch (entry->args[idx].type) { + case U64: + hi = get_hi((entry->args[idx]).value.v64); + lo = get_lo((entry->args[idx]).value.v64); + filter[size++] = (struct sock_filter)LOAD(HI_ARG(idx)); + filter[size++] = (struct sock_filter)LT(hi, jtrue, jfalse); + filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); + filter[size++] = (struct sock_filter)LT(lo, jtrue, jfalse); + break; + case U32: + + filter[size++] = (struct sock_filter)LOAD(LO_ARG(idx)); + filter[size++] = (struct sock_filter)LT( + entry->args[idx].value.v32, jtrue, jfalse); + break; + } + + return size; +} + +static unsigned int neq(struct sock_filter filter[], int idx, + const struct bpf_call *entry, unsigned int jtrue, + unsigned int jfalse) +{ + return eq(filter, idx, entry, jfalse, jtrue); +} + +static unsigned int ge(struct sock_filter filter[], int idx, + const struct bpf_call *entry, unsigned int jtrue, + unsigned int jfalse) +{ + return lt(filter, idx, entry, jfalse, jtrue); +} + +static unsigned int le(struct sock_filter filter[], int idx, + const struct bpf_call *entry, unsigned int jtrue, + unsigned int jfalse) +{ + return gt(filter, idx, entry, jfalse, jtrue); } unsigned int create_bfp_program(struct syscall_entry table[], @@ -284,7 +371,6 @@ unsigned int create_bfp_program(struct syscall_entry table[], unsigned int notify, accept; unsigned int i, j, k, size; unsigned int next_offset, offset; - unsigned int next_args_off; int nodes[MAX_JUMPS]; create_lookup_nodes(nodes, n_syscall); @@ -349,36 +435,21 @@ unsigned int create_bfp_program(struct syscall_entry table[], for (j = 0; j < (table[i]).count; j++) { unsigned n_checks = 0; entry = table[i].entry + j; - next_args_off = get_n_args_syscall_entry(entry); for (k = 0; k < 6; k++) { - if (entry->args[k].cmp == NO_CHECK) + switch (entry->args[k].cmp) { + case NO_CHECK: continue; - offset = next_args_off - n_checks; - switch (entry->args[k].type) { - case U64: - size += eq_u64_filter( - &filter[size], k, - entry->args[k].value.v64, 0, - offset); - n_checks++; - has_arg = true; - break; - case U32: - filter[size++] = (struct sock_filter) - LOAD((offsetof( - struct seccomp_data, - args[k]))); - filter[size++] = (struct sock_filter)EQ( - entry->args[k].value.v32, 0, - offset); - n_checks++; - has_arg = true; + case EQ: + size += eq(&filter[size], k, entry, 0, + offset); break; default: fprintf(stderr, - "value for args not recognized\n"); - return -1; + "operation not recognized\n"); + continue; } + n_checks++; + has_arg = true; } if (check_args_syscall_entry(table[i].entry)) filter[size++] = (struct sock_filter)JUMPA( |