filter: add logging mode

The logging mode creates a BPF filter where all the syscalls trigger a notification to the seccomp notifier.
author: Alice Frosi <afrosi@redhat.com> 2023-03-23 17:06:00 +0100
committer: Alice Frosi <afrosi@redhat.com> 2023-03-23 17:16:12 +0100
commit: 06b0f6d323c396ca1df000af96fdd07cc69b06e0 (patch)
tree: f3f900d0cd928d6ec2e6d1ce019d87e119998c0c /filter.c
parent: 018da5282e74504c0bf232facd7cb35b392d389f (diff)
download: seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar
seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.gz
seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.bz2
seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.lz
seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.xz
seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.zst
seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.zip
1 files changed, 19 insertions, 2 deletions
diff --git a/filter.c b/filter.c
index f8b782d..dbda7ca 100644
--- a/filter.c
+++ b/filter.c
@@ -174,6 +174,20 @@ static unsigned int get_total_args(const struct syscall_entry table[],
 	return n;
 }
 
+unsigned int create_bpf_program_log(struct sock_filter filter[])
+{
+	filter[0] = (struct sock_filter)BPF_STMT(
+		BPF_LD | BPF_W | BPF_ABS,
+		(offsetof(struct seccomp_data, arch)));
+	filter[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
+						 SEITAN_AUDIT_ARCH, 0, 1);
+	filter[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
+						 SECCOMP_RET_USER_NOTIF);
+	filter[3] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
+						 SECCOMP_RET_ALLOW);
+	return 4;
+}
+
 unsigned int create_bfp_program(struct syscall_entry table[],
 				struct sock_filter filter[],
 				unsigned int n_syscall)
@@ -258,7 +272,7 @@ static int compare_names(const void *a, const void *b)
 		      ((struct syscall_numbers *)b)->name);
 }
 
-int convert_bpf(char *file, struct bpf_call *entries, int n)
+int convert_bpf(char *file, struct bpf_call *entries, int n, bool log)
 {
 	int nt, fd, fsize;
 	struct syscall_entry table[N_SYSCALL];
@@ -270,7 +284,10 @@ int convert_bpf(char *file, struct bpf_call *entries, int n)
 	qsort(entries, n, sizeof(struct bpf_call), compare_bpf_call_names);
 	nt = construct_table(entries, n, table);
 
-	fsize = create_bfp_program(table, filter, nt);
+	if (log)
+		fsize = create_bpf_program_log(filter);
+	else
+		fsize = create_bfp_program(table, filter, nt);
 
 	fd = open(file, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC,
 		  S_IRUSR | S_IWUSR);
author	Alice Frosi <afrosi@redhat.com>	2023-03-23 17:06:00 +0100
committer	Alice Frosi <afrosi@redhat.com>	2023-03-23 17:16:12 +0100
commit	06b0f6d323c396ca1df000af96fdd07cc69b06e0 (patch)
tree	f3f900d0cd928d6ec2e6d1ce019d87e119998c0c /filter.c
parent	018da5282e74504c0bf232facd7cb35b392d389f (diff)
download	seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.gz seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.bz2 seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.lz seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.xz seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.zst seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.zip