authorAlice Frosi <afrosi@redhat.com>2022-12-21 14:49:09 +0100
committerAlice Frosi <afrosi@redhat.com>2022-12-21 14:55:52 +0100
commitf9613be602d9ff4f999fd216b52c59cd68cf71a3 (patch)
tree51c3c1c17f8e9029610e7de671da79a6cebae779 /filter.h
parentb8989e6bc221c7273ad70e2361a4f0457422cebe (diff)
Generation of bpf program
The build binary creates the BPF filter based on the syscalls defined in struct bpf_call, e.g.: ./build test.bpf. First, a table of the filtered syscalls is built in ascending order of syscall number, including the number of syscalls of that type. Afterwards, the BPF filter with a binary search tree is constructed from: 1. the nodes for the tree search, 2. the leaves with all the syscall numbers, 3. the arguments of every syscall, if present. Then, the BPF instructions are written to the input file. Signed-off-by: Alice Frosi <afrosi@redhat.com>
Diffstat (limited to 'filter.h')
-rw-r--r--filter.h39
1 files changed, 39 insertions, 0 deletions
diff --git a/filter.h b/filter.h
new file mode 100644
index 0000000..134a16b
--- /dev/null
+++ b/filter.h
@@ -0,0 +1,39 @@
+#ifndef FILTER_H_
+#define FILTER_H_
+
+#include <linux/filter.h>
+#include <linux/audit.h>
+#include <linux/seccomp.h>
+
+#define JGE(nr, right, left) \
+ BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, (nr), (right), (left))
+#define JUMPA(jump) BPF_JUMP(BPF_JMP | BPF_JA, (jump), 0, 0)
+#define EQ(nr, a1, a2) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), (a1), (a2))
+
+#define MAX_FILTER 1024
+
+#define MAX_JUMPS 128
+#define EMPTY -1
+
+struct bpf_call {
+ char *name;
+ int args[6];
+ bool check_arg[6];
+};
+
+struct syscall_entry {
+ unsigned int count;
+ long nr;
+ const struct bpf_call *entry;
+};
+
+void create_lookup_nodes(int jumps[], unsigned int n);
+unsigned int left_child(unsigned int parent_index);
+unsigned int right_child(unsigned int parent_index);
+
+unsigned int create_bfp_program(struct syscall_entry table[],
+ struct sock_filter filter[],
+ unsigned int n_syscall);
+int convert_bpf(char *file, struct bpf_call *entries, int n);
+
+#endif
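Review bot: `struct bpf_call` uses `bool` in `bool check_arg[6]`, but the header includes only the Linux uapi headers, so filter.h is not self-contained and compiles only when the including .c file has already pulled in `<stdbool.h>`; add `#include <stdbool.h>` alongside the other includes. The prototype block carries no documentation: a short comment on `create_bfp_program` stating what the return value is (the commit description suggests the number of BPF instructions emitted, but the header does not say) and on `convert_bpf` stating how errors are reported and whether `n` may be 0 would let callers use the API without reading the .c file. `convert_bpf(char *file, ...)` presumably only reads the path, in which case `const char *file` avoids forcing callers to cast string literals. Two smaller style points: `create_bfp_program` spells "bpf" as "bfp" while the rest of the header uses "bpf", and `#define EMPTY -1` is conventionally parenthesized as `#define EMPTY (-1)`.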