aboutgitcodelistschat:MatrixIRC
path: root/cooker/match.c
Commit message (Collapse)AuthorAgeFilesLines
* Add fsetxattr(), fremovexattr(), open_by_handle_at(), and "virtiofsd demo"Stefano Brivio2024-05-151-1/+2
| | | | | | | | Mostly assorted fixes, a new FDGET operation (get a copy of the target file descriptor via pidfd_getfd()) and a new "FD" flag that means we have to do that on direct tag reference. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan: Add netlink, sendto()/sendmsg(), iovec handling, demo with routesStefano Brivio2023-12-211-2/+54
| | | | | | | A bit rough at the moment, but it does the trick. Bonus: setsockopt() (with magic values only, not used in any demo yet). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: simplify tag and add caller metadataAlice Frosi2023-08-301-2/+4
| | | | | | | | | | | | Group the metadata information: - simplify the json by removing the 'tag' and only using 'get' and 'set' keys - get uid and gid at runtime for the target ('caller'). This can be useful when the the UID and GID of the target are only known at runtime and they need to be used for setting the permissions of files - updated example demo/mknod.hjson Signed-off-by: Alice Frosi <afrosi@redhat.com>
* cooker: generate OCI seccomp profileAlice Frosi2023-08-241-5/+13
| | | | | | | | | | | | | | | | | | Generate the OCI seccomp profile instead of directly the BPF filter. The seccomp profile will be used consquently by the container runtime as input in order to generate the BPF filter. Example with mknod: $ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson $ seitan -s /tmp/seitan.sock -i /tmp/gluten $ podman run --cap-drop ALL --security-opt=seccomp=/tmp/scmp_prof.json \ --annotation run.oci.seccomp.receiver=/tmp/seitan.sock \ -ti fedora \ sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol' /dev/lol Signed-off-by: Alice Frosi <afrosi@redhat.com>
* test: fix filter-build test and bugsAlice Frosi2023-07-031-0/+1
| | | | | | | | | | | | The tests for checking the filter build recompile and are successfull. Changes: - spotted a couple of bugs for adding the arguments in the filter - readded function `filter_flush_args` to flush_args; this is needed to distinguish when the arguments belong to the same block or are different entries to the same syscall - build the filter in a way that CMP_EQ corresponds to BPF_JEQ and we don't need to awkwardly negate the operations (still TODO for AND_EQ)
* cooker/match: Fix mask calculation for GNU_DEV_MINORStefano Brivio2023-06-271-2/+2
| | | | | | | | Starting from Linux 2.6 series, we have 20 bits of minor (not 32) and the gap between low and high bits is 12 bits, meaning the high ones are shifted by 20 (not 12). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: Support for read(), OP_STORE, field-based filtersStefano Brivio2023-06-141-3/+2
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: Pass arguments to filterStefano Brivio2023-06-091-4/+15
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: Full support for flags and masks, assorted fixesStefano Brivio2023-06-081-12/+49
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* mknod/mknodat values, initial support for MASK flag, OP_BITWISEStefano Brivio2023-06-071-13/+31
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan,cooker: op_resolvefdAlice Frosi2023-06-071-1/+12
| | | | | | | | | ops: - update resolvefd with the description - add debug prints cooker: - add emit_resolvefd when match has type FDPATH
* cooker: Draft quality: mknod/mknodat, sets of values with "in"Stefano Brivio2023-06-061-8/+65
| | | | | | | | While at it: - directly assign 'fd' in eater from install_filter() - turn op_cmp into a description-style thing Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: use unsigned short for family with connectAlice Frosi2023-06-051-0/+1
|
* treewide: Change to GPLv2, add LICENSES, missing headersStefano Brivio2023-06-041-1/+1
| | | | | | As discussed with Alice -- 'reuse lint' passes now. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker, seitan: OP_CALL arguments and contextStefano Brivio2023-06-021-32/+3
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: OP_CALL and OP_COPY stuffStefano Brivio2023-06-011-165/+96
| | | | | | ...mostly. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker, seitan: Now with 100% more glutenStefano Brivio2023-05-161-0/+361
Pseudorandom changes and progress around cooker and seitan: - cooker: - rename matching functions, split match.c - fix up SELECT semantics - add some form of handling for all syscalls in the example (some stubs) - OP_CMP for all basic and compound types except for flags - link jumps to next block and next match - completed implementation of tags - gluten write - filter clean-ups, write filters (probably not working) - seitan: - load gluten and source instructions and data from there $ ./seitan-cooker cooker/example.hjson example.gluten example.bpf Parsing block 0 Parsing match 0: connect Found description for connect 0: OP_NR: if syscall number is not 0, jump to next block Parsing match argument fd setting tag reference 'fd' tag 'fd' now refers to seccomp data at 0 Parsing match argument addr allocating 128 at offset 0 1: OP_LOAD: #0 < args[1] (size: 128) C#0: (INT) 1 2: OP_CMP: if temporary data: #0 NE (size: 4) read-only data: #0, jump to next block C#4: (STRING:24) /var/run/pr-helper.sock 3: OP_CMP: if temporary data: #0 NE (size: 24) read-only data: #4, jump to next block Linking match... Linking block... linked jump of instruction #0 to #4 linked jump of instruction #2 to #4 linked jump of instruction #3 to #4 Parsing block 1 Parsing match 0: ioctl Found description for ioctl 4: OP_NR: if syscall number is not 112, jump to next block Parsing match argument path Parsing match argument request C#28: (INT) 1074025674 5: OP_CMP: if seccomp data: #1 NE (size: 4) read-only data: #28, jump to next block Parsing match argument ifr allocating 40 at offset 128 6: OP_LOAD: #128 < args[2] (size: 40) C#32: (STRING:5) tap0 7: OP_CMP: if temporary data: #128 NE (size: 5) read-only data: #32, jump to next block C#37: (INT) 1 8: OP_CMP: if temporary data: #128 NE (size: 4) read-only data: #37, jump to next block Linking match... Linking block... linked jump of instruction #4 to #9 linked jump of instruction #5 to #9 linked jump of instruction #7 to #9 linked jump of instruction #8 to #9 Parsing block 2 Parsing match 0: unshare Found description for unshare 9: OP_NR: if syscall number is not 164, jump to next block Parsing match argument flags Linking match... Linking block... linked jump of instruction #9 to #10 Parsing block 3 Parsing match 0: unshare Found description for unshare 10: OP_NR: if syscall number is not 164, jump to next block Parsing match argument flags Linking match... Linking block... linked jump of instruction #10 to #11 Parsing block 4 Parsing match 0: mknod Found description for mknod 11: OP_NR: if syscall number is not 164, jump to next block Parsing match argument path allocating 1 at offset 168 12: OP_LOAD: #168 < args[0] (size: 1) setting tag reference 'path' tag 'path' now refers to temporary data at 168 Parsing match argument mode Parsing match argument major Parsing match argument minor setting tag reference 'minor' tag 'minor' now refers to seccomp data at 2 Linking match... Linking block... linked jump of instruction #11 to #13 Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-03 08:28:39 +0000