From 00614c5e6702db8ac3f18a9e193c7a8382f16e6b Mon Sep 17 00:00:00 2001
From: Stefano Brivio
Date: Wed, 14 Jun 2023 07:25:52 +0200
Subject: cooker: Support for read(), OP_STORE, field-based filters
Signed-off-by: Stefano Brivio
---
cooker/example.hjson | 42 +++++++++++++++++++++++++++++++-----------
1 file changed, 31 insertions(+), 11 deletions(-)
(limited to 'cooker/example.hjson')
diff --git a/cooker/example.hjson b/cooker/example.hjson
index 458961c..c3dc657 100644
--- a/cooker/example.hjson
+++ b/cooker/example.hjson
@@ -20,26 +20,46 @@
 }, { "match": [ /* CVE-2022-0185-style */
- { "unshare": { "flags": { "has": { "newuser": true, "newnet": false } } } }
+ { "unshare": { "flags": "CLONE_NEWUSER" } }
 ],
- "block": { }
+ "return": { "value": 0, "error": -1 }
 }, { "match": [ /* passt */
- { "unshare": { "flags": { "has": [ "ipc", "mount", "uts", "pid" ] } } }
+ { "unshare": { "flags": { "all": [ "CLONE_NEWIPC", "CLONE_NEWNS", "CLONE_NEWUTS", "CLONE_NEWPID" ] } } }
 ],
- "block": { }
+ "return": { "value": 0, "error": 0 }
 }, { "match": [ /* Giuseppe's example */
- { "mknodat": { "path": { "tag": "path" }, "mode": "c", "major": 1, "minor": { "value": { "in": [ 3, 5, 7, 8, 9 ] }, "tag": "minor" } } }
+ { "mknodat":
+ { "path": { "tag": "path" },
+ "mode": { "tag": "mode" },
+ "type": { "tag": "type" },
+ "major": 1,
+ "minor": { "value": { "in": [ 3, 5, 7, 8, 9 ] }, "tag": "minor" }
+ }
+ },
+ { "mknod":
+ { "path": { "tag": "path" },
+ "mode": { "tag": "mode" },
+ "type": { "tag": "type" },
+ "major": 1,
+ "minor": { "value": { "in": [ 3, 5, 7, 8, 9 ] }, "tag": "minor" }
+ }
+ }
 ],
- "call": {
- "mknod": { "path": { "tag": { "get": "path" } }, "mode": "c", "major": 1, "minor": { "tag": { "get": "minor" } } },
- "ret": "x",
- "context": { "user": "init", "mnt": "caller" }
- },
- "return": { "tag": "x" }
+ "call":
+ { "mknod":
+ { "path": { "tag": { "get": "path" } },
+ "mode": { "tag": { "get": "mode" } },
+ "type": { "tag": { "get": "type" } },
+ "major": 1,
+ "minor": { "tag": { "get": "minor" } }
+ },
+ "context": { "mnt": "caller" }
+ },
+ "return": { "value": 0 }
 } ]
-- cgit v1.2.3
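Review bot: The rewritten "Giuseppe's example" rule no longer restricts the node type: the old match pinned `"mode": "c"`, while the new `mknodat`/`mknod` matches only tag `mode` and `type` and hand whatever the caller passed to the `mknod` in `call`. With `major` 1 and the same minors still allowed, a node of a non-character type would presumably match as well as the intended character devices, and `mode` is now caller-chosen too. I would keep the tag but add a value constraint in the form `minor` already uses, e.g. `"type": { "value": CHAR_DEVICE_CONSTANT_PLACEHOLDER, "tag": "type" }` (placeholder: the page does not show the cooker's name for that value). Separately, `"return": { "value": 0 }` replaces `"ret": "x"` with `"return": { "tag": "x" }`, so unless the result is propagated some other way the caller is told 0 even when the forwarded `mknod` fails. The rule list this entry belongs to starts and ends outside the hunk.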