From 5a9302bab9c9bb3d1577f04678d074fb7af4115f Mon Sep 17 00:00:00 2001
From: Stefano Brivio
Date: Wed, 15 May 2024 08:49:56 +0200
Subject: Add fsetxattr(), fremovexattr(), open_by_handle_at(), and "virtiofsd demo"
Mostly assorted fixes, a new FDGET operation (get a copy of the target file descriptor via pidfd_getfd()) and a new "FD" flag that means we have to do that on direct tag reference.
Signed-off-by: Stefano Brivio
---
 cooker/filter.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'cooker/filter.c')
diff --git a/cooker/filter.c b/cooker/filter.c
index e0c8081..765fa25 100644
--- a/cooker/filter.c
+++ b/cooker/filter.c
@@ -540,6 +540,11 @@ unsigned int filter_build(struct sock_filter filter[], unsigned n)
  /* pre-check instruction + load syscall number (4 instructions) */
  accept = size + n_nodes + n;
+
+ /* FIXME: See below */
+ if (n > 1 && n % 2)
+ accept++;
+
  notify = accept + 1;
  /* Insert nodes */
@@ -570,6 +575,13 @@ unsigned int filter_build(struct sock_filter filter[], unsigned n)
  */
  next_offset += get_n_args_syscall_instr(nr) - 1;
  }
+
+ /* FIXME: If we have an odd number of leaves, duplicate the last one,
+ * otherwise, left_child() will miscalculate terminal jump offsets.
+ */
+ if (n > 1 && n % 2)
+ filter[size++] = EQ(nr, offset - 1, accept - size);
+
  /* Seccomp accept and notify instruction */
  filter[size++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
  filter[size++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF);
--
cgit v1.2.3
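Review bot: The `accept++` added after `accept = size + n_nodes + n;` in the `@@ -540,6 +540,11 @@` hunk repeats the predicate `n > 1 && n % 2` that the `@@ -570,6 +575,13 @@` hunk uses to emit the duplicated leaf, and nothing keeps the two copies in step. If one is edited without the other, `accept` and `notify` would index the wrong instructions, and a syscall could end up at the wrong return statement of the seccomp filter. Evaluating it once, e.g. `unsigned pad = n > 1 && n % 2;` with `accept = size + n_nodes + n + pad;`, and reusing `pad` for the later insertion removes that risk. The comment `/* FIXME: See below */` would be clearer as `/* One extra slot: the last leaf is duplicated when n is odd */`. The body of filter_build starts and ends outside this hunk.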
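Review bot: In the added `filter[size++] = EQ(nr, offset - 1, accept - size);` of the `@@ -570,6 +575,13 @@` hunk, the left operand increments `size` while the right operand reads it. C leaves the operands of `=` unsequenced, so the jump offset passed to `EQ` is not well defined and may differ between compilers or optimisation levels. In a seccomp filter, a jump that lands one instruction off can reach the wrong return statement, so the offset should be computed from a fixed value of `size`. If the offset is meant relative to the instruction's own index, use `filter[size] = EQ(nr, offset - 1, accept - size);` followed by `size++;`, and adjust by one otherwise. `nr`, `offset` and `EQ` are defined outside the hunk, so it is worth checking whether the preceding leaf loop uses the same pattern.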