From f1f136577a52b1588da5f74683f41d14df410300 Mon Sep 17 00:00:00 2001
From: Alice Frosi
Date: Thu, 8 Jun 2023 17:43:56 +0200
Subject: seitan,cooker: add wd to change work directory and mknod ./seitan-cooker demo/mknod.hjson demo/mknod.gluten demo/mknod.bpf Start seitan with the socket option: ./seitan -s /tmp/seitan.sock -i demo/mknod.gluten Start the container: sudo rm -f /dev/lol sudo chown $USER:$USER /tmp/seitan.sock podman run -ti --runtime /usr/bin/crun \ --security-opt label=disable \ -v $(pwd)/test:/test \ --annotation run.oci.seccomp_bpf_data="$(base64 -w0 demo/mknod.bpf)" \ --annotation run.oci.seccomp.receiver=/tmp/seitan.sock fedora \ sh -c 'mknod /dev/lol c 1 7 && ls -l /dev/lol'
---
 cooker/call.c | 47 ++++++++++++++++++++++++-----------------------
 cooker/emit.c | 18 +++++++++--------
 cooker/emit.h | 2 +-
 3 files changed, 34 insertions(+), 33 deletions(-)
(limited to 'cooker')
diff --git a/cooker/call.c b/cooker/call.c
index e2a5777..4e9cb9c 100644
--- a/cooker/call.c
+++ b/cooker/call.c
@@ -340,8 +340,9 @@ static struct gluten_offset parse_arg(struct gluten_ctx *g, struct arg *args,
 return offset;
 }
 
-static void parse_call(struct gluten_ctx *g, struct ns_spec *ns, long nr,
- JSON_Object *obj, const char *ret, struct arg *args)
+static void parse_call(struct gluten_ctx *g, struct context_desc *cdesc,
+ long nr, JSON_Object *obj, const char *ret,
+ struct arg *args)
 {
 struct gluten_offset offset[6] = { 0 }, ret_offset = { 0 };
 bool is_ptr[6] = { false };
@@ -421,49 +422,49 @@ static void parse_call(struct gluten_ctx *g, struct ns_spec *ns, long nr,
 if (count != json_object_get_count(obj))
 die(" Stray elements in call");
- emit_call(g, ns, nr, arg_max_pos + 1, is_ptr, offset, ret_offset);
+ emit_call(g, cdesc, nr, arg_max_pos + 1, is_ptr, offset, ret_offset);
 }
-static void parse_context(struct ns_spec *ns, JSON_Object *obj)
+static void parse_context(struct context_desc *cdesc, JSON_Object *obj)
 {
 unsigned i, n = 0;
 /* Key order gives setns() order */
 for (i = 0; i < json_object_get_count(obj); i++) {
 const char *name = json_object_get_name(obj, i);
- const char **ns_name = ns_type_name, *str;
- enum ns_type type;
+ const char **ctx_name, *str;
+ enum context_type type;
 double num;
- for (ns_name = ns_type_name; *ns_name; ns_name++) {
- if (!strcmp(name, *ns_name))
+ for (ctx_name = context_type_name; *ctx_name; ctx_name++) {
+ if (!strcmp(name, *ctx_name))
 break;
 }
- if (!*ns_name)
- die("invalid namespace type \"%s\"", name);
+ if (!*ctx_name)
+ die("invalid context type \"%s\"", name);
- type = ns_name - ns_type_name;
- ns[n].ns = type;
+ type = ctx_name - context_type_name;
+ cdesc[n].type = type;
 if ((str = json_object_get_string(obj, name))) {
 if (!strcmp(str, "init"))
 continue;
- debug(" '%s' namespace: %s", name, str);
+ debug(" '%s' context: %s", name, str);
 if (!strcmp(str, "caller")) {
- ns[n].spec = NS_SPEC_CALLER;
+ cdesc[n].spec = CONTEXT_SPEC_CALLER;
 } else {
- ns[n].spec = NS_SPEC_PATH;
- strncpy(ns[n].target.path, str, PATH_MAX);
+ cdesc[n].spec = CONTEXT_SPEC_PATH;
+ strncpy(cdesc[n].target.path, str, PATH_MAX);
 }
 } else if ((num = json_object_get_number(obj, name))) {
- debug(" '%s' namespace: %lli", name, num);
+ debug(" '%s' context: %lli", name, num);
- ns[n].spec = NS_SPEC_PID;
- ns[n].target.pid = num;
+ cdesc[n].spec = CONTEXT_SPEC_PID;
+ cdesc[n].target.pid = num;
 } else {
- die("invalid namespace specification");
+ die("invalid context specification");
 }
 n++;
 }
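Review bot: The new line `debug(" '%s' context: %lli", name, num);` still passes `num`, declared `double num;` a few lines above, to a `%lli` conversion; if debug() is a printf-style wrapper that is undefined behaviour and prints garbage on most ABIs, so it should be `debug(" '%s' context: %lli", name, (long long)num);`. In the same hunk `strncpy(cdesc[n].target.path, str, PATH_MAX);` leaves `target.path` unterminated when the JSON string is PATH_MAX bytes or longer, so whatever later reads that path can run past the buffer; rejecting such input up front, for example `if (strlen(str) >= PATH_MAX) die("context path too long for \"%s\"", name);`, is preferable to silent truncation, which would also change which path is entered. Both behaviours predate this commit, but the rename rewrites exactly these lines, so this is the moment to fix them. The closing brace of parse_context lies outside the hunk.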
@@ -481,7 +482,7 @@ void handle_calls(struct gluten_ctx *g, JSON_Value *value)
 count = 1;
 for (i = 0; i < count; i++) {
- struct ns_spec ns[NS_TYPE_MAX + 1] = { 0 };
+ struct context_desc cdesc[CONTEXT_TYPE_MAX + 1] = { 0 };
 JSON_Object *obj, *args, *ctx;
 struct call **set, *call;
 const char *name, *ret;
@@ -509,7 +510,7 @@ void handle_calls(struct gluten_ctx *g, JSON_Value *value)
 ret = json_object_get_string(obj, "ret");
 ctx = json_object_get_object(obj, "context");
- parse_context(ns, ctx);
+ parse_context(cdesc, ctx);
 /* TODO: Factor this out into a function in calls.c */
 for (set = call_sets, call = set[0]; *set; ) {
@@ -522,7 +523,7 @@ void handle_calls(struct gluten_ctx *g, JSON_Value *value)
 if (!strcmp(name, call->name)) {
 debug(" Found description for %s", name);
- parse_call(g, ns, call->number,
+ parse_call(g, cdesc, call->number,
 args, ret, call->args);
 break;
 }
diff --git a/cooker/emit.c b/cooker/emit.c
index d4ca97b..41b64a6 100644
--- a/cooker/emit.c
+++ b/cooker/emit.c
@@ -81,31 +81,31 @@ void emit_fd(struct gluten_ctx *g, struct fd_desc *desc)
 /**
 * emit_call() - Emit OP_CALL instruction: execute a system call
 * @g: gluten context
- * @ns: NS_SPEC_NONE-terminated array of namespaces references
+ * @context: CONTEXT_SPEC_NONE-terminated array of context references
 * @nr: System call number
 * @count: Argument count
 * @is_ptr: Array indicating whether arguments need to be dereferenced
 * @args: Offsets of arguments
 * @ret_offset: Offset where return value must be saved, can be OFFSET_NULL
 */
-void emit_call(struct gluten_ctx *g, struct ns_spec *ns, long nr,
+void emit_call(struct gluten_ctx *g, struct context_desc *cdesc, long nr,
 unsigned count, bool is_ptr[6], struct gluten_offset offset[6],
 struct gluten_offset ret_offset)
 {
 struct op *op = (struct op *)gluten_ptr(&g->g, g->ip);
 struct gluten_offset o1 = { 0 }, o2 = { 0 };
 struct op_call *call = &op->op.call;
+ struct context_desc *c = cdesc;
 struct syscall_desc *desc;
- unsigned ns_count, i;
- struct ns_spec *ctx;
+ unsigned i;
 op->type = OP_CALL;
- for (ns_count = 0; ns[ns_count].spec != NS_SPEC_NONE; ns_count++);
- if (ns_count) {
- o1 = gluten_ro_alloc(g, sizeof(struct ns_spec) * ns_count);
- ctx = (struct ns_spec *)gluten_ptr(&g->g, o1);
- memcpy(ctx, ns, sizeof(struct ns_spec) * ns_count);
+ for (i = 0; c[i].spec != CONTEXT_SPEC_NONE; i++);
+ if (i) {
+ o1 = gluten_ro_alloc(g, sizeof(struct context_desc) * i);
+ c = (struct context_desc *)gluten_ptr(&g->g, o1);
+ memcpy(c, cdesc, sizeof(struct context_desc) * i);
 }
 o2 = gluten_ro_alloc(g, sizeof(struct syscall_desc) +
diff --git a/cooker/emit.h b/cooker/emit.h
index 978c9e0..b9d326f 100644
--- a/cooker/emit.h
+++ b/cooker/emit.h
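Review bot: The kernel-doc tag `@context:` added on the new side does not name any parameter of the function below it, which now calls the array `cdesc`; the line should read `* @cdesc: CONTEXT_SPEC_NONE-terminated array of context references`. Replacing the `ns_count`/`ctx` pair by reusing the loop index `i` as the element count, and `c` first as an alias of the input and then as the memcpy destination, makes the block harder to follow than the code it replaces; a dedicated `unsigned n_ctx` for the count and a separate destination pointer would also keep the count from being clobbered should `i` serve as an index further down, which the hunk cuts off before showing. The body of emit_call continues past the end of the hunk.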
@@ -8,7 +8,7 @@ void emit_nr(struct gluten_ctx *g, struct gluten_offset number);
 void emit_fd(struct gluten_ctx *g, struct fd_desc *desc);
-void emit_call(struct gluten_ctx *g, struct ns_spec *ns, long nr,
+void emit_call(struct gluten_ctx *g, struct context_desc *cdesc, long nr,
 unsigned count, bool is_ptr[6], struct gluten_offset offset[6],
 struct gluten_offset ret_offset);
 void emit_load(struct gluten_ctx *g, struct gluten_offset dst,
-- cgit v1.2.3