From: "Thiago Marcos P. Santos" <[email protected]> It is always nice to provide this alternative version of variadic functions since there is no portable way of wrapping them.
Signed-off-by: Thiago Marcos P. Santos <[email protected]> --- doc/Makefile | 4 +++- doc/man/man3/seccomp_rule_add.3 | 19 +++++++++++++++- doc/man/man3/vseccomp_rule_add.3 | 1 + doc/man/man3/vseccomp_rule_add_exact.3 | 1 + include/seccomp.h | 37 ++++++++++++++++++++++++++++++++ src/api.c | 18 ++++++++++++++++ 6 files changed, 78 insertions(+), 2 deletions(-) create mode 100644 doc/man/man3/vseccomp_rule_add.3 create mode 100644 doc/man/man3/vseccomp_rule_add_exact.3 diff --git a/doc/Makefile b/doc/Makefile index c6d3f52..81536e5 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -44,7 +44,9 @@ MAN3 = \ man/man3/seccomp_export_bpf.3 \ man/man3/seccomp_export_pfc.3 \ man/man3/seccomp_attr_set.3 \ - man/man3/seccomp_attr_get.3 + man/man3/seccomp_attr_get.3 \ + man/man3/vseccomp_rule_add.3 \ + man/man3/vseccomp_rule_add_exact.3 # # targets diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3 index 77c64a0..7454c2f 100644 --- a/doc/man/man3/seccomp_rule_add.3 +++ b/doc/man/man3/seccomp_rule_add.3 @@ -2,7 +2,7 @@ .\" ////////////////////////////////////////////////////////////////////////// .SH NAME .\" ////////////////////////////////////////////////////////////////////////// -seccomp_rule_add, seccomp_rule_add_exact \- Add a seccomp filter rule +seccomp_rule_add, seccomp_rule_add_exact, vseccomp_rule_add, vseccomp_rule_add_exact \- Add a seccomp filter rule .\" ////////////////////////////////////////////////////////////////////////// .SH SYNOPSIS .\" ////////////////////////////////////////////////////////////////////////// @@ -26,6 +26,10 @@ seccomp_rule_add, seccomp_rule_add_exact \- Add a seccomp filter rule .BI " int " syscall ", unsigned int " arg_cnt ", " ... ");" .BI "int seccomp_rule_add_exact(scmp_filter_ctx " ctx ", uint32_t " action "," .BI " int " syscall ", unsigned int " arg_cnt ", " ... ");" +.BI "int vseccomp_rule_add(scmp_filter_ctx " ctx ", uint32_t " action "," +.BI " int " syscall ", unsigned int " arg_cnt ", va_list " arg_list ");" +.BI "int vseccomp_rule_add_exact(scmp_filter_ctx " ctx ", uint32_t " action "," +.BI " int " syscall ", unsigned int " arg_cnt ", va_list " arg_list ");" .fi .\" ////////////////////////////////////////////////////////////////////////// .SH DESCRIPTION @@ -46,6 +50,19 @@ differently on different architectures. While it does not guarantee a exact filter ruleset, .BR seccomp_rule_add () does guarantee the same behavior regardless of the architecture. +.BR vseccomp_rule_add () +and +.BR vseccomp_rule_add_exact () +work in the same way as +.BR seccomp_rule_add () +and +.BR seccomp_rule_add_exact () +respectively, but they take an initialized +.I va_list +as argument. These functions will not call +.I va_end +macro. See +.BR stdarg (3). .P The newly added filter rule does not take effect until the entire filter is loaded into the kernel using diff --git a/doc/man/man3/vseccomp_rule_add.3 b/doc/man/man3/vseccomp_rule_add.3 new file mode 100644 index 0000000..53714e7 --- /dev/null +++ b/doc/man/man3/vseccomp_rule_add.3 @@ -0,0 +1 @@ +.so man3/seccomp_rule_add.3 diff --git a/doc/man/man3/vseccomp_rule_add_exact.3 b/doc/man/man3/vseccomp_rule_add_exact.3 new file mode 100644 index 0000000..53714e7 --- /dev/null +++ b/doc/man/man3/vseccomp_rule_add_exact.3 @@ -0,0 +1 @@ +.so man3/seccomp_rule_add.3 diff --git a/include/seccomp.h b/include/seccomp.h index 42ad4fb..121411f 100644 --- a/include/seccomp.h +++ b/include/seccomp.h @@ -24,6 +24,7 @@ #include <inttypes.h> #include <asm/unistd.h> +#include <stdarg.h> /* * types @@ -267,6 +268,24 @@ int seccomp_rule_add(scmp_filter_ctx ctx, * @param action the filter action * @param syscall the syscall number * @param arg_cnt the number of argument filters in the argument filter chain + * @param arg_list initialized argument list + * + * This function works in the same way as seccomp_rule_add() but takes a + * initialized va_list as last argument. It will not call va_end macro and + * arg_list is undefined after the calling this function, being safe only + * to call va_end on it. + * + */ +int vseccomp_rule_add(scmp_filter_ctx ctx, + uint32_t action, int syscall, unsigned int arg_cnt, + va_list arg_list); + +/** + * Add a new rule to the current filter + * @param ctx the filter context + * @param action the filter action + * @param syscall the syscall number + * @param arg_cnt the number of argument filters in the argument filter chain * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended) * * This function adds a series of new argument/value checks to the seccomp @@ -280,6 +299,24 @@ int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action, int syscall, unsigned int arg_cnt, ...); /** + * Add a new rule to the current filter + * @param ctx the filter context + * @param action the filter action + * @param syscall the syscall number + * @param arg_cnt the number of argument filters in the argument filter chain + * @param arg_list initialized argument list + * + * This function works in the same way as seccomp_rule_add_exact() but takes a + * initialized va_list as last argument. It will not call va_end macro and + * arg_list is undefined after the calling this function, being safe only + * to call va_end on it. + * + */ +int vseccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action, + int syscall, unsigned int arg_cnt, + va_list arg_list); + +/** * Generate seccomp Pseudo Filter Code (PFC) and export it to a file * @param ctx the filter context * @param fd the destination fd diff --git a/src/api.c b/src/api.c index 64ee4c6..57ba25e 100644 --- a/src/api.c +++ b/src/api.c @@ -257,6 +257,15 @@ int seccomp_rule_add(scmp_filter_ctx ctx, } /* NOTE - function header comment in include/seccomp.h */ +int vseccomp_rule_add(scmp_filter_ctx ctx, + uint32_t action, int syscall, unsigned int arg_cnt, + va_list arg_list) +{ + return _seccomp_rule_add((struct db_filter *)ctx, + 0, action, syscall, arg_cnt, arg_list); +} + +/* NOTE - function header comment in include/seccomp.h */ int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action, int syscall, unsigned int arg_cnt, ...) { @@ -272,6 +281,15 @@ int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action, } /* NOTE - function header comment in include/seccomp.h */ +int vseccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action, + int syscall, unsigned int arg_cnt, + va_list arg_list) +{ + return _seccomp_rule_add((struct db_filter *)ctx, + 1, action, syscall, arg_cnt, arg_list); +} + +/* NOTE - function header comment in include/seccomp.h */ int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd) { if (_ctx_valid(ctx)) -- 1.7.9.5 ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ libseccomp-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
