From: Vitaly _Vi Shukela <[email protected]>

---
 include/seccomp.h.in | 20 +++++++++++++++
 src/api.c            | 71 +++++++++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 85 insertions(+), 6 deletions(-)

diff --git a/include/seccomp.h.in b/include/seccomp.h.in
index b21205c..e2003ce 100644
--- a/include/seccomp.h.in
+++ b/include/seccomp.h.in
@@ -25,6 +25,7 @@
 #include <inttypes.h>
 #include <asm/unistd.h>
 #include <linux/audit.h>
+#include <stdarg.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -389,6 +390,16 @@ int seccomp_syscall_priority(scmp_filter_ctx ctx,
 int seccomp_rule_add(scmp_filter_ctx ctx,
                     uint32_t action, int syscall, unsigned int arg_cnt, ...);
 
+/** va_list analogue of seccomp_rule_add */
+int seccomp_rule_add_valist(scmp_filter_ctx ctx,
+            uint32_t action, int syscall, unsigned int arg_cnt, 
+            va_list arg_list);
+
+/** array version of seccomp_rule_add */
+int seccomp_rule_add_array(scmp_filter_ctx ctx,
+            uint32_t action, int syscall, unsigned int arg_cnt, 
+            const struct scmp_arg_cmp *arg_array);
+
 /**
  * Add a new rule to the filter
  * @param ctx the filter context
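Review bot: The new public declarations `seccomp_rule_add_valist` and `seccomp_rule_add_array` carry only a one-line comment, while the neighbouring entry visible at the end of this hunk uses a full `@param` block. The array variant should state that `arg_array` must point to at least `arg_cnt` elements and whether NULL is accepted when `arg_cnt` is 0; the va_list variant should state that `arg_list` is consumed by the call and that the caller still owns `va_end`. The limit of six comparisons that src/api.c enforces on the va_list path also belongs in the header, since callers otherwise only meet it as an error return. The same applies to `seccomp_rule_add_valist_exact` and `seccomp_rule_add_array_exact` in the next hunk.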
@@ -407,6 +418,15 @@ int seccomp_rule_add(scmp_filter_ctx ctx,
 int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action,
                           int syscall, unsigned int arg_cnt, ...);
 
+/** va_list analogue of seccomp_rule_add_exact */
+int seccomp_rule_add_valist_exact(scmp_filter_ctx ctx, uint32_t action,
+            int syscall, unsigned int arg_cnt, va_list arg_list);
+
+/** array version of seccomp_rule_add_exact */
+int seccomp_rule_add_array_exact(scmp_filter_ctx ctx,
+            uint32_t action, int syscall, unsigned int arg_cnt,
+            const struct scmp_arg_cmp *arg_array);
+
 /**
  * Generate seccomp Pseudo Filter Code (PFC) and export it to a file
  * @param ctx the filter context
diff --git a/src/api.c b/src/api.c
index 5072afc..c524fa9 100644
--- a/src/api.c
+++ b/src/api.c
@@ -366,7 +366,8 @@ syscall_priority_failure:
  */
 static int _seccomp_rule_add(struct db_filter_col *col,
                             unsigned int strict, uint32_t action, int syscall,
-                            unsigned int arg_cnt, va_list arg_list)
+                            unsigned int arg_cnt,
+                                const struct scmp_arg_cmp* arg_array)
 {
        int rc = 0, rc_tmp;
        int syscall_tmp;
@@ -396,7 +397,7 @@ static int _seccomp_rule_add(struct db_filter_col *col,
                return -ENOMEM;
        memset(chain, 0, sizeof(*chain) * chain_len_max);
        for (iter = 0; iter < arg_cnt; iter++) {
-               arg_data = va_arg(arg_list, struct scmp_arg_cmp);
+               arg_data = arg_array[iter];
                arg_num = arg_data.arg;
                if (arg_num < chain_len_max && chain[arg_num].valid == 0) {
                        chain[arg_num].valid = 1;
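Review bot: `arg_array[iter]` is read with no check that the pointer is valid, and the new public `seccomp_rule_add_array()` and `seccomp_rule_add_array_exact()` pass the caller's pointer straight into this function. A NULL `arg_array` with a non-zero `arg_cnt` would crash the process while it is building its sandbox filter, a failure the variadic entry points could not produce. Because `chain` is already allocated by the time this loop runs, the guard should sit before that allocation or in the two wrappers: `if (arg_cnt > 0 && arg_array == NULL) return -EINVAL;`. The start and end of `_seccomp_rule_add` lie outside this hunk, so the exact placement needs checking against the full body.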
@@ -462,6 +463,35 @@ rule_add_return:
 }
 
 /* NOTE - function header comment in include/seccomp.h */
+int seccomp_rule_add_array(scmp_filter_ctx ctx,
+                       uint32_t action, int syscall, unsigned int arg_cnt,
+                       const struct scmp_arg_cmp *arg_array)
+{
+    return _seccomp_rule_add((struct db_filter_col *)ctx,
+                              0, action, syscall, arg_cnt, arg_array);
+}
+
+
+/* NOTE - function header comment in include/seccomp.h */
+int seccomp_rule_add_valist(scmp_filter_ctx ctx,
+                    uint32_t action, int syscall, unsigned int arg_cnt, 
+             va_list arg_list)
+{
+       int i;
+       struct scmp_arg_cmp arg_array[6];
+               
+       if (arg_cnt > sizeof(arg_array)/sizeof(arg_array[0]) || arg_cnt<0) {
+               return -1;
+       }
+               
+       for (i=0; i<arg_cnt; ++i) {
+               arg_array[i] = va_arg(arg_list, struct scmp_arg_cmp);
+       }
+       
+    return seccomp_rule_add_array(ctx, action, syscall, arg_cnt, arg_array);
+}
+
+/* NOTE - function header comment in include/seccomp.h */
 int seccomp_rule_add(scmp_filter_ctx ctx,
                     uint32_t action, int syscall, unsigned int arg_cnt, ...)
 {
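Review bot: In `seccomp_rule_add_valist` the `arg_cnt<0` test can never be true because `arg_cnt` is `unsigned int`, and the loop compares a signed `int i` against it; declare `unsigned int i;` and reduce the check to `if (arg_cnt > sizeof(arg_array)/sizeof(arg_array[0]))`. The failure path returns a bare `-1`, whereas `_seccomp_rule_add` returns negative errno values (`-ENOMEM` is visible in the hunk above), so a caller decoding the result would read it as `-EPERM`; `return -EINVAL;` fits the convention. The literal `6` should be a named constant tied to whatever limit `_seccomp_rule_add` applies through `chain_len_max`, so the two cannot drift apart. `seccomp_rule_add_valist_exact` in the next hunk has the same three problems.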
@@ -469,13 +499,43 @@ int seccomp_rule_add(scmp_filter_ctx ctx,
        va_list arg_list;
 
        va_start(arg_list, arg_cnt);
-       rc = _seccomp_rule_add((struct db_filter_col *)ctx,
-                              0, action, syscall, arg_cnt, arg_list);
+       rc = seccomp_rule_add_valist(ctx, action, syscall, arg_cnt, arg_list);
        va_end(arg_list);
 
        return rc;
 }
 
+
+/* NOTE - function header comment in include/seccomp.h */
+int seccomp_rule_add_array_exact(scmp_filter_ctx ctx,
+                       uint32_t action, int syscall, unsigned int arg_cnt,
+                       const struct scmp_arg_cmp *arg_array)
+{
+    return _seccomp_rule_add((struct db_filter_col *)ctx,
+                              1, action, syscall, arg_cnt, arg_array);
+}
+
+
+/* NOTE - function header comment in include/seccomp.h */
+int seccomp_rule_add_valist_exact(scmp_filter_ctx ctx,
+                       uint32_t action, int syscall, unsigned int arg_cnt,
+                       va_list arg_list)
+{
+       int i;
+       struct scmp_arg_cmp arg_array[6];
+               
+       if (arg_cnt > sizeof(arg_array)/sizeof(arg_array[0]) || arg_cnt<0) {
+               return -1;
+       }
+               
+       for (i=0; i<arg_cnt; ++i) {
+               arg_array[i] = va_arg(arg_list, struct scmp_arg_cmp);
+       }
+       
+    return seccomp_rule_add_array_exact(ctx, action, syscall, arg_cnt, 
+                       arg_array);
+}
+
 /* NOTE - function header comment in include/seccomp.h */
 int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action,
                           int syscall, unsigned int arg_cnt, ...)
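Review bot: `seccomp_rule_add_valist_exact` repeats the bounds check and copy loop of `seccomp_rule_add_valist` line for line, so any correction to the limit or the error code has to be made twice in code that decides which syscall arguments a filter matches. A small static helper that performs the va_list-to-array copy would leave each public function as one helper call plus the forward to its array variant. The sketch below shows the helper and the `_exact` caller; `seccomp_rule_add_valist` in the previous hunk would change the same way, and the helper name is only a suggestion.

```c
/* copy arg_cnt comparisons out of arg_list; 0 on success, -EINVAL if too many */
static int _rule_args_from_valist(struct scmp_arg_cmp *arg_array,
				  unsigned int arg_max,
				  unsigned int arg_cnt, va_list arg_list)
{
	unsigned int iter;

	if (arg_cnt > arg_max)
		return -EINVAL;
	for (iter = 0; iter < arg_cnt; iter++)
		arg_array[iter] = va_arg(arg_list, struct scmp_arg_cmp);
	return 0;
}

int seccomp_rule_add_valist_exact(scmp_filter_ctx ctx,
				  uint32_t action, int syscall, unsigned int arg_cnt,
				  va_list arg_list)
{
	struct scmp_arg_cmp arg_array[6];
	int rc;

	rc = _rule_args_from_valist(arg_array,
				    sizeof(arg_array) / sizeof(arg_array[0]),
				    arg_cnt, arg_list);
	if (rc < 0)
		return rc;
	return seccomp_rule_add_array_exact(ctx, action, syscall, arg_cnt,
					    arg_array);
}
/* … unchanged: seccomp_rule_add, seccomp_rule_add_array_exact … */
```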
@@ -484,8 +544,7 @@ int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t 
action,
        va_list arg_list;
 
        va_start(arg_list, arg_cnt);
-       rc = _seccomp_rule_add((struct db_filter_col *)ctx,
-                              1, action, syscall, arg_cnt, arg_list);
+       rc = seccomp_rule_add_valist_exact(ctx, action, syscall, arg_cnt, 
arg_list);
        va_end(arg_list);
 
        return rc;
-- 
1.7.11.6.1.gada05e2

