From: Vitaly _Vi Shukela <[email protected]>

---
 include/seccomp.h.in | 40 ++++++++++++++++++++++++++++++++++++++++
 src/api.c            | 52 ++++++++++++++++++++++++++++++++++++++++++++++------
 2 files changed, 86 insertions(+), 6 deletions(-)

diff --git a/include/seccomp.h.in b/include/seccomp.h.in
index b21205c..d3dce57 100644
--- a/include/seccomp.h.in
+++ b/include/seccomp.h.in
@@ -389,6 +389,27 @@ int seccomp_syscall_priority(scmp_filter_ctx ctx,
 int seccomp_rule_add(scmp_filter_ctx ctx,
                     uint32_t action, int syscall, unsigned int arg_cnt, ...);
 
+
+/**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt the number of argument filters in the argument filter chain
+ * @param scmp_arg_cmp array of scmp_arg_cmp structs (use of SCMP_ARG_CMP() 
recommended)
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule needs to be adjusted due to architecture specifics it
+ * will be adjusted without notification.  Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int seccomp_rule_add_array(scmp_filter_ctx ctx,
+                    uint32_t action, int syscall, unsigned int arg_cnt,
+                    const struct scmp_arg_cmp *arg_array);
+
 /**
  * Add a new rule to the filter
  * @param ctx the filter context
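Review bot: The Doxygen block for seccomp_rule_add_array documents the last parameter as `@param scmp_arg_cmp` while the prototype below declares it `arg_array`, so the description will not attach to the parameter; change it to `@param arg_array array of scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended)`, as the seccomp_rule_add_exact_array block later in the patch already does. It would also help callers to state whether a NULL arg_array is accepted when arg_cnt is zero, since the header is silent on it and the api.c change rejects a NULL array unconditionally.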
@@ -408,6 +429,25 @@ int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t 
action,
                           int syscall, unsigned int arg_cnt, ...);
 
 /**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt the number of argument filters in the argument filter chain
+ * @param arg_array array of scmp_arg_cmp structs (use of SCMP_ARG_CMP() 
recommended)
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule can not be represented on the architecture the
+ * function will fail.  Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_rule_add_exact_array(scmp_filter_ctx ctx,
+                          uint32_t action, int syscall, unsigned int arg_cnt,
+                          const struct scmp_arg_cmp *arg_array);
+
+/**
  * Generate seccomp Pseudo Filter Code (PFC) and export it to a file
  * @param ctx the filter context
  * @param fd the destination fd
diff --git a/src/api.c b/src/api.c
index d70cc69..b8f30b3 100644
--- a/src/api.c
+++ b/src/api.c
@@ -365,7 +365,8 @@ syscall_priority_failure:
  */
 static int _seccomp_rule_add(struct db_filter_col *col,
                             unsigned int strict, uint32_t action, int syscall,
-                            unsigned int arg_cnt, va_list arg_list)
+                            unsigned int arg_cnt,
+                            const struct scmp_arg_cmp *arg_array)
 {
        int rc = 0, rc_tmp;
        int sc_tmp;
@@ -377,6 +378,9 @@ static int _seccomp_rule_add(struct db_filter_col *col,
        struct db_api_arg *chain = NULL, *chain_tmp;
        struct scmp_arg_cmp arg_data;
 
+       if (arg_array == NULL)
+               return -EINVAL;
+
        if (db_col_valid(col) || _syscall_valid(syscall))
                return -EINVAL;
 
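Review bot: The added NULL check makes `arg_cnt == 0` with a NULL `arg_array` fail with -EINVAL even though the copy loop further down never touches the array in that case; `if (arg_cnt > 0 && arg_array == NULL)` would accept the natural "no argument filters" call from the new public array entry points. The upper bound on arg_cnt is now enforced only in the variadic wrappers (the ARG_COUNT_MAX checks added in the same patch), so seccomp_rule_add_array and seccomp_rule_add_exact_array pass any count through; the per-argument `arg_num < chain_len` test appears to keep the chain write in bounds, but moving the `arg_cnt > ARG_COUNT_MAX` check here would give all four entry points one consistent validation. _seccomp_rule_add starts and ends outside this hunk.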
@@ -397,7 +401,7 @@ static int _seccomp_rule_add(struct db_filter_col *col,
                return -ENOMEM;
        memset(chain, 0, chain_size);
        for (iter = 0; iter < arg_cnt; iter++) {
-               arg_data = va_arg(arg_list, struct scmp_arg_cmp);
+               arg_data = arg_array[iter];
                arg_num = arg_data.arg;
                if (arg_num < chain_len && chain[arg_num].valid == 0) {
                        chain[arg_num].valid = 1;
@@ -479,35 +483,71 @@ rule_add_return:
 }
 
 /* NOTE - function header comment in include/seccomp.h */
+int seccomp_rule_add_array(scmp_filter_ctx ctx,
+                       uint32_t action, int syscall, unsigned int arg_cnt,
+                       const struct scmp_arg_cmp *arg_array)
+{
+    return _seccomp_rule_add((struct db_filter_col *)ctx,
+                              0, action, syscall, arg_cnt, arg_array);
+}
+
+
+/* NOTE - function header comment in include/seccomp.h */
 int seccomp_rule_add(scmp_filter_ctx ctx,
                     uint32_t action, int syscall, unsigned int arg_cnt, ...)
 {
        int rc;
+       int iter;
+       struct scmp_arg_cmp arg_array[ARG_COUNT_MAX];
        va_list arg_list;
 
+       if (arg_cnt < 0 || arg_cnt > ARG_COUNT_MAX)
+               return -1;
+
        va_start(arg_list, arg_cnt);
-       rc = _seccomp_rule_add((struct db_filter_col *)ctx,
-                              0, action, syscall, arg_cnt, arg_list);
+       for (iter = 0; iter < arg_cnt; ++iter)
+               arg_array[iter] = va_arg(arg_list, struct scmp_arg_cmp);
+
+       rc = seccomp_rule_add_array(ctx, action, syscall, arg_cnt, arg_array);
        va_end(arg_list);
 
        return rc;
 }
 
+
+/* NOTE - function header comment in include/seccomp.h */
+int seccomp_rule_add_exact_array(scmp_filter_ctx ctx,
+                       uint32_t action, int syscall, unsigned int arg_cnt,
+                       const struct scmp_arg_cmp *arg_array)
+{
+    return _seccomp_rule_add((struct db_filter_col *)ctx,
+                              1, action, syscall, arg_cnt, arg_array);
+}
+
+
 /* NOTE - function header comment in include/seccomp.h */
 int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action,
                           int syscall, unsigned int arg_cnt, ...)
 {
        int rc;
+       int iter;
+       struct scmp_arg_cmp arg_array[ARG_COUNT_MAX];
        va_list arg_list;
 
+       if (arg_cnt > ARG_COUNT_MAX || arg_cnt<0)
+               return -1;
+
        va_start(arg_list, arg_cnt);
-       rc = _seccomp_rule_add((struct db_filter_col *)ctx,
-                              1, action, syscall, arg_cnt, arg_list);
+       for (iter = 0; iter < arg_cnt; ++iter)
+               arg_array[iter] = va_arg(arg_list, struct scmp_arg_cmp);
+
+       rc = seccomp_rule_add_exact_array(ctx, action, syscall, arg_cnt, 
arg_array);
        va_end(arg_list);
 
        return rc;
 }
 
+
 /* NOTE - function header comment in include/seccomp.h */
 int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd)
 {
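Review bot: `arg_cnt < 0` in the new guards of seccomp_rule_add and seccomp_rule_add_exact can never be true because arg_cnt is `unsigned int`, and returning -1 departs from the -EINVAL/-ENOMEM convention _seccomp_rule_add uses; both guards should read `if (arg_cnt > ARG_COUNT_MAX) return -EINVAL;`. The loop counter `int iter` is compared against the unsigned count in both copy loops, so declare it `unsigned int iter` to avoid the signed/unsigned comparison. The bodies of seccomp_rule_add_array and seccomp_rule_add_exact_array are indented with four spaces where the surrounding file uses tabs. seccomp_export_pfc begins at the end of this hunk and continues outside it.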
-- 
1.7.11.6.1.gada05e2

