[libseccomp-discuss] [RFC PATCH 1/3] api: Add array versions of seccomp_rule_add functions

Paul Moore Tue, 26 Mar 2013 14:32:16 -0700

From: Vitaly Vi Shukela <[email protected]>

Signed-off-by: Vitaly Vi Shukela <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
---
 include/seccomp.h.in |   41 ++++++++++++++++++++++++++++++++++++
 src/api.c            |   57 +++++++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 92 insertions(+), 6 deletions(-)


diff --git a/include/seccomp.h.in b/include/seccomp.h.in
index b21205c..2c5f7cd 100644
--- a/include/seccomp.h.in
+++ b/include/seccomp.h.in
@@ -389,6 +389,27 @@ int seccomp_syscall_priority(scmp_filter_ctx ctx,
 int seccomp_rule_add(scmp_filter_ctx ctx,
                     uint32_t action, int syscall, unsigned int arg_cnt, ...);
 
+
+/**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt the number of elements in the arg_array parameter
+ * @param arg_array array of scmp_arg_cmp structs
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule needs to be adjusted due to architecture specifics it
+ * will be adjusted without notification.  Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int seccomp_rule_add_array(scmp_filter_ctx ctx,
+                          uint32_t action, int syscall, unsigned int arg_cnt,
+                          const struct scmp_arg_cmp *arg_array);
+
 /**
  * Add a new rule to the filter
  * @param ctx the filter context
@@ -408,6 +429,26 @@ int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t 
action,
                           int syscall, unsigned int arg_cnt, ...);
 
 /**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt  the number of elements in the arg_array parameter
+ * @param arg_array array of scmp_arg_cmp structs
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule can not be represented on the architecture the
+ * function will fail.  Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_rule_add_exact_array(scmp_filter_ctx ctx,
+                                uint32_t action, int syscall,
+                                unsigned int arg_cnt,
+                                const struct scmp_arg_cmp *arg_array);
+
+/**
  * Generate seccomp Pseudo Filter Code (PFC) and export it to a file
  * @param ctx the filter context
  * @param fd the destination fd
diff --git a/src/api.c b/src/api.c
index d70cc69..aa8edf0 100644
--- a/src/api.c
+++ b/src/api.c
@@ -365,7 +365,8 @@ syscall_priority_failure:
  */
 static int _seccomp_rule_add(struct db_filter_col *col,
                             unsigned int strict, uint32_t action, int syscall,
-                            unsigned int arg_cnt, va_list arg_list)
+                            unsigned int arg_cnt,
+                            const struct scmp_arg_cmp *arg_array)
 {
        int rc = 0, rc_tmp;
        int sc_tmp;
@@ -377,6 +378,9 @@ static int _seccomp_rule_add(struct db_filter_col *col,
        struct db_api_arg *chain = NULL, *chain_tmp;
        struct scmp_arg_cmp arg_data;
 
+       if (arg_cnt > 0 && arg_array == NULL)
+               return -EINVAL;
+
        if (db_col_valid(col) || _syscall_valid(syscall))
                return -EINVAL;
 
@@ -397,7 +401,7 @@ static int _seccomp_rule_add(struct db_filter_col *col,
                return -ENOMEM;
        memset(chain, 0, chain_size);
        for (iter = 0; iter < arg_cnt; iter++) {
-               arg_data = va_arg(arg_list, struct scmp_arg_cmp);
+               arg_data = arg_array[iter];
                arg_num = arg_data.arg;
                if (arg_num < chain_len && chain[arg_num].valid == 0) {
                        chain[arg_num].valid = 1;
@@ -479,30 +483,71 @@ rule_add_return:
 }
 
 /* NOTE - function header comment in include/seccomp.h */
+int seccomp_rule_add_array(scmp_filter_ctx ctx,
+                          uint32_t action, int syscall, unsigned int arg_cnt,
+                          const struct scmp_arg_cmp *arg_array)
+{
+       if (arg_cnt < 0 || arg_cnt > ARG_COUNT_MAX)
+               return -EINVAL;
+
+       return _seccomp_rule_add((struct db_filter_col *)ctx,
+                                0, action, syscall, arg_cnt, arg_array);
+}
+
+
+/* NOTE - function header comment in include/seccomp.h */
 int seccomp_rule_add(scmp_filter_ctx ctx,
                     uint32_t action, int syscall, unsigned int arg_cnt, ...)
 {
        int rc;
+       int iter;
+       struct scmp_arg_cmp arg_array[ARG_COUNT_MAX];
        va_list arg_list;
 
+       if (arg_cnt < 0 || arg_cnt > ARG_COUNT_MAX)
+               return -EINVAL;
+
        va_start(arg_list, arg_cnt);
-       rc = _seccomp_rule_add((struct db_filter_col *)ctx,
-                              0, action, syscall, arg_cnt, arg_list);
+       for (iter = 0; iter < arg_cnt; ++iter)
+               arg_array[iter] = va_arg(arg_list, struct scmp_arg_cmp);
+       rc = seccomp_rule_add_array(ctx, action, syscall, arg_cnt, arg_array);
        va_end(arg_list);
 
        return rc;
 }
 
+
+/* NOTE - function header comment in include/seccomp.h */
+int seccomp_rule_add_exact_array(scmp_filter_ctx ctx,
+                                uint32_t action, int syscall,
+                                unsigned int arg_cnt,
+                                const struct scmp_arg_cmp *arg_array)
+{
+       if (arg_cnt < 0 || arg_cnt > ARG_COUNT_MAX)
+               return -EINVAL;
+
+       return _seccomp_rule_add((struct db_filter_col *)ctx,
+                                1, action, syscall, arg_cnt, arg_array);
+}
+
+
 /* NOTE - function header comment in include/seccomp.h */
 int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action,
                           int syscall, unsigned int arg_cnt, ...)
 {
        int rc;
+       int iter;
+       struct scmp_arg_cmp arg_array[ARG_COUNT_MAX];
        va_list arg_list;
 
+       if (arg_cnt < 0 || arg_cnt > ARG_COUNT_MAX)
+               return -EINVAL;
+
        va_start(arg_list, arg_cnt);
-       rc = _seccomp_rule_add((struct db_filter_col *)ctx,
-                              1, action, syscall, arg_cnt, arg_list);
+       for (iter = 0; iter < arg_cnt; ++iter)
+               arg_array[iter] = va_arg(arg_list, struct scmp_arg_cmp);
+       rc = seccomp_rule_add_exact_array(ctx,
+                                         action, syscall, arg_cnt, arg_array);
        va_end(arg_list);
 
        return rc;


------------------------------------------------------------------------------
Own the Future-Intel&reg; Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest.
Compete for recognition, cash, and the chance to get your game 
on Steam. $5K grand prize plus 10 genre and skill prizes. 
Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss

[libseccomp-discuss] [RFC PATCH 1/3] api: Add array versions of seccomp_rule_add functions

Reply via email to