author | Vitaly Vi Shukela <vi0oss@gmail.com> | 2013-03-26 10:58:28 -0400 |
---|---|---|
committer | Paul Moore <pmoore@redhat.com> | 2013-03-26 10:58:28 -0400 |
commit | 10e75c277a14ce7ea4f03ba13042a915f1439060 (patch) | |
tree | 2628ea854424553cec9bff307e72f127d61ca9ef | |
parent | 746ee19e3e253ce7580a2aad0d03e51029d2259f (diff) | |
download | libseccomp-10e75c277a14ce7ea4f03ba13042a915f1439060.tar.gz |
api: Add array versions of seccomp_rule_add functions
Signed-off-by: Vitaly Vi Shukela <vi0oss@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
-rw-r--r-- | include/seccomp.h.in | 41 | ||||
-rw-r--r-- | src/api.c | 57 |
2 files changed, 92 insertions, 6 deletions
diff --git a/include/seccomp.h.in b/include/seccomp.h.in
index b21205c..2c5f7cd 100644
--- a/include/seccomp.h.in
+++ b/include/seccomp.h.in
@@ -389,6 +389,27 @@ int seccomp_syscall_priority(scmp_filter_ctx ctx,
 int seccomp_rule_add(scmp_filter_ctx ctx,
  uint32_t action, int syscall, unsigned int arg_cnt, ...);
 
+
+/**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt the number of elements in the arg_array parameter
+ * @param arg_array array of scmp_arg_cmp structs
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule needs to be adjusted due to architecture specifics it
+ * will be adjusted without notification. Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int seccomp_rule_add_array(scmp_filter_ctx ctx,
+ uint32_t action, int syscall, unsigned int arg_cnt,
+ const struct scmp_arg_cmp *arg_array);
+
 /**
  * Add a new rule to the filter
  * @param ctx the filter context
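Review bot: The new seccomp_rule_add_array header comment says only "Returns zero on success, negative values on failure" and does not tell callers the two input conditions the implementation rejects with -EINVAL: arg_cnt larger than ARG_COUNT_MAX, and a NULL arg_array with arg_cnt > 0 (both checks are in the src/api.c hunks of this commit). It also does not state that the array is only read during the call; the implementation copies each element (`arg_data = arg_array[iter]`), so the caller may free or reuse the array afterwards, which is the fact an API user most needs. Suggested addition after the @param lines: ` * The arg_array contents are copied and not referenced after the call; arg_cnt must not exceed ARG_COUNT_MAX and arg_array must be non-NULL when arg_cnt > 0, otherwise -EINVAL is returned.` The same wording applies to the seccomp_rule_add_exact_array comment in the second seccomp.h.in hunk.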
@@ -408,6 +429,26 @@ int seccomp_rule_add_exact(scmp_filter_ctx ctx,
  uint32_t action, int syscall, unsigned int arg_cnt, ...);
 
 /**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt the number of elements in the arg_array parameter
+ * @param arg_array array of scmp_arg_cmp structs
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule can not be represented on the architecture the
+ * function will fail. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_rule_add_exact_array(scmp_filter_ctx ctx,
+ uint32_t action, int syscall,
+ unsigned int arg_cnt,
+ const struct scmp_arg_cmp *arg_array);
+
+/**
  * Generate seccomp Pseudo Filter Code (PFC) and export it to a file
  * @param ctx the filter context
  * @param fd the destination fd
@@ -365,7 +365,8 @@ syscall_priority_failure:
  */
 static int _seccomp_rule_add(struct db_filter_col *col,
  unsigned int strict, uint32_t action, int syscall,
- unsigned int arg_cnt, va_list arg_list)
+ unsigned int arg_cnt,
+ const struct scmp_arg_cmp *arg_array)
 {
  int rc = 0, rc_tmp;
  int sc_tmp;
@@ -377,6 +378,9 @@ static int _seccomp_rule_add(struct db_filter_col *col,
  struct db_api_arg *chain = NULL, *chain_tmp;
  struct scmp_arg_cmp arg_data;
 
+ if (arg_cnt > 0 && arg_array == NULL)
+ return -EINVAL;
+
  if (db_col_valid(col) || _syscall_valid(syscall))
  return -EINVAL;
 
@@ -397,7 +401,7 @@ static int _seccomp_rule_add(struct db_filter_col *col,
  return -ENOMEM;
  memset(chain, 0, chain_size);
  for (iter = 0; iter < arg_cnt; iter++) {
- arg_data = va_arg(arg_list, struct scmp_arg_cmp);
+ arg_data = arg_array[iter];
  arg_num = arg_data.arg;
  if (arg_num < chain_len && chain[arg_num].valid == 0) {
  chain[arg_num].valid = 1;
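Review bot: The signature of _seccomp_rule_add changes from a va_list to an element count plus pointer, but the function's header comment, which closes on the ` */` context line at the top of the -365 hunk, is not touched by the commit; if it still names `arg_list` it now documents a parameter that no longer exists. I would add to that comment `@param arg_cnt the number of entries in arg_array` and `@param arg_array array of scmp_arg_cmp structs; must be non-NULL when arg_cnt > 0, otherwise -EINVAL is returned`, the latter matching the guard added in the -377 hunk. Note that this static function performs no upper-bound check of its own; it relies on every caller enforcing the ARG_COUNT_MAX limit, which is worth stating in the comment so a future internal caller does not skip it. The body of _seccomp_rule_add continues outside these hunks.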
@@ -479,30 +483,71 @@ rule_add_return:
 }
 
 /* NOTE - function header comment in include/seccomp.h */
+int seccomp_rule_add_array(scmp_filter_ctx ctx,
+ uint32_t action, int syscall, unsigned int arg_cnt,
+ const struct scmp_arg_cmp *arg_array)
+{
+ if (arg_cnt < 0 || arg_cnt > ARG_COUNT_MAX)
+ return -EINVAL;
+
+ return _seccomp_rule_add((struct db_filter_col *)ctx,
+ 0, action, syscall, arg_cnt, arg_array);
+}
+
+
+/* NOTE - function header comment in include/seccomp.h */
 int seccomp_rule_add(scmp_filter_ctx ctx,
  uint32_t action, int syscall, unsigned int arg_cnt, ...)
 {
  int rc;
+ int iter;
+ struct scmp_arg_cmp arg_array[ARG_COUNT_MAX];
  va_list arg_list;
 
+ if (arg_cnt < 0 || arg_cnt > ARG_COUNT_MAX)
+ return -EINVAL;
+
  va_start(arg_list, arg_cnt);
- rc = _seccomp_rule_add((struct db_filter_col *)ctx,
- 0, action, syscall, arg_cnt, arg_list);
+ for (iter = 0; iter < arg_cnt; ++iter)
+ arg_array[iter] = va_arg(arg_list, struct scmp_arg_cmp);
+ rc = seccomp_rule_add_array(ctx, action, syscall, arg_cnt, arg_array);
  va_end(arg_list);
 
  return rc;
 }
 
+
+/* NOTE - function header comment in include/seccomp.h */
+int seccomp_rule_add_exact_array(scmp_filter_ctx ctx,
+ uint32_t action, int syscall,
+ unsigned int arg_cnt,
+ const struct scmp_arg_cmp *arg_array)
+{
+ if (arg_cnt < 0 || arg_cnt > ARG_COUNT_MAX)
+ return -EINVAL;
+
+ return _seccomp_rule_add((struct db_filter_col *)ctx,
+ 1, action, syscall, arg_cnt, arg_array);
+}
+
+
 /* NOTE - function header comment in include/seccomp.h */
 int seccomp_rule_add_exact(scmp_filter_ctx ctx,
  uint32_t action, int syscall, unsigned int arg_cnt, ...)
 {
  int rc;
+ int iter;
+ struct scmp_arg_cmp arg_array[ARG_COUNT_MAX];
  va_list arg_list;
 
+ if (arg_cnt < 0 || arg_cnt > ARG_COUNT_MAX)
+ return -EINVAL;
+
  va_start(arg_list, arg_cnt);
- rc = _seccomp_rule_add((struct db_filter_col *)ctx,
- 1, action, syscall, arg_cnt, arg_list);
+ for (iter = 0; iter < arg_cnt; ++iter)
+ arg_array[iter] = va_arg(arg_list, struct scmp_arg_cmp);
+ rc = seccomp_rule_add_exact_array(ctx,
+ action, syscall, arg_cnt, arg_array);
  va_end(arg_list);
 
  return rc;
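Review bot: `if (arg_cnt < 0 || arg_cnt > ARG_COUNT_MAX)` in the new seccomp_rule_add_array, and the identical checks added to seccomp_rule_add, seccomp_rule_add_exact_array and seccomp_rule_add_exact, compare an `unsigned int` against 0, so the `arg_cnt < 0` half can never be true and -Wextra/-Wtype-limits reports it as a tautology. The check that actually matters is the upper bound, which protects the fixed `arg_array[ARG_COUNT_MAX]` buffer the variadic wrappers fill from the va_list, so it should read `if (arg_cnt > ARG_COUNT_MAX) return -EINVAL;` in all four places. In the two variadic wrappers `int iter` is compared with the unsigned `arg_cnt` in the copy loop; declaring it `unsigned int iter;` removes the sign-compare warning without changing behaviour. The guard is correctly placed before va_start, so no va_list is left open on the error path.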