authorPaul Moore <pmoore@redhat.com>2013-01-29 10:18:07 -0500
committerPaul Moore <pmoore@redhat.com>2013-03-26 18:15:10 -0400
commit7d04a6cf698b2ac9e2fd2a80d1ffb356dfe5d370 (patch)
tree586dbe84b6dc6452b04d92fe3cb4926171868592
parente086d439fe8a5cc428de1144d3ee13ea71da5121 (diff)
downloadlibseccomp-7d04a6cf698b2ac9e2fd2a80d1ffb356dfe5d370.tar.gz
arch: disconnect the BPF arch token from the libseccomp token
Unfortunately, the x32 ABI shares the same architecture token with x86_64 in the kernel, so we need to separate the arch token we use in the BPF filter from the arch token we use for identifying the arch/ABI to libseccomp callers. Signed-off-by: Paul Moore <pmoore@redhat.com>
-rw-r--r--src/api.c16
-rw-r--r--src/arch-i386.c3
-rw-r--r--src/arch-x86_64.c3
-rw-r--r--src/arch.c50
-rw-r--r--src/arch.h3
-rw-r--r--src/gen_bpf.c4
-rw-r--r--src/gen_pfc.c8
-rw-r--r--tools/sys_resolver.c2
8 files changed, 37 insertions, 52 deletions
diff --git a/src/api.c b/src/api.c
index aa8edf0..d524c26 100644
--- a/src/api.c
+++ b/src/api.c
@@ -76,7 +76,7 @@ scmp_filter_ctx seccomp_init(uint32_t def_action)
col = db_col_init(def_action);
if (col == NULL)
return NULL;
- db = db_init(&arch_def_native);
+ db = db_init(arch_def_native);
if (db == NULL)
goto init_failure_col;
@@ -104,7 +104,7 @@ int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action)
db_col_reset(col, def_action);
- db = db_init(&arch_def_native);
+ db = db_init(arch_def_native);
if (db == NULL)
return -ENOMEM;
rc = db_col_db_add(col, db);
@@ -143,7 +143,7 @@ int seccomp_merge(scmp_filter_ctx ctx_dst, scmp_filter_ctx ctx_src)
/* NOTE - function header comment in include/seccomp.h */
uint32_t seccomp_arch_native(void)
{
- return arch_def_native.token;
+ return arch_def_native->token;
}
/* NOTE - function header comment in include/seccomp.h */
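Review bot: seccomp_arch_native() now returns arch_def_native->token, which after this commit holds an SCMP_ARCH_* value where it previously held the AUDIT_ARCH_* value; if those constants are not numerically identical, this is a visible change to a public return value and to what seccomp_arch_add()/seccomp_arch_exist() accept. The header comment in include/seccomp.h that the hunk refers to should state which identifier space the token lives in, e.g. `/* the native arch is returned as a libseccomp SCMP_ARCH_* token, not the kernel's AUDIT_ARCH_* value */`. The same consideration applies to the `arch_token = arch_def_native->token` defaults in the remaining api.c hunks below.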
@@ -152,7 +152,7 @@ int seccomp_arch_exist(const scmp_filter_ctx ctx, uint32_t arch_token)
struct db_filter_col *col = (struct db_filter_col *)ctx;
if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
if (arch_valid(arch_token))
return -EINVAL;
@@ -169,7 +169,7 @@ int seccomp_arch_add(scmp_filter_ctx ctx, uint32_t arch_token)
struct db_filter_col *col = (struct db_filter_col *)ctx;
if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
if (arch_valid(arch_token))
return -EINVAL;
@@ -195,7 +195,7 @@ int seccomp_arch_remove(scmp_filter_ctx ctx, uint32_t arch_token)
struct db_filter_col *col = (struct db_filter_col *)ctx;
if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
if (arch_valid(arch_token))
return -EINVAL;
@@ -261,7 +261,7 @@ char *seccomp_syscall_resolve_num_arch(uint32_t arch_token, int num)
const char *name;
if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
if (arch_valid(arch_token))
return NULL;
arch = arch_def_lookup(arch_token);
@@ -284,7 +284,7 @@ int seccomp_syscall_resolve_name_arch(uint32_t arch_token, const char *name)
return -EINVAL;
if (arch_token == 0)
- arch_token = arch_def_native.token;
+ arch_token = arch_def_native->token;
if (arch_valid(arch_token))
return -EINVAL;
arch = arch_def_lookup(arch_token);
diff --git a/src/arch-i386.c b/src/arch-i386.c
index 8605e25..3738da7 100644
--- a/src/arch-i386.c
+++ b/src/arch-i386.c
@@ -31,7 +31,8 @@
#define __i386_NR_ipc 117
const struct arch_def arch_def_i386 = {
- .token = AUDIT_ARCH_I386,
+ .token = SCMP_ARCH_X86,
+ .token_bpf = AUDIT_ARCH_I386,
.size = ARCH_SIZE_32,
.endian = ARCH_ENDIAN_LITTLE,
};
diff --git a/src/arch-x86_64.c b/src/arch-x86_64.c
index 9f6af9c..55656c2 100644
--- a/src/arch-x86_64.c
+++ b/src/arch-x86_64.c
@@ -27,7 +27,8 @@
#include "arch-x86_64.h"
const struct arch_def arch_def_x86_64 = {
- .token = AUDIT_ARCH_X86_64,
+ .token = SCMP_ARCH_X86_64,
+ .token_bpf = AUDIT_ARCH_X86_64,
.size = ARCH_SIZE_64,
.endian = ARCH_ENDIAN_LITTLE,
};
diff --git a/src/arch.c b/src/arch.c
index 4758296..c515e34 100644
--- a/src/arch.c
+++ b/src/arch.c
@@ -32,32 +32,14 @@
#include "arch-x86_64.h"
#include "system.h"
-const struct arch_def arch_def_native = {
#if __i386__
- .token = AUDIT_ARCH_I386,
+const struct arch_def *arch_def_native = &arch_def_i386;
#elif __x86_64__
- .token = AUDIT_ARCH_X86_64,
+const struct arch_def *arch_def_native = &arch_def_x86_64;
#else
#error the arch code needs to know about your machine type
#endif /* machine type guess */
-#if __BITS_PER_LONG == 32
- .size = ARCH_SIZE_32,
-#elif __BITS_PER_LONG == 64
- .size = ARCH_SIZE_64,
-#else
- .size = ARCH_SIZE_UNSPEC,
-#endif /* BITS_PER_LONG */
-
-#if __BYTE_ORDER == __LITTLE_ENDIAN
- .endian = ARCH_ENDIAN_LITTLE,
-#elif __BYTE_ORDER == __BIG_ENDIAN
- .endian = ARCH_ENDIAN_BIG,
-#else
- .endian = ARCH_ENDIAN_UNSPEC,
-#endif /* __BYTE_ORDER */
-};
-
/**
* Validate the architecture token
* @param arch the architecture token
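Review bot: The removed `__BITS_PER_LONG` block was the only thing in this file that could tell an x32 build apart from x86_64; with the new code `__x86_64__` selects arch_def_x86_64 (ARCH_SIZE_64) for both, which appears to be exactly the configuration the commit message says motivates the change. Until a dedicated x32 arch_def exists it would be safer to reject that build explicitly with a branch checked before the plain `__x86_64__` one, e.g. `#if defined(__x86_64__) && defined(__ILP32__)` followed by `#error x32 is not yet supported by the arch code`. This is inferred from the commit message rather than from code on the page, so confirm whether x32 is meant to be buildable at this point.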
@@ -68,8 +50,8 @@ const struct arch_def arch_def_native = {
int arch_valid(uint32_t arch)
{
switch (arch) {
- case AUDIT_ARCH_I386:
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86:
+ case SCMP_ARCH_X86_64:
return 0;
}
@@ -86,10 +68,10 @@ int arch_valid(uint32_t arch)
static const struct arch_syscall_def *_arch_syscall_lookup(uint32_t token)
{
switch (token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
return i386_syscall_table;
break;
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
return x86_64_syscall_table;
break;
}
@@ -107,10 +89,10 @@ static const struct arch_syscall_def *_arch_syscall_lookup(uint32_t token)
const struct arch_def *arch_def_lookup(uint32_t token)
{
switch (token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
return &arch_def_i386;
break;
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
return &arch_def_x86_64;
break;
}
@@ -129,9 +111,9 @@ const struct arch_def *arch_def_lookup(uint32_t token)
int arch_arg_count_max(const struct arch_def *arch)
{
switch (arch->token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
return i386_arg_count_max;
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
return x86_64_arg_count_max;
default:
return -EDOM;
@@ -151,7 +133,7 @@ int arch_arg_count_max(const struct arch_def *arch)
int arch_arg_offset_lo(const struct arch_def *arch, unsigned int arg)
{
switch (arch->token) {
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
return x86_64_arg_offset_lo(arg);
default:
return -EDOM;
@@ -171,7 +153,7 @@ int arch_arg_offset_lo(const struct arch_def *arch, unsigned int arg)
int arch_arg_offset_hi(const struct arch_def *arch, unsigned int arg)
{
switch (arch->token) {
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
return x86_64_arg_offset_hi(arg);
default:
return -EDOM;
@@ -249,8 +231,8 @@ int arch_syscall_translate(const struct arch_def *arch, int *syscall)
int sc_num;
const char *sc_name;
- if (arch->token != arch_def_native.token) {
- sc_name = arch_syscall_resolve_num(&arch_def_native, *syscall);
+ if (arch->token != arch_def_native->token) {
+ sc_name = arch_syscall_resolve_num(arch_def_native, *syscall);
if (sc_name == NULL)
return -EFAULT;
@@ -292,7 +274,7 @@ int arch_syscall_rewrite(const struct arch_def *arch, unsigned int strict,
} else if (sys <= -100 && sys > -10000) {
/* rewritable syscalls */
switch (arch->token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
return i386_syscall_rewrite(arch, strict, syscall);
}
/* NOTE: we fall through to the default handling (strict?) if
@@ -335,7 +317,7 @@ int arch_filter_rewrite(const struct arch_def *arch,
} else if (sys <= -100 && sys > -10000) {
/* rewritable syscalls */
switch (arch->token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
return i386_filter_rewrite(arch,
strict, syscall, chain);
}
diff --git a/src/arch.h b/src/arch.h
index 98f2dc0..061c2cc 100644
--- a/src/arch.h
+++ b/src/arch.h
@@ -33,6 +33,7 @@ struct db_api_arg;
struct arch_def {
uint32_t token;
+ uint32_t token_bpf;
enum {
ARCH_SIZE_UNSPEC = 0,
ARCH_SIZE_32 = 32,
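Review bot: The new token_bpf field is undocumented, and the two adjacent uint32_t tokens are now easy to confuse because they deliberately carry different values. Document both at the declaration: `uint32_t token;     /* libseccomp arch token (SCMP_ARCH_*) used by the public API */` and `uint32_t token_bpf; /* kernel arch token (AUDIT_ARCH_*) emitted into the BPF arch check */`. struct arch_def continues past the end of the hunk.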
@@ -46,7 +47,7 @@ struct arch_def {
};
/* arch_def for the current architecture */
-extern const struct arch_def arch_def_native;
+extern const struct arch_def *arch_def_native;
/* NOTE: Syscall mappings can be found by running the following commands
* on the specific architecture's include file:
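Review bot: arch_def_native changed from a const object to a pointer that is itself writable (`const struct arch_def *arch_def_native`), so any translation unit in the library can now repoint the native architecture definition that filter generation and syscall translation key off, whereas before the whole object was read-only. Declare the pointer const as well: `extern const struct arch_def *const arch_def_native;` here, and `const struct arch_def *const arch_def_native = &arch_def_i386;` (plus the x86_64 twin) in the src/arch.c hunk at -32,32. Every use in this diff only reads through the pointer, so this should compile unchanged.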
diff --git a/src/gen_bpf.c b/src/gen_bpf.c
index 7fec966..b1287e5 100644
--- a/src/gen_bpf.c
+++ b/src/gen_bpf.c
@@ -1150,7 +1150,7 @@ static struct bpf_blk *_gen_bpf_arch(struct bpf_state *state,
_BPF_INSTR(instr, BPF_JMP+BPF_JEQ,
_BPF_JMP_HSH(b_head->hash),
_BPF_JMP_NXT(blk_cnt),
- _BPF_K(db->arch->token));
+ _BPF_K(db->arch->token_bpf));
b_head->prev = _blk_append(state, NULL, &instr);
if (b_head->prev == NULL)
goto arch_failure;
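Review bot: The arch check now keys on token_bpf, which the commit message says x32 and x86_64 share in the kernel; if two arch_def entries with the same token_bpf are ever both present in a filter collection, _gen_bpf_arch would emit a JEQ on the same value for each, and the later block would likely never be reached because the first match wins. A comment at the `_BPF_K(db->arch->token_bpf)` line would make that constraint explicit, e.g. `/* token_bpf is the kernel's view of the arch; ABIs that share it (x32/x86_64) need a further discriminator before this check alone is sufficient */`. The same applies to the default-action arch check in the next hunk at -1160. _gen_bpf_arch starts and ends outside the hunk.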
@@ -1160,7 +1160,7 @@ static struct bpf_blk *_gen_bpf_arch(struct bpf_state *state,
/* arch check */
_BPF_INSTR(instr, BPF_JMP+BPF_JEQ,
_BPF_JMP_HSH(state->def_hsh), _BPF_JMP_NXT(0),
- _BPF_K(db->arch->token));
+ _BPF_K(db->arch->token_bpf));
b_head = _blk_append(state, NULL, &instr);
if (b_head == NULL)
goto arch_failure;
diff --git a/src/gen_pfc.c b/src/gen_pfc.c
index 7d4463b..e19d053 100644
--- a/src/gen_pfc.c
+++ b/src/gen_pfc.c
@@ -49,9 +49,9 @@ struct pfc_sys_list {
static const char *_pfc_arch(const struct arch_def *arch)
{
switch (arch->token) {
- case AUDIT_ARCH_I386:
+ case SCMP_ARCH_X86:
return "x86";
- case AUDIT_ARCH_X86_64:
+ case SCMP_ARCH_X86_64:
return "x86_64";
default:
return "UNKNOWN";
@@ -261,8 +261,8 @@ static int _gen_pfc_arch(const struct db_filter_col *col,
}
fprintf(fds, "# filter for arch %s (%u)\n",
- _pfc_arch(db->arch), db->arch->token);
- fprintf(fds, "if ($arch == %u)\n", db->arch->token);
+ _pfc_arch(db->arch), db->arch->token_bpf);
+ fprintf(fds, "if ($arch == %u)\n", db->arch->token_bpf);
p_iter = p_head;
while (p_iter != NULL) {
if (p_iter->sys->valid == 0)
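Review bot: Both rewritten fprintf lines pass a uint32_t (token_bpf) to `%u`; that works where unsigned int is 32 bits, but the portable form is `"%" PRIu32` from <inttypes.h>, and since these lines are being touched anyway it is a cheap correction. The human-readable `# filter for arch %s (%u)` line now prints the kernel audit value, while only the `if ($arch == %u)` line actually needs it for the comparison; if the comment line is meant for readers, printing the libseccomp token (`db->arch->token`) there as well would keep the two identifiers distinguishable in the PFC output. _gen_pfc_arch starts and ends outside the hunk.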
diff --git a/tools/sys_resolver.c b/tools/sys_resolver.c
index 6358b30..8a7f361 100644
--- a/tools/sys_resolver.c
+++ b/tools/sys_resolver.c
@@ -51,7 +51,7 @@ int main(int argc, char *argv[])
{
int opt;
int translate = 0;
- const struct arch_def *arch = &arch_def_native;
+ const struct arch_def *arch = arch_def_native;
int sys_num;
/* parse the command line */