author | Paul Moore <pmoore@redhat.com> | 2012-03-06 12:50:15 -0500 |
---|---|---|
committer | Paul Moore <pmoore@redhat.com> | 2012-03-06 12:50:15 -0500 |
commit | 308ad5f1ef3efc0437bd428af4ff116c740b2754 (patch) | |
tree | ea334140bc44351e996ef8d4961caf3d8050a7f7 /tools | |
parent | e1d255f504953e55cb89d58dd8da88b93140e871 (diff) | |
download | libseccomp-308ad5f1ef3efc0437bd428af4ff116c740b2754.tar.gz |
all: add support for new actions
The latest seccomp patches support a number of actions, not just
allow/deny, so extend our code to support them.
#define SECCOMP_RET_KILL 0x00000000U
#define SECCOMP_RET_TRAP 0x00020000U
#define SECCOMP_RET_ERRNO 0x00030000U
#define SECCOMP_RET_ALLOW 0x7fff0000U
Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'tools')
-rw-r--r-- | tools/bpf_disasm.c | 11 | ||||
-rw-r--r-- | tools/bpf_sim.c | 43 |
2 files changed, 27 insertions, 27 deletions
diff --git a/tools/bpf_disasm.c b/tools/bpf_disasm.c
index 699ff3a..62c634f 100644
--- a/tools/bpf_disasm.c
+++ b/tools/bpf_disasm.c
@@ -211,9 +211,14 @@ static void bpf_decode_args(const struct bpf_instr *bpf, unsigned int line)
 /* XXX - accumulator? */
 printf("$acc");
 } else if (BPF_SRC(bpf->op) == BPF_K) {
- if (bpf->k == 0)
- printf("DENY");
- else if (bpf->k == 0xffffffff)
+ if (bpf->k == 0x00000000)
+ printf("KILL");
+ else if (bpf->k == 0x00020000)
+ printf("TRAP");
+ else if ((bpf->k & 0xffff0000) == 0x00030000)
+ printf("ERRNO(%u)",
+ (bpf->k & 0x0000ffff));
+ else if (bpf->k == 0x7fff0000)
 printf("ALLOW");
 else
 printf("0x%.8x", bpf->k);
diff --git a/tools/bpf_sim.c b/tools/bpf_sim.c
index 6d9e686..17c76cc 100644
--- a/tools/bpf_sim.c
+++ b/tools/bpf_sim.c
@@ -21,6 +21,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <inttypes.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -83,6 +84,7 @@ static void exit_fault(unsigned int rc)
 /**
 * Handle a BPF program error
 * @param rc the error or return code
+ * @param line the line number
 *
 * Print an "ERROR" to stderr to indicate a program error, and an errno value
 * if the simulator is running in verbose mode, then exit with ENOEXEC.
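Review bot: In bpf_decode_args the KILL, TRAP and ALLOW branches compare the whole 32-bit `bpf->k`, while the ERRNO branch masks the upper 16 bits, so a return value that carries one of those actions with non-zero low bits is printed as raw hex instead of by name. If the kernel selects the action from the upper 16 bits only (to be confirmed against the seccomp patches this commit tracks), masking every comparison, e.g. `else if ((bpf->k & 0xffff0000) == 0x00020000)`, would keep the listing in line with what is actually enforced. The same literals and the same exact-match pattern are repeated in end_action() in tools/bpf_sim.c, where a mismatch ends in `exit_error(EDOM, line)` rather than a reported action; named constants such as the SECCOMP_RET_* values quoted in the commit message, defined once and shared by both tools, would remove the duplication. The function body starts and ends outside this hunk.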
@@ -98,28 +100,25 @@ static void exit_error(unsigned int rc, unsigned int line)
 }
 
 /**
- * Handle a simulator ALLOW action
+ * Handle a simulator return/action
+ * @param action the return value
+ * @param line the line number
 *
- * Print an "ALLOW" to stdout to indicate that the BPF program would allow the
- * syscall/arguments provided on the command line and exit with 0.
+ * Display the action to stdout and exit with 0.
 *
 */
-static void end_allow(void)
+static void end_action(uint32_t action, unsigned int line)
 {
- fprintf(stdout, "ALLOW\n");
- exit(0);
-}
-
-/**
- * Handle a simulator DENY action
- *
- * Print a "DENY" to stdout to indicate that the BPF program would not allow
- * the syscall/arguments provided on the command line and exit with 0.
- *
- */
-static void end_deny(void)
-{
- fprintf(stdout, "DENY\n");
+ if (action == 0x00000000)
+ fprintf(stdout, "KILL");
+ else if (action == 0x00020000)
+ fprintf(stdout, "TRAP");
+ else if ((action & 0xffff0000) == 0x00030000)
+ fprintf(stdout, "ERRNO(%u)", (action & 0x0000ffff));
+ else if (action == 0x7fff0000)
+ fprintf(stdout, "ALLOW");
+ else
+ exit_error(EDOM, line);
 exit(0);
 }
 
@@ -183,12 +182,8 @@ static void bpf_execute(const struct bpf_program *prg,
 ip += bpf->jf;
 break;
 case BPF_RET+BPF_K:
- if (bpf->k == BPF_SCMP_DENY)
- end_deny();
- else if (bpf->k == BPF_SCMP_ALLOW)
- end_allow();
- else
- exit_error(EDOM, ip_c);
+ end_action(bpf->k, ip_c);
+ break;
 default:
 /* XXX - since we don't support the full bpf language
 * just yet, this could be either a fault or |
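Review bot: The action strings in end_action() are written without a trailing newline (`fprintf(stdout, "KILL");` and the three branches after it), whereas the removed end_allow()/end_deny() printed `"ALLOW\n"` and `"DENY\n"`. Anything that reads the simulator's verdict line by line will now see an unterminated last line, which may be unintended; if so, restore it in each branch, e.g. `fprintf(stdout, "ERRNO(%u)\n", (action & 0x0000ffff));`. The doc comment could also state that an unrecognised action value is reported through exit_error() with EDOM, and that end_action() never returns to its caller, which is why the `break` added after the call in bpf_execute is not reached.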