Diffstat (limited to 'src')
-rw-r--r-- | src/api.c | 34 | ||||
-rw-r--r-- | src/python/libseccomp.pxd | 2 | ||||
-rw-r--r-- | src/python/seccomp.pyx | 25 |
3 files changed, 61 insertions, 0 deletions
@@ -83,6 +83,8 @@ static int _rc_filter(int err) * requested operation */ case -EOPNOTSUPP: /* NOTE: operation is not supported */ + case -ERANGE: + /* NOTE: provided buffer is too small */ case -ESRCH: /* NOTE: operation failed due to multi-threading */ return err; @@ -731,3 +733,35 @@ API int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd) return 0; } + +/* NOTE - function header comment in include/seccomp.h */ +API int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf, + size_t *len) +{ + int rc; + size_t buf_len; + struct db_filter_col *col; + struct bpf_program *program; + + if (_ctx_valid(ctx) || !len) + return _rc_filter(-EINVAL); + col = (struct db_filter_col *)ctx; + + rc = gen_bpf_generate(col, &program); + if (rc < 0) + return _rc_filter(rc); + buf_len = *len; + *len = BPF_PGM_SIZE(program); + + rc = 0; + if (buf) { + /* If we have a big enough buffer, write the program. */ + if (*len > buf_len) + rc = _rc_filter(-ERANGE); + else + memcpy(buf, program->blks, *len); + } + gen_bpf_release(program); + + return rc; +} diff --git a/src/python/libseccomp.pxd b/src/python/libseccomp.pxd index 0629bf1..6175c8a 100644 --- a/src/python/libseccomp.pxd +++ b/src/python/libseccomp.pxd @@ -167,6 +167,8 @@ cdef extern from "seccomp.h": int seccomp_export_pfc(scmp_filter_ctx ctx, int fd) int seccomp_export_bpf(scmp_filter_ctx ctx, int fd) + int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf, + size_t *len) # kate: syntax python; # kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx index 2eeabc1..73f6625 100644 --- a/src/python/seccomp.pyx +++ b/src/python/seccomp.pyx 
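Review bot: The in/out contract of `*len` in `seccomp_export_bpf_mem` (src/api.c) is not documented next to the code. `*len` is overwritten with `BPF_PGM_SIZE(program)` before the capacity check, so on `-ERANGE` the caller gets back the required size rather than the capacity it passed in, and when `buf` is NULL the incoming `*len` is never compared against anything. Callers will size their buffers from this behaviour, and the only description is the header comment in include/seccomp.h, which this diff does not show. I would add a comment above `buf_len = *len;`, for example `/* *len: capacity of buf on entry (unused if buf is NULL); required size on return, including on -ERANGE */`, and confirm the header comment says the same.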
@@ -80,10 +80,12 @@ Example: __author__ = 'Paul Moore <paul@paul-moore.com>' __date__ = "3 February 2017" +from cpython cimport array from cpython.version cimport PY_MAJOR_VERSION from libc.stdint cimport int8_t, int16_t, int32_t, int64_t from libc.stdint cimport uint8_t, uint16_t, uint32_t, uint64_t from libc.stdlib cimport free +import array import errno cimport libseccomp @@ -1044,5 +1046,28 @@ cdef class SyscallFilter: if rc != 0: raise RuntimeError(str.format("Library error (errno = {0})", rc)) + def export_bpf_mem(self): + """ Export the filter in BPF format. + + Description: + Return the filter in Berkeley Packet Filter (BPF) as bytes. + The output is identical to what is loaded into the Linux Kernel. + """ + cdef size_t len = 0 + + # Figure out how big the program is. + rc = libseccomp.seccomp_export_bpf_mem(self._ctx, NULL, <size_t *>&len) + if rc != 0: + raise RuntimeError(str.format("Library error (errno = {0})", rc)) + + # Get the program. + cdef array.array data = array.array('b', bytes(len)) + cdef char[:] program = data + rc = libseccomp.seccomp_export_bpf_mem(self._ctx, <void *>&program[0], + <size_t *>&len) + if rc != 0: + raise RuntimeError(str.format("Library error (errno = {0})", rc)) + return program + # kate: syntax python; # kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; |
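Review bot: In `export_bpf_mem` the buffer passed to the second `seccomp_export_bpf_mem` call is `len` bytes long only if `bytes(len)` yields `len` zero bytes. That holds on Python 3 but not on Python 2, where `bytes` is `str` and `bytes(len)` is the decimal text of the number. The file cimports `PY_MAJOR_VERSION`, which suggests Python 2 is still a build target (not confirmed from this hunk); there the array would be a few bytes long while `len` still carries the full program size as the capacity, so the C side's `memcpy` would write past the end of it. Sizing the array explicitly removes the dependency: `cdef array.array data = array.array('b', b'\0' * len)`. Separately, the docstring says the filter is returned as bytes, but the method returns the `char[:]` view `program`; either convert before returning or correct the docstring.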