diff --git a/src/libcrun/seccomp.c b/src/libcrun/seccomp.c index be293a39f4..1e1602b9c6 100644 --- a/src/libcrun/seccomp.c +++ b/src/libcrun/seccomp.c @@ -107,36 +107,61 @@ syscall_seccomp (unsigned int operation, unsigned int flags, void *args) return (int) syscall (__NR_seccomp, operation, flags, args); } -static unsigned long -get_seccomp_operator (const char *name, libcrun_error_t *err) -{ #ifdef HAVE_SECCOMP - if (strcmp (name, "SCMP_CMP_NE") == 0) - return SCMP_CMP_NE; - if (strcmp (name, "SCMP_CMP_LT") == 0) - return SCMP_CMP_LT; - if (strcmp (name, "SCMP_CMP_LE") == 0) - return SCMP_CMP_LE; - if (strcmp (name, "SCMP_CMP_EQ") == 0) - return SCMP_CMP_EQ; - if (strcmp (name, "SCMP_CMP_GE") == 0) - return SCMP_CMP_GE; - if (strcmp (name, "SCMP_CMP_GT") == 0) - return SCMP_CMP_GT; - if (strcmp (name, "SCMP_CMP_MASKED_EQ") == 0) - return SCMP_CMP_MASKED_EQ; - - crun_make_error (err, 0, "seccomp get operator `%s`", name); - return 0; -#else - return 0; -#endif +static int +get_seccomp_operator (const char *name, enum scmp_compare *op, libcrun_error_t *err) +{ + const char *p; + + p = name; + if (strncmp (p, "SCMP_CMP_", 9)) + goto fail; + + p += 9; + + if (strcmp (p, "NE") == 0) + { + *op = SCMP_CMP_NE; + return 0; + } + if (strcmp (p, "LT") == 0) + { + *op = SCMP_CMP_LT; + return 0; + } + if (strcmp (p, "LE") == 0) + { + *op = SCMP_CMP_LE; + return 0; + } + if (strcmp (p, "EQ") == 0) + { + *op = SCMP_CMP_EQ; + return 0; + } + if (strcmp (p, "GE") == 0) + { + *op = SCMP_CMP_GE; + return 0; + } + if (strcmp (p, "GT") == 0) + { + *op = SCMP_CMP_GT; + return 0; + } + if (strcmp (p, "MASKED_EQ") == 0) + { + *op = SCMP_CMP_MASKED_EQ; + return 0; + } + +fail: + return crun_make_error (err, 0, "seccomp get operator `%s`", name); } -static unsigned long long -get_seccomp_action (const char *name, int errno_ret, libcrun_error_t *err) +static int +get_seccomp_action (const char *name, int errno_ret, uint32_t *action, libcrun_error_t *err) { -#ifdef HAVE_SECCOMP const char *p; p = name; @@ -146,39 +171,63 @@ get_seccomp_action (const char *name, int errno_ret, libcrun_error_t *err) p += 9; if (strcmp (p, "ALLOW") == 0) - return SCMP_ACT_ALLOW; - else if (strcmp (p, "ERRNO") == 0) - return SCMP_ACT_ERRNO (errno_ret); - else if (strcmp (p, "KILL") == 0) - return SCMP_ACT_KILL; + { + *action = SCMP_ACT_ALLOW; + return 0; + } + if (strcmp (p, "ERRNO") == 0) + { + *action = SCMP_ACT_ERRNO (errno_ret); + return 0; + } + if (strcmp (p, "KILL") == 0) + { + *action = SCMP_ACT_KILL; + return 0; + } # ifdef SCMP_ACT_LOG - else if (strcmp (p, "LOG") == 0) - return SCMP_ACT_LOG; + if (strcmp (p, "LOG") == 0) + { + *action = SCMP_ACT_LOG; + return 0; + } # endif - else if (strcmp (p, "TRAP") == 0) - return SCMP_ACT_TRAP; - else if (strcmp (p, "TRACE") == 0) - return SCMP_ACT_TRACE (errno_ret); + if (strcmp (p, "TRAP") == 0) + { + *action = SCMP_ACT_TRAP; + return 0; + } + if (strcmp (p, "TRACE") == 0) + { + *action = SCMP_ACT_TRACE (errno_ret); + return 0; + } # ifdef SCMP_ACT_KILL_PROCESS - else if (strcmp (p, "KILL_PROCESS") == 0) - return SCMP_ACT_KILL_PROCESS; + if (strcmp (p, "KILL_PROCESS") == 0) + { + *action = SCMP_ACT_KILL_PROCESS; + return 0; + } # endif # ifdef SCMP_ACT_KILL_THREAD - else if (strcmp (p, "KILL_THREAD") == 0) - return SCMP_ACT_KILL_THREAD; + if (strcmp (p, "KILL_THREAD") == 0) + { + *action = SCMP_ACT_KILL_THREAD; + return 0; + } # endif # ifdef SCMP_ACT_NOTIFY - else if (strcmp (p, "NOTIFY") == 0) - return SCMP_ACT_NOTIFY; + if (strcmp (p, "NOTIFY") == 0) + { + *action = SCMP_ACT_NOTIFY; + return 0; + } # endif fail: - crun_make_error (err, 0, "seccomp get action `%s`", name); - return 0; -#else - return 0; -#endif + return crun_make_error (err, 0, "seccomp get action `%s`", name); } +#endif static void make_lowercase (char *str) @@ -671,7 +720,8 @@ libcrun_generate_seccomp (struct libcrun_seccomp_gen_ctx_s *gen_ctx, libcrun_err int ret; size_t i; cleanup_seccomp scmp_filter_ctx ctx = NULL; - int action, default_action, default_errno_value = EPERM; + int default_errno_value = EPERM; + uint32_t action, default_action; const char *def_action = NULL; /* The bpf filter was loaded from the cache, nothing to do here. */ @@ -701,9 +751,9 @@ libcrun_generate_seccomp (struct libcrun_seccomp_gen_ctx_s *gen_ctx, libcrun_err default_errno_value = seccomp->default_errno_ret; } - default_action = get_seccomp_action (def_action, default_errno_value, err); - if (UNLIKELY (err && *err != NULL)) - return -1; + ret = get_seccomp_action (def_action, default_errno_value, &default_action, err); + if (UNLIKELY (ret < 0)) + return ret; ctx = seccomp_init (default_action); if (ctx == NULL) @@ -746,9 +796,9 @@ libcrun_generate_seccomp (struct libcrun_seccomp_gen_ctx_s *gen_ctx, libcrun_err errno_ret = seccomp->syscalls[i]->errno_ret; } - action = get_seccomp_action (seccomp->syscalls[i]->action, errno_ret, err); - if (UNLIKELY (err && *err != NULL)) - return -1; + ret = get_seccomp_action (seccomp->syscalls[i]->action, errno_ret, &action, err); + if (UNLIKELY (ret < 0)) + return ret; if (action == default_action) continue; @@ -800,9 +850,9 @@ libcrun_generate_seccomp (struct libcrun_seccomp_gen_ctx_s *gen_ctx, libcrun_err char *op = seccomp->syscalls[i]->args[k]->op; arg_cmp[k].arg = seccomp->syscalls[i]->args[k]->index; - arg_cmp[k].op = get_seccomp_operator (op, err); - if (arg_cmp[k].op == 0) - return crun_make_error (err, 0, "get_seccomp_operator"); + ret = get_seccomp_operator (op, &(arg_cmp[k].op), err); + if (UNLIKELY (ret < 0)) + return ret; arg_cmp[k].datum_a = seccomp->syscalls[i]->args[k]->value; arg_cmp[k].datum_b = seccomp->syscalls[i]->args[k]->value_two; }