Skip to content

RFE: add support for comparisons against 32-bit arguments #384

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jhenstridge wants to merge 8 commits into
base: main
Choose a base branch
from
+595 −399
Open

RFE: add support for comparisons against 32-bit arguments #384

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
ad65b76
api: Add a SCMP_CMP_32BIT flag bit that can be combined with existing…
jhenstridge May 9, 2022
b6b2e21
db: extract per db_api_arg portion of _db_rule_gen_32 into its own fu…
jhenstridge May 10, 2022
9090c42
db: extract 64-bit comparison generation into _db_rule_gen_arg_64
jhenstridge May 11, 2022
0936a72
db: merge _db_rule_gen_64 and _db_rule_gen_32
jhenstridge May 11, 2022
b86348b
db: generate 32-bit comparisons on 64-bit architectures if SCMP_CMP_3…
jhenstridge May 11, 2022
3a13808
tests: add a test covering forced 32-bit comparisons
jhenstridge May 12, 2022
d472727
db: return EINVAL if there are any unknown flags set in the compariso…
jhenstridge May 12, 2022
518493f
tests: add Python version of 32-bit comparison test program
jhenstridge May 18, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions include/seccomp.h.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,9 @@ enum scmp_compare {
SCMP_CMP_GT = 6, /**< greater than */
SCMP_CMP_MASKED_EQ = 7, /**< masked equality */
_SCMP_CMP_MAX,

SCMP_CMP_OPMASK = 0xFFFF,
SCMP_CMP_32BIT = 1 << 16, /**< operation is 32-bit */
Copy link
Copy Markdown
Member

@pcmoore pcmoore May 27, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still working my way through this PR, but I think we want to move SCMP_CMP_OPMASK and SCMP_CMP_32BIT out of the enum and have them be standalone preprocessor macros/constants.

Copy link
Copy Markdown
Member

@pcmoore pcmoore May 27, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess if we do that we need to add a "filler" value to cause the enum to be a certain size, which feels a little icky but I think it's okay if we make sure to represent all of the flag space, e.g.

enum scmp_compare {
	_SCMP_CMP_MIN = 0,
	SCMP_CMP_NE = 1,
	SCMP_CMP_LT = 2,
	SCMP_CMP_LE = 3,
	SCMP_CMP_EQ = 4,
	SCMP_CMP_GE = 5,
	SCMP_CMP_GT = 6,
	SCMP_CMP_MASKED_EQ = 7,
	_SCMP_CMP_MAX,
	_SCMP_CMP_OPMASK = 0x0000FFFF,
	_SCMP_CMP_FLAGMASK = 0xFFFF0000,
};

Copy link
Copy Markdown
Member

@pcmoore pcmoore May 27, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

... which somewhat questions the value of moving the flag definitions out of the enum and into their own macros/constants, but that still seems like a goodish idea to me at this point.

};

/**
Expand Down
3 changes: 2 additions & 1 deletion src/db.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2316,7 +2316,8 @@ int db_col_rule_add(struct db_filter_col *col,
if (arg_num < ARG_COUNT_MAX && chain[arg_num].valid == 0) {
chain[arg_num].valid = 1;
chain[arg_num].arg = arg_num;
chain[arg_num].op = arg_data.op;
chain[arg_num].op = arg_data.op & SCMP_CMP_OPMASK;
chain[arg_num].is_32bit = (arg_data.op & SCMP_CMP_32BIT) != 0;
/* TODO: we should check datum/mask size against the
* arch definition, e.g. 64 bit datum on x86 */
switch (chain[arg_num].op) {
Expand Down
1 change: 1 addition & 0 deletions src/db.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ struct db_api_arg {
scmp_datum_t datum;

bool valid;
bool is_32bit;
Copy link
Copy Markdown
Member

@pcmoore pcmoore May 27, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I'd prefer to drop the is_32bit flag and just preserve the SCMP_CMP_XXX flags in the db_api_arg::op field; there aren't that many places that check the comparison op so masking them shouldn't be too terrible. If necessary we can always wrap it in a preprocessor macro, e.g.

#define CMP_OP(x) (x & __SCMP_CMP_OPMASK)
#define CMP_FLAGS(x) (x & __SCMP_CMP_FLAGMASK)

};

struct db_api_rule_list {
Expand Down