linux/samples/seccomp/bpf-helper.c

/*
 * Seccomp BPF helper functions
 *
 * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
 * Author: Will Drewry <wad@chromium.org>
 *
 * The code may be used by anyone for any purpose,
 * and can serve as a starting point for developing
 * applications using prctl(PR_ATTACH_SECCOMP_FILTER).
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "bpf-helper.h"

int bpf_resolve_jumps(struct bpf_labels *labels,
		      struct sock_filter *filter, size_t count)
{
	struct sock_filter *begin = filter;
	__u8 insn = count - 1;

	if (count < 1)
		return -1;
	/*
	* Walk it once, backwards, to build the label table and do fixups.
	* Since backward jumps are disallowed by BPF, this is easy.
	*/
	filter += insn;
	for (; filter >= begin; --insn, --filter) {
		if (filter->code != (BPF_JMP+BPF_JA))
			continue;
		switch ((filter->jt<<8)|filter->jf) {
		case (JUMP_JT<<8)|JUMP_JF:
			if (labels->labels[filter->k].location == 0xffffffff) {
				fprintf(stderr, "Unresolved label: '%s'\n",
					labels->labels[filter->k].label);
				return 1;
			}
			filter->k = labels->labels[filter->k].location -
				    (insn + 1);
			filter->jt = 0;
			filter->jf = 0;
			continue;
		case (LABEL_JT<<8)|LABEL_JF:
			if (labels->labels[filter->k].location != 0xffffffff) {
				fprintf(stderr, "Duplicate label use: '%s'\n",
					labels->labels[filter->k].label);
				return 1;
			}
			labels->labels[filter->k].location = insn;
			filter->k = 0; /* fall through */
			filter->jt = 0;
			filter->jf = 0;
			continue;
		}
	}
	return 0;
}

/* Simple lookup table for labels. */
__u32 seccomp_bpf_label(struct bpf_labels *labels, const char *label)
{
	struct __bpf_label *begin = labels->labels, *end;
	int id;

	if (labels->count == BPF_LABELS_MAX) {
		fprintf(stderr, "Too many labels\n");
		exit(1);
	}
	if (labels->count == 0) {
		begin->label = label;
		begin->location = 0xffffffff;
		labels->count++;
		return 0;
	}
	end = begin + labels->count;
	for (id = 0; begin < end; ++begin, ++id) {
		if (!strcmp(label, begin->label))
			return id;
	}
	begin->label = label;
	begin->location = 0xffffffff;
	labels->count++;
	return id;
}

void seccomp_bpf_print(struct sock_filter *filter, size_t count)
{
	struct sock_filter *end = filter + count;
	for ( ; filter < end; ++filter)
		printf("{ code=%u,jt=%u,jf=%u,k=%u },\n",
			filter->code, filter->jt, filter->jf, filter->k);
}
Documentation: prctl/seccomp_filter Documents how system call filtering using Berkeley Packet Filter programs works and how it may be used. Includes an example for x86 and a semi-generic example using a macro-based code generator. Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: Will Drewry <wad@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> v18: - added acked by - update no new privs numbers v17: - remove @compat note and add Pitfalls section for arch checking (keescook@chromium.org) v16: - v15: - v14: - rebase/nochanges v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc v12: - comment on the ptrace_event use - update arch support comment - note the behavior of SECCOMP_RET_DATA when there are multiple filters (keescook@chromium.org) - lots of samples/ clean up incl 64-bit bpf-direct support (markus@chromium.org) - rebase to linux-next v11: - overhaul return value language, updates (keescook@chromium.org) - comment on do_exit(SIGSYS) v10: - update for SIGSYS - update for new seccomp_data layout - update for ptrace option use v9: - updated bpf-direct.c for SIGILL v8: - add PR_SET_NO_NEW_PRIVS to the samples. v7: - updated for all the new stuff in v7: TRAP, TRACE - only talk about PR_SET_SECCOMP now - fixed bad JLE32 check (coreyb@linux.vnet.ibm.com) - adds dropper.c: a simple system call disabler v6: - tweak the language to note the requirement of PR_SET_NO_NEW_PRIVS being called prior to use. (luto@mit.edu) v5: - update sample to use system call arguments - adds a "fancy" example using a macro-based generator - cleaned up bpf in the sample - update docs to mention arguments - fix prctl value (eparis@redhat.com) - language cleanup (rdunlap@xenotime.net) v4: - update for no_new_privs use - minor tweaks v3: - call out BPF <-> Berkeley Packet Filter (rdunlap@xenotime.net) - document use of tentative always-unprivileged - guard sample compilation for i386 and x86_64 v2: - move code to samples (corbet@lwn.net) Signed-off-by: James Morris <james.l.morris@oracle.com> 2012-04-13 01:48:04 +04:00			`/*`
			`* Seccomp BPF helper functions`
			`*`
			`* Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>`
			`* Author: Will Drewry <wad@chromium.org>`
			`*`
			`* The code may be used by anyone for any purpose,`
			`* and can serve as a starting point for developing`
			`* applications using prctl(PR_ATTACH_SECCOMP_FILTER).`
			`*/`

			`#include <stdio.h>`
samples/seccomp: improve label helper Fixes a potential corruption with uninitialized stack memory in the seccomp BPF sample program. [akpm@linux-foundation.org: coding-style fixlet] Signed-off-by: Kees Cook <keescook@chromium.org> Reported-by: Robert Swiecki <swiecki@google.com> Tested-by: Robert Swiecki <swiecki@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-02-18 00:47:58 +03:00			`#include <stdlib.h>`
Documentation: prctl/seccomp_filter Documents how system call filtering using Berkeley Packet Filter programs works and how it may be used. Includes an example for x86 and a semi-generic example using a macro-based code generator. Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: Will Drewry <wad@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> v18: - added acked by - update no new privs numbers v17: - remove @compat note and add Pitfalls section for arch checking (keescook@chromium.org) v16: - v15: - v14: - rebase/nochanges v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc v12: - comment on the ptrace_event use - update arch support comment - note the behavior of SECCOMP_RET_DATA when there are multiple filters (keescook@chromium.org) - lots of samples/ clean up incl 64-bit bpf-direct support (markus@chromium.org) - rebase to linux-next v11: - overhaul return value language, updates (keescook@chromium.org) - comment on do_exit(SIGSYS) v10: - update for SIGSYS - update for new seccomp_data layout - update for ptrace option use v9: - updated bpf-direct.c for SIGILL v8: - add PR_SET_NO_NEW_PRIVS to the samples. v7: - updated for all the new stuff in v7: TRAP, TRACE - only talk about PR_SET_SECCOMP now - fixed bad JLE32 check (coreyb@linux.vnet.ibm.com) - adds dropper.c: a simple system call disabler v6: - tweak the language to note the requirement of PR_SET_NO_NEW_PRIVS being called prior to use. (luto@mit.edu) v5: - update sample to use system call arguments - adds a "fancy" example using a macro-based generator - cleaned up bpf in the sample - update docs to mention arguments - fix prctl value (eparis@redhat.com) - language cleanup (rdunlap@xenotime.net) v4: - update for no_new_privs use - minor tweaks v3: - call out BPF <-> Berkeley Packet Filter (rdunlap@xenotime.net) - document use of tentative always-unprivileged - guard sample compilation for i386 and x86_64 v2: - move code to samples (corbet@lwn.net) Signed-off-by: James Morris <james.l.morris@oracle.com> 2012-04-13 01:48:04 +04:00			`#include <string.h>`

			`#include "bpf-helper.h"`

			`int bpf_resolve_jumps(struct bpf_labels *labels,`
			`struct sock_filter *filter, size_t count)`
			`{`
			`struct sock_filter *begin = filter;`
			`__u8 insn = count - 1;`

			`if (count < 1)`
			`return -1;`
			`/*`
			`* Walk it once, backwards, to build the label table and do fixups.`
			`* Since backward jumps are disallowed by BPF, this is easy.`
			`*/`
			`filter += insn;`
			`for (; filter >= begin; --insn, --filter) {`
			`if (filter->code != (BPF_JMP+BPF_JA))`
			`continue;`
			`switch ((filter->jt<<8)\|filter->jf) {`
			`case (JUMP_JT<<8)\|JUMP_JF:`
			`if (labels->labels[filter->k].location == 0xffffffff) {`
			`fprintf(stderr, "Unresolved label: '%s'\n",`
			`labels->labels[filter->k].label);`
			`return 1;`
			`}`
			`filter->k = labels->labels[filter->k].location -`
			`(insn + 1);`
			`filter->jt = 0;`
			`filter->jf = 0;`
			`continue;`
			`case (LABEL_JT<<8)\|LABEL_JF:`
			`if (labels->labels[filter->k].location != 0xffffffff) {`
			`fprintf(stderr, "Duplicate label use: '%s'\n",`
			`labels->labels[filter->k].label);`
			`return 1;`
			`}`
			`labels->labels[filter->k].location = insn;`
			`filter->k = 0; /* fall through */`
			`filter->jt = 0;`
			`filter->jf = 0;`
			`continue;`
			`}`
			`}`
			`return 0;`
			`}`

			`/* Simple lookup table for labels. */`
			`__u32 seccomp_bpf_label(struct bpf_labels labels, const char label)`
			`{`
			`struct __bpf_label begin = labels->labels, end;`
			`int id;`
samples/seccomp: improve label helper Fixes a potential corruption with uninitialized stack memory in the seccomp BPF sample program. [akpm@linux-foundation.org: coding-style fixlet] Signed-off-by: Kees Cook <keescook@chromium.org> Reported-by: Robert Swiecki <swiecki@google.com> Tested-by: Robert Swiecki <swiecki@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-02-18 00:47:58 +03:00
			`if (labels->count == BPF_LABELS_MAX) {`
			`fprintf(stderr, "Too many labels\n");`
			`exit(1);`
			`}`
Documentation: prctl/seccomp_filter Documents how system call filtering using Berkeley Packet Filter programs works and how it may be used. Includes an example for x86 and a semi-generic example using a macro-based code generator. Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: Will Drewry <wad@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> v18: - added acked by - update no new privs numbers v17: - remove @compat note and add Pitfalls section for arch checking (keescook@chromium.org) v16: - v15: - v14: - rebase/nochanges v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc v12: - comment on the ptrace_event use - update arch support comment - note the behavior of SECCOMP_RET_DATA when there are multiple filters (keescook@chromium.org) - lots of samples/ clean up incl 64-bit bpf-direct support (markus@chromium.org) - rebase to linux-next v11: - overhaul return value language, updates (keescook@chromium.org) - comment on do_exit(SIGSYS) v10: - update for SIGSYS - update for new seccomp_data layout - update for ptrace option use v9: - updated bpf-direct.c for SIGILL v8: - add PR_SET_NO_NEW_PRIVS to the samples. v7: - updated for all the new stuff in v7: TRAP, TRACE - only talk about PR_SET_SECCOMP now - fixed bad JLE32 check (coreyb@linux.vnet.ibm.com) - adds dropper.c: a simple system call disabler v6: - tweak the language to note the requirement of PR_SET_NO_NEW_PRIVS being called prior to use. (luto@mit.edu) v5: - update sample to use system call arguments - adds a "fancy" example using a macro-based generator - cleaned up bpf in the sample - update docs to mention arguments - fix prctl value (eparis@redhat.com) - language cleanup (rdunlap@xenotime.net) v4: - update for no_new_privs use - minor tweaks v3: - call out BPF <-> Berkeley Packet Filter (rdunlap@xenotime.net) - document use of tentative always-unprivileged - guard sample compilation for i386 and x86_64 v2: - move code to samples (corbet@lwn.net) Signed-off-by: James Morris <james.l.morris@oracle.com> 2012-04-13 01:48:04 +04:00			`if (labels->count == 0) {`
			`begin->label = label;`
			`begin->location = 0xffffffff;`
			`labels->count++;`
			`return 0;`
			`}`
			`end = begin + labels->count;`
			`for (id = 0; begin < end; ++begin, ++id) {`
			`if (!strcmp(label, begin->label))`
			`return id;`
			`}`
			`begin->label = label;`
			`begin->location = 0xffffffff;`
			`labels->count++;`
			`return id;`
			`}`

			`void seccomp_bpf_print(struct sock_filter *filter, size_t count)`
			`{`
			`struct sock_filter *end = filter + count;`
			`for ( ; filter < end; ++filter)`
			`printf("{ code=%u,jt=%u,jf=%u,k=%u },\n",`
			`filter->code, filter->jt, filter->jf, filter->k);`
			`}`