IMPORTANT: WILL CAUSE BREAKAGE WITH v0.1.x API The current API relies on the library storing internal state about the filter context. While this is okay in several cases, it may cause problems in others, e.g. threaded applications.
Since the bulk of the library already operates on a filter context, known as "struct db_filter", this patch simply adds an additional parameter to the public API, exporting this context as an opaque context/handle. Signed-off-by: Paul Moore <[email protected]> --- include/seccomp.h | 54 ++++++++++++------ src/api.c | 102 +++++++++++++++++------------------ src/db.c | 53 +++++++++++++----- src/db.h | 3 + tests/01-allow.c | 9 ++- tests/02-basic.c | 20 ++++--- tests/03-basic-chains.c | 20 ++++--- tests/04-multilevel-chains.c | 24 ++++---- tests/05-long-jumps.c | 18 +++--- tests/06-actions.c | 20 ++++--- tests/07-db-bug-looping.c | 15 +++-- tests/08-subtree-checks.c | 55 ++++++++++--------- tests/09-syscall-priority-pre.c | 23 ++++---- tests/10-syscall-priority-post.c | 23 ++++---- tests/11-basic-errors.c | 112 ++++++++++++++++++++------------------ tests/12-basic-masked-ops.c | 21 ++++--- tests/13-attrs.c | 19 +++--- tests/util.c | 8 ++- tests/util.h | 3 + 19 files changed, 342 insertions(+), 260 deletions(-) diff --git a/include/seccomp.h b/include/seccomp.h index 246e410..42ad4fb 100644 --- a/include/seccomp.h +++ b/include/seccomp.h @@ -30,6 +30,11 @@ */ /** + * Filter context/handle + */ +typedef void * scmp_filter_ctx; + +/** * Filter attributes */ enum scmp_filter_attr { @@ -154,48 +159,51 @@ struct scmp_arg_cmp { * * This function initializes the internal seccomp filter state and should * be called before any other functions in this library to ensure the filter - * state is initialized. Returns zero on success, negative values on failure. + * state is initialized. Returns a filter context on success, NULL on failure. * */ -int seccomp_init(uint32_t def_action); +scmp_filter_ctx seccomp_init(uint32_t def_action); /** * Reset the current filter state + * @param ctx the filter context * @param def_action the default filter action * - * This function resets the internal seccomp filter state and ensures the + * This function resets the given seccomp filter state and ensures the * filter state is reinitialized. This function does not reset any seccomp * filters already loaded into the kernel. Returns zero on success, negative * values on failure. * */ -int seccomp_reset(uint32_t def_action); +int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action); /** * Destroys the current filter state and releases any resources + * @param ctx the filter context * - * This functions destroys the internal seccomp filter state and releases any + * This functions destroys the given seccomp filter state and releases any * resources, including memory, associated with the filter state. This * function does not reset any seccomp filters already loaded into the kernel. - * The function seccomp_reset() must be called before the filter can be - * reconfigured after calling this function. + * The filter context can no longer be used after calling this function. * */ -void seccomp_release(void); +void seccomp_release(scmp_filter_ctx ctx); /** * Loads the current filter into the kernel + * @param ctx the filter context * - * This function loads the currently configured seccomp filter into the kernel. - * If the filter was loaded correctly, the kernel will be enforcing the filter + * This function loads the given seccomp filter context into the kernel. If + * the filter was loaded correctly, the kernel will be enforcing the filter * when this function returns. Returns zero on success, negative values on * error. * */ -int seccomp_load(void); +int seccomp_load(const scmp_filter_ctx ctx); /** * Get the value of a filter attribute + * @param ctx the filter context * @param attr the filter attribute name * @param value the filter attribute value * @@ -203,10 +211,12 @@ int seccomp_load(void); * via @value. Returns zero on success, negative values on failure. * */ -int seccomp_attr_get(enum scmp_filter_attr attr, uint32_t *value); +int seccomp_attr_get(const scmp_filter_ctx ctx, + enum scmp_filter_attr attr, uint32_t *value); /** * Set the value of a filter attribute + * @param ctx the filter context * @param attr the filter attribute name * @param value the filter attribute value * @@ -214,10 +224,12 @@ int seccomp_attr_get(enum scmp_filter_attr attr, uint32_t *value); * success, negative values on failure. * */ -int seccomp_attr_set(enum scmp_filter_attr attr, uint32_t value); +int seccomp_attr_set(scmp_filter_ctx ctx, + enum scmp_filter_attr attr, uint32_t value); /** * Set the priority of a given syscall + * @param ctx the filter context * @param syscall the syscall number * @param priority priority value, higher value == higher priority * @@ -227,10 +239,12 @@ int seccomp_attr_set(enum scmp_filter_attr attr, uint32_t value); * filter. Returns zero on success, negative values on failure. * */ -int seccomp_syscall_priority(int syscall, uint8_t priority); +int seccomp_syscall_priority(scmp_filter_ctx ctx, + int syscall, uint8_t priority); /** * Add a new rule to the current filter + * @param ctx the filter context * @param action the filter action * @param syscall the syscall number * @param arg_cnt the number of argument filters in the argument filter chain @@ -244,10 +258,12 @@ int seccomp_syscall_priority(int syscall, uint8_t priority); * values on failure. * */ -int seccomp_rule_add(uint32_t action, int syscall, unsigned int arg_cnt, ...); +int seccomp_rule_add(scmp_filter_ctx ctx, + uint32_t action, int syscall, unsigned int arg_cnt, ...); /** * Add a new rule to the current filter + * @param ctx the filter context * @param action the filter action * @param syscall the syscall number * @param arg_cnt the number of argument filters in the argument filter chain @@ -260,28 +276,30 @@ int seccomp_rule_add(uint32_t action, int syscall, unsigned int arg_cnt, ...); * function will fail. Returns zero on success, negative values on failure. * */ -int seccomp_rule_add_exact(uint32_t action, +int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action, int syscall, unsigned int arg_cnt, ...); /** * Generate seccomp Pseudo Filter Code (PFC) and export it to a file + * @param ctx the filter context * @param fd the destination fd * * This function generates seccomp Pseudo Filter Code (PFC) and writes it to * the given fd. Returns zero on success, negative values on failure. * */ -int seccomp_export_pfc(int fd); +int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd); /** * Generate seccomp Berkley Packet Filter (BPF) code and export it to a file + * @param ctx the filter context * @param fd the destination fd * * This function generates seccomp Berkley Packer Filter (BPF) code and writes * it to the given fd. Returns zero on success, negative values on failure. * */ -int seccomp_export_bpf(int fd); +int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd); /* * pseudo syscall definitions diff --git a/src/api.c b/src/api.c index 641cff2..6d6cd02 100644 --- a/src/api.c +++ b/src/api.c @@ -36,53 +36,44 @@ #include "gen_bpf.h" #include "system.h" -/* the underlying code supports multiple simultaneous seccomp filters, but in - * practice we really only need one per-process right now, and this is it */ -static struct db_filter *filter = NULL; - /* NOTE - function header comment in include/seccomp.h */ -int seccomp_init(uint32_t def_action) +scmp_filter_ctx seccomp_init(uint32_t def_action) { - int rc; - - rc = db_action_valid(def_action); - if (rc < 0) - return rc; - - if (filter != NULL) - return -EEXIST; - filter = db_init(&arch_def_native, def_action); + if (db_action_valid(def_action) < 0) + return NULL; - return (filter ? 0 : -ENOMEM); + return db_init(&arch_def_native, def_action); } /* NOTE - function header comment in include/seccomp.h */ -int seccomp_reset(uint32_t def_action) +int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action) { - if (filter != NULL) - db_release(filter); + if (ctx == NULL || db_action_valid(def_action) < 0) + return -EINVAL; - return seccomp_init(def_action); + db_reset((struct db_filter *)ctx, def_action); + return 0; } /* NOTE - function header comment in include/seccomp.h */ -void seccomp_release(void) +void seccomp_release(scmp_filter_ctx ctx) { - if (filter == NULL) + if (ctx == NULL) return; - db_release(filter); - filter = NULL; + db_release((struct db_filter *)ctx); } /* NOTE - function header comment in include/seccomp.h */ -int seccomp_load(void) +int seccomp_load(const scmp_filter_ctx ctx) { int rc; + struct db_filter *filter; struct bpf_program *program; - if (filter == NULL) - return -EFAULT; + if (ctx == NULL) + return -EINVAL; + filter = (struct db_filter *)ctx; program = gen_bpf_generate(filter); if (program == NULL) @@ -103,30 +94,34 @@ int seccomp_load(void) } /* NOTE - function header comment in include/seccomp.h */ -int seccomp_attr_get(enum scmp_filter_attr attr, uint32_t *value) +int seccomp_attr_get(const scmp_filter_ctx ctx, + enum scmp_filter_attr attr, uint32_t *value) { - if (filter == NULL) - return -EFAULT; + if (ctx == NULL) + return -EINVAL; - return db_attr_get(filter, attr, value); + return db_attr_get((const struct db_filter *)ctx, attr, value); } /* NOTE - function header comment in include/seccomp.h */ -int seccomp_attr_set(enum scmp_filter_attr attr, uint32_t value) +int seccomp_attr_set(scmp_filter_ctx ctx, + enum scmp_filter_attr attr, uint32_t value) { - if (filter == NULL) - return -EFAULT; + if (ctx == NULL) + return -EINVAL; - return db_attr_set(filter, attr, value); + return db_attr_set((struct db_filter *)ctx, attr, value); } /* NOTE - function header comment in include/seccomp.h */ -int seccomp_syscall_priority(int syscall, uint8_t priority) +int seccomp_syscall_priority(scmp_filter_ctx ctx, int syscall, uint8_t priority) { int rc; + struct db_filter *filter; - if (filter == NULL) - return -EFAULT; + if (ctx == NULL) + return -EINVAL; + filter = (struct db_filter *)ctx; /* if this is a pseudo syscall (syscall < 0) then we need to rewrite * the syscall for some arch specific reason */ @@ -141,6 +136,7 @@ int seccomp_syscall_priority(int syscall, uint8_t priority) /** * Add a new rule to the current filter + * @param filter the DB filter * @param strict the strict flag * @param action the filter action * @param syscall the syscall number @@ -156,7 +152,8 @@ int seccomp_syscall_priority(int syscall, uint8_t priority) * zero on success, negative values on failure. * */ -static int _seccomp_rule_add(unsigned int strict, uint32_t action, int syscall, +static int _seccomp_rule_add(struct db_filter *filter, + unsigned int strict, uint32_t action, int syscall, unsigned int arg_cnt, va_list arg_list) { int rc; @@ -167,7 +164,7 @@ static int _seccomp_rule_add(unsigned int strict, uint32_t action, int syscall, struct scmp_arg_cmp arg_data; if (filter == NULL) - return -EFAULT; + return -EINVAL; rc = db_action_valid(action); if (rc < 0) @@ -232,51 +229,54 @@ rule_add_return: } /* NOTE - function header comment in include/seccomp.h */ -int seccomp_rule_add(uint32_t action, int syscall, unsigned int arg_cnt, ...) +int seccomp_rule_add(scmp_filter_ctx ctx, + uint32_t action, int syscall, unsigned int arg_cnt, ...) { int rc; va_list arg_list; va_start(arg_list, arg_cnt); - rc = _seccomp_rule_add(0, action, syscall, arg_cnt, arg_list); + rc = _seccomp_rule_add((struct db_filter *)ctx, + 0, action, syscall, arg_cnt, arg_list); va_end(arg_list); return rc; } /* NOTE - function header comment in include/seccomp.h */ -int seccomp_rule_add_exact(uint32_t action, +int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action, int syscall, unsigned int arg_cnt, ...) { int rc; va_list arg_list; va_start(arg_list, arg_cnt); - rc = _seccomp_rule_add(1, action, syscall, arg_cnt, arg_list); + rc = _seccomp_rule_add((struct db_filter *)ctx, + 1, action, syscall, arg_cnt, arg_list); va_end(arg_list); return rc; } /* NOTE - function header comment in include/seccomp.h */ -int seccomp_export_pfc(int fd) +int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd) { - if (filter == NULL) - return -EFAULT; + if (ctx == NULL) + return -EINVAL; - return gen_pfc_generate(filter, fd); + return gen_pfc_generate((struct db_filter *)ctx, fd); } /* NOTE - function header comment in include/seccomp.h */ -int seccomp_export_bpf(int fd) +int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd) { int rc; struct bpf_program *program; - if (filter == NULL) - return -EFAULT; + if (ctx == NULL) + return -EINVAL; - program = gen_bpf_generate(filter); + program = gen_bpf_generate((struct db_filter *)ctx); if (program == NULL) return -ENOMEM; rc = write(fd, program->blks, BPF_PGM_SIZE(program)); diff --git a/src/db.c b/src/db.c index add3711..a1ae3ed 100644 --- a/src/db.c +++ b/src/db.c @@ -307,6 +307,40 @@ int db_action_valid(uint32_t action) } /** + * Free and reset the seccomp filter DB + * @param db the seccomp filter DB + * @param def_action the default filter action + * + * This function frees any existing filters and resets the filter DB to a + * default state; only the DB architecture is preserved. + * + */ +void db_reset(struct db_filter *db, uint32_t def_action) +{ + struct db_sys_list *s_iter; + + if (db == NULL) + return; + + /* free any filters */ + if (db->syscalls != NULL) { + s_iter = db->syscalls; + while (s_iter != NULL) { + db->syscalls = s_iter->next; + _db_tree_free(s_iter->chains); + free(s_iter); + s_iter = db->syscalls; + } + db->syscalls = NULL; + } + + /* set the default attribute values */ + db->attr.act_default = def_action; + db->attr.act_badarch = SCMP_ACT_KILL; + db->attr.nnp_enable = 1; +} + +/** * Intitalize a seccomp filter DB * @param arch the architecture definition * @param def_action the default filter action @@ -325,10 +359,8 @@ struct db_filter *db_init(const struct arch_def *arch, uint32_t def_action) memset(db, 0, sizeof(*db)); db->arch = arch; - /* default attribute values */ - db->attr.act_default = def_action; - db->attr.act_badarch = SCMP_ACT_KILL; - db->attr.nnp_enable = 1; + /* reset the DB to a known state */ + db_reset(db, def_action); return db; } @@ -343,18 +375,11 @@ struct db_filter *db_init(const struct arch_def *arch, uint32_t def_action) */ void db_release(struct db_filter *db) { - struct db_sys_list *s_iter; - if (db == NULL) return; - s_iter = db->syscalls; - while (s_iter != NULL) { - db->syscalls = s_iter->next; - _db_tree_free(s_iter->chains); - free(s_iter); - s_iter = db->syscalls; - } + /* free and reset the DB */ + db_reset(db, 0); free(db); } @@ -368,7 +393,7 @@ void db_release(struct db_filter *db) * on success, negative values on failure. * */ -int db_attr_get(struct db_filter *db, +int db_attr_get(const struct db_filter *db, enum scmp_filter_attr attr, uint32_t *value) { switch (attr) { diff --git a/src/db.h b/src/db.h index bcfa80f..34734c4 100644 --- a/src/db.h +++ b/src/db.h @@ -154,10 +154,11 @@ struct db_filter { int db_action_valid(uint32_t action); +void db_reset(struct db_filter *db, uint32_t def_action); struct db_filter *db_init(const struct arch_def *arch, uint32_t def_action); void db_release(struct db_filter *db); -int db_attr_get(struct db_filter *db, +int db_attr_get(const struct db_filter *db, enum scmp_filter_attr attr, uint32_t *value); int db_attr_set(struct db_filter *db, enum scmp_filter_attr attr, uint32_t value); diff --git a/tests/01-allow.c b/tests/01-allow.c index e39c994..5f4f74d 100644 --- a/tests/01-allow.c +++ b/tests/01-allow.c @@ -29,20 +29,21 @@ int main(int argc, char *argv[]) { int rc; struct util_options opts; + scmp_filter_ctx ctx; rc = util_getopt(argc, argv, &opts); if (rc < 0) goto out; - rc = seccomp_init(SCMP_ACT_ALLOW); - if (rc != 0) + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) goto out; - rc = util_filter_output(&opts); + rc = util_filter_output(&opts, ctx); if (rc) goto out; out: - seccomp_release(); + seccomp_release(ctx); return (rc < 0 ? -rc : rc); } diff --git a/tests/02-basic.c b/tests/02-basic.c index e999470..b601554 100644 --- a/tests/02-basic.c +++ b/tests/02-basic.c @@ -24,6 +24,8 @@ * read, write, exit, and rt_sigreturn */ +#include <unistd.h> + #include <seccomp.h> #include "util.h" @@ -32,37 +34,39 @@ int main(int argc, char *argv[]) { int rc; struct util_options opts; + scmp_filter_ctx ctx; rc = util_getopt(argc, argv, &opts); if (rc < 0) goto out; - rc = seccomp_init(SCMP_ACT_KILL); - if (rc != 0) + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(read), 0); + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(write), 0); + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + rc = seccomp_rule_add_exact(ctx, + SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); if (rc != 0) goto out; - rc = util_filter_output(&opts); + rc = util_filter_output(&opts, ctx); if (rc) goto out; out: - seccomp_release(); + seccomp_release(ctx); return (rc < 0 ? -rc : rc); } diff --git a/tests/03-basic-chains.c b/tests/03-basic-chains.c index f656a6b..6e7309b 100644 --- a/tests/03-basic-chains.c +++ b/tests/03-basic-chains.c @@ -29,43 +29,45 @@ int main(int argc, char *argv[]) { int rc; struct util_options opts; + scmp_filter_ctx ctx; rc = util_getopt(argc, argv, &opts); if (rc < 0) goto out; - rc = seccomp_init(SCMP_ACT_KILL); - if (rc != 0) + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(read), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + rc = seccomp_rule_add_exact(ctx, + SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); if (rc != 0) goto out; - rc = util_filter_output(&opts); + rc = util_filter_output(&opts, ctx); if (rc) goto out; out: - seccomp_release(); + seccomp_release(ctx); return (rc < 0 ? -rc : rc); } diff --git a/tests/04-multilevel-chains.c b/tests/04-multilevel-chains.c index 80f7e22..aeff58b 100644 --- a/tests/04-multilevel-chains.c +++ b/tests/04-multilevel-chains.c @@ -30,56 +30,58 @@ int main(int argc, char *argv[]) { int rc; struct util_options opts; + scmp_filter_ctx ctx; rc = util_getopt(argc, argv, &opts); if (rc < 0) goto out; - rc = seccomp_init(SCMP_ACT_KILL); - if (rc != 0) + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(open), 0); + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(read), 3, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3, SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO), SCMP_A1(SCMP_CMP_NE, 0x0), SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(write), 3, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3, SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO), SCMP_A1(SCMP_CMP_NE, 0x0), SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(write), 3, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3, SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO), SCMP_A1(SCMP_CMP_NE, 0x0), SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + rc = seccomp_rule_add_exact(ctx, + SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); if (rc != 0) goto out; - rc = util_filter_output(&opts); + rc = util_filter_output(&opts, ctx); if (rc) goto out; out: - seccomp_release(); + seccomp_release(ctx); return (rc < 0 ? -rc : rc); } diff --git a/tests/05-long-jumps.c b/tests/05-long-jumps.c index 2be30a1..370d7f6 100644 --- a/tests/05-long-jumps.c +++ b/tests/05-long-jumps.c @@ -19,6 +19,7 @@ * along with this library; if not, see <http://www.gnu.org/licenses>. */ +#include <unistd.h> #include <limits.h> #include <seccomp.h> @@ -30,24 +31,25 @@ int main(int argc, char *argv[]) int rc; int iter; struct util_options opts; + scmp_filter_ctx ctx; rc = util_getopt(argc, argv, &opts); if (rc < 0) goto out; - rc = seccomp_init(SCMP_ACT_KILL); - if (rc != 0) + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) goto out; /* NOTE - syscalls referenced by number to make the test simpler */ - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1, 0); + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1, 0); if (rc != 0) goto out; /* same syscall, many chains */ for (iter = 0; iter < 600; iter++) { - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1000, 3, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3, SCMP_A0(SCMP_CMP_EQ, iter), SCMP_A1(SCMP_CMP_NE, 0x0), SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); @@ -57,21 +59,21 @@ int main(int argc, char *argv[]) /* many syscalls, same chain */ for (iter = 100; iter < 700; iter++) { - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, iter, 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, iter, 1, SCMP_A0(SCMP_CMP_NE, 0)); if (rc != 0) goto out; } - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 4, 0); + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 4, 0); if (rc != 0) goto out; - rc = util_filter_output(&opts); + rc = util_filter_output(&opts, ctx); if (rc) goto out; out: - seccomp_release(); + seccomp_release(ctx); return (rc < 0 ? -rc : rc); } diff --git a/tests/06-actions.c b/tests/06-actions.c index 219d716..9aff9ef 100644 --- a/tests/06-actions.c +++ b/tests/06-actions.c @@ -20,6 +20,7 @@ */ #include <errno.h> +#include <unistd.h> #include <seccomp.h> @@ -29,36 +30,39 @@ int main(int argc, char *argv[]) { int rc; struct util_options opts; + scmp_filter_ctx ctx; rc = util_getopt(argc, argv, &opts); if (rc < 0) goto out; - rc = seccomp_init(SCMP_ACT_KILL); - if (rc != 0) + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(read), 0); + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ERRNO(EPERM), SCMP_SYS(write), 0); + rc = seccomp_rule_add_exact(ctx, + SCMP_ACT_ERRNO(EPERM), SCMP_SYS(write), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_TRAP, SCMP_SYS(close), 0); + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_TRAP, SCMP_SYS(close), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_TRACE(1234), SCMP_SYS(open), 0); + rc = seccomp_rule_add_exact(ctx, + SCMP_ACT_TRACE(1234), SCMP_SYS(open), 0); if (rc != 0) goto out; - rc = util_filter_output(&opts); + rc = util_filter_output(&opts, ctx); if (rc) goto out; out: - seccomp_release(); + seccomp_release(ctx); return (rc < 0 ? -rc : rc); } diff --git a/tests/07-db-bug-looping.c b/tests/07-db-bug-looping.c index e44deb5..53fb048 100644 --- a/tests/07-db-bug-looping.c +++ b/tests/07-db-bug-looping.c @@ -29,38 +29,39 @@ int main(int argc, char *argv[]) { int rc; struct util_options opts; + scmp_filter_ctx ctx; rc = util_getopt(argc, argv, &opts); if (rc < 0) goto out; - rc = seccomp_init(SCMP_ACT_KILL); - if (rc != 0) + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) goto out; /* The next three seccomp_rule_add_exact() calls for read must * go together in this order to catch an infinite loop. */ - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(read), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(read), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, SCMP_A1(SCMP_CMP_EQ, 0x0)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(read), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO)); if (rc != 0) goto out; - rc = util_filter_output(&opts); + rc = util_filter_output(&opts, ctx); if (rc) goto out; out: - seccomp_release(); + seccomp_release(ctx); return (rc < 0 ? -rc : rc); } diff --git a/tests/08-subtree-checks.c b/tests/08-subtree-checks.c index 74f8789..2e6577c 100644 --- a/tests/08-subtree-checks.c +++ b/tests/08-subtree-checks.c @@ -19,6 +19,8 @@ * along with this library; if not, see <http://www.gnu.org/licenses>. */ +#include <unistd.h> + #include <seccomp.h> #include "util.h" @@ -27,57 +29,58 @@ int main(int argc, char *argv[]) { int rc; struct util_options opts; + scmp_filter_ctx ctx; rc = util_getopt(argc, argv, &opts); if (rc < 0) goto out; - rc = seccomp_init(SCMP_ACT_KILL); - if (rc != 0) + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) goto out; /* the syscall and argument numbers are all fake to make the test * simpler */ - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1000, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 2, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 1)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1000, 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 1, SCMP_A1(SCMP_CMP_EQ, 1)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1001, 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 1, SCMP_A1(SCMP_CMP_EQ, 1)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1001, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 2, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 1)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1002, 4, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 4, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 1), SCMP_A2(SCMP_CMP_EQ, 2), SCMP_A3(SCMP_CMP_EQ, 3)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1002, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 2, SCMP_A1(SCMP_CMP_EQ, 1), SCMP_A2(SCMP_CMP_EQ, 2)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1003, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1003, 2, SCMP_A1(SCMP_CMP_EQ, 1), SCMP_A2(SCMP_CMP_EQ, 2)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1003, 4, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1003, 4, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 1), SCMP_A2(SCMP_CMP_EQ, 2), @@ -85,49 +88,49 @@ int main(int argc, char *argv[]) if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1004, 4, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 4, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 1), SCMP_A2(SCMP_CMP_EQ, 2), SCMP_A3(SCMP_CMP_EQ, 3)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1004, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 2, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 11)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1004, 4, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 4, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 1), SCMP_A2(SCMP_CMP_EQ, 2), SCMP_A3(SCMP_CMP_EQ, 33)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1004, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 2, SCMP_A1(SCMP_CMP_EQ, 1), SCMP_A2(SCMP_CMP_EQ, 2)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1005, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 2, SCMP_A1(SCMP_CMP_EQ, 1), SCMP_A2(SCMP_CMP_EQ, 2)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1005, 4, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 4, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 1), SCMP_A2(SCMP_CMP_EQ, 2), SCMP_A3(SCMP_CMP_EQ, 3)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1005, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 2, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 11)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1005, 4, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 4, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 1), SCMP_A2(SCMP_CMP_EQ, 2), @@ -135,41 +138,41 @@ int main(int argc, char *argv[]) if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1006, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 2, SCMP_A1(SCMP_CMP_NE, 1), SCMP_A2(SCMP_CMP_EQ, 0)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1006, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 2, SCMP_A1(SCMP_CMP_EQ, 1), SCMP_A2(SCMP_CMP_EQ, 2)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1006, 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 1, SCMP_A1(SCMP_CMP_NE, 1)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_TRAP, 1007, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_TRAP, 1007, 2, SCMP_A2(SCMP_CMP_EQ, 1), SCMP_A3(SCMP_CMP_EQ, 3)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1007, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1007, 2, SCMP_A2(SCMP_CMP_EQ, 1), SCMP_A3(SCMP_CMP_NE, 3)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1007, 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1007, 1, SCMP_A3(SCMP_CMP_NE, 3)); if (rc != 0) goto out; - rc = util_filter_output(&opts); + rc = util_filter_output(&opts, ctx); if (rc) goto out; out: - seccomp_release(); + seccomp_release(ctx); return (rc < 0 ? -rc : rc); } diff --git a/tests/09-syscall-priority-pre.c b/tests/09-syscall-priority-pre.c index 1a2a57c..5de45bf 100644 --- a/tests/09-syscall-priority-pre.c +++ b/tests/09-syscall-priority-pre.c @@ -19,6 +19,8 @@ * along with this library; if not, see <http://www.gnu.org/licenses>. */ +#include <unistd.h> + #include <seccomp.h> #include "util.h" @@ -27,46 +29,47 @@ int main(int argc, char *argv[]) { int rc; struct util_options opts; + scmp_filter_ctx ctx; rc = util_getopt(argc, argv, &opts); if (rc < 0) goto out; - rc = seccomp_init(SCMP_ACT_KILL); - if (rc != 0) + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) goto out; /* the syscall and argument numbers are all fake to make the test * simpler */ - rc = seccomp_syscall_priority(1000, 3); + rc = seccomp_syscall_priority(ctx, 1000, 3); if (rc != 0) goto out; - rc = seccomp_syscall_priority(1001, 2); + rc = seccomp_syscall_priority(ctx, 1001, 2); if (rc != 0) goto out; - rc = seccomp_syscall_priority(1002, 1); + rc = seccomp_syscall_priority(ctx, 1002, 1); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1000, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 2, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 1)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1001, 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 1, SCMP_A0(SCMP_CMP_EQ, 0)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1002, 0); + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 0); if (rc != 0) goto out; - rc = util_filter_output(&opts); + rc = util_filter_output(&opts, ctx); if (rc) goto out; out: - seccomp_release(); + seccomp_release(ctx); return (rc < 0 ? -rc : rc); } diff --git a/tests/10-syscall-priority-post.c b/tests/10-syscall-priority-post.c index f6659fc..bafa5dd 100644 --- a/tests/10-syscall-priority-post.c +++ b/tests/10-syscall-priority-post.c @@ -19,6 +19,8 @@ * along with this library; if not, see <http://www.gnu.org/licenses>. */ +#include <unistd.h> + #include <seccomp.h> #include "util.h" @@ -27,46 +29,47 @@ int main(int argc, char *argv[]) { int rc; struct util_options opts; + scmp_filter_ctx ctx; rc = util_getopt(argc, argv, &opts); if (rc < 0) goto out; - rc = seccomp_init(SCMP_ACT_KILL); - if (rc != 0) + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) goto out; /* the syscall and argument numbers are all fake to make the test * simpler */ - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1000, 2, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 2, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 1)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1001, 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 1, SCMP_A0(SCMP_CMP_EQ, 0)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1002, 0); + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 0); if (rc != 0) goto out; - rc = seccomp_syscall_priority(1000, 3); + rc = seccomp_syscall_priority(ctx, 1000, 3); if (rc != 0) goto out; - rc = seccomp_syscall_priority(1001, 2); + rc = seccomp_syscall_priority(ctx, 1001, 2); if (rc != 0) goto out; - rc = seccomp_syscall_priority(1002, 1); + rc = seccomp_syscall_priority(ctx, 1002, 1); if (rc != 0) goto out; - rc = util_filter_output(&opts); + rc = util_filter_output(&opts, ctx); if (rc) goto out; out: - seccomp_release(); + seccomp_release(ctx); return (rc < 0 ? -rc : rc); } diff --git a/tests/11-basic-errors.c b/tests/11-basic-errors.c index d9af600..615a7de 100644 --- a/tests/11-basic-errors.c +++ b/tests/11-basic-errors.c @@ -27,42 +27,42 @@ int main(int argc, char *argv[]) { int rc; + scmp_filter_ctx ctx; /* seccomp_init errors */ - rc = seccomp_init(SCMP_ACT_ALLOW+1); - if (rc != -EINVAL) + ctx = seccomp_init(SCMP_ACT_ALLOW+1); + if (ctx != NULL) return -1; - rc = seccomp_init(SCMP_ACT_ALLOW); - if (rc != 0) - return rc; - else { - rc = seccomp_init(SCMP_ACT_KILL); - if (rc != -EEXIST) - return -1; - } - seccomp_release(); + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; + seccomp_release(ctx); + ctx = NULL; /* seccomp_reset error */ - rc = seccomp_reset(SCMP_ACT_KILL+1); + rc = seccomp_reset(ctx, SCMP_ACT_KILL+1); + if (rc != -EINVAL) + return -1; + rc = seccomp_reset(ctx, SCMP_ACT_KILL); if (rc != -EINVAL) return -1; /* seccomp_load error */ - rc = seccomp_load(); - if (rc != -EFAULT) + rc = seccomp_load(ctx); + if (rc != -EINVAL) return -1; /* seccomp_syscall_priority errors */ - rc = seccomp_syscall_priority(SCMP_SYS(read), 1); - if (rc != -EFAULT) + rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 1); + if (rc != -EINVAL) return -1; - rc = seccomp_init(SCMP_ACT_ALLOW); - if (rc != 0) - return rc; + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; else { - rc = seccomp_syscall_priority(-1000, 1); + rc = seccomp_syscall_priority(ctx, -1000, 1); #if __i386__ if (rc != -EINVAL) return -1; @@ -71,28 +71,29 @@ int main(int argc, char *argv[]) return -1; #endif } - seccomp_release(); + seccomp_release(ctx); + ctx = NULL; /* seccomp_rule_add errors */ - rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(read), 1, + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, SCMP_A0(SCMP_CMP_EQ, 0)); - if (rc != -EFAULT) + if (rc != -EINVAL) return -1; - rc = seccomp_init(SCMP_ACT_ALLOW); - if (rc != 0) - return rc; + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; else { - rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(read), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); if (rc != -EPERM) return -1; - rc = seccomp_rule_add(SCMP_ACT_KILL-1, SCMP_SYS(read), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL-1, SCMP_SYS(read), 0); if (rc != -EINVAL) return -1; - rc = seccomp_rule_add(SCMP_ACT_KILL, SCMP_SYS(read), 6); + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 6); if (rc != -EINVAL) return -1; - rc = seccomp_rule_add(SCMP_ACT_KILL, SCMP_SYS(read), 7, + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 7, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 0), SCMP_A2(SCMP_CMP_EQ, 0), @@ -102,65 +103,70 @@ int main(int argc, char *argv[]) SCMP_CMP(6, SCMP_CMP_EQ, 0)); if (rc != -EINVAL) return -1; - rc = seccomp_rule_add(SCMP_ACT_KILL, SCMP_SYS(read), 1, + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 1, SCMP_A0(_SCMP_CMP_MIN, 0)); if (rc != -EINVAL) return -1; - rc = seccomp_rule_add(SCMP_ACT_KILL, SCMP_SYS(read), 1, + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 1, SCMP_A0(_SCMP_CMP_MAX, 0)); if (rc != -EINVAL) return -1; #if __i386__ - rc = seccomp_rule_add(SCMP_ACT_KILL, -1001, 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, -1001, 0); if (rc != -EINVAL) return -1; #endif } - seccomp_release(); + seccomp_release(ctx); + ctx = NULL; /* seccomp_rule_add_exact error */ - rc = seccomp_init(SCMP_ACT_ALLOW); - if (rc != 0) - return rc; + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; else { #if __i386__ - rc = seccomp_rule_add_exact(SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, + SCMP_ACT_KILL, SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, 2)); if (rc != -EINVAL) return -1; #endif } - seccomp_release(); + seccomp_release(ctx); + ctx = NULL; /* seccomp_export_pfc errors */ - rc = seccomp_export_pfc(STDOUT_FILENO); - if (rc != -EFAULT) + rc = seccomp_export_pfc(ctx, STDOUT_FILENO); + if (rc != -EINVAL) return -1; - rc = seccomp_init(SCMP_ACT_ALLOW); - if (rc != 0) - return rc; + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; else { - rc = seccomp_export_pfc(sysconf(_SC_OPEN_MAX)-1); + rc = seccomp_export_pfc(ctx, sysconf(_SC_OPEN_MAX)-1); if (rc != EBADF) return -1; } - seccomp_release(); + seccomp_release(ctx); + ctx = NULL; /* seccomp_export_bpf errors */ - rc = seccomp_export_bpf(STDOUT_FILENO); - if (rc != -EFAULT) + rc = seccomp_export_bpf(ctx, STDOUT_FILENO); + if (rc != -EINVAL) return -1; - rc = seccomp_init(SCMP_ACT_ALLOW); - if (rc != 0) - return rc; + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; else { - rc = seccomp_export_bpf(sysconf(_SC_OPEN_MAX)-1); + rc = seccomp_export_bpf(ctx, sysconf(_SC_OPEN_MAX)-1); if (rc != -EBADF) return -1; } - seccomp_release(); + seccomp_release(ctx); + ctx = NULL; return 0; } diff --git a/tests/12-basic-masked-ops.c b/tests/12-basic-masked-ops.c index 8a4cd12..c213a69 100644 --- a/tests/12-basic-masked-ops.c +++ b/tests/12-basic-masked-ops.c @@ -19,6 +19,8 @@ * along with this library; if not, see <http://www.gnu.org/licenses>. */ +#include <unistd.h> + #include <seccomp.h> #include "util.h" @@ -27,55 +29,56 @@ int main(int argc, char *argv[]) { int rc; struct util_options opts; + scmp_filter_ctx ctx; rc = util_getopt(argc, argv, &opts); if (rc < 0) goto out; - rc = seccomp_init(SCMP_ACT_KILL); - if (rc != 0) + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1000, 3, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 1), SCMP_A2(SCMP_CMP_EQ, 2)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1000, 3, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_MASKED_EQ, 0x00ff, 1), SCMP_A2(SCMP_CMP_EQ, 2)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1000, 3, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_MASKED_EQ, 0xffff, 11), SCMP_A2(SCMP_CMP_EQ, 2)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1000, 3, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_MASKED_EQ, 0xffff, 111), SCMP_A2(SCMP_CMP_EQ, 2)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(SCMP_ACT_ALLOW, 1000, 3, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_MASKED_EQ, 0xff00, 1000), SCMP_A2(SCMP_CMP_EQ, 2)); if (rc != 0) goto out; - rc = util_filter_output(&opts); + rc = util_filter_output(&opts, ctx); if (rc) goto out; out: - seccomp_release(); + seccomp_release(ctx); return (rc < 0 ? -rc : rc); } diff --git a/tests/13-attrs.c b/tests/13-attrs.c index 2fd6398..46518a5 100644 --- a/tests/13-attrs.c +++ b/tests/13-attrs.c @@ -30,28 +30,29 @@ int main(int argc, char *argv[]) { int rc; uint32_t val = (uint32_t)-1; + scmp_filter_ctx ctx; - rc = seccomp_init(SCMP_ACT_ALLOW); - if (rc != 0) + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) goto out; - rc = seccomp_attr_get(SCMP_FLTATR_ACT_DEFAULT, &val); + rc = seccomp_attr_get(ctx, SCMP_FLTATR_ACT_DEFAULT, &val); if (rc != 0) goto out; if (val != SCMP_ACT_ALLOW) { rc = -1; goto out; } - rc = seccomp_attr_set(SCMP_FLTATR_ACT_DEFAULT, val); + rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_DEFAULT, val); if (rc != -EACCES) { rc = -1; goto out; } - rc = seccomp_attr_set(SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ALLOW); + rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ALLOW); if (rc != 0) goto out; - rc = seccomp_attr_get(SCMP_FLTATR_ACT_BADARCH, &val); + rc = seccomp_attr_get(ctx, SCMP_FLTATR_ACT_BADARCH, &val); if (rc != 0) goto out; if (val != SCMP_ACT_ALLOW) { @@ -59,10 +60,10 @@ int main(int argc, char *argv[]) goto out; } - rc = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0); + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0); if (rc != 0) goto out; - rc = seccomp_attr_get(SCMP_FLTATR_CTL_NNP, &val); + rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_NNP, &val); if (rc != 0) goto out; if (val != 0) { @@ -72,6 +73,6 @@ int main(int argc, char *argv[]) rc = 0; out: - seccomp_release(); + seccomp_release(ctx); return (rc < 0 ? -rc : rc); } diff --git a/tests/util.c b/tests/util.c index 1294794..d4dc1ff 100644 --- a/tests/util.c +++ b/tests/util.c @@ -86,12 +86,14 @@ int util_getopt(int argc, char *argv[], struct util_options *opts) /** * Output the filter in either BPF or PFC * @param opts the options structure + * @param ctx the filter context * * This function outputs the seccomp filter to in either BPF or PFC format * depending on the test paramaeters supplied by @opts. * */ -int util_filter_output(const struct util_options *opts) +int util_filter_output(const struct util_options *opts, + const scmp_filter_ctx ctx) { int rc; @@ -99,9 +101,9 @@ int util_filter_output(const struct util_options *opts) return -EFAULT; if (opts->bpf_flg) - rc = seccomp_export_bpf(STDOUT_FILENO); + rc = seccomp_export_bpf(ctx, STDOUT_FILENO); else - rc = seccomp_export_pfc(STDOUT_FILENO); + rc = seccomp_export_pfc(ctx, STDOUT_FILENO); return rc; } diff --git a/tests/util.h b/tests/util.h index 3931440..68af8a0 100644 --- a/tests/util.h +++ b/tests/util.h @@ -28,6 +28,7 @@ struct util_options { int util_getopt(int argc, char *argv[], struct util_options *opts); -int util_filter_output(const struct util_options *opts); +int util_filter_output(const struct util_options *opts, + const scmp_filter_ctx ctx); #endif ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ libseccomp-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
