SyscallRules merge and add were dropping AllowAny rules

PiperOrigin-RevId: 210131001
Change-Id: I285707c5143b3e4c9a6948c1d1a452b6f16e65b7

2 files changed, 66 insertions, 3 deletions

diff --git a/pkg/seccomp/seccomp_rules.go b/pkg/seccomp/seccomp_rules.go
index 892ccabb4..4b99792fd 100644
--- a/pkg/seccomp/seccomp_rules.go
+++ b/pkg/seccomp/seccomp_rules.go
@@ -34,7 +34,7 @@ func seccompDataOffsetArgLow(i int) uint32 {
 }
 
 func seccompDataOffsetArgHigh(i int) uint32 {
-	return uint32(seccompDataOffsetArgs + i*8 + 4)
+	return seccompDataOffsetArgLow(i) + 4
 }
 
 // AllowAny is marker to indicate any value will be accepted.
@@ -100,7 +100,11 @@ func NewSyscallRules() SyscallRules {
 // AddRule adds the given rule. It will create a new entry for a new syscall, otherwise
 // it will append to the existing rules.
 func (sr SyscallRules) AddRule(sysno uintptr, r Rule) {
-	if _, ok := sr[sysno]; ok {
+	if cur, ok := sr[sysno]; ok {
+		// An empty rules means allow all. Honor it when more rules are added.
+		if len(cur) == 0 {
+			sr[sysno] = append(sr[sysno], Rule{})
+		}
 		sr[sysno] = append(sr[sysno], r)
 	} else {
 		sr[sysno] = []Rule{r}
@@ -110,7 +114,14 @@ func (sr SyscallRules) AddRule(sysno uintptr, r Rule) {
 // Merge merges the given SyscallRules.
 func (sr SyscallRules) Merge(rules SyscallRules) {
 	for sysno, rs := range rules {
-		if _, ok := sr[sysno]; ok {
+		if cur, ok := sr[sysno]; ok {
+			// An empty rules means allow all. Honor it when more rules are added.
+			if len(cur) == 0 {
+				sr[sysno] = append(sr[sysno], Rule{})
+			}
+			if len(rs) == 0 {
+				rs = []Rule{Rule{}}
+			}
 			sr[sysno] = append(sr[sysno], rs...)
 		} else {
 			sr[sysno] = rs
diff --git a/pkg/seccomp/seccomp_test.go b/pkg/seccomp/seccomp_test.go
index d3aca7ee9..9f9507228 100644
--- a/pkg/seccomp/seccomp_test.go
+++ b/pkg/seccomp/seccomp_test.go
@@ -355,3 +355,55 @@ func TestRealDeal(t *testing.T) {
 		}
 	}
 }
+
+// TestMerge ensures that empty rules are not erased when rules are merged.
+func TestMerge(t *testing.T) {
+	for _, tst := range []struct {
+		name  string
+		main  []Rule
+		merge []Rule
+		want  []Rule
+	}{
+		{
+			name:  "empty both",
+			main:  nil,
+			merge: nil,
+			want:  []Rule{Rule{}, Rule{}},
+		},
+		{
+			name:  "empty main",
+			main:  nil,
+			merge: []Rule{Rule{}},
+			want:  []Rule{Rule{}, Rule{}},
+		},
+		{
+			name:  "empty merge",
+			main:  []Rule{Rule{}},
+			merge: nil,
+			want:  []Rule{Rule{}, Rule{}},
+		},
+	} {
+		t.Run(tst.name, func(t *testing.T) {
+			mainRules := SyscallRules{1: tst.main}
+			mergeRules := SyscallRules{1: tst.merge}
+			mainRules.Merge(mergeRules)
+			if got, want := len(mainRules[1]), len(tst.want); got != want {
+				t.Errorf("wrong length, got: %d, want: %d", got, want)
+			}
+			for i, r := range mainRules[1] {
+				if r != tst.want[i] {
+					t.Errorf("result, got: %v, want: %v", r, tst.want[i])
+				}
+			}
+		})
+	}
+}
+
+// TestAddRule ensures that empty rules are not erased when rules are added.
+func TestAddRule(t *testing.T) {
+	rules := SyscallRules{1: {}}
+	rules.AddRule(1, Rule{})
+	if got, want := len(rules[1]), 2; got != want {
+		t.Errorf("len(rules[1]), got: %d, want: %d", got, want)
+	}
+}