diff options
author | Fabricio Voznika <fvoznika@google.com> | 2018-12-18 10:27:16 -0800 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2018-12-18 10:28:28 -0800 |
commit | 03226cd95055aee73d4e4dfcb4954490b4fd8a2d (patch) | |
tree | 8d7fad1c742f44825746e55f5f3c2ef8a9ee65b2 /pkg/seccomp | |
parent | e7b47844d969673cec06ea745d577155131ecf3b (diff) |
Add BPFAction type with Stringer
PiperOrigin-RevId: 226018694
Change-Id: I98965e26fe565f37e98e5df5f997363ab273c91b
Diffstat (limited to 'pkg/seccomp')
-rw-r--r-- | pkg/seccomp/seccomp.go | 32 | ||||
-rw-r--r-- | pkg/seccomp/seccomp_test.go | 14 |
2 files changed, 18 insertions, 28 deletions
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go index 9d714d02d..ba2955752 100644 --- a/pkg/seccomp/seccomp.go +++ b/pkg/seccomp/seccomp.go @@ -33,16 +33,6 @@ const ( defaultLabel = "default_action" ) -func actionName(a uint32) string { - switch a { - case linux.SECCOMP_RET_KILL_PROCESS: - return "kill process" - case linux.SECCOMP_RET_TRAP: - return "trap" - } - panic(fmt.Sprintf("invalid action: %d", a)) -} - // Install generates BPF code based on the set of syscalls provided. It only // allows syscalls that conform to the specification. Syscalls that violate the // specification will trigger RET_KILL_PROCESS, except for the cases below. @@ -67,12 +57,12 @@ func Install(rules SyscallRules) error { // Uncomment to get stack trace when there is a violation. // defaultAction = uint32(linux.SECCOMP_RET_TRAP) - log.Infof("Installing seccomp filters for %d syscalls (action=%s)", len(rules), actionName(defaultAction)) + log.Infof("Installing seccomp filters for %d syscalls (action=%v)", len(rules), defaultAction) instrs, err := BuildProgram([]RuleSet{ RuleSet{ Rules: rules, - Action: uint32(linux.SECCOMP_RET_ALLOW), + Action: linux.SECCOMP_RET_ALLOW, }, }, defaultAction) if log.IsLogging(log.Debug) { @@ -95,21 +85,21 @@ func Install(rules SyscallRules) error { return nil } -func defaultAction() (uint32, error) { +func defaultAction() (linux.BPFAction, error) { available, err := isKillProcessAvailable() if err != nil { return 0, err } if available { - return uint32(linux.SECCOMP_RET_KILL_PROCESS), nil + return linux.SECCOMP_RET_KILL_PROCESS, nil } - return uint32(linux.SECCOMP_RET_TRAP), nil + return linux.SECCOMP_RET_TRAP, nil } // RuleSet is a set of rules and associated action. type RuleSet struct { Rules SyscallRules - Action uint32 + Action linux.BPFAction // Vsyscall indicates that a check is made for a function being called // from kernel mappings. This is where the vsyscall page is located @@ -127,7 +117,7 @@ var SyscallName = func(sysno uintptr) string { // BuildProgram builds a BPF program from the given map of actions to matching // SyscallRules. The single generated program covers all provided RuleSets. -func BuildProgram(rules []RuleSet, defaultAction uint32) ([]linux.BPFInstruction, error) { +func BuildProgram(rules []RuleSet, defaultAction linux.BPFAction) ([]linux.BPFInstruction, error) { program := bpf.NewProgramBuilder() // Be paranoid and check that syscall is done in the expected architecture. @@ -147,7 +137,7 @@ func BuildProgram(rules []RuleSet, defaultAction uint32) ([]linux.BPFInstruction if err := program.AddLabel(defaultLabel); err != nil { return nil, err } - program.AddStmt(bpf.Ret|bpf.K, defaultAction) + program.AddStmt(bpf.Ret|bpf.K, uint32(defaultAction)) return program.Instructions() } @@ -217,7 +207,7 @@ func checkArgsLabel(sysno uintptr) string { // not insert a jump to the default action at the end and it is the // responsibility of the caller to insert an appropriate jump after calling // this function. -func addSyscallArgsCheck(p *bpf.ProgramBuilder, rules []Rule, action uint32, ruleSetIdx int, sysno uintptr) error { +func addSyscallArgsCheck(p *bpf.ProgramBuilder, rules []Rule, action linux.BPFAction, ruleSetIdx int, sysno uintptr) error { for ruleidx, rule := range rules { labelled := false for i, arg := range rule { @@ -240,7 +230,7 @@ func addSyscallArgsCheck(p *bpf.ProgramBuilder, rules []Rule, action uint32, rul } // Matched, emit the given action. - p.AddStmt(bpf.Ret|bpf.K, action) + p.AddStmt(bpf.Ret|bpf.K, uint32(action)) // Label the end of the rule if necessary. This is added for // the jumps above when the argument check fails. @@ -319,7 +309,7 @@ func buildBSTProgram(n *node, rules []RuleSet, program *bpf.ProgramBuilder) erro // Emit matchers. if len(rs.Rules[sysno]) == 0 { // This is a blanket action. - program.AddStmt(bpf.Ret|bpf.K, rs.Action) + program.AddStmt(bpf.Ret|bpf.K, uint32(rs.Action)) emitted = true } else { // Add an argument check for these particular diff --git a/pkg/seccomp/seccomp_test.go b/pkg/seccomp/seccomp_test.go index f2b903e42..11ed90eb4 100644 --- a/pkg/seccomp/seccomp_test.go +++ b/pkg/seccomp/seccomp_test.go @@ -72,12 +72,12 @@ func TestBasic(t *testing.T) { data seccompData // want is the expected return value of the BPF program. - want uint32 + want linux.BPFAction } for _, test := range []struct { ruleSets []RuleSet - defaultAction uint32 + defaultAction linux.BPFAction specs []spec }{ { @@ -357,7 +357,7 @@ func TestBasic(t *testing.T) { t.Errorf("%s: bpf.Exec() got error: %v", spec.desc, err) continue } - if got != spec.want { + if got != uint32(spec.want) { t.Errorf("%s: bpd.Exec() = %d, want: %d", spec.desc, got, spec.want) } } @@ -380,9 +380,9 @@ func TestRandom(t *testing.T) { instrs, err := BuildProgram([]RuleSet{ RuleSet{ Rules: syscallRules, - Action: uint32(linux.SECCOMP_RET_ALLOW), + Action: linux.SECCOMP_RET_ALLOW, }, - }, uint32(linux.SECCOMP_RET_TRAP)) + }, linux.SECCOMP_RET_TRAP) if err != nil { t.Fatalf("buildProgram() got error: %v", err) } @@ -397,11 +397,11 @@ func TestRandom(t *testing.T) { t.Errorf("bpf.Exec() got error: %v, for syscall %d", err, i) continue } - want := uint32(linux.SECCOMP_RET_TRAP) + want := linux.SECCOMP_RET_TRAP if _, ok := syscallRules[uintptr(i)]; ok { want = linux.SECCOMP_RET_ALLOW } - if got != want { + if got != uint32(want) { t.Errorf("bpf.Exec() = %d, want: %d, for syscall %d", got, want, i) } } |