summaryrefslogtreecommitdiffhomepage
path: root/pkg/seccomp
diff options
context:
space:
mode:
authorFabricio Voznika <fvoznika@google.com>2018-12-18 10:27:16 -0800
committerShentubot <shentubot@google.com>2018-12-18 10:28:28 -0800
commit03226cd95055aee73d4e4dfcb4954490b4fd8a2d (patch)
tree8d7fad1c742f44825746e55f5f3c2ef8a9ee65b2 /pkg/seccomp
parente7b47844d969673cec06ea745d577155131ecf3b (diff)
Add BPFAction type with Stringer
PiperOrigin-RevId: 226018694 Change-Id: I98965e26fe565f37e98e5df5f997363ab273c91b
Diffstat (limited to 'pkg/seccomp')
-rw-r--r--pkg/seccomp/seccomp.go32
-rw-r--r--pkg/seccomp/seccomp_test.go14
2 files changed, 18 insertions, 28 deletions
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
index 9d714d02d..ba2955752 100644
--- a/pkg/seccomp/seccomp.go
+++ b/pkg/seccomp/seccomp.go
@@ -33,16 +33,6 @@ const (
defaultLabel = "default_action"
)
-func actionName(a uint32) string {
- switch a {
- case linux.SECCOMP_RET_KILL_PROCESS:
- return "kill process"
- case linux.SECCOMP_RET_TRAP:
- return "trap"
- }
- panic(fmt.Sprintf("invalid action: %d", a))
-}
-
// Install generates BPF code based on the set of syscalls provided. It only
// allows syscalls that conform to the specification. Syscalls that violate the
// specification will trigger RET_KILL_PROCESS, except for the cases below.
@@ -67,12 +57,12 @@ func Install(rules SyscallRules) error {
// Uncomment to get stack trace when there is a violation.
// defaultAction = uint32(linux.SECCOMP_RET_TRAP)
- log.Infof("Installing seccomp filters for %d syscalls (action=%s)", len(rules), actionName(defaultAction))
+ log.Infof("Installing seccomp filters for %d syscalls (action=%v)", len(rules), defaultAction)
instrs, err := BuildProgram([]RuleSet{
RuleSet{
Rules: rules,
- Action: uint32(linux.SECCOMP_RET_ALLOW),
+ Action: linux.SECCOMP_RET_ALLOW,
},
}, defaultAction)
if log.IsLogging(log.Debug) {
@@ -95,21 +85,21 @@ func Install(rules SyscallRules) error {
return nil
}
-func defaultAction() (uint32, error) {
+func defaultAction() (linux.BPFAction, error) {
available, err := isKillProcessAvailable()
if err != nil {
return 0, err
}
if available {
- return uint32(linux.SECCOMP_RET_KILL_PROCESS), nil
+ return linux.SECCOMP_RET_KILL_PROCESS, nil
}
- return uint32(linux.SECCOMP_RET_TRAP), nil
+ return linux.SECCOMP_RET_TRAP, nil
}
// RuleSet is a set of rules and associated action.
type RuleSet struct {
Rules SyscallRules
- Action uint32
+ Action linux.BPFAction
// Vsyscall indicates that a check is made for a function being called
// from kernel mappings. This is where the vsyscall page is located
@@ -127,7 +117,7 @@ var SyscallName = func(sysno uintptr) string {
// BuildProgram builds a BPF program from the given map of actions to matching
// SyscallRules. The single generated program covers all provided RuleSets.
-func BuildProgram(rules []RuleSet, defaultAction uint32) ([]linux.BPFInstruction, error) {
+func BuildProgram(rules []RuleSet, defaultAction linux.BPFAction) ([]linux.BPFInstruction, error) {
program := bpf.NewProgramBuilder()
// Be paranoid and check that syscall is done in the expected architecture.
@@ -147,7 +137,7 @@ func BuildProgram(rules []RuleSet, defaultAction uint32) ([]linux.BPFInstruction
if err := program.AddLabel(defaultLabel); err != nil {
return nil, err
}
- program.AddStmt(bpf.Ret|bpf.K, defaultAction)
+ program.AddStmt(bpf.Ret|bpf.K, uint32(defaultAction))
return program.Instructions()
}
@@ -217,7 +207,7 @@ func checkArgsLabel(sysno uintptr) string {
// not insert a jump to the default action at the end and it is the
// responsibility of the caller to insert an appropriate jump after calling
// this function.
-func addSyscallArgsCheck(p *bpf.ProgramBuilder, rules []Rule, action uint32, ruleSetIdx int, sysno uintptr) error {
+func addSyscallArgsCheck(p *bpf.ProgramBuilder, rules []Rule, action linux.BPFAction, ruleSetIdx int, sysno uintptr) error {
for ruleidx, rule := range rules {
labelled := false
for i, arg := range rule {
@@ -240,7 +230,7 @@ func addSyscallArgsCheck(p *bpf.ProgramBuilder, rules []Rule, action uint32, rul
}
// Matched, emit the given action.
- p.AddStmt(bpf.Ret|bpf.K, action)
+ p.AddStmt(bpf.Ret|bpf.K, uint32(action))
// Label the end of the rule if necessary. This is added for
// the jumps above when the argument check fails.
@@ -319,7 +309,7 @@ func buildBSTProgram(n *node, rules []RuleSet, program *bpf.ProgramBuilder) erro
// Emit matchers.
if len(rs.Rules[sysno]) == 0 {
// This is a blanket action.
- program.AddStmt(bpf.Ret|bpf.K, rs.Action)
+ program.AddStmt(bpf.Ret|bpf.K, uint32(rs.Action))
emitted = true
} else {
// Add an argument check for these particular
diff --git a/pkg/seccomp/seccomp_test.go b/pkg/seccomp/seccomp_test.go
index f2b903e42..11ed90eb4 100644
--- a/pkg/seccomp/seccomp_test.go
+++ b/pkg/seccomp/seccomp_test.go
@@ -72,12 +72,12 @@ func TestBasic(t *testing.T) {
data seccompData
// want is the expected return value of the BPF program.
- want uint32
+ want linux.BPFAction
}
for _, test := range []struct {
ruleSets []RuleSet
- defaultAction uint32
+ defaultAction linux.BPFAction
specs []spec
}{
{
@@ -357,7 +357,7 @@ func TestBasic(t *testing.T) {
t.Errorf("%s: bpf.Exec() got error: %v", spec.desc, err)
continue
}
- if got != spec.want {
+ if got != uint32(spec.want) {
t.Errorf("%s: bpd.Exec() = %d, want: %d", spec.desc, got, spec.want)
}
}
@@ -380,9 +380,9 @@ func TestRandom(t *testing.T) {
instrs, err := BuildProgram([]RuleSet{
RuleSet{
Rules: syscallRules,
- Action: uint32(linux.SECCOMP_RET_ALLOW),
+ Action: linux.SECCOMP_RET_ALLOW,
},
- }, uint32(linux.SECCOMP_RET_TRAP))
+ }, linux.SECCOMP_RET_TRAP)
if err != nil {
t.Fatalf("buildProgram() got error: %v", err)
}
@@ -397,11 +397,11 @@ func TestRandom(t *testing.T) {
t.Errorf("bpf.Exec() got error: %v, for syscall %d", err, i)
continue
}
- want := uint32(linux.SECCOMP_RET_TRAP)
+ want := linux.SECCOMP_RET_TRAP
if _, ok := syscallRules[uintptr(i)]; ok {
want = linux.SECCOMP_RET_ALLOW
}
- if got != want {
+ if got != uint32(want) {
t.Errorf("bpf.Exec() = %d, want: %d, for syscall %d", got, want, i)
}
}