path: root/pkg/sentry/seccheck/seccheck_fieldenum.go
authorgVisor bot <gvisor-bot@google.com>2021-09-23 01:16:29 +0000
committergVisor bot <gvisor-bot@google.com>2021-09-23 01:16:29 +0000
commit827f5afc4abe3bf3f3e65e5bf9f2cba4b181bdc1 (patch)
tree5c169872416372c5db9dff377fe0e97f4beaac8a /pkg/sentry/seccheck/seccheck_fieldenum.go
parentcb622a5dede506f187da67ba184ac09f8be95097 (diff)
parentde750eb1d3ef2c8c60274c62c4463392b29b45c7 (diff)
Merge release-20210921.0-13-gde750eb1d (automated)
Diffstat (limited to 'pkg/sentry/seccheck/seccheck_fieldenum.go')
-rw-r--r--pkg/sentry/seccheck/seccheck_fieldenum.go133
1 files changed, 133 insertions, 0 deletions
diff --git a/pkg/sentry/seccheck/seccheck_fieldenum.go b/pkg/sentry/seccheck/seccheck_fieldenum.go
index b193b2973..4e2f691e8 100644
--- a/pkg/sentry/seccheck/seccheck_fieldenum.go
+++ b/pkg/sentry/seccheck/seccheck_fieldenum.go
@@ -67,6 +67,139 @@ func (fs *CloneFieldSet) AddFieldsLoadable(fields CloneFields) {
}
}
+// A ExecveField represents a field in ExecveInfo.
+type ExecveField uint
+
+// ExecveFieldX represents ExecveInfo field X.
+const (
+ ExecveFieldCredentials ExecveField = iota
+ ExecveFieldBinaryPath
+ ExecveFieldArgv
+ ExecveFieldEnv
+ ExecveFieldBinaryMode
+ ExecveFieldBinarySHA256
+)
+
+// ExecveFields represents a set of fields in ExecveInfo in a literal-friendly form.
+// The zero value of ExecveFields represents an empty set.
+type ExecveFields struct {
+ Invoker TaskFields
+ Credentials bool
+ BinaryPath bool
+ Argv bool
+ Env bool
+ BinaryMode bool
+ BinarySHA256 bool
+}
+
+// ExecveFieldSet represents a set of fields in ExecveInfo in a compact form.
+// The zero value of ExecveFieldSet represents an empty set.
+type ExecveFieldSet struct {
+ Invoker TaskFieldSet
+ fields [1]uint32
+}
+
+// Contains returns true if f is present in the ExecveFieldSet.
+func (fs ExecveFieldSet) Contains(f ExecveField) bool {
+ return fs.fields[0] & (uint32(1) << uint(f)) != 0
+}
+
+// Add adds f to the ExecveFieldSet.
+func (fs *ExecveFieldSet) Add(f ExecveField) {
+ fs.fields[0] |= uint32(1) << uint(f)
+}
+
+// Remove removes f from the ExecveFieldSet.
+func (fs *ExecveFieldSet) Remove(f ExecveField) {
+ fs.fields[0] &^= uint32(1) << uint(f)
+}
+
+// Load returns a copy of the ExecveFieldSet.
+// Load is safe to call concurrently with AddFieldsLoadable, but not Add or Remove.
+func (fs *ExecveFieldSet) Load() (copied ExecveFieldSet) {
+ copied.Invoker = fs.Invoker.Load()
+ copied.fields[0] = atomic.LoadUint32(&fs.fields[0])
+ return
+}
+
+// AddFieldsLoadable adds the given fields to the ExecveFieldSet.
+// AddFieldsLoadable is safe to call concurrently with Load, but not other methods (including other calls to AddFieldsLoadable).
+func (fs *ExecveFieldSet) AddFieldsLoadable(fields ExecveFields) {
+ fs.Invoker.AddFieldsLoadable(fields.Invoker)
+ if fields.Credentials {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldCredentials)))
+ }
+ if fields.BinaryPath {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldBinaryPath)))
+ }
+ if fields.Argv {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldArgv)))
+ }
+ if fields.Env {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldEnv)))
+ }
+ if fields.BinaryMode {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldBinaryMode)))
+ }
+ if fields.BinarySHA256 {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldBinarySHA256)))
+ }
+}
+
+// A ExitNotifyParentField represents a field in ExitNotifyParentInfo.
+type ExitNotifyParentField uint
+
+// ExitNotifyParentFieldX represents ExitNotifyParentInfo field X.
+const (
+ ExitNotifyParentFieldExitStatus ExitNotifyParentField = iota
+)
+
+// ExitNotifyParentFields represents a set of fields in ExitNotifyParentInfo in a literal-friendly form.
+// The zero value of ExitNotifyParentFields represents an empty set.
+type ExitNotifyParentFields struct {
+ Exiter TaskFields
+ ExitStatus bool
+}
+
+// ExitNotifyParentFieldSet represents a set of fields in ExitNotifyParentInfo in a compact form.
+// The zero value of ExitNotifyParentFieldSet represents an empty set.
+type ExitNotifyParentFieldSet struct {
+ Exiter TaskFieldSet
+ fields [1]uint32
+}
+
+// Contains returns true if f is present in the ExitNotifyParentFieldSet.
+func (fs ExitNotifyParentFieldSet) Contains(f ExitNotifyParentField) bool {
+ return fs.fields[0] & (uint32(1) << uint(f)) != 0
+}
+
+// Add adds f to the ExitNotifyParentFieldSet.
+func (fs *ExitNotifyParentFieldSet) Add(f ExitNotifyParentField) {
+ fs.fields[0] |= uint32(1) << uint(f)
+}
+
+// Remove removes f from the ExitNotifyParentFieldSet.
+func (fs *ExitNotifyParentFieldSet) Remove(f ExitNotifyParentField) {
+ fs.fields[0] &^= uint32(1) << uint(f)
+}
+
+// Load returns a copy of the ExitNotifyParentFieldSet.
+// Load is safe to call concurrently with AddFieldsLoadable, but not Add or Remove.
+func (fs *ExitNotifyParentFieldSet) Load() (copied ExitNotifyParentFieldSet) {
+ copied.Exiter = fs.Exiter.Load()
+ copied.fields[0] = atomic.LoadUint32(&fs.fields[0])
+ return
+}
+
+// AddFieldsLoadable adds the given fields to the ExitNotifyParentFieldSet.
+// AddFieldsLoadable is safe to call concurrently with Load, but not other methods (including other calls to AddFieldsLoadable).
+func (fs *ExitNotifyParentFieldSet) AddFieldsLoadable(fields ExitNotifyParentFields) {
+ fs.Exiter.AddFieldsLoadable(fields.Exiter)
+ if fields.ExitStatus {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExitNotifyParentFieldExitStatus)))
+ }
+}
+
// A TaskField represents a field in TaskInfo.
type TaskField uint
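Review bot: In ExecveFieldSet.AddFieldsLoadable (and the ExitNotifyParent variant) each enabled field does its own read-modify-write, `atomic.StoreUint32(&fs.fields[0], fs.fields[0] | ...)`, where the read of `fs.fields[0]` is a plain load and only the store is atomic; that is sound under the stated contract (a single caller, concurrent only with Load), but it is the kind of line a later reader will flag as a race, and six separate stores publish a partially-updated mask to concurrent Load callers. Accumulating the bits into a local and issuing one store both documents the single-writer assumption and makes the update visible all at once. The uniform shape and the `_fieldenum.go` name suggest this file is generated, so the change presumably belongs in the generator rather than here. A related caveat worth a comment on `fields [1]uint32`: Go defines `uint32(1) << n` as 0 for n >= 32, so any ExecveField beyond index 31 would be silently dropped by Add and never found by Contains; with six fields that is not reachable today, but the array size should be derived from the field count, e.g. `// fields has room for 32 ExecveField values; the generator must grow it before adding a 33rd`.

```go
func (fs *ExecveFieldSet) AddFieldsLoadable(fields ExecveFields) {
	fs.Invoker.AddFieldsLoadable(fields.Invoker)
	// Single writer by contract: build the mask locally, publish it once so
	// concurrent Load callers never observe a half-applied set.
	var mask uint32
	if fields.Credentials {
		mask |= uint32(1) << uint(ExecveFieldCredentials)
	}
	// … unchanged shape for BinaryPath, Argv, Env, BinaryMode, BinarySHA256 …
	if mask != 0 {
		atomic.StoreUint32(&fs.fields[0], fs.fields[0]|mask)
	}
}
```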