diff --git a/src/libcrun/seccomp.c b/src/libcrun/seccomp.c index 4b12f22f8d..b484dd165d 100644 --- a/src/libcrun/seccomp.c +++ b/src/libcrun/seccomp.c @@ -102,36 +102,54 @@ syscall_seccomp (unsigned int operation, unsigned int flags, void *args) return (int) syscall (__NR_seccomp, operation, flags, args); } -static unsigned long -get_seccomp_operator (const char *name, libcrun_error_t *err) -{ #ifdef HAVE_SECCOMP +static int +get_seccomp_operator (const char *name, enum scmp_compare *op, libcrun_error_t *err) +{ if (strcmp (name, "SCMP_CMP_NE") == 0) - return SCMP_CMP_NE; - if (strcmp (name, "SCMP_CMP_LT") == 0) - return SCMP_CMP_LT; - if (strcmp (name, "SCMP_CMP_LE") == 0) - return SCMP_CMP_LE; - if (strcmp (name, "SCMP_CMP_EQ") == 0) - return SCMP_CMP_EQ; - if (strcmp (name, "SCMP_CMP_GE") == 0) - return SCMP_CMP_GE; - if (strcmp (name, "SCMP_CMP_GT") == 0) - return SCMP_CMP_GT; - if (strcmp (name, "SCMP_CMP_MASKED_EQ") == 0) - return SCMP_CMP_MASKED_EQ; - - crun_make_error (err, 0, "seccomp get operator `%s`", name); - return 0; -#else - return 0; -#endif + { + *op = SCMP_CMP_NE; + return 0; + } + else if (strcmp (name, "SCMP_CMP_LT") == 0) + { + *op = SCMP_CMP_LT; + return 0; + } + else if (strcmp (name, "SCMP_CMP_LE") == 0) + { + *op = SCMP_CMP_LE; + return 0; + } + else if (strcmp (name, "SCMP_CMP_EQ") == 0) + { + *op = SCMP_CMP_EQ; + return 0; + } + else if (strcmp (name, "SCMP_CMP_GE") == 0) + { + *op = SCMP_CMP_GE; + return 0; + } + else if (strcmp (name, "SCMP_CMP_GT") == 0) + { + *op = SCMP_CMP_GT; + return 0; + } + else if (strcmp (name, "SCMP_CMP_MASKED_EQ") == 0) + { + *op = SCMP_CMP_MASKED_EQ; + return 0; + } + + return crun_make_error (err, 0, "seccomp get operator `%s`", name); } +#endif -static unsigned long long -get_seccomp_action (const char *name, int errno_ret, libcrun_error_t *err) -{ #ifdef HAVE_SECCOMP +static int +get_seccomp_action (const char *name, int errno_ret, uint32_t *action, libcrun_error_t *err) +{ const char *p; p = name; @@ -141,39 +159,63 @@ get_seccomp_action (const char *name, int errno_ret, libcrun_error_t *err) p += 9; if (strcmp (p, "ALLOW") == 0) - return SCMP_ACT_ALLOW; + { + *action = SCMP_ACT_ALLOW; + return 0; + } else if (strcmp (p, "ERRNO") == 0) - return SCMP_ACT_ERRNO (errno_ret); + { + *action = SCMP_ACT_ERRNO (errno_ret); + return 0; + } else if (strcmp (p, "KILL") == 0) - return SCMP_ACT_KILL; + { + *action = SCMP_ACT_KILL; + return 0; + } # ifdef SCMP_ACT_LOG else if (strcmp (p, "LOG") == 0) - return SCMP_ACT_LOG; + { + *action = SCMP_ACT_LOG; + return 0; + } # endif else if (strcmp (p, "TRAP") == 0) - return SCMP_ACT_TRAP; + { + *action = SCMP_ACT_TRAP; + return 0; + } else if (strcmp (p, "TRACE") == 0) - return SCMP_ACT_TRACE (errno_ret); + { + *action = SCMP_ACT_TRACE (errno_ret); + return 0; + } # ifdef SCMP_ACT_KILL_PROCESS else if (strcmp (p, "KILL_PROCESS") == 0) - return SCMP_ACT_KILL_PROCESS; + { + *action = SCMP_ACT_KILL_PROCESS; + return 0; + } # endif # ifdef SCMP_ACT_KILL_THREAD else if (strcmp (p, "KILL_THREAD") == 0) - return SCMP_ACT_KILL_THREAD; + { + *action = SCMP_ACT_KILL_THREAD; + return 0; + } # endif # ifdef SCMP_ACT_NOTIFY else if (strcmp (p, "NOTIFY") == 0) - return SCMP_ACT_NOTIFY; + { + *action = SCMP_ACT_NOTIFY; + return 0; + } # endif fail: - crun_make_error (err, 0, "seccomp get action `%s`", name); - return 0; -#else - return 0; -#endif + return crun_make_error (err, 0, "seccomp get action `%s`", name); } +#endif static void make_lowercase (char *str) @@ -666,7 +708,8 @@ libcrun_generate_seccomp (struct libcrun_seccomp_gen_ctx_s *gen_ctx, libcrun_err int ret; size_t i; cleanup_seccomp scmp_filter_ctx ctx = NULL; - int action, default_action, default_errno_value = EPERM; + int default_errno_value = EPERM; + uint32_t action, default_action; const char *def_action = NULL; /* The bpf filter was loaded from the cache, nothing to do here. */ @@ -696,9 +739,9 @@ libcrun_generate_seccomp (struct libcrun_seccomp_gen_ctx_s *gen_ctx, libcrun_err default_errno_value = seccomp->default_errno_ret; } - default_action = get_seccomp_action (def_action, default_errno_value, err); - if (UNLIKELY (err && *err != NULL)) - return -1; + ret = get_seccomp_action (def_action, default_errno_value, &default_action, err); + if (UNLIKELY (ret < 0)) + return ret; ctx = seccomp_init (default_action); if (ctx == NULL) @@ -741,9 +784,9 @@ libcrun_generate_seccomp (struct libcrun_seccomp_gen_ctx_s *gen_ctx, libcrun_err errno_ret = seccomp->syscalls[i]->errno_ret; } - action = get_seccomp_action (seccomp->syscalls[i]->action, errno_ret, err); - if (UNLIKELY (err && *err != NULL)) - return -1; + ret = get_seccomp_action (seccomp->syscalls[i]->action, errno_ret, &action, err); + if (UNLIKELY (ret < 0)) + return ret; if (action == default_action) continue; @@ -795,9 +838,9 @@ libcrun_generate_seccomp (struct libcrun_seccomp_gen_ctx_s *gen_ctx, libcrun_err char *op = seccomp->syscalls[i]->args[k]->op; arg_cmp[k].arg = seccomp->syscalls[i]->args[k]->index; - arg_cmp[k].op = get_seccomp_operator (op, err); - if (arg_cmp[k].op == 0) - return crun_make_error (err, 0, "get_seccomp_operator"); + ret = get_seccomp_operator (op, &(arg_cmp[k].op), err); + if (UNLIKELY (ret < 0)) + return ret; arg_cmp[k].datum_a = seccomp->syscalls[i]->args[k]->value; arg_cmp[k].datum_b = seccomp->syscalls[i]->args[k]->value_two; }