#include "bpf-helper.h"
-int bpf_resolve_jumps(struct bpf_labels *labels,
- struct sock_filter *filter, size_t count)
+int bpf_resolve_jumps(struct bpf_labels *labels, struct sock_filter *filter, size_t count)
{
struct sock_filter *begin = filter;
__u8 insn = count - 1;
if (count < 1)
return -1;
/*
- * Walk it once, backwards, to build the label table and do fixups.
- * Since backward jumps are disallowed by BPF, this is easy.
- */
+ * Walk it once, backwards, to build the label table and do fixups.
+ * Since backward jumps are disallowed by BPF, this is easy.
+ */
filter += insn;
for (; filter >= begin; --insn, --filter) {
- if (filter->code != (BPF_JMP+BPF_JA))
+ if (filter->code != (BPF_JMP + BPF_JA))
continue;
- switch ((filter->jt<<8)|filter->jf) {
- case (JUMP_JT<<8)|JUMP_JF:
+ switch ((filter->jt << 8) | filter->jf) {
+ case (JUMP_JT << 8) | JUMP_JF:
if (labels->labels[filter->k].location == 0xffffffff) {
- fprintf(stderr, "Unresolved label: '%s'\n",
- labels->labels[filter->k].label);
+ fprintf(stderr, "Unresolved label: '%s'\n", labels->labels[filter->k].label);
return 1;
}
- filter->k = labels->labels[filter->k].location -
- (insn + 1);
+ filter->k = labels->labels[filter->k].location - (insn + 1);
filter->jt = 0;
filter->jf = 0;
continue;
- case (LABEL_JT<<8)|LABEL_JF:
+ case (LABEL_JT << 8) | LABEL_JF:
if (labels->labels[filter->k].location != 0xffffffff) {
- fprintf(stderr, "Duplicate label use: '%s'\n",
- labels->labels[filter->k].label);
+ fprintf(stderr, "Duplicate label use: '%s'\n", labels->labels[filter->k].label);
return 1;
}
labels->labels[filter->k].location = insn;
- filter->k = 0; /* fall through */
+ filter->k = 0; /* fall through */
filter->jt = 0;
filter->jf = 0;
continue;
}
/* Simple lookup table for labels. */
-__u32 seccomp_bpf_label(struct bpf_labels *labels, const char *label)
+__u32 seccomp_bpf_label(struct bpf_labels * labels, const char *label)
{
struct __bpf_label *begin = labels->labels, *end;
int id;
void seccomp_bpf_print(struct sock_filter *filter, size_t count)
{
struct sock_filter *end = filter + count;
- for ( ; filter < end; ++filter)
- printf("{ code=%u,jt=%u,jf=%u,k=%u },\n",
- filter->code, filter->jt, filter->jf, filter->k);
+ for (; filter < end; ++filter)
+ printf("{ code=%u,jt=%u,jf=%u,k=%u },\n", filter->code, filter->jt, filter->jf, filter->k);
}
#include <asm/bitsperlong.h> /* for __BITS_PER_LONG */
#include <endian.h>
+#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h> /* for seccomp_data */
#include <linux/types.h>
} labels[BPF_LABELS_MAX];
};
-int bpf_resolve_jumps(struct bpf_labels *labels,
- struct sock_filter *filter, size_t count);
+int bpf_resolve_jumps(struct bpf_labels *labels, struct sock_filter *filter, size_t count);
__u32 seccomp_bpf_label(struct bpf_labels *labels, const char *label);
void seccomp_bpf_print(struct sock_filter *filter, size_t count);
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
#define DENY \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+#define ERRNO(val) \
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | (val & SECCOMP_RET_DATA))
+
#define JUMP(labels, label) \
BPF_JUMP(BPF_JMP+BPF_JA, FIND_LABEL((labels), (label)), \
JUMP_JT, JUMP_JF)
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(idx)), \
BPF_STMT(BPF_ST, 0), /* lo -> M[0] */ \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, HI_ARG(idx)), \
- BPF_STMT(BPF_ST, 1) /* hi -> M[1] */
+ BPF_STMT(BPF_ST, 1) /* hi -> M[1] */
#define JEQ32(value, jt) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (value), 0, 1), \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (lo), 0, 2), \
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
+ BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
#define JNE64(lo, hi, jt) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (hi), 5, 0), \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (lo), 2, 0), \
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
+ BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
#define JA32(value, jt) \
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, (value), 0, 1), \
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, (lo), 0, 2), \
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
+ BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
#define JGE32(value, jt) \
BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (value), 0, 1), \
BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (lo), 0, 2), \
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
+ BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
#define JLT64(lo, hi, jt) \
BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (hi), 0, 4), \
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (lo), 2, 0), \
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
+ BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
#define JGT32(value, jt) \
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (value), 0, 1), \
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (lo), 0, 2), \
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
+ BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
#define JLE64(lo, hi, jt) \
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (hi), 6, 0), \
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (lo), 2, 0), \
BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
+ BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
#define LOAD_SYSCALL_NR \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
offsetof(struct seccomp_data, nr))
-#endif /* __BPF_HELPER_H__ */
+#define LOAD_ARCH \
+ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, \
+ offsetof(struct seccomp_data, arch))
+
+#endif /* __BPF_HELPER_H__ */
projects / platform / upstream / nsjail.git / commitdiff