#ifdef HAVE_LINUX_SECCOMP_H
# include <linux/seccomp.h>
#endif
-
-#ifndef SECCOMP_SET_MODE_STRICT
-# define SECCOMP_SET_MODE_STRICT 1
-#endif
-#ifndef SECCOMP_SET_MODE_FILTER
-# define SECCOMP_SET_MODE_FILTER 1
-#endif
#include "xlat/seccomp_ops.h"
-
-#ifndef SECCOMP_FILTER_FLAG_TSYNC
-# define SECCOMP_FILTER_FLAG_TSYNC 1
-#endif
#include "xlat/seccomp_filter_flags.h"
#ifdef HAVE_LINUX_FILTER_H
switch (BPF_CLASS(code)) {
case BPF_LD:
case BPF_LDX:
- tprints(" | ");
+ tprints("|");
printxval(bpf_size, BPF_SIZE(code), "BPF_???");
- tprints(" | ");
+ tprints("|");
printxval(bpf_mode, BPF_MODE(code), "BPF_???");
break;
case BPF_ST:
case BPF_STX:
if (i)
- tprintf(" | %#x /* %s */", i, "BPF_???");
+ tprintf("|%#x /* %s */", i, "BPF_???");
break;
case BPF_ALU:
- tprints(" | ");
+ tprints("|");
printxval(bpf_src, BPF_SRC(code), "BPF_???");
- tprints(" | ");
+ tprints("|");
printxval(bpf_op_alu, BPF_OP(code), "BPF_???");
break;
case BPF_JMP:
- tprints(" | ");
+ tprints("|");
printxval(bpf_src, BPF_SRC(code), "BPF_???");
- tprints(" | ");
+ tprints("|");
printxval(bpf_op_jmp, BPF_OP(code), "BPF_???");
break;
case BPF_RET:
- tprints(" | ");
+ tprints("|");
printxval(bpf_rval, BPF_RVAL(code), "BPF_???");
i &= ~BPF_RVAL(code);
if (i)
- tprintf(" | %#x /* %s */", i, "BPF_???");
+ tprintf("|%#x /* %s */", i, "BPF_???");
break;
case BPF_MISC:
- tprints(" | ");
+ tprints("|");
printxval(bpf_miscop, BPF_MISCOP(code), "BPF_???");
i &= ~BPF_MISCOP(code);
if (i)
- tprintf(" | %#x /* %s */", i, "BPF_???");
+ tprintf("|%#x /* %s */", i, "BPF_???");
break;
}
}
+#endif /* HAVE_LINUX_FILTER_H */
+
static void
decode_bpf_stmt(const struct bpf_filter *filter)
{
printxval(seccomp_ret_action, action, "SECCOMP_RET_???");
if (data)
- tprintf(" | %#x)", data);
+ tprintf("|%#x)", data);
else
tprints(")");
} else {
#endif /* HAVE_LINUX_FILTER_H */
}
-static void
-decode_filter(const struct bpf_filter *filter)
+#ifndef BPF_MAXINSNS
+# define BPF_MAXINSNS 4096
+#endif
+
+static bool
+print_bpf_filter(struct tcb *tcp, void *elem_buf, size_t elem_size, void *data)
{
+ const struct bpf_filter *filter = elem_buf;
+ unsigned int *pn = data;
+
+ if ((*pn)++ >= BPF_MAXINSNS) {
+ tprints("...");
+ return false;
+ }
+
if (filter->jt || filter->jf)
decode_bpf_jump(filter);
else
decode_bpf_stmt(filter);
-}
-
-#endif /* HAVE_LINUX_FILTER_H */
-#ifndef BPF_MAXINSNS
-# define BPF_MAXINSNS 4096
-#endif
+ return true;
+}
-static void
-decode_fprog(struct tcb *tcp, unsigned short len, unsigned long addr)
+void
+print_seccomp_fprog(struct tcb *tcp, unsigned long addr, unsigned short len)
{
- if (!len || abbrev(tcp)) {
- tprintf("{len = %u, filter = %#lx}", len, addr);
+ if (abbrev(tcp)) {
+ printaddr(addr);
} else {
- unsigned int i = 0;
+ unsigned int insns = 0;
+ struct bpf_filter filter;
- tprints("[");
- while (i < len && i < BPF_MAXINSNS) {
- struct bpf_filter filter;
-
- if (umove(tcp, addr, &filter) < 0)
- break;
- if (i)
- tprints(", ");
- decode_filter(&filter);
-
- addr += sizeof(filter);
- ++i;
- }
- if (i < len)
- tprints("...");
- tprints("]");
+ print_array(tcp, addr, len, &filter, sizeof(filter),
+ umoven_or_printaddr, print_bpf_filter, &insns);
}
}
+#include "seccomp_fprog.h"
+
void
print_seccomp_filter(struct tcb *tcp, unsigned long addr)
{
- if (addr) {
-#if SUPPORTED_PERSONALITIES > 1 && SIZEOF_LONG > 4
- if (current_wordsize == 4) {
- struct {
- unsigned short len;
- uint32_t filter;
- } fprog;
- if (umove(tcp, addr, &fprog) < 0)
- tprintf("%#lx", addr);
- else
- decode_fprog(tcp, fprog.len, fprog.filter);
- } else {
-#endif
- struct {
- unsigned short len;
- unsigned long filter;
- } fprog;
- if (umove(tcp, addr, &fprog) < 0)
- tprintf("%#lx", addr);
- else
- decode_fprog(tcp, fprog.len, fprog.filter);
-#if SUPPORTED_PERSONALITIES > 1 && SIZEOF_LONG > 4
- }
-#endif
- } else {
- tprints("NULL");
+ struct seccomp_fprog fprog;
+
+ if (fetch_seccomp_fprog(tcp, addr, &fprog)) {
+ tprintf("{len=%hu, filter=", fprog.len);
+ print_seccomp_fprog(tcp, fprog.filter, fprog.len);
+ tprints("}");
}
}
decode_seccomp_set_mode_strict(unsigned int flags, unsigned long addr)
{
tprintf("%u, ", flags);
- if (addr)
- tprintf("%#lx", addr);
- else
- tprints("NULL");
+ printaddr(addr);
}
-int
-sys_seccomp(struct tcb *tcp)
+SYS_FUNC(seccomp)
{
- if (entering(tcp)) {
- unsigned int op = tcp->u_arg[0];
+ unsigned int op = tcp->u_arg[0];
- printxval(seccomp_ops, op, "SECCOMP_SET_MODE_???");
- tprints(", ");
+ printxval(seccomp_ops, op, "SECCOMP_SET_MODE_???");
+ tprints(", ");
- if (op == SECCOMP_SET_MODE_FILTER) {
- printflags(seccomp_filter_flags, tcp->u_arg[1],
- "SECCOMP_FILTER_FLAG_???");
- tprints(", ");
- print_seccomp_filter(tcp, tcp->u_arg[2]);
- } else {
- decode_seccomp_set_mode_strict(tcp->u_arg[1],
- tcp->u_arg[2]);
- }
+ if (op == SECCOMP_SET_MODE_FILTER) {
+ printflags(seccomp_filter_flags, tcp->u_arg[1],
+ "SECCOMP_FILTER_FLAG_???");
+ tprints(", ");
+ print_seccomp_filter(tcp, tcp->u_arg[2]);
+ } else {
+ decode_seccomp_set_mode_strict(tcp->u_arg[1],
+ tcp->u_arg[2]);
}
- return 0;
+
+ return RVAL_DECODED;
}