From: Dmitry V. Levin Date: Thu, 2 Nov 2017 00:21:57 +0000 (+0000) Subject: seccomp: decode SECCOMP_GET_ACTION_AVAIL operation X-Git-Tag: v4.20~25 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5d460ae383b1b8a871eeaddb2e170739a2dda6ba;p=strace seccomp: decode SECCOMP_GET_ACTION_AVAIL operation * defs.h (seccomp_ret_action): New xlat prototype. * seccomp.c (decode_seccomp_set_mode_strict): Remove. (SYS_FUNC(seccomp)): Decode SECCOMP_GET_ACTION_AVAIL operation. * NEWS: Mention this. * tests/seccomp_get_action_avail.c: New file. * tests/gen_tests.in (seccomp_get_action_avail): New entry. * tests/pure_executables.list: Add seccomp_get_action_avail. * tests/.gitignore: Likewise. --- diff --git a/NEWS b/NEWS index 1f3b3972..79b655ba 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,8 @@ Noteworthy changes in release ?.?? (????-??-??) * Improvements * Implemented decoding of NETLINK_NETFILTER netlink message types and flags. + * Implemented decoding of SECCOMP_GET_ACTION_AVAIL operation of seccomp + syscall. * Updated lists of ARPHRD_*, BPF_*, ETH_P_*, LOOP_*, MADV_*, MEMBARRIER_CMD_*, MFD_*, SECCOMP_*, SO_*, SOL_*, TCP_*, and UFFD_FEATURE_* constants. diff --git a/defs.h b/defs.h index 34261f2e..06a4baf6 100644 --- a/defs.h +++ b/defs.h @@ -295,6 +295,7 @@ extern const struct xlat resource_flags[]; extern const struct xlat routing_scopes[]; extern const struct xlat routing_table_ids[]; extern const struct xlat routing_types[]; +extern const struct xlat seccomp_ret_action[]; extern const struct xlat setns_types[]; extern const struct xlat sg_io_info[]; extern const struct xlat socketlayers[]; diff --git a/seccomp.c b/seccomp.c index 6c190844..99597d04 100644 --- a/seccomp.c +++ b/seccomp.c 
@@ -33,29 +33,37 @@ #include "xlat/seccomp_ops.h" #include "xlat/seccomp_filter_flags.h" -static void -decode_seccomp_set_mode_strict(const unsigned int flags, - const kernel_ulong_t addr) -{ - tprintf("%u, ", flags); - printaddr(addr); -} - SYS_FUNC(seccomp) { unsigned int op = tcp->u_arg[0]; + unsigned int flags = tcp->u_arg[1]; + unsigned int act; printxval(seccomp_ops, op, "SECCOMP_SET_MODE_???"); tprints(", "); - if (op == SECCOMP_SET_MODE_FILTER) { - printflags(seccomp_filter_flags, tcp->u_arg[1], + switch (op) { + case SECCOMP_GET_ACTION_AVAIL: + tprintf("%u, ", flags); + if (!umove_or_printaddr(tcp, tcp->u_arg[2], &act)) { + tprints("["); + printxval(seccomp_ret_action, act, "SECCOMP_RET_???"); + tprints("]"); + } + break; + + case SECCOMP_SET_MODE_FILTER: + printflags(seccomp_filter_flags, flags, "SECCOMP_FILTER_FLAG_???"); tprints(", "); decode_seccomp_fprog(tcp, tcp->u_arg[2]); - } else { - decode_seccomp_set_mode_strict(tcp->u_arg[1], - tcp->u_arg[2]); + break; + + case SECCOMP_SET_MODE_STRICT: + default: + tprintf("%u, ", flags); + printaddr(tcp->u_arg[2]); + break; } return RVAL_DECODED; diff --git a/tests/.gitignore b/tests/.gitignore index c9277acb..cd4dcc57 100644 --- a/tests/.gitignore +++ b/tests/.gitignore @@ -359,6 +359,7 @@ scno.h seccomp-filter seccomp-filter-v seccomp-strict +seccomp_get_action_avail select semop sendfile diff --git a/tests/gen_tests.in b/tests/gen_tests.in index 923e4d94..091bbe59 100644 --- a/tests/gen_tests.in +++ b/tests/gen_tests.in @@ -309,6 +309,7 @@ sched_xetscheduler -a22 -e trace=sched_getscheduler,sched_setscheduler sched_yield -a14 seccomp-filter -e trace=seccomp seccomp-filter-v -v -e trace=seccomp +seccomp_get_action_avail -e trace=seccomp select -a36 semop -a32 -e trace=semop,semtimedop sendfile -a27 diff --git a/tests/pure_executables.list b/tests/pure_executables.list index c4384daf..d98b17db 100755 --- a/tests/pure_executables.list +++ b/tests/pure_executables.list 
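Review bot: In the `SECCOMP_GET_ACTION_AVAIL` case, `act` is declared `unsigned int`, while the test added in this same commit allocates the pointed-to object as `uint32_t`. If `umove_or_printaddr` sizes its read from the destination object (its definition is not visible here), the decoder relies on `unsigned int` being exactly 32 bits to match the action word. Declaring it `uint32_t act;` would state that width directly and keep the decoder and its test in agreement. A short comment in that case, e.g. `/* args points to a 32-bit action; the tracer reads it separately from the kernel, so a racing tracee can make the two differ */`, would help readers who use strace output to audit what a sandboxed process requested. The closing brace of `SYS_FUNC(seccomp)` lies outside the hunk.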
@@ -298,6 +298,7 @@ sched_xetparam
 sched_xetscheduler
 sched_yield
 seccomp-filter
+seccomp_get_action_avail
 select
 semop
 sendfile
diff --git a/tests/seccomp_get_action_avail.c b/tests/seccomp_get_action_avail.c
new file mode 100644
index 00000000..ed231e17
--- /dev/null
+++ b/tests/seccomp_get_action_avail.c
@@ -0,0 +1,125 @@
+/*
+ * Check decoding of seccomp SECCOMP_GET_ACTION_AVAIL.
+ *
+ * Copyright (c) 2017 Dmitry V. Levin
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "tests.h"
+#include
+
+#ifdef __NR_seccomp
+
+# include
+# include
+# include
+
+# ifdef HAVE_LINUX_SECCOMP_H
+# include
+# endif
+
+# ifndef SECCOMP_GET_ACTION_AVAIL
+# define SECCOMP_GET_ACTION_AVAIL 2
+# endif
+
+static const char *errstr;
+
+static long
+k_seccomp(const kernel_ulong_t op, const kernel_ulong_t flags,
+ const kernel_ulong_t args)
+{
+ const long rc = syscall(__NR_seccomp, op, flags, args);
+ errstr = sprintrc(rc);
+ return rc;
+}
+
+int
+main(void)
+{
+ TAIL_ALLOC_OBJECT_CONST_PTR(uint32_t, act);
+ kernel_ulong_t op = (kernel_ulong_t) 0xfacefeed00000000ULL
+ | SECCOMP_GET_ACTION_AVAIL;
+ kernel_ulong_t flags = (kernel_ulong_t) 0xdeadbeef00000000ULL;
+ unsigned int i;
+
+ struct {
+ uint32_t val;
+ const char *str;
+ } actions [] = {
+ { 0, "SECCOMP_RET_KILL_THREAD" },
+# ifdef SECCOMP_RET_KILL_PROCESS
+ { ARG_STR(SECCOMP_RET_KILL_PROCESS) },
+# endif
+# ifdef SECCOMP_RET_TRAP
+ { ARG_STR(SECCOMP_RET_TRAP) },
+# endif
+# ifdef SECCOMP_RET_ERRNO
+ { ARG_STR(SECCOMP_RET_ERRNO) },
+# endif
+# ifdef SECCOMP_RET_TRACE
+ { ARG_STR(SECCOMP_RET_TRACE) },
+# endif
+# ifdef SECCOMP_RET_LOG
+ { ARG_STR(SECCOMP_RET_LOG) },
+# endif
+# ifdef SECCOMP_RET_ALLOW
+ { ARG_STR(SECCOMP_RET_ALLOW) },
+# endif
+ { 0xffffffff, "0xffffffff /* SECCOMP_RET_??? */" }
+ };
+
+ for (i = 0; i < ARRAY_SIZE(actions); ++i) {
+ *act = actions[i].val;
+ k_seccomp(op, flags, (uintptr_t) act);
+ printf("seccomp(SECCOMP_GET_ACTION_AVAIL, 0, [%s]) = %s\n",
+ actions[i].str, errstr);
+ }
+
+ *act = actions[0].val;
+
+ k_seccomp(op, flags, (uintptr_t) (act + 1));
+ printf("seccomp(SECCOMP_GET_ACTION_AVAIL, 0, %p) = %s\n",
+ act + 1, errstr);
+
+ if (F8ILL_KULONG_SUPPORTED) {
+ k_seccomp(op, flags, f8ill_ptr_to_kulong(act));
+ printf("seccomp(SECCOMP_GET_ACTION_AVAIL, 0, %#jx) = %s\n",
+ (uintmax_t) f8ill_ptr_to_kulong(act), errstr);
+ }
+
+ flags |= 0xcafef00d;
+ k_seccomp(op, flags, 0);
+ printf("seccomp(SECCOMP_GET_ACTION_AVAIL, %u, NULL) = %s\n",
+ (unsigned int) flags, errstr);
+
+ puts("+++ exited with 0 +++");
+ return 0;
+}
+
+#else
+
+SKIP_MAIN_UNDEFINED("__NR_seccomp")
+
+#endif
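Review bot: Most entries of `actions[]` in `main` are guarded by `#ifdef SECCOMP_RET_*`, so on a build host whose `linux/seccomp.h` is absent or predates some actions the test silently shrinks, in the worst case to just `SECCOMP_RET_KILL_THREAD` and the `0xffffffff` unknown-value case. The file already carries a fallback `#define` for `SECCOMP_GET_ACTION_AVAIL`; giving the `SECCOMP_RET_*` constants the same `#ifndef`/`#define` treatment would keep decoder coverage independent of the installed headers. If that is not wanted, a comment above the array such as `/* entries depend on installed kernel headers; absent ones are not exercised */` would at least make the gap visible to whoever reads a passing result.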