merge branch 'pr-1424'

Update Travis config to use trusty-backports libseccomp
  Add integration tests for multi-argument Seccomp filters
  Vendor updated libseccomp-golang for bugfix

LGTMs: @crosbymichael @cyphar
Closes #1424
This commit is contained in:
Aleksa Sarai 2017-10-16 03:01:37 +11:00
commit 6d30f7a01b
No known key found for this signature in database
GPG Key ID: 9E18AA267DDB8DB4
6 changed files with 273 additions and 134 deletions

View File

@ -20,8 +20,9 @@ env:
- BUILDTAGS="seccomp apparmor selinux ambient" - BUILDTAGS="seccomp apparmor selinux ambient"
before_install: before_install:
- echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
- sudo apt-get -qq update - sudo apt-get -qq update
- sudo apt-get install -y libseccomp-dev libapparmor-dev - sudo apt-get install -y libapparmor-dev libseccomp-dev/trusty-backports
- go get -u github.com/golang/lint/golint - go get -u github.com/golang/lint/golint
- go get -u github.com/vbatts/git-validation - go get -u github.com/vbatts/git-validation
- env | grep TRAVIS_ - env | grep TRAVIS_

View File

@ -217,3 +217,107 @@ func TestSeccompDenyWriteConditional(t *testing.T) {
t.Fatalf("Expected output %s but got %s\n", expected, actual) t.Fatalf("Expected output %s but got %s\n", expected, actual)
} }
} }
func TestSeccompPermitWriteMultipleConditions(t *testing.T) {
if testing.Short() {
return
}
rootfs, err := newRootfs()
if err != nil {
t.Fatal(err)
}
defer remove(rootfs)
config := newTemplateConfig(rootfs)
config.Seccomp = &configs.Seccomp{
DefaultAction: configs.Allow,
Syscalls: []*configs.Syscall{
{
Name: "write",
Action: configs.Errno,
Args: []*configs.Arg{
{
Index: 0,
Value: 2,
Op: configs.EqualTo,
},
{
Index: 2,
Value: 0,
Op: configs.NotEqualTo,
},
},
},
},
}
buffers, exitCode, err := runContainer(config, "", "ls", "/")
if err != nil {
t.Fatalf("%s: %s", buffers, err)
}
if exitCode != 0 {
t.Fatalf("exit code not 0. code %d buffers %s", exitCode, buffers)
}
// We don't need to verify the actual thing printed
// Just that something was written to stdout
if len(buffers.Stdout.String()) == 0 {
t.Fatalf("Nothing was written to stdout, write call failed!\n")
}
}
func TestSeccompDenyWriteMultipleConditions(t *testing.T) {
if testing.Short() {
return
}
// Only test if library version is v2.2.1 or higher
// Conditional filtering will always error in v2.2.0 and lower
major, minor, micro := libseccomp.GetLibraryVersion()
if (major == 2 && minor < 2) || (major == 2 && minor == 2 && micro < 1) {
return
}
rootfs, err := newRootfs()
if err != nil {
t.Fatal(err)
}
defer remove(rootfs)
config := newTemplateConfig(rootfs)
config.Seccomp = &configs.Seccomp{
DefaultAction: configs.Allow,
Syscalls: []*configs.Syscall{
{
Name: "write",
Action: configs.Errno,
Args: []*configs.Arg{
{
Index: 0,
Value: 2,
Op: configs.EqualTo,
},
{
Index: 2,
Value: 0,
Op: configs.NotEqualTo,
},
},
},
},
}
buffers, exitCode, err := runContainer(config, "", "ls", "/does_not_exist")
if err == nil {
t.Fatalf("Expecting error return, instead got 0")
}
if exitCode == 0 {
t.Fatalf("Busybox should fail with negative exit code, instead got %d!", exitCode)
}
expected := ""
actual := strings.Trim(buffers.Stderr.String(), "\n")
if actual != expected {
t.Fatalf("Expected output %s but got %s\n", expected, actual)
}
}

View File

@ -5,7 +5,7 @@ github.com/opencontainers/runtime-spec v1.0.0
# Core libcontainer functionality. # Core libcontainer functionality.
github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08 github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08
github.com/opencontainers/selinux v1.0.0-rc1 github.com/opencontainers/selinux v1.0.0-rc1
github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0 github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f
github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac
github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16 github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
github.com/vishvananda/netlink 1e2e08e8a2dcdacaae3f14ac44c5cfa31361f270 github.com/vishvananda/netlink 1e2e08e8a2dcdacaae3f14ac44c5cfa31361f270

View File

@ -24,3 +24,28 @@ please note that a Google account is not required to subscribe to the mailing
list. list.
-> https://groups.google.com/d/forum/libseccomp -> https://groups.google.com/d/forum/libseccomp
Documentation is also available at:
-> https://godoc.org/github.com/seccomp/libseccomp-golang
* Installing the package
The libseccomp-golang bindings require at least Go v1.2.1 and GCC v4.8.4;
earlier versions may yield unpredictable results. If you meet these
requirements you can install this package using the command below:
$ go get github.com/seccomp/libseccomp-golang
* Testing the Library
A number of tests and lint related recipes are provided in the Makefile, if
you want to run the standard regression tests, you can excute the following:
$ make check
In order to execute the 'make lint' recipe the 'golint' tool is needed, it
can be found at:
-> https://github.com/golang/lint

View File

@ -27,6 +27,28 @@ import "C"
// Exported types // Exported types
// VersionError denotes that the system libseccomp version is incompatible
// with this package.
type VersionError struct {
message string
minimum string
}
func (e VersionError) Error() string {
format := "Libseccomp version too low: "
if e.message != "" {
format += e.message + ": "
}
format += "minimum supported is "
if e.minimum != "" {
format += e.minimum + ": "
} else {
format += "2.2.0: "
}
format += "detected %d.%d.%d"
return fmt.Sprintf(format, verMajor, verMinor, verMicro)
}
// ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a // ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a
// per-architecture basis. // per-architecture basis.
type ScmpArch uint type ScmpArch uint
@ -54,8 +76,8 @@ type ScmpSyscall int32
const ( const (
// Valid architectures recognized by libseccomp // Valid architectures recognized by libseccomp
// ARM64 and all MIPS architectures are unsupported by versions of the // PowerPC and S390(x) architectures are unavailable below library version
// library before v2.2 and will return errors if used // v2.3.0 and will returns errors if used with incompatible libraries
// ArchInvalid is a placeholder to ensure uninitialized ScmpArch // ArchInvalid is a placeholder to ensure uninitialized ScmpArch
// variables are invalid // variables are invalid
@ -151,6 +173,10 @@ const (
// GetArchFromString returns an ScmpArch constant from a string representing an // GetArchFromString returns an ScmpArch constant from a string representing an
// architecture // architecture
func GetArchFromString(arch string) (ScmpArch, error) { func GetArchFromString(arch string) (ScmpArch, error) {
if err := ensureSupportedVersion(); err != nil {
return ArchInvalid, err
}
switch strings.ToLower(arch) { switch strings.ToLower(arch) {
case "x86": case "x86":
return ArchX86, nil return ArchX86, nil
@ -298,7 +324,7 @@ func (a ScmpAction) GetReturnCode() int16 {
// GetLibraryVersion returns the version of the library the bindings are built // GetLibraryVersion returns the version of the library the bindings are built
// against. // against.
// The version is formatted as follows: Major.Minor.Micro // The version is formatted as follows: Major.Minor.Micro
func GetLibraryVersion() (major, minor, micro int) { func GetLibraryVersion() (major, minor, micro uint) {
return verMajor, verMinor, verMicro return verMajor, verMinor, verMicro
} }
@ -338,6 +364,10 @@ func (s ScmpSyscall) GetNameByArch(arch ScmpArch) (string, error) {
// Returns the number of the syscall, or an error if no syscall with that name // Returns the number of the syscall, or an error if no syscall with that name
// was found. // was found.
func GetSyscallFromName(name string) (ScmpSyscall, error) { func GetSyscallFromName(name string) (ScmpSyscall, error) {
if err := ensureSupportedVersion(); err != nil {
return 0, err
}
cString := C.CString(name) cString := C.CString(name)
defer C.free(unsafe.Pointer(cString)) defer C.free(unsafe.Pointer(cString))
@ -355,6 +385,9 @@ func GetSyscallFromName(name string) (ScmpSyscall, error) {
// Returns the number of the syscall, or an error if an invalid architecture is // Returns the number of the syscall, or an error if an invalid architecture is
// passed or a syscall with that name was not found. // passed or a syscall with that name was not found.
func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) { func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) {
if err := ensureSupportedVersion(); err != nil {
return 0, err
}
if err := sanitizeArch(arch); err != nil { if err := sanitizeArch(arch); err != nil {
return 0, err return 0, err
} }
@ -386,6 +419,10 @@ func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) {
func MakeCondition(arg uint, comparison ScmpCompareOp, values ...uint64) (ScmpCondition, error) { func MakeCondition(arg uint, comparison ScmpCompareOp, values ...uint64) (ScmpCondition, error) {
var condStruct ScmpCondition var condStruct ScmpCondition
if err := ensureSupportedVersion(); err != nil {
return condStruct, err
}
if comparison == CompareInvalid { if comparison == CompareInvalid {
return condStruct, fmt.Errorf("invalid comparison operator") return condStruct, fmt.Errorf("invalid comparison operator")
} else if arg > 5 { } else if arg > 5 {
@ -413,6 +450,10 @@ func MakeCondition(arg uint, comparison ScmpCompareOp, values ...uint64) (ScmpCo
// GetNativeArch returns architecture token representing the native kernel // GetNativeArch returns architecture token representing the native kernel
// architecture // architecture
func GetNativeArch() (ScmpArch, error) { func GetNativeArch() (ScmpArch, error) {
if err := ensureSupportedVersion(); err != nil {
return ArchInvalid, err
}
arch := C.seccomp_arch_native() arch := C.seccomp_arch_native()
return archFromNative(arch) return archFromNative(arch)
@ -435,6 +476,10 @@ type ScmpFilter struct {
// Returns a reference to a valid filter context, or nil and an error if the // Returns a reference to a valid filter context, or nil and an error if the
// filter context could not be created or an invalid default action was given. // filter context could not be created or an invalid default action was given.
func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) { func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) {
if err := ensureSupportedVersion(); err != nil {
return nil, err
}
if err := sanitizeAction(defaultAction); err != nil { if err := sanitizeAction(defaultAction); err != nil {
return nil, err return nil, err
} }
@ -449,6 +494,13 @@ func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) {
filter.valid = true filter.valid = true
runtime.SetFinalizer(filter, filterFinalizer) runtime.SetFinalizer(filter, filterFinalizer)
// Enable TSync so all goroutines will receive the same rules
// If the kernel does not support TSYNC, allow us to continue without error
if err := filter.setFilterAttr(filterAttrTsync, 0x1); err != nil && err != syscall.ENOTSUP {
filter.Release()
return nil, fmt.Errorf("could not create filter - error setting tsync bit: %v", err)
}
return filter, nil return filter, nil
} }
@ -505,7 +557,7 @@ func (f *ScmpFilter) Release() {
// The source filter src will be released as part of the process, and will no // The source filter src will be released as part of the process, and will no
// longer be usable or valid after this call. // longer be usable or valid after this call.
// To be merged, filters must NOT share any architectures, and all their // To be merged, filters must NOT share any architectures, and all their
// attributes (Default Action, Bad Arch Action, No New Privs and TSync bools) // attributes (Default Action, Bad Arch Action, and No New Privs bools)
// must match. // must match.
// The filter src will be merged into the filter this is called on. // The filter src will be merged into the filter this is called on.
// The architectures of the src filter not present in the destination, and all // The architectures of the src filter not present in the destination, and all
@ -678,30 +730,6 @@ func (f *ScmpFilter) GetNoNewPrivsBit() (bool, error) {
return true, nil return true, nil
} }
// GetTsyncBit returns whether Thread Synchronization will be enabled on the
// filter being loaded, or an error if an issue was encountered retrieving the
// value.
// Thread Sync ensures that all members of the thread group of the calling
// process will share the same Seccomp filter set.
// Tsync is a fairly recent addition to the Linux kernel and older kernels
// lack support. If the running kernel does not support Tsync and it is
// requested in a filter, Libseccomp will not enable TSync support and will
// proceed as normal.
// This function is unavailable before v2.2 of libseccomp and will return an
// error.
func (f *ScmpFilter) GetTsyncBit() (bool, error) {
tSync, err := f.getFilterAttr(filterAttrTsync)
if err != nil {
return false, err
}
if tSync == 0 {
return false, nil
}
return true, nil
}
// SetBadArchAction sets the default action taken on a syscall for an // SetBadArchAction sets the default action taken on a syscall for an
// architecture not in the filter, or an error if an issue was encountered // architecture not in the filter, or an error if an issue was encountered
// setting the value. // setting the value.
@ -728,27 +756,6 @@ func (f *ScmpFilter) SetNoNewPrivsBit(state bool) error {
return f.setFilterAttr(filterAttrNNP, toSet) return f.setFilterAttr(filterAttrNNP, toSet)
} }
// SetTsync sets whether Thread Synchronization will be enabled on the filter
// being loaded. Returns an error if setting Tsync failed, or the filter is
// invalid.
// Thread Sync ensures that all members of the thread group of the calling
// process will share the same Seccomp filter set.
// Tsync is a fairly recent addition to the Linux kernel and older kernels
// lack support. If the running kernel does not support Tsync and it is
// requested in a filter, Libseccomp will not enable TSync support and will
// proceed as normal.
// This function is unavailable before v2.2 of libseccomp and will return an
// error.
func (f *ScmpFilter) SetTsync(enable bool) error {
var toSet C.uint32_t = 0x0
if enable {
toSet = 0x1
}
return f.setFilterAttr(filterAttrTsync, toSet)
}
// SetSyscallPriority sets a syscall's priority. // SetSyscallPriority sets a syscall's priority.
// This provides a hint to the filter generator in libseccomp about the // This provides a hint to the filter generator in libseccomp about the
// importance of this syscall. High-priority syscalls are placed // importance of this syscall. High-priority syscalls are placed

View File

@ -7,7 +7,6 @@ package seccomp
import ( import (
"fmt" "fmt"
"os"
"syscall" "syscall"
) )
@ -21,43 +20,15 @@ import (
#include <seccomp.h> #include <seccomp.h>
#if SCMP_VER_MAJOR < 2 #if SCMP_VER_MAJOR < 2
#error Minimum supported version of Libseccomp is v2.1.0 #error Minimum supported version of Libseccomp is v2.2.0
#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 1 #elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 2
#error Minimum supported version of Libseccomp is v2.1.0 #error Minimum supported version of Libseccomp is v2.2.0
#endif #endif
#define ARCH_BAD ~0 #define ARCH_BAD ~0
const uint32_t C_ARCH_BAD = ARCH_BAD; const uint32_t C_ARCH_BAD = ARCH_BAD;
#ifndef SCMP_ARCH_AARCH64
#define SCMP_ARCH_AARCH64 ARCH_BAD
#endif
#ifndef SCMP_ARCH_MIPS
#define SCMP_ARCH_MIPS ARCH_BAD
#endif
#ifndef SCMP_ARCH_MIPS64
#define SCMP_ARCH_MIPS64 ARCH_BAD
#endif
#ifndef SCMP_ARCH_MIPS64N32
#define SCMP_ARCH_MIPS64N32 ARCH_BAD
#endif
#ifndef SCMP_ARCH_MIPSEL
#define SCMP_ARCH_MIPSEL ARCH_BAD
#endif
#ifndef SCMP_ARCH_MIPSEL64
#define SCMP_ARCH_MIPSEL64 ARCH_BAD
#endif
#ifndef SCMP_ARCH_MIPSEL64N32
#define SCMP_ARCH_MIPSEL64N32 ARCH_BAD
#endif
#ifndef SCMP_ARCH_PPC #ifndef SCMP_ARCH_PPC
#define SCMP_ARCH_PPC ARCH_BAD #define SCMP_ARCH_PPC ARCH_BAD
#endif #endif
@ -102,12 +73,6 @@ const uint32_t C_ACT_ERRNO = SCMP_ACT_ERRNO(0);
const uint32_t C_ACT_TRACE = SCMP_ACT_TRACE(0); const uint32_t C_ACT_TRACE = SCMP_ACT_TRACE(0);
const uint32_t C_ACT_ALLOW = SCMP_ACT_ALLOW; const uint32_t C_ACT_ALLOW = SCMP_ACT_ALLOW;
// If TSync is not supported, make sure it doesn't map to a supported filter attribute
// Don't worry about major version < 2, the minimum version checks should catch that case
#if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 2
#define SCMP_FLTATR_CTL_TSYNC _SCMP_CMP_MIN
#endif
const uint32_t C_ATTRIBUTE_DEFAULT = (uint32_t)SCMP_FLTATR_ACT_DEFAULT; const uint32_t C_ATTRIBUTE_DEFAULT = (uint32_t)SCMP_FLTATR_ACT_DEFAULT;
const uint32_t C_ATTRIBUTE_BADARCH = (uint32_t)SCMP_FLTATR_ACT_BADARCH; const uint32_t C_ATTRIBUTE_BADARCH = (uint32_t)SCMP_FLTATR_ACT_BADARCH;
const uint32_t C_ATTRIBUTE_NNP = (uint32_t)SCMP_FLTATR_CTL_NNP; const uint32_t C_ATTRIBUTE_NNP = (uint32_t)SCMP_FLTATR_CTL_NNP;
@ -125,25 +90,61 @@ const int C_VERSION_MAJOR = SCMP_VER_MAJOR;
const int C_VERSION_MINOR = SCMP_VER_MINOR; const int C_VERSION_MINOR = SCMP_VER_MINOR;
const int C_VERSION_MICRO = SCMP_VER_MICRO; const int C_VERSION_MICRO = SCMP_VER_MICRO;
#if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 3
unsigned int get_major_version()
{
return seccomp_version()->major;
}
unsigned int get_minor_version()
{
return seccomp_version()->minor;
}
unsigned int get_micro_version()
{
return seccomp_version()->micro;
}
#else
unsigned int get_major_version()
{
return (unsigned int)C_VERSION_MAJOR;
}
unsigned int get_minor_version()
{
return (unsigned int)C_VERSION_MINOR;
}
unsigned int get_micro_version()
{
return (unsigned int)C_VERSION_MICRO;
}
#endif
typedef struct scmp_arg_cmp* scmp_cast_t; typedef struct scmp_arg_cmp* scmp_cast_t;
// Wrapper to create an scmp_arg_cmp struct void* make_arg_cmp_array(unsigned int length)
void* {
make_struct_arg_cmp( return calloc(length, sizeof(struct scmp_arg_cmp));
}
// Wrapper to add an scmp_arg_cmp struct to an existing arg_cmp array
void add_struct_arg_cmp(
struct scmp_arg_cmp* arr,
unsigned int pos,
unsigned int arg, unsigned int arg,
int compare, int compare,
uint64_t a, uint64_t a,
uint64_t b uint64_t b
) )
{ {
struct scmp_arg_cmp *s = malloc(sizeof(struct scmp_arg_cmp)); arr[pos].arg = arg;
arr[pos].op = compare;
arr[pos].datum_a = a;
arr[pos].datum_b = b;
s->arg = arg; return;
s->op = compare;
s->datum_a = a;
s->datum_b = b;
return s;
} }
*/ */
import "C" import "C"
@ -178,26 +179,26 @@ var (
// Error thrown on bad filter context // Error thrown on bad filter context
errBadFilter = fmt.Errorf("filter is invalid or uninitialized") errBadFilter = fmt.Errorf("filter is invalid or uninitialized")
// Constants representing library major, minor, and micro versions // Constants representing library major, minor, and micro versions
verMajor = int(C.C_VERSION_MAJOR) verMajor = uint(C.get_major_version())
verMinor = int(C.C_VERSION_MINOR) verMinor = uint(C.get_minor_version())
verMicro = int(C.C_VERSION_MICRO) verMicro = uint(C.get_micro_version())
) )
// Nonexported functions // Nonexported functions
// Check if library version is greater than or equal to the given one // Check if library version is greater than or equal to the given one
func checkVersionAbove(major, minor, micro int) bool { func checkVersionAbove(major, minor, micro uint) bool {
return (verMajor > major) || return (verMajor > major) ||
(verMajor == major && verMinor > minor) || (verMajor == major && verMinor > minor) ||
(verMajor == major && verMinor == minor && verMicro >= micro) (verMajor == major && verMinor == minor && verMicro >= micro)
} }
// Init function: Verify library version is appropriate // Ensure that the library is supported, i.e. >= 2.2.0.
func init() { func ensureSupportedVersion() error {
if !checkVersionAbove(2, 1, 0) { if !checkVersionAbove(2, 2, 0) {
fmt.Fprintf(os.Stderr, "Libseccomp version too low: minimum supported is 2.1.0, detected %d.%d.%d", C.C_VERSION_MAJOR, C.C_VERSION_MINOR, C.C_VERSION_MICRO) return VersionError{}
os.Exit(-1)
} }
return nil
} }
// Filter helpers // Filter helpers
@ -216,10 +217,6 @@ func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) {
return 0x0, errBadFilter return 0x0, errBadFilter
} }
if !checkVersionAbove(2, 2, 0) && attr == filterAttrTsync {
return 0x0, fmt.Errorf("the thread synchronization attribute is not supported in this version of the library")
}
var attribute C.uint32_t var attribute C.uint32_t
retCode := C.seccomp_attr_get(f.filterCtx, attr.toNative(), &attribute) retCode := C.seccomp_attr_get(f.filterCtx, attr.toNative(), &attribute)
@ -239,10 +236,6 @@ func (f *ScmpFilter) setFilterAttr(attr scmpFilterAttr, value C.uint32_t) error
return errBadFilter return errBadFilter
} }
if !checkVersionAbove(2, 2, 0) && attr == filterAttrTsync {
return fmt.Errorf("the thread synchronization attribute is not supported in this version of the library")
}
retCode := C.seccomp_attr_set(f.filterCtx, attr.toNative(), value) retCode := C.seccomp_attr_set(f.filterCtx, attr.toNative(), value)
if retCode != 0 { if retCode != 0 {
return syscall.Errno(-1 * retCode) return syscall.Errno(-1 * retCode)
@ -254,12 +247,9 @@ func (f *ScmpFilter) setFilterAttr(attr scmpFilterAttr, value C.uint32_t) error
// DOES NOT LOCK OR CHECK VALIDITY // DOES NOT LOCK OR CHECK VALIDITY
// Assumes caller has already done this // Assumes caller has already done this
// Wrapper for seccomp_rule_add_... functions // Wrapper for seccomp_rule_add_... functions
func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact bool, cond C.scmp_cast_t) error { func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact bool, length C.uint, cond C.scmp_cast_t) error {
var length C.uint if length != 0 && cond == nil {
if cond != nil { return fmt.Errorf("null conditions list, but length is nonzero")
length = 1
} else {
length = 0
} }
var retCode C.int var retCode C.int
@ -273,6 +263,8 @@ func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact b
return fmt.Errorf("unrecognized syscall") return fmt.Errorf("unrecognized syscall")
} else if syscall.Errno(-1*retCode) == syscall.EPERM { } else if syscall.Errno(-1*retCode) == syscall.EPERM {
return fmt.Errorf("requested action matches default action of filter") return fmt.Errorf("requested action matches default action of filter")
} else if syscall.Errno(-1*retCode) == syscall.EINVAL {
return fmt.Errorf("two checks on same syscall argument")
} else if retCode != 0 { } else if retCode != 0 {
return syscall.Errno(-1 * retCode) return syscall.Errno(-1 * retCode)
} }
@ -290,24 +282,34 @@ func (f *ScmpFilter) addRuleGeneric(call ScmpSyscall, action ScmpAction, exact b
} }
if len(conds) == 0 { if len(conds) == 0 {
if err := f.addRuleWrapper(call, action, exact, nil); err != nil { if err := f.addRuleWrapper(call, action, exact, 0, nil); err != nil {
return err return err
} }
} else { } else {
// We don't support conditional filtering in library version v2.1 // We don't support conditional filtering in library version v2.1
if !checkVersionAbove(2, 2, 1) { if !checkVersionAbove(2, 2, 1) {
return fmt.Errorf("conditional filtering requires libseccomp version >= 2.2.1") return VersionError{
message: "conditional filtering is not supported",
minimum: "2.2.1",
}
} }
for _, cond := range conds { argsArr := C.make_arg_cmp_array(C.uint(len(conds)))
cmpStruct := C.make_struct_arg_cmp(C.uint(cond.Argument), cond.Op.toNative(), C.uint64_t(cond.Operand1), C.uint64_t(cond.Operand2)) if argsArr == nil {
defer C.free(cmpStruct) return fmt.Errorf("error allocating memory for conditions")
}
defer C.free(argsArr)
if err := f.addRuleWrapper(call, action, exact, C.scmp_cast_t(cmpStruct)); err != nil { for i, cond := range conds {
C.add_struct_arg_cmp(C.scmp_cast_t(argsArr), C.uint(i),
C.uint(cond.Argument), cond.Op.toNative(),
C.uint64_t(cond.Operand1), C.uint64_t(cond.Operand2))
}
if err := f.addRuleWrapper(call, action, exact, C.uint(len(conds)), C.scmp_cast_t(argsArr)); err != nil {
return err return err
} }
} }
}
return nil return nil
} }