diff options
| author | Stefano Brivio <sbrivio@redhat.com> | 2021-10-21 01:21:26 +0200 |
|---|---|---|
| committer | Stefano Brivio <sbrivio@redhat.com> | 2021-10-21 01:21:26 +0200 |
| commit | 819d13bb92b8e0430e57039f82b75e982f2a728e (patch) | |
| tree | 9302cd756cec853a59c6bfe40484183ce7294c7c /seccomp.sh | |
| parent | 849308d20716f40452e70a230f3a403ee88b207d (diff) | |
| download | passt-819d13bb92b8e0430e57039f82b75e982f2a728e.tar passt-819d13bb92b8e0430e57039f82b75e982f2a728e.tar.gz passt-819d13bb92b8e0430e57039f82b75e982f2a728e.tar.bz2 passt-819d13bb92b8e0430e57039f82b75e982f2a728e.tar.lz passt-819d13bb92b8e0430e57039f82b75e982f2a728e.tar.xz passt-819d13bb92b8e0430e57039f82b75e982f2a728e.tar.zst passt-819d13bb92b8e0430e57039f82b75e982f2a728e.zip | |
seccomp.sh: Handle missing ausyscall(8) or unknown syscall number
...try sourcing it with the compiler from <sys/syscalls.h> before
giving up.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'seccomp.sh')
| -rwxr-xr-x | seccomp.sh | 29 |
1 files changed, 26 insertions, 3 deletions
@@ -8,7 +8,7 @@ # PASTA - Pack A Subtle Tap Abstraction # for network namespace/tap device mode # -# seccomp.sh - Build seccomp profiles from "#syscalls[:PROFILE]" comments in code +# seccomp.sh - Build seccomp profiles from "#syscalls[:PROFILE]" code comments # # Copyright (c) 2021 Red Hat GmbH # Author: Stefano Brivio <sbrivio@redhat.com> @@ -41,8 +41,15 @@ CALL=' BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, @NR@, @ALLOW@, 0), /* @NAME@ */' # Binary search tree node or leaf, @NR@: value, @R@: right jump, @L@: left jump BST=' BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, @NR@, @R@, @L@),' +# cleanup() - Remove temporary file if it exists +cleanup() { + rm -f "${TMP}" +} +trap "cleanup" EXIT + # sub() - Substitute in-place file line with processed template line # $1: Line number +# $2: Template name (variable name) # $@: Replacement for @KEY@ in the form KEY:value sub() { IFS= @@ -90,6 +97,15 @@ log2() { echo ${__x} } +# cc_syscall_nr - Try to get syscall number from compiler +# $1: Name of syscall +cc_syscall_nr() { + __in="$(printf "#include <sys/syscall.h>\n__NR_%s" ${1})" + __out="$(echo "${__in}" | cc -E -xc - -o - | tail -1)" + [ "${__out}" = "__NR_$1" ] && return 1 + echo "${__out}" +} + # gen_profile() - Build struct sock_filter for a single profile # $1: Profile name # $@: Names of allowed system calls, amount padded to next power of two @@ -106,7 +122,14 @@ gen_profile() { echo -1 >> "${TMP}" done for __i in $(seq 1 ${__statements_calls} ); do - ausyscall $(eval echo \${${__i}}) --exact >> "${TMP}" + __syscall_name="$(eval echo \${${__i}})" + if { ! command -V ausyscall >/dev/null 2>&1 || \ + ! ausyscall "${__syscall_name}" --exact >> "${TMP}"; } && \ + ! cc_syscall_nr "${__syscall_name}" >> "${TMP}"; then + echo "Cannot get syscall number for ${__syscall_name}" + exit 1 + fi + eval __syscall_nr_$(tail -1 "${TMP}")="${__syscall_name}" done sort -go "${TMP}" "${TMP}" @@ -153,7 +176,7 @@ gen_profile() { # Calls for __i in $(seq $(( __statements_bst + 1 )) ${__statements}); do __nr="$(sed -n ${__i}p "${TMP}")" - __name=$(ausyscall ${__nr}) + eval __name="\${__syscall_nr_${__nr}}" __allow=$(( __statements - __i + 1 )) sub ${__i} CALL "NR:${__nr}" "NAME:${__name}" "ALLOW:${__allow}" done |