seccomp: introduce the GreaterThan rule type
PiperOrigin-RevId: 280075805
parent
3f51bef8cd
commit
ca9cba66d2
|
@ -199,6 +199,10 @@ func ruleViolationLabel(ruleSetIdx int, sysno uintptr, idx int) string {
|
||||||
return fmt.Sprintf("ruleViolation_%v_%v_%v", ruleSetIdx, sysno, idx)
|
return fmt.Sprintf("ruleViolation_%v_%v_%v", ruleSetIdx, sysno, idx)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func ruleLabel(ruleSetIdx int, sysno uintptr, idx int, name string) string {
|
||||||
|
return fmt.Sprintf("rule_%v_%v_%v_%v", ruleSetIdx, sysno, idx, name)
|
||||||
|
}
|
||||||
|
|
||||||
func checkArgsLabel(sysno uintptr) string {
|
func checkArgsLabel(sysno uintptr) string {
|
||||||
return fmt.Sprintf("checkArgs_%v", sysno)
|
return fmt.Sprintf("checkArgs_%v", sysno)
|
||||||
}
|
}
|
||||||
|
@ -223,6 +227,19 @@ func addSyscallArgsCheck(p *bpf.ProgramBuilder, rules []Rule, action linux.BPFAc
|
||||||
p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, seccompDataOffsetArgHigh(i))
|
p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, seccompDataOffsetArgHigh(i))
|
||||||
p.AddJumpFalseLabel(bpf.Jmp|bpf.Jeq|bpf.K, high, 0, ruleViolationLabel(ruleSetIdx, sysno, ruleidx))
|
p.AddJumpFalseLabel(bpf.Jmp|bpf.Jeq|bpf.K, high, 0, ruleViolationLabel(ruleSetIdx, sysno, ruleidx))
|
||||||
labelled = true
|
labelled = true
|
||||||
|
case GreaterThan:
|
||||||
|
labelGood := fmt.Sprintf("gt%v", i)
|
||||||
|
high, low := uint32(a>>32), uint32(a)
|
||||||
|
// assert arg_high < high
|
||||||
|
p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, seccompDataOffsetArgHigh(i))
|
||||||
|
p.AddJumpFalseLabel(bpf.Jmp|bpf.Jge|bpf.K, high, 0, ruleViolationLabel(ruleSetIdx, sysno, ruleidx))
|
||||||
|
// arg_high > high
|
||||||
|
p.AddJumpFalseLabel(bpf.Jmp|bpf.Jeq|bpf.K, high, 0, ruleLabel(ruleSetIdx, sysno, ruleidx, labelGood))
|
||||||
|
// arg_low < low
|
||||||
|
p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, seccompDataOffsetArgLow(i))
|
||||||
|
p.AddJumpFalseLabel(bpf.Jmp|bpf.Jgt|bpf.K, low, 0, ruleViolationLabel(ruleSetIdx, sysno, ruleidx))
|
||||||
|
p.AddLabel(ruleLabel(ruleSetIdx, sysno, ruleidx, labelGood))
|
||||||
|
labelled = true
|
||||||
default:
|
default:
|
||||||
return fmt.Errorf("unknown syscall rule type: %v", reflect.TypeOf(a))
|
return fmt.Errorf("unknown syscall rule type: %v", reflect.TypeOf(a))
|
||||||
}
|
}
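Review bot: The three comments inside the new GreaterThan case (`// assert arg_high < high`, `// arg_high > high`, `// arg_low < low`) state roughly the opposite of what the jumps enforce, which is dangerous in a filter builder where the comment is how the next reader checks the intent. AddJumpFalseLabel falls through when the condition holds and branches to the label when it fails, so the first jump continues only when arg_high >= high (otherwise violation), the second diverts to labelGood when arg_high != high (which after the first check means arg_high > high), and the third keeps going only when arg_low > low, so an equal low word falls into the violation path as intended. The emitted program looks correct to me; I would rewrite the comments to `// arg_high < high: violation`, `// arg_high > high: satisfied regardless of the low word`, and `// arg_high == high: require arg_low > low (equal is a violation)`. It is also worth noting on the case that this is an unsigned 64-bit comparison, so a negative argument such as -1 is 0xffffffffffffffff and satisfies GreaterThan(0). The enclosing switch and addSyscallArgsCheck start before the hunk.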
|
||||||
|
|
|
@ -49,6 +49,9 @@ func (a AllowAny) String() (s string) {
|
||||||
// AllowValue specifies a value that needs to be strictly matched.
|
// AllowValue specifies a value that needs to be strictly matched.
|
||||||
type AllowValue uintptr
|
type AllowValue uintptr
|
||||||
|
|
||||||
|
// GreaterThan specifies a value that needs to be strictly smaller.
|
||||||
|
type GreaterThan uintptr
|
||||||
|
|
||||||
func (a AllowValue) String() (s string) {
|
func (a AllowValue) String() (s string) {
|
||||||
return fmt.Sprintf("%#x ", uintptr(a))
|
return fmt.Sprintf("%#x ", uintptr(a))
|
||||||
}
|
}
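Review bot: The doc comment `// GreaterThan specifies a value that needs to be strictly smaller.` is easy to read backwards (it sounds like the argument must be smaller), and it does not say that the comparison is unsigned, which is the detail a rule author needs when an argument can be negative. I would replace it with `// GreaterThan specifies a lower bound: the syscall argument must be strictly greater than this value. The comparison is on the unsigned 64-bit value, so negative arguments (e.g. -1) compare as very large.` AllowValue right above it has a String() method while GreaterThan does not; if the rule-set stringer relies on it for logging, GreaterThan will print as a bare number with no hint of its meaning, which I cannot confirm from this hunk alone.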
|
||||||
|
|
|
@ -340,6 +340,54 @@ func TestBasic(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
ruleSets: []RuleSet{
|
||||||
|
{
|
||||||
|
Rules: SyscallRules{
|
||||||
|
1: []Rule{
|
||||||
|
{
|
||||||
|
GreaterThan(0xf),
|
||||||
|
GreaterThan(0xabcd000d),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Action: linux.SECCOMP_RET_ALLOW,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
defaultAction: linux.SECCOMP_RET_TRAP,
|
||||||
|
specs: []spec{
|
||||||
|
{
|
||||||
|
desc: "GreaterThan: Syscall argument allowed",
|
||||||
|
data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{0x10, 0xffffffff}},
|
||||||
|
want: linux.SECCOMP_RET_ALLOW,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "GreaterThan: Syscall argument disallowed (equal)",
|
||||||
|
data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{0xf, 0xffffffff}},
|
||||||
|
want: linux.SECCOMP_RET_TRAP,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "Syscall argument disallowed (smaller)",
|
||||||
|
data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{0x0, 0xffffffff}},
|
||||||
|
want: linux.SECCOMP_RET_TRAP,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "GreaterThan2: Syscall argument allowed",
|
||||||
|
data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{0x10, 0xfbcd000d}},
|
||||||
|
want: linux.SECCOMP_RET_ALLOW,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "GreaterThan2: Syscall argument disallowed (equal)",
|
||||||
|
data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{0x10, 0xabcd000d}},
|
||||||
|
want: linux.SECCOMP_RET_TRAP,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "GreaterThan2: Syscall argument disallowed (smaller)",
|
||||||
|
data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{0x10, 0xa000ffff}},
|
||||||
|
want: linux.SECCOMP_RET_TRAP,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
} {
|
} {
|
||||||
instrs, err := BuildProgram(test.ruleSets, test.defaultAction)
|
instrs, err := BuildProgram(test.ruleSets, test.defaultAction)
|
||||||
if err != nil {
|
if err != nil {
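Review bot: None of the new specs exercise the high 32-bit word: both rule values (0xf, 0xabcd000d) and every argument fit in the low word, so the BPF paths that accept on arg_high > high and reject on arg_high < high are never executed, and a mistake in those jumps would not be caught. I would add a case such as `{desc: "GreaterThan2: Syscall argument allowed (high word larger)", data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{0x10, 0x100000000}}, want: linux.SECCOMP_RET_ALLOW}` to cover the accept path, and a second rule set with a value above 0xffffffff (for example GreaterThan(0x100000000) rejected for an argument of 0xffffffff, even though its low word is larger) to cover the reject path. Separately, the desc `"Syscall argument disallowed (smaller)"` is the only one in this group without the `GreaterThan:` prefix; `"GreaterThan: Syscall argument disallowed (smaller)"` keeps the failure output consistent.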
|
||||||
|
|