4 changes: 2 additions & 2 deletions main.c
Expand Up @@ -13,7 +13,7 @@ int main(int argc, char **argv) {
const char *profile_path = argv[1];
FILE *file = sc_must_read_and_validate_header_from_file(profile_path, &hdr);
sc_must_read_filter_from_file(file, hdr.len_filter, &prog_allow);


sc_apply_seccomp_filter(&prog_allow);
fclose(file);
fprintf(stderr, "filter loaded okay");
}
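Review bot: `fclose(file);` and the final `fprintf` run after `sc_apply_seccomp_filter(&prog_allow);`, so the close(2) and write(2) they issue execute under the filter that was just installed; with a profile that denies either call, a correctly loaded filter ends in SIGSYS instead of the "filter loaded okay" message, which makes the tool's success path depend on the profile under test. Moving `fclose(file);` ahead of `sc_apply_seccomp_filter(&prog_allow);` keeps the file handling independent of the loaded rules; the file is fully consumed by sc_must_read_filter_from_file before that point. The status message also lacks a trailing newline: `fprintf(stderr, "filter loaded okay\n");`. main's body begins above the hunk, so I cannot see whether argc is checked before `argv[1]` is read.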
9 changes: 8 additions & 1 deletion seccomp.c
Expand Up @@ -41,13 +41,20 @@ FILE* sc_must_read_and_validate_header_from_file(const char *profile_path, struc
if (num_read < sizeof(struct sc_seccomp_file_header)) {
die("short read on seccomp header: %zu", num_read);
}
// check everything
if (hdr->header[0] != 'S' || hdr->header[1] != 'C') {
die("unexpected seccomp header: %x%x", hdr->header[0], hdr->header[1]);
}
if (hdr->len_filter > MAX_BPF_SIZE) {
die("allow filter size too big %u", hdr->len_filter);
}
return file;
}

void sc_must_read_filter_from_file(FILE *file, uint32_t len_bytes, struct sock_fprog *prog)
{
prog->len = len_bytes / sizeof(struct sock_filter);
prog->filter = (struct sock_filter *)malloc(MAX_BPF_SIZE);
prog->filter = (struct sock_filter *)malloc(len_bytes);
if (prog->filter == NULL) {
die("cannot allocate %u bytes of memory for seccomp filter ", len_bytes);
}
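Review bot: The new `if (hdr->len_filter > MAX_BPF_SIZE)` check bounds the size but still admits a len_filter of zero or one that is not a multiple of sizeof(struct sock_filter); in sc_must_read_filter_from_file the integer division `prog->len = len_bytes / sizeof(struct sock_filter);` then silently drops the trailing bytes, and the now exact `malloc(len_bytes)` may return NULL for zero and die with a misleading allocation message. I would extend the header validation with `if (hdr->len_filter == 0 || hdr->len_filter % sizeof(struct sock_filter) != 0) { die("invalid seccomp filter size %u", hdr->len_filter); }`. The function otherwise validates only the 'S','C' magic and the size, although the comments this PR adds to seccomp.h state that version must be 0x1 and unrestricted 0x0 or 0x1; either check those fields here as well or note in the header that they are currently unchecked. sc_must_read_filter_from_file continues past the end of the hunk.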
5 changes: 5 additions & 0 deletions seccomp.h
Expand Up @@ -7,9 +7,13 @@

#include <linux/filter.h>


struct sc_seccomp_file_header {
// must be 'S', 'C'
char header[2];
// must be 0x1
uint8_t version;
// only 0x0 or 0x1 support right now
uint8_t unrestricted;

uint32_t len_filter;
Expand All @@ -23,3 +27,4 @@ void sc_apply_seccomp_filter(struct sock_fprog *prog);
void die(const char *fmt, ...);

#endif

22 changes: 22 additions & 0 deletions unit-tests/unit-tests.c
Expand Up @@ -27,10 +27,32 @@ static void test_must_read_and_validate_header_from_file__happy(void)
g_assert_true(file != NULL);
}

static void test_must_read_and_validate_header_from_file__missing_header(void)
{
struct sc_seccomp_file_header hdr = {};

if (g_test_subprocess()) {
char *profile = NULL;
int fd = 0;
make_seccomp_profile(&hdr, &fd, &profile);
FILE *file = sc_must_read_and_validate_header_from_file(profile, &hdr);
g_assert_not_reached();
// check null
g_assert_null(file);
}

g_test_trap_subprocess(NULL, 0, 0);
g_test_trap_assert_failed();
g_test_trap_assert_stderr("unexpected seccomp header: 00\n");
}

static void __attribute__((constructor)) init(void)
{
g_test_add_func("/seccomp/must_read_and_validate_header_from_file/happy",
test_must_read_and_validate_header_from_file__happy);
g_test_add_func("/seccomp/must_read_and_validate_header_from_file/missing_header",
test_must_read_and_validate_header_from_file__missing_header);

}

int main(int argc, char **argv)
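Review bot: `g_assert_null(file);` after `g_assert_not_reached();` can never execute, so the `// check null` branch is dead code and the assignment to `file` exists only to hold a value nothing reads; call `sc_must_read_and_validate_header_from_file(profile, &hdr);` without assigning and drop the two lines after `g_assert_not_reached();`. `struct sc_seccomp_file_header hdr = {};` relies on the GNU empty-initializer extension (standard only in C23); `= {0}` is the portable spelling. The expected stderr text `"unexpected seccomp header: 00\n"` ends in a newline that the die() format in seccomp.c does not contain, so the assertion presumably relies on die() appending one — worth a short comment on the test if that is the contract. The name missing_header is slightly misleading: the profile written is an all-zero header, i.e. a wrong magic, which bad_magic would describe more precisely.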