[PATCH RFC 7/9] filter_seccomp: reverse linear generation strategy

Paul Chaignon paul.chaignon at gmail.com
Fri Aug 23 09:44:11 UTC 2019


This commit introduces a new BPF program generator.  It adopts the same
strategy as the existing generator, but instead of matching traced
syscalls, it matches syscalls that are not traced (those for which the BPF
program should return RET_ALLOW).

filter_seccomp.c (reverse_linear_filter_generator): New prototype.
(filter_generators): Add reverse_linear_filter_generator.
(linear_filter_generator): Rename to __linear_filter_generator, match
traced or allowed syscalls based on match_traced argument.
(linear_filter_generator, reverse_linear_filter_generator): New functions.

Signed-off-by: Paul Chaignon <paul.chaignon at gmail.com>
---
 filter_seccomp.c | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/filter_seccomp.c b/filter_seccomp.c
index 826d3bc3..22a011bc 100644
--- a/filter_seccomp.c
+++ b/filter_seccomp.c
@@ -56,8 +56,11 @@ typedef unsigned short (*filter_generator_t)(struct sock_filter *,
 					     bool *overflow);
 static unsigned short linear_filter_generator(struct sock_filter *,
 					      bool *overflow);
+static unsigned short reverse_linear_filter_generator(struct sock_filter *,
+						      bool *overflow);
 static filter_generator_t filter_generators[] = {
 	linear_filter_generator,
+	reverse_linear_filter_generator,
 };
 
 bool seccomp_filtering = false;
@@ -202,7 +205,8 @@ bpf_syscalls_cmp(struct sock_filter *filter,
 }
 
 static unsigned short
-linear_filter_generator(struct sock_filter *filter, bool *overflow)
+__linear_filter_generator(struct sock_filter *filter, bool *overflow,
+			  bool match_traced)
 {
 	/*
 	 * Generated program looks like:
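Review bot: The new name `__linear_filter_generator` starts with a double underscore, which C reserves for the implementation (C11 §7.1.3), so the rename introduces a reserved identifier; the two wrappers added in the last hunk reference the same name. A name like `linear_filter_generator_impl` (or a `do_`/`gen_` prefix) avoids the clash with no other change. The added `match_traced` parameter is also undocumented: the leading "Generated program looks like:" comment presumably describes only the traced case, so a line such as `match_traced: when true, matched syscalls are the traced ones; when false, the allowed ones, and the matched-jump target is swapped accordingly` would help. That comment and the function body continue outside the hunk.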
@@ -263,7 +267,7 @@ linear_filter_generator(struct sock_filter *filter, bool *overflow)
 #endif
 
 		for (unsigned int i = 0; i < nsyscall_vec[p]; ++i) {
-			if (traced_by_seccomp(i, p)) {
+			if (traced_by_seccomp(i, p) == match_traced) {
 				if (lower == UINT_MAX)
 					lower = i;
 				continue;
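Review bot: `traced_by_seccomp(i, p) == match_traced` is only correct if traced_by_seccomp returns a genuine `bool`; if it returns any non-zero int for "traced", the comparison with `true` fails for values other than 1 and such syscalls would silently be dropped from the matched set. Its definition is not in the hunk, so this is worth confirming against the declaration; if it is not `bool`, `if (!!traced_by_seccomp(i, p) == match_traced)` makes the intent explicit. The enclosing loop and function start and end outside the hunk.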
@@ -312,11 +316,12 @@ linear_filter_generator(struct sock_filter *filter, bool *overflow)
 			if (BPF_CLASS(filter[i].code) != BPF_JMP)
 				continue;
 			unsigned char jmp_next = pos - i - 1;
-			unsigned char jmp_trace = pos - i - 2;
+			unsigned char jmp_match = match_traced ?
+						  pos - i - 2 : pos - i - 3;
 			replace_jmp_placeholders(&filter[i].jt, jmp_next,
-						 jmp_trace);
+						 jmp_match);
 			replace_jmp_placeholders(&filter[i].jf, jmp_next,
-						 jmp_trace);
+						 jmp_match);
 			if (BPF_OP(filter[i].code) == BPF_JA)
 				filter[i].k = (unsigned int) jmp_next;
 		}
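Review bot: The literals in `jmp_match = match_traced ? pos - i - 2 : pos - i - 3` encode which epilogue instruction a matched syscall jumps to, but the epilogue that fixes those positions is outside this hunk and nothing here names it, so an off-by-one would not fail visibly — it would silently swap the seccomp decision for every matched syscall. A comment tying each offset to its target, e.g. `/* matched syscalls jump to RET_TRACE (pos - 2) when tracing, to RET_ALLOW (pos - 3) otherwise */`, would make the dependency on the epilogue layout reviewable; I am inferring that layout, so the exact names should be checked against the epilogue. Given that both generators must yield the same allow/trace decision for every syscall number, a unit check that runs both over the table and compares decisions would catch such an offset slip. The distance is also truncated into `unsigned char`, as the original `jmp_trace` already was; presumably the `overflow` flag covers distances above 255, but that logic is not in the hunk.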
@@ -330,6 +335,16 @@ linear_filter_generator(struct sock_filter *filter, bool *overflow)
 	return pos;
 }
 
+static unsigned short
+linear_filter_generator(struct sock_filter *filter, bool *overflow) {
+	return __linear_filter_generator(filter, overflow, true);
+}
+
+static unsigned short
+reverse_linear_filter_generator(struct sock_filter *filter, bool *overflow) {
+	return __linear_filter_generator(filter, overflow, false);
+}
+
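Review bot: The two new wrappers put the opening brace on the signature line (`linear_filter_generator(struct sock_filter *filter, bool *overflow) {`), whereas every other function definition in the file places it on its own line, as `check_seccomp_filter` just below and the renamed generator above do. Moving the brace to its own line in both wrappers keeps the file's style consistent. A one-line comment on each wrapper, e.g. `/* Match traced syscalls; fall through to RET_ALLOW. */` and `/* Match allowed syscalls; fall through to RET_TRACE. */`, would also record why two generators exist, with the fall-through wording to be confirmed against the epilogue.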
 void
 check_seccomp_filter(void)
 {
-- 
2.17.1


