[PATCH RFC 2/4] Introduce seccomp-assisted syscall filtering

Dmitry V. Levin ldv at altlinux.org
Tue Jul 23 11:15:18 UTC 2019 

On Mon, Jul 22, 2019 at 06:32:37PM +0200, Paul Chaignon wrote:
[...]
> > > +static unsigned short
> > > +init_sock_filter(struct sock_filter *filter)
> > > +{
> > > +   unsigned short pos = 0;
> > > +#if SUPPORTED_PERSONALITIES > 1
> > > +   unsigned int audit_arch_vec[] = {
> > > +# if defined X86_64
> > > +           AUDIT_ARCH_X86_64,
> > > +           AUDIT_ARCH_I386,
> > > +           AUDIT_ARCH_X86_64
> > > +# elif SUPPORTED_PERSONALITIES == 2
> > > +           AUDIT_ARCH_X86_64,
> > > +           AUDIT_ARCH_I386
> > > +# endif
> > > +   };
> > > +#endif
> > > +   unsigned int syscall_bit_vec[] = {
> > > +#if defined X86_64
> > > +           0, 0, __X32_SYSCALL_BIT
> > > +#elif defined X32
> > > +           __X32_SYSCALL_BIT, 0
> > > +#elif SUPPORTED_PERSONALITIES == 2
> > > +           0, 0
> > > +#else
> > > +           0
> > > +#endif
> > > +   };
> >
> > Please don't use any arch-specific ifdefs in the common code like this.
> > Use of arch-specific constants like AUDIT_ARCH_X86_64 in the common code
> > like this is also not acceptable.
> 
> I had a look at the other arch-specific codes in strace, but couldn't find
> the proper place for that code.  Should these simply be moved to the top
> of the file as in syscall.c?

If the syscallent.h approach is too heavy, I suggest to define
PERSONALITY{0,1,2}_AUDIT_ARCH and PERSONALITY{0,1,2}_SYSCALL_BIT
in linux/*/arch_defs_.h for relevant architectures (maybe with fallback
definition of PERSONALITY0_SYSCALL_BIT in defs.h) and use these
constants here, e.g.

#if SUPPORTED_PERSONALITIES > 1
	unsigned int audit_arch_vec[SUPPORTED_PERSONALITIES] = {
		PERSONALITY0_AUDIT_ARCH,
		PERSONALITY1_AUDIT_ARCH,
# if SUPPORTED_PERSONALITIES > 2
		PERSONALITY2_AUDIT_ARCH,
# endif
	};
#endif

	unsigned int syscall_bit_vec[SUPPORTED_PERSONALITIES] = {
		PERSONALITY0_SYSCALL_BIT,
#if SUPPORTED_PERSONALITIES > 1
		PERSONALITY1_SYSCALL_BIT,
# if SUPPORTED_PERSONALITIES > 2
		PERSONALITY2_SYSCALL_BIT,
# endif
#endif
	};


-- 
ldv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20190723/985b67af/attachment.bin>

More information about the Strace-devel mailing list