[linux-seccomp.git] / libseccomp / src / db.h

/**
 * Enhanced Seccomp Filter DB
 *
 * Copyright (c) 2012,2016 Red Hat <pmoore@redhat.com>
 * Author: Paul Moore <paul@paul-moore.com>
 */

/*
 * This library is free software; you can redistribute it and/or modify it
 * under the terms of version 2.1 of the GNU Lesser General Public License as
 * published by the Free Software Foundation.
 *
 * This library is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
 * for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this library; if not, see <http://www.gnu.org/licenses>.
 */

#ifndef _FILTER_DB_H
#define _FILTER_DB_H

#include <inttypes.h>
#include <stdbool.h>

#include <seccomp.h>

#include "arch.h"

/* XXX - need to provide doxygen comments for the types here */

struct db_api_arg {
	unsigned int arg;
	enum scmp_compare op;
	scmp_datum_t mask;
	scmp_datum_t datum;

	bool valid;
};

struct db_api_rule_list {
	uint32_t action;
	int syscall;
	struct db_api_arg *args;
	unsigned int args_cnt;

	struct db_api_rule_list *prev, *next;
};

struct db_arg_chain_tree {
	/* argument number (a0 = 0, a1 = 1, etc.) */
	unsigned int arg;
	/* argument bpf offset */
	unsigned int arg_offset;

	/* comparison operator */
	enum scmp_compare op;
	/* syscall argument value */
	uint32_t mask;
	uint32_t datum;

	/* actions */
	bool act_t_flg;
	bool act_f_flg;
	uint32_t act_t;
	uint32_t act_f;

	/* list of nodes on this level */
	struct db_arg_chain_tree *lvl_prv, *lvl_nxt;

	/* next node in the chain */
	struct db_arg_chain_tree *nxt_t;
	struct db_arg_chain_tree *nxt_f;

	unsigned int refcnt;
};
#define ARG_MASK_MAX		((uint32_t)-1)
#define db_chain_lt(x,y) \
	(((x)->arg < (y)->arg) || \
	 (((x)->arg == (y)->arg) && \
	  (((x)->op < (y)->op) || (((x)->mask & (y)->mask) == (y)->mask))))
#define db_chain_eq(x,y) \
	(((x)->arg == (y)->arg) && \
	 ((x)->op == (y)->op) && ((x)->datum == (y)->datum) && \
	 ((x)->mask == (y)->mask))
#define db_chain_gt(x,y) \
	(((x)->arg > (y)->arg) || \
	 (((x)->arg == (y)->arg) && \
	  (((x)->op > (y)->op) || (((x)->mask & (y)->mask) != (y)->mask))))
#define db_chain_action(x) \
	(((x)->act_t_flg) || ((x)->act_f_flg))
#define db_chain_zombie(x) \
	((x)->nxt_t == NULL && !((x)->act_t_flg) && \
	 (x)->nxt_f == NULL && !((x)->act_f_flg))
#define db_chain_leaf(x) \
	((x)->nxt_t == NULL && (x)->nxt_f == NULL)
#define db_chain_eq_result(x,y) \
	((((x)->nxt_t != NULL && (y)->nxt_t != NULL) || \
	  ((x)->nxt_t == NULL && (y)->nxt_t == NULL)) && \
	 (((x)->nxt_f != NULL && (y)->nxt_f != NULL) || \
	  ((x)->nxt_f == NULL && (y)->nxt_f == NULL)) && \
	 ((x)->act_t_flg == (y)->act_t_flg) && \
	 ((x)->act_f_flg == (y)->act_f_flg) && \
	 (((x)->act_t_flg && (x)->act_t == (y)->act_t) || \
	  (!((x)->act_t_flg))) && \
	 (((x)->act_f_flg && (x)->act_f == (y)->act_f) || \
	  (!((x)->act_f_flg))))

struct db_sys_list {
	/* native syscall number */
	unsigned int num;

	/* priority - higher is better */
	unsigned int priority;

	/* the argument chain heads */
	struct db_arg_chain_tree *chains;
	unsigned int node_cnt;

	/* action in the case of no argument chains */
	uint32_t action;

	struct db_sys_list *next;
	/* temporary use only by the BPF generator */
	struct db_sys_list *pri_prv, *pri_nxt;

	bool valid;
};

struct db_filter_attr {
	/* action to take if we don't match an explicit allow/deny */
	uint32_t act_default;
	/* action to take if we don't match the architecture */
	uint32_t act_badarch;
	/* NO_NEW_PRIVS related attributes */
	uint32_t nnp_enable;
	/* SECCOMP_FILTER_FLAG_TSYNC related attributes */
	uint32_t tsync_enable;
};

struct db_filter {
	/* target architecture */
	const struct arch_def *arch;

	/* syscall filters, kept as a sorted single-linked list */
	struct db_sys_list *syscalls;

	/* list of rules used to build the filters, kept in order */
	struct db_api_rule_list *rules;
};

struct db_filter_snap {
	/* individual filters */
	struct db_filter **filters;
	unsigned int filter_cnt;

	struct db_filter_snap *next;
};

struct db_filter_col {
	/* verification / state */
	int state;

	/* attributes */
	struct db_filter_attr attr;

	/* individual filters */
	int endian;
	struct db_filter **filters;
	unsigned int filter_cnt;

	/* transaction snapshots */
	struct db_filter_snap *snapshots;
};

/**
 * Iterate over each item in the DB list
 * @param iter the iterator
 * @param list the list
 *
 * This macro acts as for()/while() conditional and iterates the following
 * statement for each item in the given list.
 *
 */
#define db_list_foreach(iter,list) \
	for (iter = (list); iter != NULL; iter = iter->next)

int db_action_valid(uint32_t action);

struct db_filter_col *db_col_init(uint32_t def_action);
int db_col_reset(struct db_filter_col *col, uint32_t def_action);
void db_col_release(struct db_filter_col *col);

int db_col_valid(struct db_filter_col *col);

int db_col_merge(struct db_filter_col *col_dst, struct db_filter_col *col_src);

int db_col_arch_exist(struct db_filter_col *col, uint32_t arch_token);

int db_col_attr_get(const struct db_filter_col *col,
		    enum scmp_filter_attr attr, uint32_t *value);
int db_col_attr_set(struct db_filter_col *col,
		    enum scmp_filter_attr attr, uint32_t value);

int db_col_db_new(struct db_filter_col *col, const struct arch_def *arch);
int db_col_db_add(struct db_filter_col *col, struct db_filter *db);
int db_col_db_remove(struct db_filter_col *col, uint32_t arch_token);

int db_col_rule_add(struct db_filter_col *col,
		    bool strict, uint32_t action, int syscall,
		    unsigned int arg_cnt, const struct scmp_arg_cmp *arg_array);

int db_col_syscall_priority(struct db_filter_col *col,
			    int syscall, uint8_t priority);

int db_col_transaction_start(struct db_filter_col *col);
void db_col_transaction_abort(struct db_filter_col *col);
void db_col_transaction_commit(struct db_filter_col *col);

int db_rule_add(struct db_filter *db, const struct db_api_rule_list *rule);

#endif
Commit	Line	Data
8befd5cc MG	1	/**
	2	* Enhanced Seccomp Filter DB
	3	*
	4	* Copyright (c) 2012,2016 Red Hat <pmoore@redhat.com>
	5	* Author: Paul Moore <paul@paul-moore.com>
	6	*/
	7
	8	/*
	9	* This library is free software; you can redistribute it and/or modify it
	10	* under the terms of version 2.1 of the GNU Lesser General Public License as
	11	* published by the Free Software Foundation.
	12	*
	13	* This library is distributed in the hope that it will be useful, but WITHOUT
	14	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	15	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
	16	* for more details.
	17	*
	18	* You should have received a copy of the GNU Lesser General Public License
	19	* along with this library; if not, see <http://www.gnu.org/licenses>.
	20	*/
	21
	22	#ifndef _FILTER_DB_H
	23	#define _FILTER_DB_H
	24
	25	#include <inttypes.h>
	26	#include <stdbool.h>
	27
	28	#include <seccomp.h>
	29
	30	#include "arch.h"
	31
	32	/* XXX - need to provide doxygen comments for the types here */
	33
	34	struct db_api_arg {
	35	unsigned int arg;
	36	enum scmp_compare op;
	37	scmp_datum_t mask;
	38	scmp_datum_t datum;
	39
	40	bool valid;
	41	};
	42
	43	struct db_api_rule_list {
	44	uint32_t action;
	45	int syscall;
	46	struct db_api_arg *args;
	47	unsigned int args_cnt;
	48
	49	struct db_api_rule_list prev, next;
	50	};
	51
	52	struct db_arg_chain_tree {
	53	/* argument number (a0 = 0, a1 = 1, etc.) */
	54	unsigned int arg;
	55	/* argument bpf offset */
	56	unsigned int arg_offset;
	57
	58	/* comparison operator */
	59	enum scmp_compare op;
	60	/* syscall argument value */
	61	uint32_t mask;
	62	uint32_t datum;
	63
	64	/* actions */
65	bool act_t_flg;
66	bool act_f_flg;
67	uint32_t act_t;
68	uint32_t act_f;
69
70	/* list of nodes on this level */
71	struct db_arg_chain_tree lvl_prv, lvl_nxt;
72
73	/* next node in the chain */
74	struct db_arg_chain_tree *nxt_t;
75	struct db_arg_chain_tree *nxt_f;
76
77	unsigned int refcnt;
78	};
79	#define ARG_MASK_MAX ((uint32_t)-1)
80	#define db_chain_lt(x,y) \
81	(((x)->arg < (y)->arg) \|\| \
82	(((x)->arg == (y)->arg) && \
83	(((x)->op < (y)->op) \|\| (((x)->mask & (y)->mask) == (y)->mask))))
84	#define db_chain_eq(x,y) \
85	(((x)->arg == (y)->arg) && \
86	((x)->op == (y)->op) && ((x)->datum == (y)->datum) && \
87	((x)->mask == (y)->mask))
88	#define db_chain_gt(x,y) \
89	(((x)->arg > (y)->arg) \|\| \
90	(((x)->arg == (y)->arg) && \
91	(((x)->op > (y)->op) \|\| (((x)->mask & (y)->mask) != (y)->mask))))
92	#define db_chain_action(x) \
93	(((x)->act_t_flg) \|\| ((x)->act_f_flg))
94	#define db_chain_zombie(x) \
95	((x)->nxt_t == NULL && !((x)->act_t_flg) && \
96	(x)->nxt_f == NULL && !((x)->act_f_flg))
97	#define db_chain_leaf(x) \
98	((x)->nxt_t == NULL && (x)->nxt_f == NULL)
99	#define db_chain_eq_result(x,y) \
100	((((x)->nxt_t != NULL && (y)->nxt_t != NULL) \|\| \
101	((x)->nxt_t == NULL && (y)->nxt_t == NULL)) && \
102	(((x)->nxt_f != NULL && (y)->nxt_f != NULL) \|\| \
103	((x)->nxt_f == NULL && (y)->nxt_f == NULL)) && \
104	((x)->act_t_flg == (y)->act_t_flg) && \
105	((x)->act_f_flg == (y)->act_f_flg) && \
106	(((x)->act_t_flg && (x)->act_t == (y)->act_t) \|\| \
107	(!((x)->act_t_flg))) && \
108	(((x)->act_f_flg && (x)->act_f == (y)->act_f) \|\| \
109	(!((x)->act_f_flg))))
110
111	struct db_sys_list {
112	/* native syscall number */
113	unsigned int num;
114
115	/* priority - higher is better */
116	unsigned int priority;
117
118	/* the argument chain heads */
119	struct db_arg_chain_tree *chains;
120	unsigned int node_cnt;
121
122	/* action in the case of no argument chains */
123	uint32_t action;
124
125	struct db_sys_list *next;
126	/* temporary use only by the BPF generator */
127	struct db_sys_list pri_prv, pri_nxt;
128
129	bool valid;
130	};
131
132	struct db_filter_attr {
133	/* action to take if we don't match an explicit allow/deny */
134	uint32_t act_default;
135	/* action to take if we don't match the architecture */
136	uint32_t act_badarch;
137	/* NO_NEW_PRIVS related attributes */
138	uint32_t nnp_enable;
139	/* SECCOMP_FILTER_FLAG_TSYNC related attributes */
140	uint32_t tsync_enable;
141	};
142
143	struct db_filter {
144	/* target architecture */
145	const struct arch_def *arch;
146
147	/* syscall filters, kept as a sorted single-linked list */
148	struct db_sys_list *syscalls;
149
150	/* list of rules used to build the filters, kept in order */
151	struct db_api_rule_list *rules;
152	};
153
154	struct db_filter_snap {
155	/* individual filters */
156	struct db_filter **filters;
157	unsigned int filter_cnt;
158
159	struct db_filter_snap *next;
160	};
161
162	struct db_filter_col {
163	/* verification / state */
164	int state;
165
166	/* attributes */
167	struct db_filter_attr attr;
168
169	/* individual filters */
170	int endian;
171	struct db_filter **filters;
172	unsigned int filter_cnt;
173
174	/* transaction snapshots */
175	struct db_filter_snap *snapshots;
176	};
177
178	/**
179	* Iterate over each item in the DB list
180	* @param iter the iterator
181	* @param list the list
182	*
183	* This macro acts as for()/while() conditional and iterates the following
184	* statement for each item in the given list.
185	*
186	*/
187	#define db_list_foreach(iter,list) \
188	for (iter = (list); iter != NULL; iter = iter->next)
189
190	int db_action_valid(uint32_t action);
191
192	struct db_filter_col *db_col_init(uint32_t def_action);
193	int db_col_reset(struct db_filter_col *col, uint32_t def_action);
194	void db_col_release(struct db_filter_col *col);
195
196	int db_col_valid(struct db_filter_col *col);
197
198	int db_col_merge(struct db_filter_col col_dst, struct db_filter_col col_src);
199
200	int db_col_arch_exist(struct db_filter_col *col, uint32_t arch_token);
201
202	int db_col_attr_get(const struct db_filter_col *col,
203	enum scmp_filter_attr attr, uint32_t *value);
204	int db_col_attr_set(struct db_filter_col *col,
205	enum scmp_filter_attr attr, uint32_t value);
206
207	int db_col_db_new(struct db_filter_col col, const struct arch_def arch);
208	int db_col_db_add(struct db_filter_col col, struct db_filter db);
209	int db_col_db_remove(struct db_filter_col *col, uint32_t arch_token);
210
211	int db_col_rule_add(struct db_filter_col *col,
212	bool strict, uint32_t action, int syscall,
213	unsigned int arg_cnt, const struct scmp_arg_cmp *arg_array);
214
215	int db_col_syscall_priority(struct db_filter_col *col,
216	int syscall, uint8_t priority);
217
218	int db_col_transaction_start(struct db_filter_col *col);
219	void db_col_transaction_abort(struct db_filter_col *col);
220	void db_col_transaction_commit(struct db_filter_col *col);
221
222	int db_rule_add(struct db_filter db, const struct db_api_rule_list rule);
223
224	#endif