jail: seccomp: improve code readability
authorDaniel Golle <daniel@makrotopia.org>
Mon, 30 Nov 2020 00:44:53 +0000 (00:44 +0000)
committerDaniel Golle <daniel@makrotopia.org>
Mon, 30 Nov 2020 00:44:53 +0000 (00:44 +0000)
Break overly long lines, add some comments.
No functional changes.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
jail/seccomp-oci.c

index 2ba66cd68c906dc97451b6684cdecbe7889500af..c82aebfa1eedaef81789a186d9483180bf882d2d 100644 (file)
@@ -211,7 +211,8 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
        bool arch_matched;
        char *op_str;
 
-       blobmsg_parse(oci_linux_seccomp_policy, __OCI_LINUX_SECCOMP_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
+       blobmsg_parse(oci_linux_seccomp_policy, __OCI_LINUX_SECCOMP_MAX,
+                     tb, blobmsg_data(msg), blobmsg_len(msg));
 
        if (!tb[OCI_LINUX_SECCOMP_DEFAULTACTION]) {
                ERROR("seccomp: no default action set\n");
@@ -239,7 +240,9 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
        blobmsg_for_each_attr(cur, tb[OCI_LINUX_SECCOMP_SYSCALLS], rem) {
                sz += 2; /* load and return */
 
-               blobmsg_parse(oci_linux_seccomp_syscalls_policy, __OCI_LINUX_SECCOMP_SYSCALLS_MAX, tbn, blobmsg_data(cur), blobmsg_len(cur));
+               blobmsg_parse(oci_linux_seccomp_syscalls_policy,
+                             __OCI_LINUX_SECCOMP_SYSCALLS_MAX,
+                             tbn, blobmsg_data(cur), blobmsg_len(cur));
                blobmsg_for_each_attr(curn, tbn[OCI_LINUX_SECCOMP_SYSCALLS_NAMES], remn) {
                        sc = find_syscall(blobmsg_get_string(curn));
                        if (sc == -1) {
@@ -254,7 +257,9 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
                        blobmsg_for_each_attr(curarg, tbn[OCI_LINUX_SECCOMP_SYSCALLS_ARGS], remargs) {
                                sz += 2; /* load and compare */
 
-                               blobmsg_parse(oci_linux_seccomp_syscalls_args_policy, __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX, tba, blobmsg_data(curarg), blobmsg_len(curarg));
+                               blobmsg_parse(oci_linux_seccomp_syscalls_args_policy,
+                                             __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX,
+                                             tba, blobmsg_data(curarg), blobmsg_len(curarg));
                                if (!tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_INDEX] ||
                                    !tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_VALUE] ||
                                    !tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_OP])
@@ -300,13 +305,17 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
                int start_rule_idx;
                int next_rule_idx;
 
-               blobmsg_parse(oci_linux_seccomp_syscalls_policy, __OCI_LINUX_SECCOMP_SYSCALLS_MAX, tbn, blobmsg_data(cur), blobmsg_len(cur));
-               action = resolve_action(blobmsg_get_string(tbn[OCI_LINUX_SECCOMP_SYSCALLS_ACTION]));
+               blobmsg_parse(oci_linux_seccomp_syscalls_policy,
+                             __OCI_LINUX_SECCOMP_SYSCALLS_MAX,
+                             tbn, blobmsg_data(cur), blobmsg_len(cur));
+               action = resolve_action(blobmsg_get_string(
+                               tbn[OCI_LINUX_SECCOMP_SYSCALLS_ACTION]));
                if (tbn[OCI_LINUX_SECCOMP_SYSCALLS_ERRNORET]) {
                        if (action != SECCOMP_RET_ERRNO)
                                goto errout1;
 
-                       action = SECCOMP_RET_ERROR(blobmsg_get_u32(tbn[OCI_LINUX_SECCOMP_SYSCALLS_ERRNORET]));
+                       action = SECCOMP_RET_ERROR(blobmsg_get_u32(
+                                       tbn[OCI_LINUX_SECCOMP_SYSCALLS_ERRNORET]));
                } else if (action == SECCOMP_RET_ERRNO)
                        action = SECCOMP_RET_ERROR(EPERM);
 
@@ -325,7 +334,9 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
 
                /* calculate length of argument filter rules */
                blobmsg_for_each_attr(curn, tbn[OCI_LINUX_SECCOMP_SYSCALLS_ARGS], remn) {
-                       blobmsg_parse(oci_linux_seccomp_syscalls_args_policy, __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX, tba, blobmsg_data(curn), blobmsg_len(curn));
+                       blobmsg_parse(oci_linux_seccomp_syscalls_args_policy,
+                                     __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX,
+                                     tba, blobmsg_data(curn), blobmsg_len(curn));
                        next_rule_idx += 2;
                        op_str = blobmsg_get_string(tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_OP]);
                        if (resolve_op_is_masked(op_str))
@@ -338,15 +349,24 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
                        sc = find_syscall(blobmsg_get_string(curn));
                        if (sc == -1)
                                continue;
-                       /* check syscall, skip other syscall checks if hit; if no match chain to next section */
-                       set_filter(&filter[idx], BPF_JMP + BPF_JEQ + BPF_K, start_rule_idx - (idx + 1), ((idx + 1) == start_rule_idx)?(next_rule_idx - (idx + 1)):0, sc);
+                       /*
+                        * check syscall, skip other syscall checks if match is found.
+                        * if no match is found, jump to next section
+                        */
+                       set_filter(&filter[idx], BPF_JMP + BPF_JEQ + BPF_K,
+                                  start_rule_idx - (idx + 1),
+                                  ((idx + 1) == start_rule_idx)?(next_rule_idx - (idx + 1)):0,
+                                  sc);
                        ++idx;
                }
 
                assert(idx = start_rule_idx);
 
+               /* generate argument filter rules */
                blobmsg_for_each_attr(curn, tbn[OCI_LINUX_SECCOMP_SYSCALLS_ARGS], remn) {
-                       blobmsg_parse(oci_linux_seccomp_syscalls_args_policy, __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX, tba, blobmsg_data(curn), blobmsg_len(curn));
+                       blobmsg_parse(oci_linux_seccomp_syscalls_args_policy,
+                                     __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX,
+                                     tba, blobmsg_data(curn), blobmsg_len(curn));
 
                        op_str = blobmsg_get_string(tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_OP]);
                        op_ins = resolve_op_ins(op_str);
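Review bot: `assert(idx = start_rule_idx);`, just above the new "generate argument filter rules" comment, uses assignment rather than comparison and therefore verifies nothing: with assertions enabled it overwrites idx and passes whenever start_rule_idx is non-zero, and under NDEBUG it vanishes altogether. The sibling check at the end of the section is written correctly as `assert(idx == next_rule_idx);`, so this one should read `assert(idx == start_rule_idx);`; since these invariants guard the jump layout of the generated BPF program, a runtime `if (idx != start_rule_idx) goto errout1;` would keep the check in release builds as well. Separately, the JEQ jump offsets derived from start_rule_idx and next_rule_idx end up in the 8-bit jt/jf fields of struct sock_filter, so a `names` list of more than about 255 entries would produce a truncated offset unless set_filter() rejects it — set_filter() is outside the hunk, and the first counting pass would be the natural place for such a bound. The function continues on both sides of the hunk.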
@@ -373,6 +393,7 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
                        ++idx;
                }
 
+               /* if we have reached until here, all conditions were met and we can return */
                set_filter(&filter[idx++], BPF_RET + BPF_K, 0, 0, action);
 
                assert(idx == next_rule_idx);
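Review bot: The added comment on the return instruction reads awkwardly ("if we have reached until here"); `/* every argument check matched: emit this rule's action */` says the same thing more directly. The assert that follows is the only check that the number of emitted instructions matches the size computed in the counting pass, and as an assert it is compiled out under NDEBUG; because a mismatch would mean the jump targets of the preceding rules point at the wrong instructions, a hard failure such as `if (idx != next_rule_idx) goto errout1;` would be safer in release builds, assuming errout1 performs the right cleanup at this point (the label is outside the hunk). parseOCIlinuxseccomp continues past the hunk.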