mirror of https://github.com/containers/youki synced 2026-05-03 21:50:49 +02:00
sat0ken 11e26109a0 Extend experiment seccomp program (#3464)
* update seccomp program of update method and add function

- add default error return code to InstructionData
- add action to Rule
- add action to fn new of Rule and fix test code
- add seccomp compare op code to const
- ported function from libcontainer of seccomp
- update Cargo.toml and lock
- add const of seccomp flags
- add flags to InstructionData
- add derive
- improve implementation to generate filter from LinuxSeccomp
- update main.rs to use oci_spec
- fix format

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* implement From trait

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* implement seccomp flags if config.json define

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* add BPF Instruction to validate

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* add fn to get nr offset from seccomp_data

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* modify generate BPF program order

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* implement check args of seccomp program and add test code

- modify systemcall of args check logic
- add for test code and add serde to use json
- update gen_validate
- update seccomp_data_args_offset to get args index
- add file for test
- update check argument code
- update check argument code
- fix test code
- remove unusual args from fn to_instruction_with_args
- add test code
- add test case with args
- add test for arm64

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* move test json file to tests

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* change to return Result

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* change fn seccomp_data_args_offset to return Result

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* to change return Result, add unwrap

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* run cargo fmt

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* fix offset size

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* add design pattern to rule

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* change method to return Result

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* change method name

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* improve multiple variable set to use is_none method

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* fix test code

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* insert BPF_JMP to new to omit code

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* omit BPF_JMP from code

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* add check argument count

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* fix if value is 0, set the value

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* fix for cargo clippy

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* change argument string to Path

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* change to return Result and remove unwrap

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* change struct name InstructionData to SeccompProgramPlan

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* implement TryFrom to SeccompProgramPlan

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* update oci-spec-rs

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* errno correctly set to the value of action

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* refactoring testutils.rs to use oci-spec-rs to parse json

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* refactor fn try_from to separate logic

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* fix test code and refactor

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* change type of syscall Vec<String> to Vec<u64> to sort

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* add const to jump_num

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* cargo fmt

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* minor update for test

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* create example dir and move main.rs

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* fix typo

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* update package and toolchain

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* cargo fmt

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* remove unused package

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* organize tests dir

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* update Cargo.toml

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* add readjson file by libseccomp

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* update README

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* cargo fmt
fix warning

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

* fix typo

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>

---------

Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-08 08:52:54 +09:00


use std::fs::File;
use std::io::{Read, Seek, SeekFrom};

use libseccomp::*;
use oci_spec::runtime::LinuxSeccompOperator;

#[path = "./helpers/mod.rs"]
mod utils;

/// Builds one libseccomp filter per syscall entry of the fixture and dumps the
/// exported BPF program as raw sock_filter records (code, jt, jf, k).
#[test]
fn read_json() -> anyhow::Result<()> {
    let mut cnt = 0;
    let seccomp = utils::read_seccomp_testdata("tests/fixtures/default_x86_64.json".as_ref())?;
    if let Some(seccomp_syscalls) = seccomp.syscalls() {
        for linux_syscall in seccomp_syscalls {
            // A fresh filter per entry, so each dump shows only that entry's
            // rules on top of the default action.
            let mut filter = ScmpFilterContext::new(utils::convert_action(
                seccomp.default_action(),
                seccomp.default_errno_ret(),
            )?)?;
            filter.add_arch(ScmpArch::Native)?;
            let action = utils::convert_action(linux_syscall.action(), linux_syscall.errno_ret())?;
            let mut has_args: bool = false;
            for syscall in linux_syscall.names().iter() {
                let scmp_syscall = ScmpSyscall::from_name(syscall)?;
                if let Some(args) = linux_syscall.args() {
                    // Only the first argument comparison of the entry is applied.
                    has_args = true;
                    if args[0].op() == LinuxSeccompOperator::ScmpCmpMaskedEq {
                        // MaskedEq carries its mask inside the compare op, so the
                        // value is handed to the converter as well.
                        let cmp = ScmpArgCompare::new(
                            args[0].index() as u32,
                            utils::convert_operation(args[0].op(), Some(args[0].value()))?,
                            args[0].value(),
                        );
                        filter.add_rule_conditional(action, scmp_syscall, &[cmp])?;
                    } else {
                        let cmp = ScmpArgCompare::new(
                            args[0].index() as u32,
                            utils::convert_operation(args[0].op(), Some(0))?,
                            args[0].value(),
                        );
                        filter.add_rule_conditional(action, scmp_syscall, &[cmp])?;
                    }
                } else {
                    filter.add_rule(action, scmp_syscall)?;
                }
            }

            // Export the compiled BPF into a temp file and read it back.
            let tmpfile: File = tempfile::tempfile()?;
            let mut read_handle = tmpfile.try_clone()?;
            filter.export_bpf(tmpfile)?;
            read_handle.seek(SeekFrom::Start(0))?;
            let mut buffer = Vec::new();
            read_handle.read_to_end(&mut buffer)?;

            if has_args {
                println!("--- test case {} with args---", cnt);
            } else {
                println!("--- test case {}---", cnt);
            }
            // Each sock_filter is 8 bytes: u16 code, u8 jt, u8 jf, u32 k (little-endian).
            for chunk in buffer.chunks(8) {
                if chunk.len() == 8 {
                    let code = u16::from_le_bytes([chunk[0], chunk[1]]);
                    let jt = chunk[2];
                    let jf = chunk[3];
                    let k = u32::from_le_bytes([chunk[4], chunk[5], chunk[6], chunk[7]]);
                    println!(
                        "code: {:02x}, jt: {:02x}, jf: {:02x}, k: {:08x}",
                        code, jt, jf, k
                    );
                }
            }
            println!("--- test case {} end", cnt);
            cnt += 1;
        }
    }
    Ok(())
}
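The test above prints each sock_filter record as raw numbers. As an added example (not youki's code nor part of this test), the following decodes those records into named seccomp instructions using the seccomp_data layout (nr at offset 0, arch at 4, args[i] at 16 + 8*i) and checks that a program opens with the architecture guard libseccomp emits; the opcode and return-value constants are the kernel's, and a little-endian host is assumed, as in the test.

```rust
// Added example (not youki's code): decode the little-endian sock_filter records that
// export_bpf writes (the bytes dumped by the test above) and check the arch guard.
// Constants follow <linux/filter.h> and <linux/seccomp.h>; little-endian host assumed.
#[derive(Debug, PartialEq)]
pub enum Insn {
    LoadNr,                                  // ld [offsetof(seccomp_data, nr)]
    LoadArch,                                // ld [offsetof(seccomp_data, arch)]
    LoadArg { idx: u32, high: bool },        // one u32 half of args[idx] (offset 16 + 8*idx)
    Jmp { op: u16, k: u32, jt: u8, jf: u8 }, // op: BPF_JEQ=0x10, BPF_JGT=0x20, ...
    Ret { action: &'static str, data: u16 }, // data is the errno for ERRNO
    Other { code: u16, k: u32 },
}
fn ret_action(k: u32) -> &'static str {
    match k & 0xffff_0000 {
        0x0000_0000 => "KILL_THREAD", 0x8000_0000 => "KILL_PROCESS", 0x0003_0000 => "TRAP",
        0x0005_0000 => "ERRNO", 0x7fc0_0000 => "USER_NOTIF", 0x7ff0_0000 => "TRACE",
        0x7ffc_0000 => "LOG", 0x7fff_0000 => "ALLOW", _ => "UNKNOWN",
    }
}
pub fn decode(buf: &[u8]) -> Vec<Insn> {
    buf.chunks_exact(8).map(|c| {
        let (code, jt, jf) = (u16::from_le_bytes([c[0], c[1]]), c[2], c[3]);
        let k = u32::from_le_bytes([c[4], c[5], c[6], c[7]]);
        match (code, k) {
            (0x20, 0) => Insn::LoadNr, // 0x20 = BPF_LD|BPF_W|BPF_ABS
            (0x20, 4) => Insn::LoadArch,
            (0x20, 16..=63) if k % 4 == 0 => Insn::LoadArg { idx: (k - 16) / 8, high: k % 8 == 4 },
            _ if code & 0x07 == 0x05 => Insn::Jmp { op: code & 0xf0, k, jt, jf },
            _ if code & 0x07 == 0x06 => Insn::Ret { action: ret_action(k), data: k as u16 },
            _ => Insn::Other { code, k },
        }
    }).collect()
}
// True when the program opens with libseccomp's arch guard: ld arch, JEQ `arch`, KILL on the jf path.
pub fn has_arch_guard(insns: &[Insn], arch: u32) -> bool {
    match (insns.first(), insns.get(1)) {
        (Some(Insn::LoadArch), Some(Insn::Jmp { op: 0x10, k, jf, .. })) if *k == arch => {
            matches!(insns.get(2 + *jf as usize), Some(Insn::Ret { action, .. }) if action.starts_with("KILL"))
        }
        _ => false,
    }
}
// Constructed 7-instruction filter: x86_64 arch guard (AUDIT_ARCH_X86_64 = 0xc000003e),
// then "nr == 1 -> ERRNO(EPERM)", everything else ALLOW.
pub const SAMPLE: [u8; 56] = [
    0x20, 0, 0, 0, 0x04, 0, 0, 0, /* ld [4] */ 0x15, 0, 1, 0, 0x3e, 0, 0, 0xc0, /* jeq arch, jt=1, jf=0 */
    0x06, 0, 0, 0, 0, 0, 0, 0x80, /* ret KILL_PROCESS */ 0x20, 0, 0, 0, 0, 0, 0, 0, /* ld [0] */
    0x15, 0, 0, 1, 0x01, 0, 0, 0, /* jeq #1, jt=0, jf=1 */ 0x06, 0, 0, 0, 0x01, 0, 0x05, 0, /* ret ERRNO|EPERM */
    0x06, 0, 0, 0, 0, 0, 0xff, 0x7f, // ret ALLOW
];
```

Feeding the `buffer` the test reads back into `decode` gives the same dump with the offsets and return actions named, and `has_arch_guard` is the check the "add BPF Instruction to validate" commit is concerned with.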