
Commit c4802a2

committed
Use more descriptive BPF macros
BPF_STMT and BPF_JUMP are much more descriptive than just always using the raw struct.
1 parent 9767554 commit c4802a2


1 file changed

+7
-7
lines changed


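--- a/src/bin/seccomp/seccomp_trap.c
+++ b/src/bin/seccomp/seccomp_trap.c
@@ -103,19 +103,19 @@ int user_trap_syscalls(const int *nrs, size_t length, unsigned int flags) {
 struct sock_filter filter[MAX_FILTER_SIZE];
 
 // load arch
-filter[0] = (struct sock_filter) {(unsigned short) BPF_LD+BPF_W+BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch)};
+filter[0] = (struct sock_filter) BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, arch));
 
 // check arch
-filter[1] = (struct sock_filter) {(unsigned short) BPF_JMP+BPF_JEQ+BPF_K, 0, 2, AUDIT_ARCH_X86_64};
+filter[1] = (struct sock_filter) BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 0, 2);
 
 // load the number of the current syscall
-filter[2] = (struct sock_filter) {(unsigned short) BPF_LD+BPF_W+BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr)};
+filter[2] = (struct sock_filter) BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr));
 
 // for the x32 ABI, all system call numbers have bit 30 set
-filter[3] = (struct sock_filter) {(unsigned short) BPF_JMP+BPF_JGE+BPF_K, 0, 1, X32_SYSCALL_BIT};
+filter[3] = (struct sock_filter) BPF_JUMP((unsigned short) BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 0, 1);
 
 // terminate the process if one of the earlier checks jumped here
-filter[4] = (struct sock_filter) {(unsigned short) BPF_RET+BPF_K, 0, 0, SECCOMP_RET_KILL_PROCESS};
+filter[4] = (struct sock_filter) BPF_STMT((unsigned short) BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS);
 
 // now with the syscall nr still loaded, dynamically add checks for all syscall nrs we want to intercept
 // Warning: If there are more nrs than MAX_FILTER_SIZE - 3, we may omit some system calls
@@ -134,10 +134,10 @@ int user_trap_syscalls(const int *nrs, size_t length, unsigned int flags) {
 }
 
 // didn't find a matching syscall, so return allow
-filter[bpf_length - 2] = (struct sock_filter) {(unsigned short) BPF_RET+BPF_K, 0, 0, SECCOMP_RET_ALLOW};
+filter[bpf_length - 2] = (struct sock_filter) BPF_STMT((unsigned short) BPF_RET+BPF_K, SECCOMP_RET_ALLOW);
 
 // this is the jump target. If we found a matching syscall, we return SECCOMP_RET_USER_NOTIF
-filter[bpf_length - 1] = (struct sock_filter) {(unsigned short) BPF_RET+BPF_K, 0, 0, SECCOMP_RET_USER_NOTIF};
+filter[bpf_length - 1] = (struct sock_filter) BPF_STMT((unsigned short) BPF_RET+BPF_K, SECCOMP_RET_USER_NOTIF);
 
 struct sock_fprog prog = {
 .len = (unsigned short) bpf_length,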
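Review bot: The `(unsigned short)` cast is kept inside the macro call for filter[3], filter[4] and both return instructions in the second hunk, but dropped for filter[0] through filter[2]; BPF_STMT and BPF_JUMP already apply that cast to their code argument, so the leftover casts are redundant and the inconsistency reads as if the two forms differed, e.g. `filter[3] = (struct sock_filter) BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 0, 1);`. Since BPF_JUMP takes its arguments as (code, k, jt, jf) while the raw struct is ordered (code, jt, jf, k), the two jump sites would benefit from a comment naming the relative target, e.g. `// jf=2: skip the nr load and x32 check, land on the kill stanza at filter[4]` on filter[1] and `// jt=0 falls through to the kill stanza; jf=1 skips it` on filter[3], so a later edit of the offsets can be checked against intent. The enclosing user_trap_syscalls starts before the first hunk and continues past the second.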
