From c4122ae7c19c81499fcb90ea1474b287d3893e2e Mon Sep 17 00:00:00 2001
From: Harry Stern
Date: Sun, 3 Mar 2024 23:15:03 -0500
Subject: [PATCH] Use libc seccomp constants

Use libc constants now that rust-lang/libc/pull/3343 is merged and released.
SECCOMP_RET_MASK does not exist anymore and appears to have not existed for a while.
SECCOMP_RET_DATA is exactly the same mask value, and the usage here is in line with the man page.

Completes #60

Signed-off-by: Harry Stern
---
 src/backend/bpf.rs | 16 ++++++++--------
 src/backend/mod.rs | 8 ++++----
 src/lib.rs | 6 +-----
 3 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/src/backend/bpf.rs b/src/backend/bpf.rs
index a29422a..83ec9d8 100644
--- a/src/backend/bpf.rs
+++ b/src/backend/bpf.rs
@@ -114,14 +114,14 @@ pub const BPF_K: u16 = 0x00;
 // Return codes for BPF programs.
 // See /usr/include/linux/seccomp.h .
-pub const SECCOMP_RET_ALLOW: u32 = 0x7fff_0000;
-pub const SECCOMP_RET_ERRNO: u32 = 0x0005_0000;
-pub const SECCOMP_RET_KILL_THREAD: u32 = 0x0000_0000;
-pub const SECCOMP_RET_KILL_PROCESS: u32 = 0x8000_0000;
-pub const SECCOMP_RET_LOG: u32 = 0x7ffc_0000;
-pub const SECCOMP_RET_TRACE: u32 = 0x7ff0_0000;
-pub const SECCOMP_RET_TRAP: u32 = 0x0003_0000;
-pub const SECCOMP_RET_MASK: u32 = 0x0000_ffff;
+pub use libc::SECCOMP_RET_ALLOW;
+pub use libc::SECCOMP_RET_DATA;
+pub use libc::SECCOMP_RET_ERRNO;
+pub use libc::SECCOMP_RET_KILL_PROCESS;
+pub use libc::SECCOMP_RET_KILL_THREAD;
+pub use libc::SECCOMP_RET_LOG;
+pub use libc::SECCOMP_RET_TRACE;
+pub use libc::SECCOMP_RET_TRAP;
 // Architecture identifier for x86_64 LE.
 // See /usr/include/linux/audit.h .
diff --git a/src/backend/mod.rs b/src/backend/mod.rs
index 7ae49a8..7986303 100644
--- a/src/backend/mod.rs
+++ b/src/backend/mod.rs
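Review bot: The new `pub use libc::SECCOMP_RET_*` lines tie the build to a libc release that includes rust-lang/libc#3343, yet the diffstat above lists only the three `.rs` files, so the `libc` version floor in `Cargo.toml` is not raised by this commit. A consumer whose lockfile pins an older libc then fails with unresolved-import errors at compile time instead of a clear version conflict at dependency resolution. Bump the `libc` requirement in `Cargo.toml` to the first release that ships these constants (not visible from here) and record that in the comment kept above the re-exports: `// Re-exported from the libc crate (needs a release with the SECCOMP_RET_* constants); values follow /usr/include/linux/seccomp.h .` Separately, `SECCOMP_RET_DATA` is a new `pub` re-export; if the `bpf` module is reachable outside the crate this widens the public API, which the hunk alone cannot confirm.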
@@ -21,8 +21,8 @@ use std::fmt::Display;
 use bpf::{
 ARG_NUMBER_MAX, AUDIT_ARCH_AARCH64, AUDIT_ARCH_X86_64, BPF_MAX_LEN, SECCOMP_RET_ALLOW,
-SECCOMP_RET_ERRNO, SECCOMP_RET_KILL_PROCESS, SECCOMP_RET_KILL_THREAD, SECCOMP_RET_LOG,
-SECCOMP_RET_MASK, SECCOMP_RET_TRACE, SECCOMP_RET_TRAP,
+SECCOMP_RET_DATA, SECCOMP_RET_ERRNO, SECCOMP_RET_KILL_PROCESS, SECCOMP_RET_KILL_THREAD,
+SECCOMP_RET_LOG, SECCOMP_RET_TRACE, SECCOMP_RET_TRAP,
 };
 pub use bpf::{sock_filter, BpfProgram, BpfProgramRef};
@@ -173,11 +173,11 @@ impl From for u32 {
 fn from(action: SeccompAction) -> Self {
 match action {
 SeccompAction::Allow => SECCOMP_RET_ALLOW,
-SeccompAction::Errno(x) => SECCOMP_RET_ERRNO | (x & SECCOMP_RET_MASK),
+SeccompAction::Errno(x) => SECCOMP_RET_ERRNO | (x & SECCOMP_RET_DATA),
 SeccompAction::KillThread => SECCOMP_RET_KILL_THREAD,
 SeccompAction::KillProcess => SECCOMP_RET_KILL_PROCESS,
 SeccompAction::Log => SECCOMP_RET_LOG,
-SeccompAction::Trace(x) => SECCOMP_RET_TRACE | (x & SECCOMP_RET_MASK),
+SeccompAction::Trace(x) => SECCOMP_RET_TRACE | (x & SECCOMP_RET_DATA),
 SeccompAction::Trap => SECCOMP_RET_TRAP,
 }
 }
diff --git a/src/lib.rs b/src/lib.rs
index 2e93b78..10f3a79 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -208,10 +208,6 @@ pub use backend::{
 SeccompCmpOp, SeccompCondition, SeccompFilter, SeccompRule, TargetArch,
 };
-// Until https://github.com/rust-lang/libc/issues/3342 is fixed, define locally
-// From
-const SECCOMP_SET_MODE_FILTER: libc::c_int = 1;
-
 // BPF structure definition for filter array.
 // See /usr/include/linux/filter.h .
 #[repr(C)]
@@ -361,7 +357,7 @@ fn apply_filter_with_flags(bpf_filter: BpfProgramRef, flags: libc::c_ulong) -> R
 let rc = unsafe {
 libc::syscall(
 libc::SYS_seccomp,
-SECCOMP_SET_MODE_FILTER,
+libc::SECCOMP_SET_MODE_FILTER,
 flags,
 bpf_prog_ptr,
 )
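Review bot: In the `Errno(x)` and `Trace(x)` arms, `x & SECCOMP_RET_DATA` silently drops any bits of `x` above 0xffff, so an out-of-range value such as `Errno(0x1_0000)` encodes as `SECCOMP_RET_ERRNO | 0`, which makes the filtered syscall return 0 (success) instead of an error — a deny rule quietly turning into a success is a security-relevant failure mode that the commit does not address. Because `From` is infallible, the range check belongs where these variants are constructed or validated, which is outside this hunk; at minimum the truncation should be documented on the variants, e.g. `/// Only the low 16 bits (SECCOMP_RET_DATA) reach the kernel; larger values are truncated.` If I recall the seccomp(2) semantics correctly, the kernel additionally clamps the errno data to its maximum errno value, so that bound is worth stating (and enforcing) alongside it. The enclosing `impl From<SeccompAction> for u32` opens before this hunk.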
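Review bot: The `unsafe` block opened at `let rc = unsafe {` has no `// SAFETY:` comment, and this commit edits its contents without adding one. Soundness rests on `bpf_prog_ptr` pointing at a live `sock_fprog` whose filter array stays valid for the whole call; both are established earlier in `apply_filter_with_flags`, outside the hunk, so the comment should say so: `// SAFETY: bpf_prog_ptr points to the sock_fprog built above from bpf_filter, and the filter array it references outlives this call.` A smaller point: the local constant removed in the previous hunk was typed `libc::c_int`, whereas libc's `SECCOMP_SET_MODE_FILTER` is, if I recall correctly, an unsigned 32-bit type; for a variadic `libc::syscall` only the width matters, so this should not change behaviour, but it is worth confirming. `apply_filter_with_flags` starts before this hunk and continues after it.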