
jail: seccomp: improve code readability

Break overly long lines, add some comments.
No functional changes.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Daniel Golle 3 years ago
parent
commit
4625350465
1 changed files with 31 additions and 10 deletions
  1. 31 10
      jail/seccomp-oci.c

+ 31 - 10
jail/seccomp-oci.c

@@ -211,7 +211,8 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
 	bool arch_matched;
 	char *op_str;
 
-	blobmsg_parse(oci_linux_seccomp_policy, __OCI_LINUX_SECCOMP_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
+	blobmsg_parse(oci_linux_seccomp_policy, __OCI_LINUX_SECCOMP_MAX,
+		      tb, blobmsg_data(msg), blobmsg_len(msg));
 
 	if (!tb[OCI_LINUX_SECCOMP_DEFAULTACTION]) {
 		ERROR("seccomp: no default action set\n");
@@ -239,7 +240,9 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
 	blobmsg_for_each_attr(cur, tb[OCI_LINUX_SECCOMP_SYSCALLS], rem) {
 		sz += 2; /* load and return */
 
-		blobmsg_parse(oci_linux_seccomp_syscalls_policy, __OCI_LINUX_SECCOMP_SYSCALLS_MAX, tbn, blobmsg_data(cur), blobmsg_len(cur));
+		blobmsg_parse(oci_linux_seccomp_syscalls_policy,
+			      __OCI_LINUX_SECCOMP_SYSCALLS_MAX,
+			      tbn, blobmsg_data(cur), blobmsg_len(cur));
 		blobmsg_for_each_attr(curn, tbn[OCI_LINUX_SECCOMP_SYSCALLS_NAMES], remn) {
 			sc = find_syscall(blobmsg_get_string(curn));
 			if (sc == -1) {
@@ -254,7 +257,9 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
 			blobmsg_for_each_attr(curarg, tbn[OCI_LINUX_SECCOMP_SYSCALLS_ARGS], remargs) {
 				sz += 2; /* load and compare */
 
-				blobmsg_parse(oci_linux_seccomp_syscalls_args_policy, __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX, tba, blobmsg_data(curarg), blobmsg_len(curarg));
+				blobmsg_parse(oci_linux_seccomp_syscalls_args_policy,
+					      __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX,
+					      tba, blobmsg_data(curarg), blobmsg_len(curarg));
 				if (!tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_INDEX] ||
 				    !tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_VALUE] ||
 				    !tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_OP])
@@ -300,13 +305,17 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
 		int start_rule_idx;
 		int next_rule_idx;
 
-		blobmsg_parse(oci_linux_seccomp_syscalls_policy, __OCI_LINUX_SECCOMP_SYSCALLS_MAX, tbn, blobmsg_data(cur), blobmsg_len(cur));
-		action = resolve_action(blobmsg_get_string(tbn[OCI_LINUX_SECCOMP_SYSCALLS_ACTION]));
+		blobmsg_parse(oci_linux_seccomp_syscalls_policy,
+			      __OCI_LINUX_SECCOMP_SYSCALLS_MAX,
+			      tbn, blobmsg_data(cur), blobmsg_len(cur));
+		action = resolve_action(blobmsg_get_string(
+				tbn[OCI_LINUX_SECCOMP_SYSCALLS_ACTION]));
 		if (tbn[OCI_LINUX_SECCOMP_SYSCALLS_ERRNORET]) {
 			if (action != SECCOMP_RET_ERRNO)
 				goto errout1;
 
-			action = SECCOMP_RET_ERROR(blobmsg_get_u32(tbn[OCI_LINUX_SECCOMP_SYSCALLS_ERRNORET]));
+			action = SECCOMP_RET_ERROR(blobmsg_get_u32(
+					tbn[OCI_LINUX_SECCOMP_SYSCALLS_ERRNORET]));
 		} else if (action == SECCOMP_RET_ERRNO)
 			action = SECCOMP_RET_ERROR(EPERM);
 
@@ -325,7 +334,9 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
 
 		/* calculate length of argument filter rules */
 		blobmsg_for_each_attr(curn, tbn[OCI_LINUX_SECCOMP_SYSCALLS_ARGS], remn) {
-			blobmsg_parse(oci_linux_seccomp_syscalls_args_policy, __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX, tba, blobmsg_data(curn), blobmsg_len(curn));
+			blobmsg_parse(oci_linux_seccomp_syscalls_args_policy,
+				      __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX,
+				      tba, blobmsg_data(curn), blobmsg_len(curn));
 			next_rule_idx += 2;
 			op_str = blobmsg_get_string(tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_OP]);
 			if (resolve_op_is_masked(op_str))
@@ -338,15 +349,24 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
 			sc = find_syscall(blobmsg_get_string(curn));
 			if (sc == -1)
 				continue;
-			/* check syscall, skip other syscall checks if hit; if no match chain to next section */
-			set_filter(&filter[idx], BPF_JMP + BPF_JEQ + BPF_K, start_rule_idx - (idx + 1), ((idx + 1) == start_rule_idx)?(next_rule_idx - (idx + 1)):0, sc);
+			/*
+			 * check syscall, skip other syscall checks if match is found.
+			 * if no match is found, jump to next section
+			 */
+			set_filter(&filter[idx], BPF_JMP + BPF_JEQ + BPF_K,
+				   start_rule_idx - (idx + 1),
+				   ((idx + 1) == start_rule_idx)?(next_rule_idx - (idx + 1)):0,
+				   sc);
 			++idx;
 		}
 
 		assert(idx = start_rule_idx);
 
+		/* generate argument filter rules */
 		blobmsg_for_each_attr(curn, tbn[OCI_LINUX_SECCOMP_SYSCALLS_ARGS], remn) {
-			blobmsg_parse(oci_linux_seccomp_syscalls_args_policy, __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX, tba, blobmsg_data(curn), blobmsg_len(curn));
+			blobmsg_parse(oci_linux_seccomp_syscalls_args_policy,
+				      __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX,
+				      tba, blobmsg_data(curn), blobmsg_len(curn));
 
 			op_str = blobmsg_get_string(tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_OP]);
 			op_ins = resolve_op_ins(op_str);
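Review bot: The context line right after the reformatted syscall-match loop, `assert(idx = start_rule_idx);`, assigns instead of compares, so it can never fail and instead silently rewrites idx; the sibling check later in the function uses `==`. The `continue` on `sc == -1` a few lines above leaves idx short of start_rule_idx when a name does not resolve, and the assignment would then hide that gap rather than report it — whether that path is still reachable after the first counting pass I can't tell from this hunk. The line should read `assert(idx == start_rule_idx);`. Since assert is compiled out under NDEBUG, an integrity check on the generated filter that matters in production builds belongs in a real error branch (the `goto errout1` style used elsewhere in this function) rather than an assert. parseOCIlinuxseccomp continues outside this hunk.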
@@ -373,6 +393,7 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg)
 			++idx;
 		}
 
+		/* if we have reached until here, all conditions were met and we can return */
 		set_filter(&filter[idx++], BPF_RET + BPF_K, 0, 0, action);
 
 		assert(idx == next_rule_idx);
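Review bot: The added comment before the return rule reads awkwardly; `/* if we have reached this point, all conditions were met and we can return */` says the same thing in idiomatic English. The enclosing function continues outside this hunk.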