-rw-r--r--Makefile17
-rw-r--r--libminijail.c3
-rw-r--r--libminijail.h7
-rw-r--r--logging.h26
-rw-r--r--syscall_filter.c35
-rw-r--r--util.c41
-rw-r--r--util.h33
7 files changed, 89 insertions, 73 deletions
diff --git a/Makefile b/Makefile
index c81f876..ea7f8b1 100644
--- a/Makefile
+++ b/Makefile
@@ -11,10 +11,11 @@ all : minijail0 libminijail.so libminijailpreload.so
tests : libminijail_unittest.wrapper syscall_filter_unittest
-minijail0 : libsyscalls.gen.o libminijail.o syscall_filter.o bpf.o minijail0.c
+minijail0 : libsyscalls.gen.o libminijail.o syscall_filter.o bpf.o util.o \
+ minijail0.c
$(CC) $(CFLAGS) -o $@ $^ -lcap
-libminijail.so : libminijail.o syscall_filter.o bpf.o libsyscalls.gen.o
+libminijail.so : libminijail.o syscall_filter.o bpf.o util.o libsyscalls.gen.o
$(CC) $(CFLAGS) -shared -o $@ $^ -lcap
# Allow unittests to access what are normally internal symbols.
@@ -25,11 +26,11 @@ libminijail_unittest.wrapper :
libminijail_unittest : CFLAGS := $(filter-out -fvisibility=%,$(CFLAGS))
libminijail_unittest : libminijail_unittest.o libminijail.o \
- syscall_filter.o bpf.o libsyscalls.gen.o
+ syscall_filter.o bpf.o util.o libsyscalls.gen.o
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(filter-out $(CFLAGS_FILE),$^) -lcap
libminijailpreload.so : libminijailpreload.c libminijail.o libsyscalls.gen.o \
- syscall_filter.o bpf.o
+ syscall_filter.o bpf.o util.o
$(CC) $(CFLAGS) -shared -o $@ $^ -ldl -lcap
libminijail.o : libminijail.c libminijail.h
@@ -39,8 +40,8 @@ libminijail_unittest.o : libminijail_unittest.c test_harness.h
libsyscalls.gen.o : libsyscalls.gen.c libsyscalls.h
-syscall_filter_unittest : syscall_filter_unittest.o syscall_filter.o bpf.o \
- libsyscalls.gen.o test_harness.h
+syscall_filter_unittest : syscall_filter_unittest.o syscall_filter.o \
+ bpf.o util.o libsyscalls.gen.o test_harness.h
$(CC) $(CFLAGS) -o $@ $^
syscall_filter_unittest.o : syscall_filter_unittest.c test_harness.h
@@ -50,6 +51,8 @@ syscall_filter.o : syscall_filter.c syscall_filter.h
bpf.o : bpf.c bpf.h
+util.o : util.c util.h
+
# sed expression which extracts system calls that are
# defined via asm/unistd.h. It converts them from:
# #define __NR_read
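Review bot: The new rule `util.o : util.c util.h` omits `libsyscalls.h`, which util.c includes, so a change to that header will not rebuild util.o; `util.o : util.c util.h libsyscalls.h` covers it. The `libminijail.o` and `syscall_filter.o` rules, as far as they are visible in the context lines, likewise do not list `util.h` although both sources now include it. An edit to the `die()`/`pdie()` macros could therefore leave stale objects linked into the library.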
@@ -98,5 +101,5 @@ clean : test-clean
@rm -f libminijail.so
@rm -f libminijail_unittest
@rm -f libsyscalls.gen.c
- @rm -f syscall_filter.o bpf.o
+ @rm -f syscall_filter.o bpf.o util.o
@rm -f syscall_filter_unittest syscall_filter_unittest.o
diff --git a/libminijail.c b/libminijail.c
index 13434f6..2c3d5b3 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -33,11 +33,10 @@
#include <unistd.h>
#include "libminijail.h"
-#include "libsyscalls.h"
#include "libminijail-private.h"
-#include "logging.h"
#include "syscall_filter.h"
+#include "util.h"
/* Until these are reliably available in linux/prctl.h */
#ifndef PR_SET_SECCOMP
diff --git a/libminijail.h b/libminijail.h
index c756141..13f9ab4 100644
--- a/libminijail.h
+++ b/libminijail.h
@@ -80,13 +80,6 @@ int minijail_enter_chroot(struct minijail *j, const char *dir);
int minijail_bind(struct minijail *j, const char *src, const char *dest,
int writeable);
-/* Exposes minijail's name-to-int mapping for system calls for the
- * architecture it was built on. This is primarily exposed for
- * minijail_add_seccomp_filter() and testing.
- * Returns the system call number on success or -1 on failure.
- */
-int minijail_lookup_syscall(const char *name);
-
/* Lock this process into the given minijail. Note that this procedure cannot fail,
* since there is no way to undo privilege-dropping; therefore, if any part of
* the privilege-drop fails, minijail_enter() will abort the entire process.
diff --git a/logging.h b/logging.h
deleted file mode 100644
index a8aa284..0000000
--- a/logging.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- */
-
-#ifndef _LOGGING_H_
-#define _LOGGING_H_
-
-#include <stdlib.h>
-#include <syslog.h>
-
-#define die(_msg, ...) do { \
- syslog(LOG_ERR, "libminijail: " _msg, ## __VA_ARGS__); \
- abort(); \
-} while (0)
-
-#define pdie(_msg, ...) \
- die(_msg ": %s", ## __VA_ARGS__, strerror(errno))
-
-#define warn(_msg, ...) \
- syslog(LOG_WARNING, "libminijail: " _msg, ## __VA_ARGS__)
-
-#define info(_msg, ...) \
- syslog(LOG_INFO, "libminijail: " _msg, ## __VA_ARGS__)
-
-#endif /* _LOGGING_H_ */
diff --git a/syscall_filter.c b/syscall_filter.c
index c075d66..e96ad60 100644
--- a/syscall_filter.c
+++ b/syscall_filter.c
@@ -1,22 +1,19 @@
-/* parser.c
- * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
- *
- * Syscall filter syntax parser.
*/
-#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "syscall_filter.h"
-#include "libsyscalls.h"
-#include "logging.h"
+#include "util.h"
#define MAX_LINE_LENGTH 1024
+#define ONE_INSTR 1
+#define TWO_INSTRS 2
int str_to_op(const char *op_str)
{
@@ -29,9 +26,6 @@ int str_to_op(const char *op_str)
}
}
-#define ONE_INSTR 1
-#define TWO_INSTRS 2
-
struct sock_filter *new_instr_buf(size_t count)
{
struct sock_filter *buf = calloc(count, sizeof(struct sock_filter));
@@ -317,27 +311,6 @@ struct filter_block *compile_section(int nr, const char *policy_line,
return head;
}
-int lookup_syscall(const char *name)
-{
- const struct syscall_entry *entry = syscall_table;
- for (; entry->name && entry->nr >= 0; ++entry)
- if (!strcmp(entry->name, name))
- return entry->nr;
- return -1;
-}
-
-char *strip(char *s)
-{
- char *end;
- while (*s && isblank(*s))
- s++;
- end = s + strlen(s) - 1;
- while (end >= s && *end && (isblank(*end) || *end == '\n'))
- end--;
- *(end + 1) = '\0';
- return s;
-}
-
int compile_filter(FILE *policy, struct sock_fprog *prog)
{
char line[MAX_LINE_LENGTH];
diff --git a/util.c b/util.c
new file mode 100644
index 0000000..ea3c722
--- /dev/null
+++ b/util.c
@@ -0,0 +1,41 @@
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include <ctype.h>
+#include <string.h>
+
+#include "util.h"
+
+#include "libsyscalls.h"
+
+int lookup_syscall(const char *name)
+{
+ const struct syscall_entry *entry = syscall_table;
+ for (; entry->name && entry->nr >= 0; ++entry)
+ if (!strcmp(entry->name, name))
+ return entry->nr;
+ return -1;
+}
+
+const char *lookup_syscall_name(int nr)
+{
+ const struct syscall_entry *entry = syscall_table;
+ for (; entry->name && entry->nr >= 0; ++entry)
+ if (entry->nr == nr)
+ return entry->name;
+ return NULL;
+}
+
+char *strip(char *s)
+{
+ char *end;
+ while (*s && isblank(*s))
+ s++;
+ end = s + strlen(s) - 1;
+ while (end >= s && *end && (isblank(*end) || *end == '\n'))
+ end--;
+ *(end + 1) = '\0';
+ return s;
+}
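Review bot: `strip()` passes a plain `char` to `isblank()` and, for an empty or all-blank string, computes `s + strlen(s) - 1`, a pointer before the start of the buffer; both are undefined behaviour. The function was moved from syscall_filter.c, where it appears to be used on policy-file lines, so it deserves well-defined behaviour on any byte. Casting to `unsigned char` and trimming by length rather than by an `end` pointer removes both problems without changing the result for ordinary input. Separately, `lookup_syscall()` hands `name` straight to `strcmp()`, so either an `if (!name) return -1;` guard or a comment stating that `name` must be non-NULL would settle the contract.

```c
char *strip(char *s)
{
	size_t len;
	while (*s && isblank((unsigned char)*s))
		s++;
	len = strlen(s);
	while (len > 0 &&
	       (isblank((unsigned char)s[len - 1]) || s[len - 1] == '\n'))
		len--;
	s[len] = '\0';
	return s;
}
```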
diff --git a/util.h b/util.h
new file mode 100644
index 0000000..8f0fa7b
--- /dev/null
+++ b/util.h
@@ -0,0 +1,33 @@
+/* util.h
+ * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * Logging and other utility functions.
+ */
+
+#ifndef _UTIL_H_
+#define _UTIL_H_
+
+#include <stdlib.h>
+#include <syslog.h>
+
+#define die(_msg, ...) do { \
+ syslog(LOG_ERR, "libminijail: " _msg, ## __VA_ARGS__); \
+ abort(); \
+} while (0)
+
+#define pdie(_msg, ...) \
+ die(_msg ": %s", ## __VA_ARGS__, strerror(errno))
+
+#define warn(_msg, ...) \
+ syslog(LOG_WARNING, "libminijail: " _msg, ## __VA_ARGS__)
+
+#define info(_msg, ...) \
+ syslog(LOG_INFO, "libminijail: " _msg, ## __VA_ARGS__)
+
+int lookup_syscall(const char *name);
+const char *lookup_syscall_name(int nr);
+char *strip(char *s);
+
+#endif /* _UTIL_H_ */
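Review bot: `pdie()` expands to `strerror(errno)`, but util.h includes only `<stdlib.h>` and `<syslog.h>`, so the header compiles only where the includer has already pulled in the other two; add `#include <errno.h>` and `#include <string.h>` beside the existing includes. The three prototypes would also benefit from one-line comments stating that `lookup_syscall()` returns -1 and `lookup_syscall_name()` returns NULL when nothing matches, and that `strip()` modifies its argument in place and returns a pointer into the same buffer. The guard name `_UTIL_H_` sits in the reserved-identifier space (underscore followed by an uppercase letter); `UTIL_H` avoids that.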