Remove macro trickery; no binary change

This stops the SC_ALLOW(), SC_ALLOW_ARG() and SC_DENY() macros prepending __NR_ to the syscall number parameter and just makes them explicit in the macro invocations. No binary change in stripped object file before/after.
author: Damien Miller <djm@mindrot.org> 2017-03-14 17:48:43 +1100
committer: Damien Miller <djm@mindrot.org> 2017-03-14 17:53:17 +1100
commit: e3ea335abeab731c68f2b2141bee85a4b0bf680f (patch)
tree: d32b1aa11b8580d482b266f12326fd93a24429da /sandbox-seccomp-filter.c
parent: 5f1596e11d55539678c41f68aed358628d33d86f (diff)
1 files changed, 40 insertions, 40 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 6ceee33fe..14006b99a 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -85,13 +85,13 @@
 /* Simple helpers to avoid manual errors (but larger BPF programs). */
 #define SC_DENY(_nr, _errno) \
-        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \
        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
 #define SC_ALLOW(_nr) \
-        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \
        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
-        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 6), \
        /* load and test first syscall argument, low word */ \
        BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
            offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
@@ -120,114 +120,114 @@ static const struct sock_filter preauth_insns[] = {
        /* Syscalls to non-fatally deny */
 #ifdef __NR_lstat
-        SC_DENY(lstat, EACCES),
+        SC_DENY(__NR_lstat, EACCES),
 #endif
 #ifdef __NR_lstat64
-        SC_DENY(lstat64, EACCES),
+        SC_DENY(__NR_lstat64, EACCES),
 #endif
 #ifdef __NR_fstat
-        SC_DENY(fstat, EACCES),
+        SC_DENY(__NR_fstat, EACCES),
 #endif
 #ifdef __NR_fstat64
-        SC_DENY(fstat64, EACCES),
+        SC_DENY(__NR_fstat64, EACCES),
 #endif
 #ifdef __NR_open
-        SC_DENY(open, EACCES),
+        SC_DENY(__NR_open, EACCES),
 #endif
 #ifdef __NR_openat
-        SC_DENY(openat, EACCES),
+        SC_DENY(__NR_openat, EACCES),
 #endif
 #ifdef __NR_newfstatat
-        SC_DENY(newfstatat, EACCES),
+        SC_DENY(__NR_newfstatat, EACCES),
 #endif
 #ifdef __NR_stat
-        SC_DENY(stat, EACCES),
+        SC_DENY(__NR_stat, EACCES),
 #endif
 #ifdef __NR_stat64
-        SC_DENY(stat64, EACCES),
+        SC_DENY(__NR_stat64, EACCES),
 #endif
        /* Syscalls to permit */
 #ifdef __NR_brk
-        SC_ALLOW(brk),
+        SC_ALLOW(__NR_brk),
 #endif
 #ifdef __NR_clock_gettime
-        SC_ALLOW(clock_gettime),
+        SC_ALLOW(__NR_clock_gettime),
 #endif
 #ifdef __NR_close
-        SC_ALLOW(close),
+        SC_ALLOW(__NR_close),
 #endif
 #ifdef __NR_exit
-        SC_ALLOW(exit),
+        SC_ALLOW(__NR_exit),
 #endif
 #ifdef __NR_exit_group
-        SC_ALLOW(exit_group),
+        SC_ALLOW(__NR_exit_group),
 #endif
 #ifdef __NR_getpgid
-        SC_ALLOW(getpgid),
+        SC_ALLOW(__NR_getpgid),
 #endif
 #ifdef __NR_getpid
-        SC_ALLOW(getpid),
+        SC_ALLOW(__NR_getpid),
 #endif
 #ifdef __NR_getrandom
-        SC_ALLOW(getrandom),
+        SC_ALLOW(__NR_getrandom),
 #endif
 #ifdef __NR_gettimeofday
-        SC_ALLOW(gettimeofday),
+        SC_ALLOW(__NR_gettimeofday),
 #endif
 #ifdef __NR_madvise
-        SC_ALLOW(madvise),
+        SC_ALLOW(__NR_madvise),
 #endif
 #ifdef __NR_mmap
-        SC_ALLOW(mmap),
+        SC_ALLOW(__NR_mmap),
 #endif
 #ifdef __NR_mmap2
-        SC_ALLOW(mmap2),
+        SC_ALLOW(__NR_mmap2),
 #endif
 #ifdef __NR_mremap
-        SC_ALLOW(mremap),
+        SC_ALLOW(__NR_mremap),
 #endif
 #ifdef __NR_munmap
-        SC_ALLOW(munmap),
+        SC_ALLOW(__NR_munmap),
 #endif
 #ifdef __NR__newselect
-        SC_ALLOW(_newselect),
+        SC_ALLOW(__NR__newselect),
 #endif
 #ifdef __NR_poll
-        SC_ALLOW(poll),
+        SC_ALLOW(__NR_poll),
 #endif
 #ifdef __NR_pselect6
-        SC_ALLOW(pselect6),
+        SC_ALLOW(__NR_pselect6),
 #endif
 #ifdef __NR_read
-        SC_ALLOW(read),
+        SC_ALLOW(__NR_read),
 #endif
 #ifdef __NR_rt_sigprocmask
-        SC_ALLOW(rt_sigprocmask),
+        SC_ALLOW(__NR_rt_sigprocmask),
 #endif
 #ifdef __NR_select
-        SC_ALLOW(select),
+        SC_ALLOW(__NR_select),
 #endif
 #ifdef __NR_shutdown
-        SC_ALLOW(shutdown),
+        SC_ALLOW(__NR_shutdown),
 #endif
 #ifdef __NR_sigprocmask
-        SC_ALLOW(sigprocmask),
+        SC_ALLOW(__NR_sigprocmask),
 #endif
 #ifdef __NR_time
-        SC_ALLOW(time),
+        SC_ALLOW(__NR_time),
 #endif
 #ifdef __NR_write
-        SC_ALLOW(write),
+        SC_ALLOW(__NR_write),
 #endif
 #ifdef __NR_socketcall
-        SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+        SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
 #endif
 #if defined(__NR_ioctl) && defined(__s390__)
        /* Allow ioctls for ICA crypto card on s390 */
-        SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
+        SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
-        SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
+        SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
-        SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+        SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
 #endif /* defined(__NR_ioctl) && defined(__s390__) */
        /* Default deny */
author	Damien Miller <djm@mindrot.org>	2017-03-14 17:48:43 +1100
committer	Damien Miller <djm@mindrot.org>	2017-03-14 17:53:17 +1100
commit	e3ea335abeab731c68f2b2141bee85a4b0bf680f (patch)
tree	d32b1aa11b8580d482b266f12326fd93a24429da /sandbox-seccomp-filter.c
parent	5f1596e11d55539678c41f68aed358628d33d86f (diff)

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 6ceee33fe..14006b99a 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c
@@ -85,13 +85,13 @@
85		85
86	/* Simple helpers to avoid manual errors (but larger BPF programs). */	86	/* Simple helpers to avoid manual errors (but larger BPF programs). */
87	#define SC_DENY(_nr, _errno) \	87	#define SC_DENY(_nr, _errno) \
88	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \	88	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \
89	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO\|(_errno))	89	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO\|(_errno))
90	#define SC_ALLOW(_nr) \	90	#define SC_ALLOW(_nr) \
91	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \	91	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \
92	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)	92	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
93	#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \	93	#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
94	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \	94	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 6), \
95	/* load and test first syscall argument, low word */ \	95	/* load and test first syscall argument, low word */ \
96	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \	96	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
97	offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \	97	offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
@@ -120,114 +120,114 @@ static const struct sock_filter preauth_insns[] = {
120		120
121	/* Syscalls to non-fatally deny */	121	/* Syscalls to non-fatally deny */
122	#ifdef __NR_lstat	122	#ifdef __NR_lstat
123	SC_DENY(lstat, EACCES),	123	SC_DENY(__NR_lstat, EACCES),
124	#endif	124	#endif
125	#ifdef __NR_lstat64	125	#ifdef __NR_lstat64
126	SC_DENY(lstat64, EACCES),	126	SC_DENY(__NR_lstat64, EACCES),
127	#endif	127	#endif
128	#ifdef __NR_fstat	128	#ifdef __NR_fstat
129	SC_DENY(fstat, EACCES),	129	SC_DENY(__NR_fstat, EACCES),
130	#endif	130	#endif
131	#ifdef __NR_fstat64	131	#ifdef __NR_fstat64
132	SC_DENY(fstat64, EACCES),	132	SC_DENY(__NR_fstat64, EACCES),
133	#endif	133	#endif
134	#ifdef __NR_open	134	#ifdef __NR_open
135	SC_DENY(open, EACCES),	135	SC_DENY(__NR_open, EACCES),
136	#endif	136	#endif
137	#ifdef __NR_openat	137	#ifdef __NR_openat
138	SC_DENY(openat, EACCES),	138	SC_DENY(__NR_openat, EACCES),
139	#endif	139	#endif
140	#ifdef __NR_newfstatat	140	#ifdef __NR_newfstatat
141	SC_DENY(newfstatat, EACCES),	141	SC_DENY(__NR_newfstatat, EACCES),
142	#endif	142	#endif
143	#ifdef __NR_stat	143	#ifdef __NR_stat
144	SC_DENY(stat, EACCES),	144	SC_DENY(__NR_stat, EACCES),
145	#endif	145	#endif
146	#ifdef __NR_stat64	146	#ifdef __NR_stat64
147	SC_DENY(stat64, EACCES),	147	SC_DENY(__NR_stat64, EACCES),
148	#endif	148	#endif
149		149
150	/* Syscalls to permit */	150	/* Syscalls to permit */
151	#ifdef __NR_brk	151	#ifdef __NR_brk
152	SC_ALLOW(brk),	152	SC_ALLOW(__NR_brk),
153	#endif	153	#endif
154	#ifdef __NR_clock_gettime	154	#ifdef __NR_clock_gettime
155	SC_ALLOW(clock_gettime),	155	SC_ALLOW(__NR_clock_gettime),
156	#endif	156	#endif
157	#ifdef __NR_close	157	#ifdef __NR_close
158	SC_ALLOW(close),	158	SC_ALLOW(__NR_close),
159	#endif	159	#endif
160	#ifdef __NR_exit	160	#ifdef __NR_exit
161	SC_ALLOW(exit),	161	SC_ALLOW(__NR_exit),
162	#endif	162	#endif
163	#ifdef __NR_exit_group	163	#ifdef __NR_exit_group
164	SC_ALLOW(exit_group),	164	SC_ALLOW(__NR_exit_group),
165	#endif	165	#endif
166	#ifdef __NR_getpgid	166	#ifdef __NR_getpgid
167	SC_ALLOW(getpgid),	167	SC_ALLOW(__NR_getpgid),
168	#endif	168	#endif
169	#ifdef __NR_getpid	169	#ifdef __NR_getpid
170	SC_ALLOW(getpid),	170	SC_ALLOW(__NR_getpid),
171	#endif	171	#endif
172	#ifdef __NR_getrandom	172	#ifdef __NR_getrandom
173	SC_ALLOW(getrandom),	173	SC_ALLOW(__NR_getrandom),
174	#endif	174	#endif
175	#ifdef __NR_gettimeofday	175	#ifdef __NR_gettimeofday
176	SC_ALLOW(gettimeofday),	176	SC_ALLOW(__NR_gettimeofday),
177	#endif	177	#endif
178	#ifdef __NR_madvise	178	#ifdef __NR_madvise
179	SC_ALLOW(madvise),	179	SC_ALLOW(__NR_madvise),
180	#endif	180	#endif
181	#ifdef __NR_mmap	181	#ifdef __NR_mmap
182	SC_ALLOW(mmap),	182	SC_ALLOW(__NR_mmap),
183	#endif	183	#endif
184	#ifdef __NR_mmap2	184	#ifdef __NR_mmap2
185	SC_ALLOW(mmap2),	185	SC_ALLOW(__NR_mmap2),
186	#endif	186	#endif
187	#ifdef __NR_mremap	187	#ifdef __NR_mremap
188	SC_ALLOW(mremap),	188	SC_ALLOW(__NR_mremap),
189	#endif	189	#endif
190	#ifdef __NR_munmap	190	#ifdef __NR_munmap
191	SC_ALLOW(munmap),	191	SC_ALLOW(__NR_munmap),
192	#endif	192	#endif
193	#ifdef __NR__newselect	193	#ifdef __NR__newselect
194	SC_ALLOW(_newselect),	194	SC_ALLOW(__NR__newselect),
195	#endif	195	#endif
196	#ifdef __NR_poll	196	#ifdef __NR_poll
197	SC_ALLOW(poll),	197	SC_ALLOW(__NR_poll),
198	#endif	198	#endif
199	#ifdef __NR_pselect6	199	#ifdef __NR_pselect6
200	SC_ALLOW(pselect6),	200	SC_ALLOW(__NR_pselect6),
201	#endif	201	#endif
202	#ifdef __NR_read	202	#ifdef __NR_read
203	SC_ALLOW(read),	203	SC_ALLOW(__NR_read),
204	#endif	204	#endif
205	#ifdef __NR_rt_sigprocmask	205	#ifdef __NR_rt_sigprocmask
206	SC_ALLOW(rt_sigprocmask),	206	SC_ALLOW(__NR_rt_sigprocmask),
207	#endif	207	#endif
208	#ifdef __NR_select	208	#ifdef __NR_select
209	SC_ALLOW(select),	209	SC_ALLOW(__NR_select),
210	#endif	210	#endif
211	#ifdef __NR_shutdown	211	#ifdef __NR_shutdown
212	SC_ALLOW(shutdown),	212	SC_ALLOW(__NR_shutdown),
213	#endif	213	#endif
214	#ifdef __NR_sigprocmask	214	#ifdef __NR_sigprocmask
215	SC_ALLOW(sigprocmask),	215	SC_ALLOW(__NR_sigprocmask),
216	#endif	216	#endif
217	#ifdef __NR_time	217	#ifdef __NR_time
218	SC_ALLOW(time),	218	SC_ALLOW(__NR_time),
219	#endif	219	#endif
220	#ifdef __NR_write	220	#ifdef __NR_write
221	SC_ALLOW(write),	221	SC_ALLOW(__NR_write),
222	#endif	222	#endif
223	#ifdef __NR_socketcall	223	#ifdef __NR_socketcall
224	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),	224	SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
225	#endif	225	#endif
226	#if defined(__NR_ioctl) && defined(__s390__)	226	#if defined(__NR_ioctl) && defined(__s390__)
227	/* Allow ioctls for ICA crypto card on s390 */	227	/* Allow ioctls for ICA crypto card on s390 */
228	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),	228	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
229	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),	229	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
230	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),	230	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
231	#endif /* defined(__NR_ioctl) && defined(__s390__) */	231	#endif /* defined(__NR_ioctl) && defined(__s390__) */
232		232
233	/* Default deny */	233	/* Default deny */