From e6e606a9808e957b074bcd6fc76a911945596219 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Thomas=20Wei=C3=9Fschuh?=
Date: Fri, 2 Feb 2024 15:00:56 +0100
Subject: [PATCH] enosys: add functionality to dump filter
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Weißschuh
---
 bash-completion/enosys   | 3 +++
 misc-utils/enosys.1.adoc | 5 +++++
 misc-utils/enosys.c      | 18 +++++++++++++++---
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/bash-completion/enosys b/bash-completion/enosys
index 7ce7609a7..24971c349 100644
--- a/bash-completion/enosys
+++ b/bash-completion/enosys
@@ -16,6 +16,8 @@ _waitpid_module()
 			;;
 		'-m'|'--list-ioctl')
 			return 0
+		'-d'|'--dump')
+			return 0
 			;;
 		'-h'|'--help'|'-V'|'--version')
 			return 0
@@ -27,6 +29,7 @@ _waitpid_module()
 				--ioctl
 				--list
 				--list-ioctl
+				--dump
 				--help
 				--version"
 			COMPREPLY=( $(compgen -W "${OPTS[*]}" -- $cur) )
diff --git a/misc-utils/enosys.1.adoc b/misc-utils/enosys.1.adoc
index a9bc693b1..71452e078 100644
--- a/misc-utils/enosys.1.adoc
+++ b/misc-utils/enosys.1.adoc
@@ -36,6 +36,11 @@ List syscalls known to *enosys*.
 *-m*, *--list-ioctl*::
 List ioctls known to *enosys*.
 
+*-d*, *--dump*::
+Dump seccomp bytecode filter to standard output.
++
+The dump can for example be used by *setpriv --seccomp-filter*.
+
 include::man-common/help-version.adoc[]
 
 == EXIT STATUS
diff --git a/misc-utils/enosys.c b/misc-utils/enosys.c
index b806c7054..d6a518e21 100644
--- a/misc-utils/enosys.c
+++ b/misc-utils/enosys.c
@@ -35,6 +35,7 @@
 #include "xalloc.h"
 #include "strutils.h"
 #include "seccomp.h"
+#include "all-io.h"
 
 #define IS_LITTLE_ENDIAN (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
 
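Review bot: The new `'-d'|'--dump')` arm is inserted between the `return 0` of the `'-m'|'--list-ioctl'` arm and that arm's `;;`, so the `-m` arm loses its terminator and the `)` of the new pattern becomes a syntax error that makes bash refuse to source the completion file. Adding `;;` after the first `return 0`, directly before the new `'-d'|'--dump')` line, fixes it; the `-d` arm then correctly owns the `;;` that follows its own `return 0`. The enclosing `case` statement and the function begin and end outside the hunk.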
@@ -77,6 +78,7 @@ static void __attribute__((__noreturn__)) usage(void)
 	fputs(_(" -s, --syscall syscall to block\n"), out);
 	fputs(_(" -i, --ioctl ioctl to block\n"), out);
 	fputs(_(" -l, --list list known syscalls\n"), out);
+	fputs(_(" -d, --dump dump seccomp bytecode\n"), out);
 	fputs(USAGE_SEPARATOR, out);
 	fprintf(out, USAGE_HELP_OPTIONS(25));
 
@@ -95,12 +97,13 @@ int main(int argc, char **argv)
 {
 	int c;
 	size_t i;
-	bool found;
+	bool found, dump = false;
 	static const struct option longopts[] = {
 		{ "syscall", required_argument, NULL, 's' },
 		{ "ioctl", required_argument, NULL, 'i' },
 		{ "list", no_argument, NULL, 'l' },
 		{ "list-ioctl", no_argument, NULL, 'm' },
+		{ "dump", no_argument, NULL, 'd' },
 		{ "version", no_argument, NULL, 'V' },
 		{ "help", no_argument, NULL, 'h' },
 		{ 0 }
@@ -119,7 +122,7 @@ int main(int argc, char **argv)
 	bindtextdomain(PACKAGE, LOCALEDIR);
 	textdomain(PACKAGE);
 
-	while ((c = getopt_long (argc, argv, "+Vhs:i:lm", longopts, NULL)) != -1) {
+	while ((c = getopt_long (argc, argv, "+Vhs:i:lmd", longopts, NULL)) != -1) {
 		switch (c) {
 		case 's':
 			found = 0;
@@ -167,6 +170,9 @@ int main(int argc, char **argv)
 			for (i = 0; lt(i, ARRAY_SIZE(ioctls)); i++)
 				printf("%5ld %s\n", ioctls[i].number, ioctls[i].name);
 			return EXIT_SUCCESS;
+		case 'd':
+			dump = true;
+			break;
 		case 'V':
 			print_version(EXIT_SUCCESS);
 		case 'h':
@@ -176,7 +182,7 @@ int main(int argc, char **argv)
 		}
 	}
 
-	if (optind >= argc)
+	if (!dump && optind >= argc)
 		errtryhelp(EXIT_FAILURE);
 
 	struct sock_filter filter[BPF_MAXINSNS];
@@ -233,6 +239,12 @@ int main(int argc, char **argv)
 
 	INSTR(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
 
+	if (dump) {
+		if (write_all(STDOUT_FILENO, filter, (f - filter) * sizeof(filter[0])))
+			err(EXIT_FAILURE, _("Could not dump seccomp filter"));
+		return EXIT_SUCCESS;
+	}
+
 	struct sock_fprog prog = {
 		.len = f - filter,
 		.filter = filter,
-- 
2.47.3
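Review bot: Judging from the three context lines above the added `-d, --dump` entry, usage() lists `-s`, `-i` and `-l` but not the `-m, --list-ioctl` option that longopts, the completion script and the man page all know about, so the help text stays incomplete after this change (unless `-m` is printed earlier in the function, outside the hunk). Adding `fputs(_(" -m, --list-ioctl list known ioctls\n"), out);` before the new line would bring usage() in line with the man page. The new help string could also say where the dump goes, e.g. `dump seccomp bytecode to stdout`, matching the adoc wording "to standard output". The rest of usage() lies outside the hunk.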
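Review bot: Relaxing the argument check to `!dump && optind >= argc` lets `--dump` be combined with a trailing command, but the later `if (dump) { ... return EXIT_SUCCESS; }` block returns before any command is executed, so a command given together with `--dump` is silently ignored rather than either run or rejected. Either reject the combination up front, `if (dump && optind < argc) errx(EXIT_FAILURE, _("--dump cannot be combined with a command"));`, or state in the man page that no command is run when `--dump` is given. The surrounding body of main() starts and ends outside the hunk.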
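Review bot: The raw `struct sock_filter` array is written to stdout unconditionally, so `enosys --dump` run interactively spews binary into the terminal; a guard such as `if (isatty(STDOUT_FILENO)) errx(EXIT_FAILURE, _("refusing to write binary seccomp filter to a terminal"));` before the write_all() call is the usual courtesy (the use of STDOUT_FILENO suggests <unistd.h> is already included). The dumped bytes are also in the host's native `struct sock_filter` layout and byte order, and the file's IS_LITTLE_ENDIAN define suggests the filter is built for the host architecture, so the man page entry should say the dump is only meaningful on the architecture and ABI that produced it, which matters when the output is fed to *setpriv --seccomp-filter* elsewhere. The length expression `(f - filter) * sizeof(filter[0])` depends on `f` still pointing into `filter`, which is established outside the hunk.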