youki-dev
diff --git a/‎experiment/seccomp/Cargo.lock‎
Lines changed: 611 additions & 19 deletions b/‎experiment/seccomp/Cargo.lock‎
Lines changed: 611 additions & 19 deletions
diff --git a/‎experiment/seccomp/Cargo.toml‎
Lines changed: 9 additions & 2 deletions b/‎experiment/seccomp/Cargo.toml‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎experiment/seccomp/README.md‎
Lines changed: 5 additions & 1 deletion b/‎experiment/seccomp/README.md‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎experiment/seccomp/rust-toolchain.toml‎
Lines changed: 1 addition & 1 deletion b/‎experiment/seccomp/rust-toolchain.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎experiment/seccomp/src/instruction/arch.rs‎
Lines changed: 87 additions & 20 deletions b/‎experiment/seccomp/src/instruction/arch.rs‎
Lines changed: 87 additions & 20 deletions
diff --git a/‎experiment/seccomp/src/instruction/consts.rs‎
Lines changed: 40 additions & 4 deletions b/‎experiment/seccomp/src/instruction/consts.rs‎
Lines changed: 40 additions & 4 deletions
diff --git a/‎experiment/seccomp/src/instruction/inst.rs‎
Lines changed: 7 additions & 5 deletions b/‎experiment/seccomp/src/instruction/inst.rs‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎experiment/seccomp/src/instruction/mod.rs‎
Lines changed: 1 addition & 1 deletion b/‎experiment/seccomp/src/instruction/mod.rs‎
Lines changed: 1 addition & 1 deletion
@@ -22,6 +22,13 @@ nix = { version = "0.29.0", features = [
 thiserror = "1.0.57"
 prctl = "1.0.0"
 anyhow = "1.0"
-tokio = { version = "1", features = ["full"] }
 syscall-numbers = "3.1.1"
-syscalls = { version = "0.6.18", features = ["std", "serde", "aarch64", "x86_64"]}
+syscalls = { version = "0.6.18", features = ["std", "serde", "aarch64", "x86_64"]}
+oci-spec = { version = "0.9.0", features = ["runtime"] }
+serde_json = "1.0.138"
+derive_builder = "0.20.2"
+
+[dev-dependencies]
+tokio = { version = "1", features = ["full"] }
+libseccomp = "0.4.0"
+tempfile = "3.27.0"
@@ -2,5 +2,9 @@ This is an experimental project in order to get away from libseccomp.
 Ref: https://github.com/youki-dev/youki/issues/2724
 
 ```console
-$ cargo run
+# apply sample seccomp filter
+$ cargo test --test filter -- --show-output
+
+# output bpf instruction
+$ cargo test --test readjson -- --show-output
 ```
@@ -1,3 +1,3 @@
 [toolchain]
 profile="default"
-channel="1.77.1"
+channel="1.92.0"
@@ -1,22 +1,55 @@
-use crate::instruction::Instruction;
-use crate::instruction::*;
+use std::os::raw::c_uchar;
 
-#[derive(PartialEq, Debug)]
+use nix::errno::Errno::ENOSYS;
+
+use crate::instruction::{Instruction, *};
+
+#[derive(PartialEq, Debug, Default)]
 pub enum Arch {
-    X86,AArch64
+    #[default]
+    X86,
+    AArch64,
 }
 
-pub fn gen_validate(arc: &Arch) -> Vec<Instruction> {
+pub fn gen_validate(arc: &Arch, def_action: u32, jump_num: usize) -> Vec<Instruction> {
     let arch = match arc {
         Arch::X86 => AUDIT_ARCH_X86_64,
-        Arch::AArch64 => AUDIT_ARCH_AARCH64
+        Arch::AArch64 => AUDIT_ARCH_AARCH64,
     };
 
-    vec![
-        Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_arch_offset() as u32),
-        Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, arch),
-        Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
-    ]
+    if jump_num <= BPF_JMP_MAX {
+        vec![
+            // load offset architecture
+            Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_arch_offset() as u32),
+            // if not match architecture, jump to default action
+            Instruction::jump(
+                BPF_JMP | BPF_JEQ | BPF_K,
+                0,
+                (jump_num + 3) as c_uchar,
+                arch,
+            ),
+            // load offset system call number
+            Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_nr_offset() as u32),
+            // check system call is not using 32bit ABI
+            // see https://github.com/elastic/go-seccomp-bpf/blob/main/filter.go#L231
+            Instruction::jump(BPF_JMP | BPF_JGE | BPF_K, 0, 1, X32_SYSCALL_BIT),
+            Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS as u32),
+        ]
+    } else {
+        vec![
+            //  load offset architecture
+            Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_arch_offset() as u32),
+            // if not match architecture, jump to default action
+            Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 1, 0 as c_uchar, arch),
+            Instruction::stmt(BPF_RET | BPF_K, def_action),
+            // load offset system call number
+            Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_nr_offset() as u32),
+            // check system call is not using 32bit ABI
+            // see https://github.com/elastic/go-seccomp-bpf/blob/main/filter.go#L231
+            Instruction::jump(BPF_JMP | BPF_JGE | BPF_K, 0, 1, X32_SYSCALL_BIT),
+            Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS as u32),
+        ]
+    }
 }
 
 #[cfg(test)]
@@ -25,17 +58,51 @@ mod tests {
 
     #[test]
     fn test_gen_validate_x86() {
-        let bpf_prog = gen_validate(&Arch::X86);
-        assert_eq!(bpf_prog[0], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_arch_offset() as u32));
-        assert_eq!(bpf_prog[1], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, AUDIT_ARCH_X86_64));
-        assert_eq!(bpf_prog[2], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
+        let bpf_prog = gen_validate(&Arch::X86, SECCOMP_RET_KILL_PROCESS, 3);
+        assert_eq!(
+            bpf_prog[0],
+            Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_arch_offset() as u32)
+        );
+        assert_eq!(
+            bpf_prog[1],
+            Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 6, AUDIT_ARCH_X86_64)
+        );
+        assert_eq!(
+            bpf_prog[2],
+            Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_nr_offset() as u32)
+        );
+        assert_eq!(
+            bpf_prog[3],
+            Instruction::jump(BPF_JMP | BPF_JGE | BPF_K, 0, 1, X32_SYSCALL_BIT)
+        );
+        assert_eq!(
+            bpf_prog[4],
+            Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS as u32)
+        );
     }
 
     #[test]
     fn test_gen_validate_aarch64() {
-        let bpf_prog = gen_validate(&Arch::AArch64);
-        assert_eq!(bpf_prog[0], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_arch_offset() as u32));
-        assert_eq!(bpf_prog[1], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, AUDIT_ARCH_AARCH64));
-        assert_eq!(bpf_prog[2], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
+        let bpf_prog = gen_validate(&Arch::AArch64, SECCOMP_RET_KILL_PROCESS, 3);
+        assert_eq!(
+            bpf_prog[0],
+            Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_arch_offset() as u32)
+        );
+        assert_eq!(
+            bpf_prog[1],
+            Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 6, AUDIT_ARCH_AARCH64)
+        );
+        assert_eq!(
+            bpf_prog[2],
+            Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_nr_offset() as u32)
+        );
+        assert_eq!(
+            bpf_prog[3],
+            Instruction::jump(BPF_JMP | BPF_JGE | BPF_K, 0, 1, X32_SYSCALL_BIT)
+        );
+        assert_eq!(
+            bpf_prog[4],
+            Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS as u32)
+        );
     }
-}
+}
@@ -1,4 +1,7 @@
-use std::{mem::offset_of, os::raw::c_int};
+use std::mem::offset_of;
+use std::os::raw::c_int;
+
+use crate::seccomp::SeccompError;
 
 // BPF Instruction classes.
 // See /usr/include/linux/bpf_common.h .
@@ -30,9 +33,14 @@ pub const BPF_JA: u16 = 0x00;
 pub const BPF_JEQ: u16 = 0x10;
 pub const BPF_JGT: u16 = 0x20;
 pub const BPF_JGE: u16 = 0x30;
+pub const BPF_JSET: u16 = 0x40;
 // Test against the value in the K register.
 pub const BPF_K: u16 = 0x00;
 
+// Limitation on the number of jumps for the bpf instruction
+// https://github.com/seccomp/libseccomp/blob/main/src/gen_bpf.c#L104
+pub const BPF_JMP_MAX: usize = 255;
+
 // Return codes for BPF programs.
 // See /usr/include/linux/seccomp.h .
 pub const SECCOMP_RET_ALLOW: u32 = 0x7fff_0000;
@@ -50,6 +58,22 @@ pub const SECCOMP_RET_USER_NOTIF: u32 = 0x7fc00000;
 pub const AUDIT_ARCH_X86_64: u32 = 62 | 0x8000_0000 | 0x4000_0000;
 pub const AUDIT_ARCH_AARCH64: u32 = 183 | 0x8000_0000 | 0x4000_0000;
 
+// See /arch/x86/include/uapi/asm/unistd.h
+pub const X32_SYSCALL_BIT: u32 = 0x4000_0000;
+
+// Comparison operators
+// See libseccomp/include/seccomp.h.in
+#[derive(Debug, PartialEq, Clone)]
+pub enum SeccompCompareOp {
+    NotEqual = 1,
+    LessThan,
+    LessOrEqual,
+    Equal,
+    GreaterOrEqual,
+    GreaterThan,
+    MaskedEqual,
+}
+
 // ```c
 // struct seccomp_data {
 //     int nr;
@@ -67,6 +91,10 @@ struct SeccompData {
     args: [u64; 6],
 }
 
+pub const fn seccomp_data_nr_offset() -> u8 {
+    offset_of!(SeccompData, nr) as u8
+}
+
 pub const fn seccomp_data_arch_offset() -> u8 {
     offset_of!(SeccompData, arch) as u8
 }
@@ -75,8 +103,11 @@ pub const fn seccomp_data_arg_size() -> u8 {
     8
 }
 
-pub const fn seccomp_data_args_offset() -> u8 {
-    offset_of!(SeccompData, args) as u8
+pub const fn seccomp_data_args_offset(index: u8) -> Result<u8, SeccompError> {
+    match index {
+        0..=5 => Ok((offset_of!(SeccompData, args) as u8) + (index * 8)),
+        _ => Err(SeccompError::InvalidArgumentSize),
+    }
 }
 
 pub const SECCOMP_IOC_MAGIC: u8 = b'!';
@@ -102,7 +133,12 @@ mod tests {
     #[test]
     fn test_seccomp_data_args_offset() {
         if cfg!(target_arch = "x86_64") {
-            assert_eq!(seccomp_data_args_offset(), 16);
+            assert_eq!(seccomp_data_args_offset(0).unwrap(), 16);
+            assert_eq!(seccomp_data_args_offset(1).unwrap(), 16 + 8);
+            assert_eq!(seccomp_data_args_offset(2).unwrap(), 16 + 16);
+            assert_eq!(seccomp_data_args_offset(3).unwrap(), 16 + 24);
+            assert_eq!(seccomp_data_args_offset(4).unwrap(), 16 + 32);
+            assert_eq!(seccomp_data_args_offset(5).unwrap(), 16 + 40);
         }
     }
 }
@@ -1,5 +1,7 @@
 use std::os::raw::{c_uchar, c_uint, c_ushort};
 
+use crate::instruction::BPF_JMP;
+
 // https://docs.kernel.org/networking/filter.html#structure
 // <linux/filter.h>: sock_filter
 #[repr(C)]
@@ -32,7 +34,7 @@ impl Instruction {
         jump_false: c_uchar,
         multiuse_field: c_uint,
     ) -> Self {
-        Self::new(code, jump_true, jump_false, multiuse_field)
+        Self::new(BPF_JMP | code, jump_true, jump_false, multiuse_field)
     }
 
     pub fn stmt(code: c_ushort, k: c_uint) -> Self {
@@ -57,12 +59,12 @@ mod tests {
             }
         );
         assert_eq!(
-            Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 10, 2, 5),
+            Instruction::jump(BPF_JEQ | BPF_K, 10, 2, 5),
             Instruction {
                 code: 0x15,
-                offset_jump_true: 2,
-                offset_jump_false: 5,
-                multiuse_field: 10,
+                offset_jump_true: 10,
+                offset_jump_false: 2,
+                multiuse_field: 5,
             }
         );
     }
 
@@ -2,6 +2,6 @@ mod arch;
 mod consts;
 mod inst;
 
-pub use arch::{gen_validate, Arch};
+pub use arch::{Arch, gen_validate};
 pub use consts::*;
 pub use inst::Instruction;