code-intelligence.com/cifuzz@v0.40.0/third-party/minijail/parse_seccomp_policy.cc (about) 1 /* Copyright 2016 The Chromium OS Authors. All rights reserved. 2 * Use of this source code is governed by a BSD-style license that can be 3 * found in the LICENSE file. 4 */ 5 6 #include <getopt.h> 7 #include <stdio.h> 8 #include <string.h> 9 10 #include <string> 11 12 #include "bpf.h" 13 #include "syscall_filter.h" 14 #include "util.h" 15 16 namespace { 17 18 void DumpBpfProg(struct sock_fprog* fprog) { 19 struct sock_filter* filter = fprog->filter; 20 unsigned short len = fprog->len; 21 22 printf("len == %d\n", len); 23 printf("filter:\n"); 24 for (size_t i = 0; i < len; i++) { 25 printf("%zu: \t{ code=%#x, jt=%u, jf=%u, k=%#x \t}\n", i, filter[i].code, 26 filter[i].jt, filter[i].jf, filter[i].k); 27 } 28 } 29 30 void Usage(const char* progn, int status) { 31 // clang-format off 32 fprintf(status ? stderr : stdout, 33 "Usage: %s [--dump[=<output.bpf>]] [<policy file>]\n" 34 "\n" 35 "With no <policy file>, or when <policy file> is -, reads from standard input.\n" 36 "\n" 37 " --dump[=<output>]: Dump the BPF program into stdout (or <output>,\n" 38 " -d[<output>]: if provided). Useful if you want to inspect it\n" 39 " with libseccomp's scmp_bpf_disasm.\n", 40 progn); 41 // clang-format on 42 exit(status); 43 } 44 45 } // namespace 46 47 int main(int argc, char** argv) { 48 init_logging(LOG_TO_FD, STDERR_FILENO, LOG_INFO); 49 50 const char* optstring = "d:h"; 51 const struct option long_options[] = { 52 {"help", no_argument, 0, 'h'}, 53 {"dump", optional_argument, 0, 'd'}, 54 {0, 0, 0, 0}, 55 }; 56 57 bool dump = false; 58 std::string dump_path; 59 int opt; 60 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) { 61 switch (opt) { 62 case 'h': 63 Usage(argv[0], 0); 64 return 0; 65 case 'd': 66 dump = true; 67 if (optarg) 68 dump_path = optarg; 69 break; 70 } 71 } 72 73 FILE* f = stdin; 74 // If there is at least one additional unparsed argument, treat it as the 75 // policy script. 76 if (argc > optind && strcmp(argv[optind], "-") != 0) 77 f = fopen(argv[optind], "re"); 78 if (!f) 79 pdie("fopen(%s) failed", argv[1]); 80 81 struct filter_options fopts { 82 .action = ACTION_RET_KILL, 83 .allow_logging = 0, 84 .allow_syscalls_for_logging = 0, 85 .allow_duplicate_syscalls = allow_duplicate_syscalls(), 86 }; 87 88 struct sock_fprog fp; 89 int res = compile_filter(argv[1], f, &fp, &fopts); 90 fclose(f); 91 if (res != 0) 92 die("compile_filter failed"); 93 94 if (dump) { 95 FILE* out = stdout; 96 if (!dump_path.empty()) { 97 out = fopen(dump_path.c_str(), "we"); 98 if (!out) 99 pdie("fopen(%s) failed", dump_path.c_str()); 100 } 101 if (fwrite(fp.filter, sizeof(struct sock_filter), fp.len, out) != fp.len) 102 pdie("fwrite(%s) failed", dump_path.c_str()); 103 fclose(out); 104 } else { 105 DumpBpfProg(&fp); 106 } 107 108 free(fp.filter); 109 return 0; 110 }