github.com/MerlinKodo/gvisor@v0.0.0-20231110090155-957f62ecf90e/pkg/seccomp/seccomp.go (about) 1 // Copyright 2018 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // Package seccomp provides generation of basic seccomp filters. Currently, 16 // only little endian systems are supported. 17 package seccomp 18 19 import ( 20 "fmt" 21 "reflect" 22 "sort" 23 24 "github.com/MerlinKodo/gvisor/pkg/abi/linux" 25 "github.com/MerlinKodo/gvisor/pkg/bpf" 26 "github.com/MerlinKodo/gvisor/pkg/log" 27 ) 28 29 const ( 30 // skipOneInst is the offset to take for skipping one instruction. 31 skipOneInst = 1 32 33 // defaultLabel is the label for the default action. 34 defaultLabel = "default_action" 35 ) 36 37 // NonNegativeFDCheck ensures an FD argument is a non-negative int. 38 func NonNegativeFDCheck() LessThanOrEqual { 39 // Negative int32 has the MSB (31st bit) set. So the raw uint FD value must 40 // be less than or equal to 0x7fffffff. 41 return LessThanOrEqual(0x7fffffff) 42 } 43 44 // Install generates BPF code based on the set of syscalls provided. It only 45 // allows syscalls that conform to the specification. Syscalls that violate the 46 // specification will trigger RET_KILL_PROCESS. If RET_KILL_PROCESS is not 47 // supported, violations will trigger RET_TRAP instead. RET_KILL_THREAD is not 48 // used because it only kills the offending thread and often keeps the sentry 49 // hanging. 50 // 51 // denyRules describes forbidden syscalls. rules describes allowed syscalls. 52 // denyRules is executed before rules. 53 // 54 // Be aware that RET_TRAP sends SIGSYS to the process and it may be ignored, 55 // making it possible for the process to continue running after a violation. 56 // However, it will leave a SECCOMP audit event trail behind. In any case, the 57 // syscall is still blocked from executing. 58 func Install(rules SyscallRules, denyRules SyscallRules) error { 59 defaultAction, err := defaultAction() 60 if err != nil { 61 return err 62 } 63 64 // *** DEBUG TIP *** 65 // If you suspect the process is getting killed due to a seccomp violation, uncomment the line 66 // below to get a panic stack trace when there is a violation. 67 // defaultAction = linux.BPFAction(linux.SECCOMP_RET_TRAP) 68 69 log.Infof("Installing seccomp filters for %d syscalls (action=%v)", len(rules), defaultAction) 70 71 instrs, err := BuildProgram([]RuleSet{ 72 { 73 Rules: denyRules, 74 Action: defaultAction, 75 }, 76 { 77 Rules: rules, 78 Action: linux.SECCOMP_RET_ALLOW, 79 }, 80 }, defaultAction, defaultAction) 81 if log.IsLogging(log.Debug) { 82 programStr, errDecode := bpf.DecodeInstructions(instrs) 83 if errDecode != nil { 84 programStr = fmt.Sprintf("Error: %v\n%s", errDecode, programStr) 85 } 86 log.Debugf("Seccomp program dump:\n%s", programStr) 87 } 88 if err != nil { 89 return err 90 } 91 92 // Perform the actual installation. 93 if err := SetFilter(instrs); err != nil { 94 return fmt.Errorf("failed to set filter: %v", err) 95 } 96 97 log.Infof("Seccomp filters installed.") 98 return nil 99 } 100 101 func defaultAction() (linux.BPFAction, error) { 102 available, err := isKillProcessAvailable() 103 if err != nil { 104 return 0, err 105 } 106 if available { 107 return linux.SECCOMP_RET_KILL_PROCESS, nil 108 } 109 return linux.SECCOMP_RET_TRAP, nil 110 } 111 112 // RuleSet is a set of rules and associated action. 113 type RuleSet struct { 114 Rules SyscallRules 115 Action linux.BPFAction 116 117 // Vsyscall indicates that a check is made for a function being called 118 // from kernel mappings. This is where the vsyscall page is located 119 // (and typically) emulated, so this RuleSet will not match any 120 // functions not dispatched from the vsyscall page. 121 Vsyscall bool 122 } 123 124 // SyscallName gives names to system calls. It is used purely for debugging purposes. 125 // 126 // An alternate namer can be provided to the package at initialization time. 127 var SyscallName = func(sysno uintptr) string { 128 return fmt.Sprintf("syscall_%d", sysno) 129 } 130 131 // BuildProgram builds a BPF program from the given map of actions to matching 132 // SyscallRules. The single generated program covers all provided RuleSets. 133 func BuildProgram(rules []RuleSet, defaultAction, badArchAction linux.BPFAction) ([]linux.BPFInstruction, error) { 134 program := bpf.NewProgramBuilder() 135 136 // Be paranoid and check that syscall is done in the expected architecture. 137 // 138 // A = seccomp_data.arch 139 // if (A != AUDIT_ARCH) goto defaultAction. 140 program.AddStmt(bpf.Ld|bpf.Abs|bpf.W, seccompDataOffsetArch) 141 // defaultLabel is at the bottom of the program. The size of program 142 // may exceeds 255 lines, which is the limit of a condition jump. 143 program.AddJump(bpf.Jmp|bpf.Jeq|bpf.K, LINUX_AUDIT_ARCH, skipOneInst, 0) 144 program.AddStmt(bpf.Ret|bpf.K, uint32(badArchAction)) 145 if err := buildIndex(rules, program); err != nil { 146 return nil, err 147 } 148 149 // Exhausted: return defaultAction. 150 if err := program.AddLabel(defaultLabel); err != nil { 151 return nil, err 152 } 153 program.AddStmt(bpf.Ret|bpf.K, uint32(defaultAction)) 154 155 return program.Instructions() 156 } 157 158 // buildIndex builds a BST to quickly search through all syscalls. 159 func buildIndex(rules []RuleSet, program *bpf.ProgramBuilder) error { 160 // Do nothing if rules is empty. 161 if len(rules) == 0 { 162 return nil 163 } 164 165 // Build a list of all application system calls, across all given rule 166 // sets. We have a simple BST, but may dispatch individual matchers 167 // with different actions. The matchers are evaluated linearly. 168 requiredSyscalls := make(map[uintptr]struct{}) 169 for _, rs := range rules { 170 for sysno := range rs.Rules { 171 requiredSyscalls[sysno] = struct{}{} 172 } 173 } 174 syscalls := make([]uintptr, 0, len(requiredSyscalls)) 175 for sysno := range requiredSyscalls { 176 syscalls = append(syscalls, sysno) 177 } 178 sort.Slice(syscalls, func(i, j int) bool { return syscalls[i] < syscalls[j] }) 179 for _, sysno := range syscalls { 180 for _, rs := range rules { 181 // Print only if there is a corresponding set of rules. 182 if _, ok := rs.Rules[sysno]; ok { 183 log.Debugf("syscall filter %v: %s => 0x%x", SyscallName(sysno), rs.Rules[sysno], rs.Action) 184 } 185 } 186 } 187 188 root := createBST(syscalls) 189 root.root = true 190 191 // Load syscall number into A and run through BST. 192 // 193 // A = seccomp_data.nr 194 program.AddStmt(bpf.Ld|bpf.Abs|bpf.W, seccompDataOffsetNR) 195 return root.traverse(buildBSTProgram, rules, program) 196 } 197 198 // createBST converts sorted syscall slice into a balanced BST. 199 // Panics if syscalls is empty. 200 func createBST(syscalls []uintptr) *node { 201 i := len(syscalls) / 2 202 parent := node{value: syscalls[i]} 203 if i > 0 { 204 parent.left = createBST(syscalls[:i]) 205 } 206 if i+1 < len(syscalls) { 207 parent.right = createBST(syscalls[i+1:]) 208 } 209 return &parent 210 } 211 212 func vsyscallViolationLabel(ruleSetIdx int, sysno uintptr) string { 213 return fmt.Sprintf("vsyscallViolation_%v_%v", ruleSetIdx, sysno) 214 } 215 216 func ruleViolationLabel(ruleSetIdx int, sysno uintptr, idx int) string { 217 return fmt.Sprintf("ruleViolation_%v_%v_%v", ruleSetIdx, sysno, idx) 218 } 219 220 func ruleLabel(ruleSetIdx int, sysno uintptr, idx int, name string) string { 221 return fmt.Sprintf("rule_%v_%v_%v_%v", ruleSetIdx, sysno, idx, name) 222 } 223 224 func checkArgsLabel(sysno uintptr) string { 225 return fmt.Sprintf("checkArgs_%v", sysno) 226 } 227 228 // addSyscallArgsCheck adds argument checks for a single system call. It does 229 // not insert a jump to the default action at the end and it is the 230 // responsibility of the caller to insert an appropriate jump after calling 231 // this function. 232 func addSyscallArgsCheck(p *bpf.ProgramBuilder, rules []Rule, action linux.BPFAction, ruleSetIdx int, sysno uintptr) error { 233 for ruleidx, rule := range rules { 234 labelled := false 235 for i, arg := range rule { 236 if arg != nil { 237 // Break out early if using MatchAny since no further 238 // instructions are required. 239 if _, ok := arg.(MatchAny); ok { 240 continue 241 } 242 243 // Determine the data offset for low and high bits of input. 244 dataOffsetLow := seccompDataOffsetArgLow(i) 245 dataOffsetHigh := seccompDataOffsetArgHigh(i) 246 if i == RuleIP { 247 dataOffsetLow = seccompDataOffsetIPLow 248 dataOffsetHigh = seccompDataOffsetIPHigh 249 } 250 251 // Add the conditional operation. Input values to the BPF 252 // program are 64bit values. However, comparisons in BPF can 253 // only be done on 32bit values. This means that we need to do 254 // multiple BPF comparisons in order to do one logical 64bit 255 // comparison. 256 switch a := arg.(type) { 257 case EqualTo: 258 // EqualTo checks that both the higher and lower 32bits are equal. 259 high, low := uint32(a>>32), uint32(a) 260 261 // Assert that the lower 32bits are equal. 262 // arg_low == low ? continue : violation 263 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetLow) 264 p.AddJumpFalseLabel(bpf.Jmp|bpf.Jeq|bpf.K, low, 0, ruleViolationLabel(ruleSetIdx, sysno, ruleidx)) 265 266 // Assert that the lower 32bits are also equal. 267 // arg_high == high ? continue/success : violation 268 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetHigh) 269 p.AddJumpFalseLabel(bpf.Jmp|bpf.Jeq|bpf.K, high, 0, ruleViolationLabel(ruleSetIdx, sysno, ruleidx)) 270 labelled = true 271 case NotEqual: 272 // NotEqual checks that either the higher or lower 32bits 273 // are *not* equal. 274 high, low := uint32(a>>32), uint32(a) 275 labelGood := fmt.Sprintf("ne%v", i) 276 277 // Check if the higher 32bits are (not) equal. 278 // arg_low == low ? continue : success 279 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetLow) 280 p.AddJumpFalseLabel(bpf.Jmp|bpf.Jeq|bpf.K, low, 0, ruleLabel(ruleSetIdx, sysno, ruleidx, labelGood)) 281 282 // Assert that the lower 32bits are not equal (assuming 283 // higher bits are equal). 284 // arg_high == high ? violation : continue/success 285 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetHigh) 286 p.AddJumpTrueLabel(bpf.Jmp|bpf.Jeq|bpf.K, high, ruleViolationLabel(ruleSetIdx, sysno, ruleidx), 0) 287 p.AddLabel(ruleLabel(ruleSetIdx, sysno, ruleidx, labelGood)) 288 labelled = true 289 case GreaterThan: 290 // GreaterThan checks that the higher 32bits is greater 291 // *or* that the higher 32bits are equal and the lower 292 // 32bits are greater. 293 high, low := uint32(a>>32), uint32(a) 294 labelGood := fmt.Sprintf("gt%v", i) 295 296 // Assert the higher 32bits are greater than or equal. 297 // arg_high >= high ? continue : violation (arg_high < high) 298 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetHigh) 299 p.AddJumpFalseLabel(bpf.Jmp|bpf.Jge|bpf.K, high, 0, ruleViolationLabel(ruleSetIdx, sysno, ruleidx)) 300 301 // Assert that the lower 32bits are greater. 302 // arg_high == high ? continue : success (arg_high > high) 303 p.AddJumpFalseLabel(bpf.Jmp|bpf.Jeq|bpf.K, high, 0, ruleLabel(ruleSetIdx, sysno, ruleidx, labelGood)) 304 // arg_low > low ? continue/success : violation (arg_high == high and arg_low <= low) 305 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetLow) 306 p.AddJumpFalseLabel(bpf.Jmp|bpf.Jgt|bpf.K, low, 0, ruleViolationLabel(ruleSetIdx, sysno, ruleidx)) 307 p.AddLabel(ruleLabel(ruleSetIdx, sysno, ruleidx, labelGood)) 308 labelled = true 309 case GreaterThanOrEqual: 310 // GreaterThanOrEqual checks that the higher 32bits is 311 // greater *or* that the higher 32bits are equal and the 312 // lower 32bits are greater than or equal. 313 high, low := uint32(a>>32), uint32(a) 314 labelGood := fmt.Sprintf("ge%v", i) 315 316 // Assert the higher 32bits are greater than or equal. 317 // arg_high >= high ? continue : violation (arg_high < high) 318 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetHigh) 319 p.AddJumpFalseLabel(bpf.Jmp|bpf.Jge|bpf.K, high, 0, ruleViolationLabel(ruleSetIdx, sysno, ruleidx)) 320 // arg_high == high ? continue : success (arg_high > high) 321 p.AddJumpFalseLabel(bpf.Jmp|bpf.Jeq|bpf.K, high, 0, ruleLabel(ruleSetIdx, sysno, ruleidx, labelGood)) 322 323 // Assert that the lower 32bits are greater (assuming the 324 // higher bits are equal). 325 // arg_low >= low ? continue/success : violation (arg_high == high and arg_low < low) 326 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetLow) 327 p.AddJumpFalseLabel(bpf.Jmp|bpf.Jge|bpf.K, low, 0, ruleViolationLabel(ruleSetIdx, sysno, ruleidx)) 328 p.AddLabel(ruleLabel(ruleSetIdx, sysno, ruleidx, labelGood)) 329 labelled = true 330 case LessThan: 331 // LessThan checks that the higher 32bits is less *or* that 332 // the higher 32bits are equal and the lower 32bits are 333 // less. 334 high, low := uint32(a>>32), uint32(a) 335 labelGood := fmt.Sprintf("lt%v", i) 336 337 // Assert the higher 32bits are less than or equal. 338 // arg_high > high ? violation : continue 339 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetHigh) 340 p.AddJumpTrueLabel(bpf.Jmp|bpf.Jgt|bpf.K, high, ruleViolationLabel(ruleSetIdx, sysno, ruleidx), 0) 341 // arg_high == high ? continue : success (arg_high < high) 342 p.AddJumpFalseLabel(bpf.Jmp|bpf.Jeq|bpf.K, high, 0, ruleLabel(ruleSetIdx, sysno, ruleidx, labelGood)) 343 344 // Assert that the lower 32bits are less (assuming the 345 // higher bits are equal). 346 // arg_low >= low ? violation : continue 347 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetLow) 348 p.AddJumpTrueLabel(bpf.Jmp|bpf.Jge|bpf.K, low, ruleViolationLabel(ruleSetIdx, sysno, ruleidx), 0) 349 p.AddLabel(ruleLabel(ruleSetIdx, sysno, ruleidx, labelGood)) 350 labelled = true 351 case LessThanOrEqual: 352 // LessThan checks that the higher 32bits is less *or* that 353 // the higher 32bits are equal and the lower 32bits are 354 // less than or equal. 355 high, low := uint32(a>>32), uint32(a) 356 labelGood := fmt.Sprintf("le%v", i) 357 358 // Assert the higher 32bits are less than or equal. 359 // assert arg_high > high ? violation : continue 360 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetHigh) 361 p.AddJumpTrueLabel(bpf.Jmp|bpf.Jgt|bpf.K, high, ruleViolationLabel(ruleSetIdx, sysno, ruleidx), 0) 362 // arg_high == high ? continue : success 363 p.AddJumpFalseLabel(bpf.Jmp|bpf.Jeq|bpf.K, high, 0, ruleLabel(ruleSetIdx, sysno, ruleidx, labelGood)) 364 365 // Assert the lower bits are less than or equal (assuming 366 // the higher bits are equal). 367 // arg_low > low ? violation : success 368 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetLow) 369 p.AddJumpTrueLabel(bpf.Jmp|bpf.Jgt|bpf.K, low, ruleViolationLabel(ruleSetIdx, sysno, ruleidx), 0) 370 p.AddLabel(ruleLabel(ruleSetIdx, sysno, ruleidx, labelGood)) 371 labelled = true 372 case maskedEqual: 373 // MaskedEqual checks that the bitwise AND of the value and 374 // mask are equal for both the higher and lower 32bits. 375 high, low := uint32(a.value>>32), uint32(a.value) 376 maskHigh, maskLow := uint32(a.mask>>32), uint32(a.mask) 377 378 // Assert that the lower 32bits are equal when masked. 379 // A <- arg_low. 380 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetLow) 381 // A <- arg_low & maskLow 382 p.AddStmt(bpf.Alu|bpf.And|bpf.K, maskLow) 383 // Assert that arg_low & maskLow == low. 384 p.AddJumpFalseLabel(bpf.Jmp|bpf.Jeq|bpf.K, low, 0, ruleViolationLabel(ruleSetIdx, sysno, ruleidx)) 385 386 // Assert that the higher 32bits are equal when masked. 387 // A <- arg_high 388 p.AddStmt(bpf.Ld|bpf.Abs|bpf.W, dataOffsetHigh) 389 // A <- arg_high & maskHigh 390 p.AddStmt(bpf.Alu|bpf.And|bpf.K, maskHigh) 391 // Assert that arg_high & maskHigh == high. 392 p.AddJumpFalseLabel(bpf.Jmp|bpf.Jeq|bpf.K, high, 0, ruleViolationLabel(ruleSetIdx, sysno, ruleidx)) 393 labelled = true 394 default: 395 return fmt.Errorf("unknown syscall rule type: %v", reflect.TypeOf(a)) 396 } 397 } 398 } 399 400 // Matched, emit the given action. 401 p.AddStmt(bpf.Ret|bpf.K, uint32(action)) 402 403 // Label the end of the rule if necessary. This is added for 404 // the jumps above when the argument check fails. 405 if labelled { 406 if err := p.AddLabel(ruleViolationLabel(ruleSetIdx, sysno, ruleidx)); err != nil { 407 return err 408 } 409 } 410 } 411 412 return nil 413 } 414 415 // buildBSTProgram converts a binary tree started in 'root' into BPF code. The outline of the code 416 // is as follows: 417 // 418 // // SYS_PIPE(22), root 419 // 420 // (A == 22) ? goto argument check : continue 421 // (A > 22) ? goto index_35 : goto index_9 422 // 423 // index_9: // SYS_MMAP(9), leaf 424 // 425 // A == 9) ? goto argument check : defaultLabel 426 // 427 // index_35: // SYS_NANOSLEEP(35), single child 428 // 429 // (A == 35) ? goto argument check : continue 430 // (A > 35) ? goto index_50 : goto defaultLabel 431 // 432 // index_50: // SYS_LISTEN(50), leaf 433 // 434 // (A == 50) ? goto argument check : goto defaultLabel 435 func buildBSTProgram(n *node, rules []RuleSet, program *bpf.ProgramBuilder) error { 436 // Root node is never referenced by label, skip it. 437 if !n.root { 438 if err := program.AddLabel(n.label()); err != nil { 439 return err 440 } 441 } 442 443 sysno := n.value 444 program.AddJumpTrueLabel(bpf.Jmp|bpf.Jeq|bpf.K, uint32(sysno), checkArgsLabel(sysno), 0) 445 if n.left == nil && n.right == nil { 446 // Leaf nodes don't require extra check. 447 program.AddDirectJumpLabel(defaultLabel) 448 } else { 449 // Non-leaf node. Check which turn to take otherwise. Using direct jumps 450 // in case that the offset may exceed the limit of a conditional jump (255) 451 program.AddJump(bpf.Jmp|bpf.Jgt|bpf.K, uint32(sysno), 0, skipOneInst) 452 program.AddDirectJumpLabel(n.right.label()) 453 program.AddDirectJumpLabel(n.left.label()) 454 } 455 456 if err := program.AddLabel(checkArgsLabel(sysno)); err != nil { 457 return err 458 } 459 460 emitted := false 461 for ruleSetIdx, rs := range rules { 462 if _, ok := rs.Rules[sysno]; ok { 463 // If there are no rules, then this will always match. 464 // Remember we've done this so that we can emit a 465 // sensible error. We can't catch all overlaps, but we 466 // can catch this one at least. 467 if emitted { 468 return fmt.Errorf("unreachable action for %v: 0x%x (rule set %d)", SyscallName(sysno), rs.Action, ruleSetIdx) 469 } 470 471 // Emit a vsyscall check if this rule requires a 472 // Vsyscall match. This rule ensures that the top bit 473 // is set in the instruction pointer, which is where 474 // the vsyscall page will be mapped. 475 if rs.Vsyscall { 476 program.AddStmt(bpf.Ld|bpf.Abs|bpf.W, seccompDataOffsetIPHigh) 477 program.AddJumpFalseLabel(bpf.Jmp|bpf.Jset|bpf.K, 0x80000000, 0, vsyscallViolationLabel(ruleSetIdx, sysno)) 478 } 479 480 // Emit matchers. 481 if len(rs.Rules[sysno]) == 0 { 482 // This is a blanket action. 483 program.AddStmt(bpf.Ret|bpf.K, uint32(rs.Action)) 484 emitted = true 485 } else { 486 // Add an argument check for these particular 487 // arguments. This will continue execution and 488 // check the next rule set. We need to ensure 489 // that at the very end, we insert a direct 490 // jump label for the unmatched case. 491 if err := addSyscallArgsCheck(program, rs.Rules[sysno], rs.Action, ruleSetIdx, sysno); err != nil { 492 return err 493 } 494 } 495 496 // If there was a Vsyscall check for this rule, then we 497 // need to add an appropriate label for the jump above. 498 if rs.Vsyscall { 499 if err := program.AddLabel(vsyscallViolationLabel(ruleSetIdx, sysno)); err != nil { 500 return err 501 } 502 } 503 } 504 } 505 506 // Not matched? We only need to insert a jump to the default label if 507 // not default action has been emitted for this call. 508 if !emitted { 509 program.AddDirectJumpLabel(defaultLabel) 510 } 511 512 return nil 513 } 514 515 // node represents a tree node. 516 type node struct { 517 value uintptr 518 left *node 519 right *node 520 root bool 521 } 522 523 // label returns the label corresponding to this node. 524 // 525 // If n is nil, then the defaultLabel is returned. 526 func (n *node) label() string { 527 if n == nil { 528 return defaultLabel 529 } 530 return fmt.Sprintf("index_%v", n.value) 531 } 532 533 type traverseFunc func(*node, []RuleSet, *bpf.ProgramBuilder) error 534 535 func (n *node) traverse(fn traverseFunc, rules []RuleSet, p *bpf.ProgramBuilder) error { 536 if n == nil { 537 return nil 538 } 539 if err := fn(n, rules, p); err != nil { 540 return err 541 } 542 if err := n.left.traverse(fn, rules, p); err != nil { 543 return err 544 } 545 return n.right.traverse(fn, rules, p) 546 }