#include "config.h"
#include "SeccompFilters.h"
#if ENABLE(SECCOMP_FILTERS)
#include "SeccompBroker.h"
#include <seccomp.h>
#include <wtf/Assertions.h>
namespace WebKit {
// The public header re-declares libseccomp's action and comparison values as
// WebKit enums so callers need not include <seccomp.h>. The static_casts in
// addRule() and the implicit conversion passed to seccomp_init() are only
// sound if those enums really are the libseccomp values, so pin them here.

// Comparison operators: NotSet maps to libseccomp's sentinel below the first
// real operator, which is what addRule() uses to mean "no comparison".
COMPILE_ASSERT(SeccompFilters::NotSet == static_cast<SeccompFilters::Operator>(_SCMP_CMP_MIN), NotSet);
COMPILE_ASSERT(SeccompFilters::Equal == static_cast<SeccompFilters::Operator>(SCMP_CMP_EQ), Equal);
COMPILE_ASSERT(SeccompFilters::NotEqual == static_cast<SeccompFilters::Operator>(SCMP_CMP_NE), NotEqual);

// Filter actions.
COMPILE_ASSERT(SeccompFilters::Allow == SCMP_ACT_ALLOW, Allow);
COMPILE_ASSERT(SeccompFilters::Trap == SCMP_ACT_TRAP, Trap);
COMPILE_ASSERT(SeccompFilters::Kill == SCMP_ACT_KILL, Kill);

// addRule() takes comparison operands as long long; they must be exactly as
// wide as the datum type libseccomp compares against, or values would be
// silently truncated or extended when building a rule.
COMPILE_ASSERT(sizeof(scmp_datum_t) == sizeof(long long), scmp_datum_t);
// Creates an empty filter whose fallback action (applied to every syscall that
// no later addRule() matches) is defaultAction. Nothing is installed in the
// kernel until initialize() is called.
SeccompFilters::SeccompFilters(Action defaultAction)
    : m_context(seccomp_init(defaultAction))
    , m_initialized(false)
{
    // seccomp_init() yields a null context when it cannot build one. A
    // sandbox that failed to construct must not be quietly skipped, so this
    // is fatal rather than leaving the process to run unfiltered.
    if (m_context)
        return;
    CRASH();
}
// Frees the libseccomp filter context. m_context is never null past the
// constructor (construction crashes otherwise), so no check is needed here.
// Releasing the context only frees userspace state; a filter already loaded
// by initialize() stays in effect for the process.
SeccompFilters::~SeccompFilters()
{
    seccomp_release(m_context);
}
// Adds a rule that applies `action` to `syscallName`, optionally restricted
// to calls whose argument `argNum1` (and `argNum2`) satisfy the given
// comparison against `data1` (`data2`). An operator of NotSet means that
// comparison is absent; a second comparison without a first is not handled
// specially and is left to libseccomp to reject.
//
// Failures are fatal: a syscall name that does not resolve, or a rule
// libseccomp refuses, would otherwise leave a gap in the policy that is
// easy to miss, so the process crashes instead.
void SeccompFilters::addRule(const char* syscallName, Action action,
    unsigned argNum1, Operator operator1, long long data1,
    unsigned argNum2, Operator operator2, long long data2)
{
    // Named lookup so policies are written in terms of syscall names rather
    // than per-architecture numbers.
    int syscallNumber = seccomp_syscall_resolve_name(syscallName);
    if (syscallNumber == __NR_SCMP_ERROR)
        CRASH();

    // Number of argument comparisons to attach to the rule.
    unsigned comparisonCount = 0;
    if (operator2 != NotSet)
        comparisonCount = 2;
    else if (operator1 != NotSet)
        comparisonCount = 1;

    int status;
    switch (comparisonCount) {
    case 2:
        status = seccomp_rule_add(m_context, action, syscallNumber, 2,
            SCMP_CMP(argNum1, static_cast<scmp_compare>(operator1), data1, 0),
            SCMP_CMP(argNum2, static_cast<scmp_compare>(operator2), data2, 0));
        break;
    case 1:
        status = seccomp_rule_add(m_context, action, syscallNumber, 1,
            SCMP_CMP(argNum1, static_cast<scmp_compare>(operator1), data1, 0));
        break;
    default:
        status = seccomp_rule_add(m_context, action, syscallNumber, 0);
        break;
    }

    if (status < 0)
        CRASH();
}
// Installs the filter into the kernel. Idempotent: a second call is a no-op.
// platformInitialize() (defined elsewhere) runs first so platform rules are
// part of the loaded filter; a load failure is fatal so the process never
// continues believing it is sandboxed when it is not.
//
// NOTE(review): seccomp filters attach to the thread that loads them; the
// kernel only extends them to other threads when thread-sync is requested on
// the context. Nothing here does that, so this presumably must run before any
// other thread exists — confirm against the callers. m_initialized is also
// a plain bool with no synchronization, consistent with that assumption.
void SeccompFilters::initialize()
{
    if (m_initialized)
        return;

    platformInitialize();

    if (seccomp_load(m_context) < 0)
        CRASH();

    m_initialized = true;
}
}
#endif // ENABLE(SECCOMP_FILTERS)