sandbox/seccomp: implement syscall lookup
All checks were successful
Test / Create distribution (push) Successful in 32s
Test / Sandbox (push) Successful in 1m51s
Test / Hakurei (push) Successful in 2m52s
Test / Sandbox (race detector) (push) Successful in 3m20s
Test / Planterette (push) Successful in 3m40s
Test / Hakurei (race detector) (push) Successful in 4m18s
Test / Flake checks (push) Successful in 1m10s
This uses the Go map and is verified against libseccomp. Signed-off-by: Ophestra <cat@gensokyo.uk>
parent
241dc964a6
commit
e03d702d08
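--- a/flake.nix
+++ b/flake.nix
@@ -187,12 +187,14 @@
 generateSyscallTable = pkgs.mkShell {
 # this should be made cross-platform via nix
-shellHook = ''
-exec ${pkgs.perl}/bin/perl \
+shellHook = "exec ${pkgs.writeShellScript "generate-syscall-table" ''
+set -e
+${pkgs.perl}/bin/perl \
 sandbox/seccomp/mksysnum_linux.pl \
-${pkgs.linuxHeaders}/include/asm/unistd_64.h > \
+${pkgs.linuxHeaders}/include/asm/unistd_64.h | \
+${pkgs.go}/bin/gofmt > \
 sandbox/seccomp/syscall_linux_amd64.go
-'';
+''}";
 };
 }
 );
 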
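Review bot: The generated script sets only `set -e`, so in the `perl … | gofmt > …` pipeline a failure of mksysnum_linux.pl is masked by gofmt's exit status, and the `>` redirection truncates sandbox/seccomp/syscall_linux_amd64.go before either command has produced any output. That file is the syscall name table the seccomp package resolves against, so a partial or empty table should fail loudly rather than be left in the tree. I would use `set -eo pipefail` (writeShellScript presumably runs under bash) and write to a temporary file that is moved into place only when the pipeline succeeds.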
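--- /dev/null
+++ b/sandbox/seccomp/syscall.go
@@ -0,0 +1,28 @@
+package seccomp
+
+import "iter"
+
+// Syscalls returns an iterator over all wired syscalls.
+func Syscalls() iter.Seq2[string, int] {
+return func(yield func(string, int) bool) {
+for name, num := range syscallNum {
+if !yield(name, num) {
+return
+}
+}
+for name, num := range syscallNumExtra {
+if !yield(name, num) {
+return
+}
+}
+}
+}
+
+// SyscallResolveName resolves a syscall number from its string representation.
+func SyscallResolveName(name string) (num int, ok bool) {
+if num, ok = syscallNum[name]; ok {
+return
+}
+num, ok = syscallNumExtra[name]
+return
+}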
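Review bot: SyscallResolveName returns `num == 0` together with `ok == false` for an unknown name, and 0 is itself a valid syscall number (read on amd64), so the doc comment should tell callers that num is meaningless unless ok is true; a filter builder that ignores ok would silently target the wrong syscall. Suggested wording: `// ok reports whether name is known; num is only meaningful when ok is true.` The comment on Syscalls could also say that iteration order is unspecified, since it ranges over two maps, and that lookup consults syscallNum before syscallNumExtra. Whether a name can appear in both maps is not visible here.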
@ -5,12 +5,16 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
func TestSyscallResolveName(t *testing.T) {
|
func TestSyscallResolveName(t *testing.T) {
|
||||||
for name, want := range syscallNum {
|
for name, want := range Syscalls() {
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
if got := syscallResolveName(name); got != want {
|
if got := syscallResolveName(name); got != want {
|
||||||
t.Errorf("syscallResolveName(%q) = %d, want %d",
|
t.Errorf("syscallResolveName(%q) = %d, want %d",
|
||||||
name, got, want)
|
name, got, want)
|
||||||
}
|
}
|
||||||
|
if got, ok := SyscallResolveName(name); !ok || got != want {
|
||||||
|
t.Errorf("SyscallResolveName(%q) = %d, want %d",
|
||||||
|
name, got, want)
|
||||||
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
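Review bot: The added `SyscallResolveName` check only covers names that Syscalls() yields, so nothing pins the fail-closed path where an unknown name must return ok == false. A case such as `if _, ok := SyscallResolveName("constructed-unknown-name"); ok { t.Error("unknown name resolved") }` after the loop would cover it. The failure message also drops ok, so a lookup miss prints as `= 0`; adding it to the format (`= %d, %v, want %d, true`) makes that case readable. The file header for this hunk is not shown on the page.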