RFE: add support for comparisons against 32-bit arguments

include/seccomp.h.in

@@ -94,6 +94,9 @@ enum scmp_compare {
 	SCMP_CMP_GT = 6,		/**< greater than */
 	SCMP_CMP_MASKED_EQ = 7,		/**< masked equality */
 	_SCMP_CMP_MAX,
+
+	SCMP_CMP_OPMASK = 0xFFFF,
+	SCMP_CMP_32BIT = 1 << 16,	/**< operation is 32-bit */
 };
 
 /**

src/db.h

@@ -38,6 +38,7 @@ struct db_api_arg {
 	scmp_datum_t datum;
 
 	bool valid;
+	bool is_32bit;
 };
 
 struct db_api_rule_list {

src/python/libseccomp.pxd

@@ -72,6 +72,7 @@ cdef extern from "seccomp.h":
         SCMP_CMP_GE
         SCMP_CMP_GT
         SCMP_CMP_MASKED_EQ
+        SCMP_CMP_32BIT
 
     cdef enum:
         SCMP_ACT_KILL_PROCESS

src/python/seccomp.pyx

@@ -133,6 +133,7 @@ EQ = libseccomp.SCMP_CMP_EQ
 GE = libseccomp.SCMP_CMP_GE
 GT = libseccomp.SCMP_CMP_GT
 MASKED_EQ = libseccomp.SCMP_CMP_MASKED_EQ
+CMP_32BIT = libseccomp.SCMP_CMP_32BIT
 
 def system_arch():
     """ Return the system architecture value.

tests/.gitignore

@@ -67,3 +67,4 @@ util.pyc
 57-basic-rawsysrc
 58-live-tsync_notify
 59-basic-empty_binary_tree
+60-sim-32b_args_on_64b

tests/60-sim-32b_args_on_64b.c

@@ -0,0 +1,86 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2022 Canonical Ltd.
+ * Author: James Henstridge <[email protected]>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+#include <inttypes.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+	int rc;
+	struct util_options opts;
+	scmp_filter_ctx ctx = NULL;
+
+	rc = util_getopt(argc, argv, &opts);
+	if (rc < 0)
+		goto out;
+
+	ctx = seccomp_init(SCMP_ACT_KILL);
+	if (ctx == NULL)
+		return ENOMEM;
+
+	rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 1,
+				    SCMP_A0(SCMP_CMP_NE | SCMP_CMP_32BIT, 0x10));
+	if (rc != 0)
+		goto out;
+
+	rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 1,
+				    SCMP_A0(SCMP_CMP_LT | SCMP_CMP_32BIT, 0x10));
+	if (rc != 0)
+		goto out;
+
+	rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1003, 1,
+				    SCMP_A0(SCMP_CMP_LE | SCMP_CMP_32BIT, 0x10));
+	if (rc != 0)
+		goto out;
+
+	rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 1,
+				    SCMP_A0(SCMP_CMP_EQ | SCMP_CMP_32BIT, 0x10));
+	if (rc != 0)
+		goto out;
+
+	rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 1,
+				    SCMP_A0(SCMP_CMP_GE | SCMP_CMP_32BIT, 0x10));
+	if (rc != 0)
+		goto out;
+
+	rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 1,
+				    SCMP_A0(SCMP_CMP_GT | SCMP_CMP_32BIT, 0x10));
+	if (rc != 0)
+		goto out;
+
+	rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1007, 1,
+				    SCMP_A0(SCMP_CMP_MASKED_EQ | SCMP_CMP_32BIT, 0xff, 0x10));
+	if (rc != 0)
+		goto out;
+
+	rc = util_filter_output(&opts, ctx);
+	if (rc)
+		goto out;
+
+out:
+	seccomp_release(ctx);
+	return (rc < 0 ? -rc : rc);
+}

tests/60-sim-32b_args_on_64b.py

@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2022 Canonical Ltd.
+# Author: James Henstridge <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+    f = SyscallFilter(KILL)
+    f.add_rule_exactly(ALLOW, 1001, Arg(0, NE | CMP_32BIT, 0x10))
+    f.add_rule_exactly(ALLOW, 1002, Arg(0, LT | CMP_32BIT, 0x10))
+    f.add_rule_exactly(ALLOW, 1003, Arg(0, LE | CMP_32BIT, 0x10))
+    f.add_rule_exactly(ALLOW, 1004, Arg(0, EQ | CMP_32BIT, 0x10))
+    f.add_rule_exactly(ALLOW, 1005, Arg(0, GE | CMP_32BIT, 0x10))
+    f.add_rule_exactly(ALLOW, 1006, Arg(0, GT | CMP_32BIT, 0x10))
+    f.add_rule_exactly(ALLOW, 1007, Arg(0, MASKED_EQ | CMP_32BIT, 0xff, 0x10))
+    return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;

tests/60-sim-32b_args_on_64b.tests

@@ -0,0 +1,54 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2022 Canonical Ltd.
+# Author: James Henstridge <[email protected]>
+#
+
+test type: bpf-sim
+
+# Testname		Arch	Syscall	Arg0			Arg1	Arg2	Arg3	Arg4	Arg5	Result
+60-sim-32b_args_on_64b		all	1001	0x1			N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1001	0x10			N	N	N	N	N	KILL
+60-sim-32b_args_on_64b		all	1001	0xffffffff00000001	N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1001	0xffffffff00000010	N	N	N	N	N	KILL
+
+60-sim-32b_args_on_64b		all	1002	0x1			N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1002	0x20			N	N	N	N	N	KILL
+60-sim-32b_args_on_64b		all	1002	0xffffffff00000001	N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1002	0xffffffff00000020	N	N	N	N	N	KILL
+
+60-sim-32b_args_on_64b		all	1003	0x10			N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1003	0x20			N	N	N	N	N	KILL
+60-sim-32b_args_on_64b		all	1003	0xffffffff00000010	N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1003	0xffffffff00000020	N	N	N	N	N	KILL
+
+60-sim-32b_args_on_64b		all	1004	0x10			N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1004	0x20			N	N	N	N	N	KILL
+60-sim-32b_args_on_64b		all	1004	0xffffffff00000010	N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1004	0xffffffff00000020	N	N	N	N	N	KILL
+
+60-sim-32b_args_on_64b		all	1005	0x10			N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1005	0x01			N	N	N	N	N	KILL
+60-sim-32b_args_on_64b		all	1005	0xffffffff00000010	N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1005	0xffffffff00000001	N	N	N	N	N	KILL
+
+60-sim-32b_args_on_64b		all	1006	0x20			N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1006	0x01			N	N	N	N	N	KILL
+60-sim-32b_args_on_64b		all	1006	0xffffffff00000020	N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1006	0xffffffff00000001	N	N	N	N	N	KILL
+
+60-sim-32b_args_on_64b		all	1007	0xff10			N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1007	0x01			N	N	N	N	N	KILL
+60-sim-32b_args_on_64b		all	1007	0xffffffff0000ff10	N	N	N	N	N	ALLOW
+60-sim-32b_args_on_64b		all	1007	0xffffffff00000001	N	N	N	N	N	KILL
+
+test type: bpf-sim-fuzz
+
+# Testname		StressCount
+60-sim-32b_args_on_64b		5
+
+test type: bpf-valgrind
+
+# Testname
+60-sim-32b_args_on_64b

tests/Makefile.am

@@ -94,7 +94,8 @@ check_PROGRAMS = \
 	56-basic-iterate_syscalls \
 	57-basic-rawsysrc \
 	58-live-tsync_notify \
-	59-basic-empty_binary_tree
+	59-basic-empty_binary_tree \
+	60-sim-32b_args_on_64b
 
 EXTRA_DIST_TESTPYTHON = \
 	util.py \
@@ -154,7 +155,8 @@ EXTRA_DIST_TESTPYTHON = \
 	56-basic-iterate_syscalls.py \
 	57-basic-rawsysrc.py \
 	58-live-tsync_notify.py \
-	59-basic-empty_binary_tree.py
+	59-basic-empty_binary_tree.py \
+	60-sim-32b_args_on_64b.tests.py
 
 EXTRA_DIST_TESTCFGS = \
 	01-sim-allow.tests \
@@ -215,7 +217,8 @@ EXTRA_DIST_TESTCFGS = \
 	56-basic-iterate_syscalls.tests \
 	57-basic-rawsysrc.tests \
 	58-live-tsync_notify.tests \
-	59-basic-empty_binary_tree.tests
+	59-basic-empty_binary_tree.tests \
+	60-sim-32b_args_on_64b.tests
 
 EXTRA_DIST_TESTSCRIPTS = \
 	38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \