Hi!
I'm not sure whether the current behavior of SCMP_CMP_GT/GE/LT/LE is working as intended or whether there is a bug in its implementation. The man page for seccomp_rule_add says this about SCMP_CMP_GT:
SCMP_CMP_GT:
Matches when the argument value is greater than the datum value,
example:
SCMP_CMP( arg , SCMP_CMP_GT , datum )
The man page does not specify the type of datum, and there are examples of various (implied) types (and casts to scmp_datum_t).
Based on the man page, I expected something like the following to work for any value given for the 3rd argument to setpriority (this assumes a default policy of SCMP_ACT_ALLOW):
rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM),
                      SCMP_SYS(setpriority),
                      3,
                      SCMP_A0(SCMP_CMP_EQ, PRIO_PROCESS),
                      SCMP_A1(SCMP_CMP_EQ, 0),
                      SCMP_A2(SCMP_CMP_GT, 0));
Instead, setpriority(PRIO_PROCESS, 0, -1) results in the syscall being blocked, when '-1' is clearly less than '0'. setpriority(PRIO_PROCESS, 0, 0) and setpriority(PRIO_PROCESS, 0, 1) work as expected. What seems to be happening is that '-1' is converted to scmp_datum_t (uint64_t in seccomp.h.in), so of course it becomes positive, but SCMP_CMP_GT and friends do not handle this conversion. SCMP_CMP_EQ works fine with a negative datum (I surmise the datum is still positive (I didn't verify), but the comparison is done between the converted scmp_datum_t values).
This behavior occurs with 2.1.0+dfsg-1 (Ubuntu 14.04 LTS, 3.13 kernel), 2.2.3-3ubuntu3 (Ubuntu 16.04 LTS, 4.9 kernel), 2.3.1-2ubuntu2 (Ubuntu 17.04 development release, 4.9 kernel) and master from a few moments ago (Ubuntu 17.04 development release, 4.9 kernel), all on amd64.
AFAICT, there are no tests for SCMP_CMP_GT and SCMP_CMP_LE. The few tests for SCMP_CMP_LT don't seem to take negative values into account, and neither do the tests for SCMP_CMP_GE (please correct me if I'm wrong).
The question is: is this behavior intentional? If so, I will admit that one could argue that, once you understand that scmp_datum_t is the data type, this all works perfectly correctly and the man page is therefore accurate, but the situation is not clear to me and the man page should say that applications need to account for this. Otherwise, this looks like a bug in the implementation of SCMP_CMP_GT/GE/LT/LE.
Here is a small program that demonstrates the problem with SCMP_CMP_GT; GE, LT and LE can all be confirmed to behave the same way.
/*
 * gcc -o test-nice test-nice.c -lseccomp
 * sudo ./test-nice 0 1 # should be denied
 * sudo ./test-nice 0 0 # should be allowed
 * sudo ./test-nice 0 -1 # should be allowed?
 */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <ctype.h>
#include <string.h>
#include <fcntl.h>
#include <stdarg.h>
#include <seccomp.h>
#include <sys/resource.h>

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "test-nice N N\n");
        return 1;
    }
    int rc = 0;
    scmp_filter_ctx ctx = NULL;
    int filter_n = atoi(argv[1]);
    int n = atoi(argv[2]);

    // Allow everything by default for this test
    ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (ctx == NULL)
        return ENOMEM;

    printf("set EPERM for nice(>%d)\n", filter_n);
    rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM),
                          SCMP_SYS(setpriority),
                          3,
                          SCMP_A0(SCMP_CMP_EQ, PRIO_PROCESS),
                          SCMP_A1(SCMP_CMP_EQ, 0),
                          SCMP_A2(SCMP_CMP_GT, filter_n));
    if (rc != 0) {
        perror("seccomp_rule_add failed");
        goto out;
    }

    rc = seccomp_load(ctx);
    if (rc != 0) {
        perror("seccomp_load failed");
        goto out;
    }

    // try to use the filtered syscall
    errno = 0;
    printf("Attempting nice(%d)\n", n);
    nice(n);
    if (errno != 0) {
        perror("could not nice");
        if (filter_n > n)
            fprintf(stderr, "nice(%d) unsuccessful. bug?\n", n);
        rc = 1;
        goto out;
    } else
        printf("nice(%d) successful\n", n);

out:
    seccomp_release(ctx);
    return rc;
}
Thanks for the problem report. This is a good one.
Off the top of my head, going by the headers/macros in the kernel's samples/seccomp directory, I was under the impression that the kernel's BPF code treated immediate values as signed. Perhaps it doesn't, or perhaps I messed something up in the libseccomp code.
FWIW, BPF itself uses u32 for arguments. Does libseccomp do sign extension for compat arguments? (It probably shouldn't, but a rule matching "-1" would need to be different between 32-bit and 64-bit...)
The problem I'm worried about right now is the BPF GT/GE comparisons in the jump operators, especially since it seems most people implicitly treat BPF immediates as signed values for these comparisons.
@kees what is the recommended approach for doing signed comparisons of syscall arguments with the kernel's seccomp-bpf machine? I'm hoping it isn't something along the lines of "check the high bit first, then do the necessary two's complement conversion before comparing negative numbers". It's annoying, but we can always change libseccomp to generate the necessary BPF (although the generated filters may get much larger); I'm worried about the applications that write their own BPF filters. The odds of them handling this correctly are probably not very good.
Unfortunately, since syscall arguments are "unsigned long" (see syscall_get_arguments() and struct seccomp_data), there is no general case for how syscalls handle sign conversion. Some syscalls do sign extension when crossing the compat barrier, but others (prctl) do not. Are there perhaps syscall arguments that are negative but not minus 1?
Getting back to this today, and having played with it a bit this morning, I think this is going to be a documentation/"be careful!" item. There is no good solution, especially when we are talking about existing users, so this is a problem. Following @kees's helpful comment from the kernel side,
FWIW, BPF itself uses u32 for arguments. Does libseccomp do sign extension for compat arguments? (It probably shouldn't, but a rule matching "-1" would need to be different between 32-bit and 64-bit...)
The libseccomp API rule functions interpret all immediate values as _uint64_t_, so you can run into problems if you are careless with types/casts. Example:
$ cat 00-test.c
/* ... */
seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
SCMP_A0(SCMP_CMP_GT, -1));
seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1001, 1,
SCMP_A0(SCMP_CMP_GT, (uint32_t)-1));
seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1002, 1,
SCMP_A0(SCMP_CMP_GT, 0xffffffff));
/* ... */
$ make 00-test
CC 00-test.o
CCLD 00-test
$ ./00-test -p
#
# pseudo filter code start
#
# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
  # filter for syscall "UNKNOWN" (1002) [priority: 65533]
  if ($syscall == 1002)
    if ($a0.hi32 >= 0)
      if ($a0.lo32 > 4294967295)
        action KILL;
  # filter for syscall "UNKNOWN" (1001) [priority: 65533]
  if ($syscall == 1001)
    if ($a0.hi32 >= 0)
      if ($a0.lo32 > 4294967295)
        action KILL;
  # filter for syscall "UNKNOWN" (1000) [priority: 65533]
  if ($syscall == 1000)
    if ($a0.hi32 >= 4294967295)
      if ($a0.lo32 > 4294967295)
        action KILL;
  # default action
  action ALLOW;
# invalid architecture action
action KILL;
#
# pseudo filter code end
#
$ ./00-test -b | ../tools/scmp_bpf_disasm
line OP JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 ld $data[4]
0001: 0x15 0x00 0x0c 0xc000003e jeq 3221225534 true:0002 false:0014
0002: 0x20 0x00 0x00 0x00000000 ld $data[0]
0003: 0x35 0x0a 0x00 0x40000000 jge 1073741824 true:0014 false:0004
0004: 0x15 0x00 0x02 0x000003e8 jeq 1000 true:0005 false:0007
0005: 0x20 0x00 0x00 0x00000014 ld $data[20]
0006: 0x35 0x04 0x06 0xffffffff jge 4294967295 true:0011 false:0013
0007: 0x15 0x01 0x00 0x000003e9 jeq 1001 true:0009 false:0008
0008: 0x15 0x00 0x04 0x000003ea jeq 1002 true:0009 false:0013
0009: 0x20 0x00 0x00 0x00000014 ld $data[20]
0010: 0x35 0x00 0x02 0x00000000 jge 0 true:0011 false:0013
0011: 0x20 0x00 0x00 0x00000010 ld $data[16]
0012: 0x25 0x01 0x00 0xffffffff jgt 4294967295 true:0014 false:0013
0013: 0x06 0x00 0x00 0x7fff0000 ret ALLOW
0014: 0x06 0x00 0x00 0x00000000 ret KILL
... as you can see, if you use the proper casts the value is not sign extended. However, I suspect that is not what most people are doing. The good news is that I imagine the number of syscalls that take negative arguments is relatively small, so the impact should be somewhat limited.
Going forward, we need to put something in the documentation about this and see whether there is anything we can do to make developers' lives easier; perhaps implement 32-bit variants of the _SCMP_A*_ macros.
@pcmoore - thanks for the detailed response, and apologies for not getting back sooner. Perhaps, based on https://github.com/torvalds/linux/tree/master/samples/seccomp
@jdstrand For the time being, we are preparing
In the meantime, if you run into problems with properly cast values, please update this issue.
The good news is that I imagine the number of syscalls that take negative arguments is relatively small, so the impact should be somewhat limited.
I ran into this issue when checking (among other things) whether the fd parameter of openat() is equal to the special value AT_FDCWD, which is -100. This results in the following:
# filter for syscall "openat" (257) [priority: 131067]
if ($syscall == 257)
  if ($a0.hi32 == 4294967295)
    if ($a0.lo32 == 4294967196)
      if ($a2.hi32 & 0x00000000 == 0)
        if ($a2.lo32 & 0x00000003 == 0)
          action ERRNO(2);
where it should be:
# filter for syscall "openat" (257) [priority: 131067]
if ($syscall == 257)
  if ($a0.hi32 == 0)
    if ($a0.lo32 == 4294967196)
      if ($a2.hi32 & 0x00000000 == 0)
        if ($a2.lo32 & 0x00000003 == 0)
          action ERRNO(2);
Since glibc 2.26+ appears to implement open() exclusively using the openat syscall with AT_FDCWD, this could trip up a lot of people. Applying a cast to uint32_t as described above fixed the problem.
// selector, action, syscall, no of args, args
{ SEL, SCMP_ACT_ERRNO(ENOENT), "openat", 2,
- { SCMP_A0(SCMP_CMP_EQ, AT_FDCWD), /* glibc 2.26+ */
+ { SCMP_A0(SCMP_CMP_EQ, (uint32_t)AT_FDCWD), /* glibc 2.26+ */
SCMP_A2(SCMP_CMP_MASKED_EQ, O_ACCMODE, O_RDONLY) }},
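Review bot: the `(uint32_t)` cast on the added `SCMP_A0` line carries the whole fix, but the only comment there is still "glibc 2.26+", so a later cleanup could drop the cast as redundant. Extend the comment to say that AT_FDCWD is negative and that without the cast the datum is compared with its upper 32 bits set, which is the `$a0.hi32 == 4294967295` test shown above that never matched.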
An explicit SCMP_A0_U32 would be handy.
@drakenclimber @jdstrand @michaelweiser what do you guys think of https://github.com/pcmoore/misc-libseccomp/commit/b9ce39d776ed5a984c7e9e6db3b87463edce82a7 as a fix for this?
@pcmoore: Thanks for continuing to look into this! I gave it a whirl and it looks really nice in code:
static struct {
    const uint64_t promises;
    const uint32_t action;
    const char *syscall;
    const int arg_cnt;
    const struct scmp_arg_cmp args[3];
} scsb_calls[] = {
[...]
    { PLEDGE_WPATH, SCMP_ACT_ALLOW, "openat", 2, /* glibc 2.26+ */
      { SCMP_A0_32(SCMP_CMP_EQ, AT_FDCWD),
        SCMP_A2_64(SCMP_CMP_MASKED_EQ, O_ACCMODE, O_WRONLY) }},
Unfortunately, the helper function does not seem to be suitable as a struct initializer:
In file included from pledge.c:42:
/include/seccomp.h:230:26: error: initializer element is not constant
#define SCMP_CMP32(...) (__scmp_arg_32(SCMP_CMP64(__VA_ARGS__)))
^
/include/seccomp.h:241:26: note: in expansion of macro ‘SCMP_CMP32’
#define SCMP_A0_32(...) SCMP_CMP32(0, __VA_ARGS__)
^~~~~~~~~~
pledge.c:188:5: note: in expansion of macro ‘SCMP_A0_32’
{ SCMP_A0_32(SCMP_CMP_EQ, AT_FDCWD),
^~~~~~~~~~
/include/seccomp.h:230:26: note: (near initialization for ‘scsb_calls[21].args[0]’)
#define SCMP_CMP32(...) (__scmp_arg_32(SCMP_CMP64(__VA_ARGS__)))
^
/include/seccomp.h:241:26: note: in expansion of macro ‘SCMP_CMP32’
#define SCMP_A0_32(...) SCMP_CMP32(0, __VA_ARGS__)
^~~~~~~~~~
pledge.c:188:5: note: in expansion of macro ‘SCMP_A0_32’
{ SCMP_A0_32(SCMP_CMP_EQ, AT_FDCWD),
^~~~~~~~~~
Thanks for the review @michaelweiser. Unfortunately, I hadn't thought about these macros being used as initializers, but that is a valid use and there are certainly a few people using them that way.
I need to think about this a bit ... do you have any ideas on how to solve this in an elegant way?
Probably not, sorry. I had already looked it over. :)
Looking at it now, I think I see the problem: because of the variadic argument list, the necessary casts cannot be inserted.
scmp_arg_cmp could contain a union that provides different views on the data with the correct width and alignment (and even byte order) (which IMO conflicts with "elegant"). If it is purely internal to libseccomp and does not need to be compatible with the kernel interface, could it carry a data type indicator as a separate field and let the user functions sort it out? And could that even be initialized using variadic arguments?
Otherwise, instead of marking the operation as a whole as 32/64 bit, we could annotate the operands, wrapping the casts, and give users a strong recommendation to always use those annotations, if only to avoid running into hard-to-debug problems:
{ SCMP_A0(SCMP_CMP_EQ, SCMP_OP_32(AT_FDCWD)),
SCMP_A2(SCMP_CMP_MASKED_EQ, SCMP_OP_64(O_ACCMODE), SCMP_OP_64(O_WRONLY)) }},
or
{ SCMP_A0(SCMP_CMP_EQ, SCMP_OP1_32(AT_FDCWD)),
SCMP_A2(SCMP_CMP_MASKED_EQ, SCMP_OP2_64(O_ACCMODE, O_WRONLY)) }},
Sorry, I'm not enough of a preprocessor crack to come up with anything more.
@pcmoore, the change looks good to me. I'm not a preprocessor expert, but I'll have a look at the problem @michaelweiser mentioned.
Looking at it now, I think I see the problem: because of the variadic argument list, the necessary casts cannot be inserted.
Yeah, that is pretty much it. There may be some horrible way to do it, but I haven't found it yet.
scmp_arg_cmp could contain a union that provides different views on the data with the correct width and alignment (and even byte order) (which IMO conflicts with "elegant"). If it is purely internal to libseccomp and does not need to be compatible with the kernel interface, could it carry a data type indicator as a separate field and let the user functions sort it out? And could that even be initialized using variadic arguments?
The problem is that the scmp_arg_cmp struct is part of the libseccomp API, so we can't really change the size of the struct or the offsets of its member fields unless we bump the libseccomp major version. Doing so would break the existing binary interface with existing applications. Converting the 64-bit datum fields into a union containing a 64-bit or a 32-bit value is not a problem in itself, but we would need to add additional information to the scmp_arg_cmp struct to indicate which union member is in use; it is that extra flag that could be the problem.
It might be possible to steal some of the upper bits from either the "arg" or "op" fields; both are 32-bit values but we only use a small portion of that space. However, I consider that a fairly extreme option and would like to avoid it if possible.
Otherwise, instead of marking the operation as a whole as 32/64 bit, we could annotate the operands, wrapping the casts, and give users a strong recommendation to always use those annotations, if only to avoid running into hard-to-debug problems:
I'm not sure what we gain by wrapping the operands in macros; could you explain in a bit more detail? We could provide macros that wrap the datum values, but that is really no different from asking the caller to provide the proper casts.
@pcmoore, the change looks good to me. I'm not a preprocessor expert, but I'll have a look at the problem @michaelweiser mentioned.
Well, thanks anyway. Hopefully, between the three of us, we can come up with something that works here.
@pcmoore: Looking at http://efesx.com/2010/07/17/variadic-macro-to-count-number-of-arguments/ and http://efesx.com/2010/08/31/overloading-
#define VA_NUM_ARGS(...) VA_NUM_ARGS_IMPL(__VA_ARGS__, 5,4,3,2,1)
#define VA_NUM_ARGS_IMPL(_1,_2,_3,_4,_5,N,...) N
#define macro_dispatcher(func, ...) \
macro_dispatcher_(func, VA_NUM_ARGS(__VA_ARGS__))
#define macro_dispatcher_(func, nargs) \
macro_dispatcher__(func, nargs)
#define macro_dispatcher__(func, nargs) \
func ## nargs
#define SCMP_CMP64(...) ((struct scmp_arg_cmp){__VA_ARGS__})
#define SCMP_CMP32_1(x) SCMP_CMP64(x)
#define SCMP_CMP32_2(x, y) SCMP_CMP64(x, y)
#define SCMP_CMP32_3(x, y, z) SCMP_CMP64(x, y, (uint32_t)(z))
#define SCMP_CMP32_4(x, y, z, q) SCMP_CMP64(x, y, (uint32_t)(z), (uint32_t)(q))
#define SCMP_CMP32(...) macro_dispatcher(SCMP_CMP32_, __VA_ARGS__)(__VA_ARGS__)
#define SCMP_A0_64(...) SCMP_CMP64(0, __VA_ARGS__)
#define SCMP_A0_32(...) SCMP_CMP32(0, __VA_ARGS__)
For this test case:
struct scmp_arg_cmp f[] = {
SCMP_A0_64(SCMP_CMP_EQ, 1, 20),
SCMP_A0_32(SCMP_CMP_EQ, 2, 3),
SCMP_A0_32(SCMP_CMP_LT, 2),
};
gcc-7.4.0 -E and clang-7 -E give this:
struct scmp_arg_cmp f[] = {
((struct scmp_arg_cmp){0, SCMP_CMP_EQ, 1, 20}),
((struct scmp_arg_cmp){0, SCMP_CMP_EQ, (uint32_t)(2), (uint32_t)(3)}),
((struct scmp_arg_cmp){0, SCMP_CMP_LT, (uint32_t)(2)}),
};
Under the assumption that SCMP_A[0-5]_43 needs at least op, and SCMP_CMP32 needs arg, in order to work, two lines can be saved by making these parameters positional:
#define SCMP_CMP32_1(x, y, z) SCMP_CMP64(x, y, (uint32_t)(z))
#define SCMP_CMP32_2(x, y, z, q) SCMP_CMP64(x, y, (uint32_t)(z), (uint32_t)(q))
#define SCMP_CMP32(x, y,...) macro_dispatcher(SCMP_CMP32_, __VA_ARGS__)(x, y, __VA_ARGS__)
#define SCMP_A0_32(x,...) SCMP_CMP32(0, x, __VA_ARGS__)
Awesome @michaelweiser! Would you like to put together a PR so that the changes can be reviewed/commented on a bit more easily? If not, that is totally fine; I'll throw one together and make sure you get proper credit :)
I'll make a PR tonight. On top of https://github.com/pcmoore/misc-libseccomp/commit/b9ce39d776ed5a984c7e9e6db3b87463edce82a7, or from scratch?
How do you want to credit blogger Roman's overloading solution? I found what appears to be the current home of his blog at https://kecher.net/overloading-macros/. A comment with a link to the post above the macro_dispatcher logic?
I'll make a PR tonight. On top of pcmoore@b9ce39d, or from scratch?
Great, thank you! Go ahead and base it on the master branch; I never merge the contents of my misc-libseccomp tree, and since the approach is much better, there are no plans to merge it at this point.
How do you want to credit blogger Roman's overloading solution? I found what appears to be the current home of his blog at https://kecher.net/overloading-macros/. A comment with a link to the post above the macro_dispatcher logic?
Unless there is a licensing requirement, we don't usually put credits directly in the source. I'd suggest adding a comment to the patch description crediting Roman with the basic idea and providing a link to his blog post. His examples don't carry any license or restrictions, so I think we are fine in that regard; based on a sampling of his blog, I believe his intent is to share these ideas with others (like us) to help them solve their problems. If you have Roman's email address, you could always try sending him an email. If for some reason you can't reach him, I think it is fine to go ahead.
Resolved via 80a987d6f8d0152def07fa90ace6417d56eea741.
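The comparisons discussed in this thread, modelled in plain C as an added example (not code from libseccomp or from any participant): the datum is widened to 64 bits as scmp_datum_t is, and the argument is assumed to arrive with its upper 32 bits zero, as in the openat filter output above. The helper names are made up for this sketch, and `int32_gt` is a hypothetical sign-aware check, not a libseccomp API.

```c
#include <stdint.h>
#include <stdio.h>

/* Datum as stored in a rule: always a 64-bit unsigned value. */
static uint64_t datum_plain(int v) { return (uint64_t)(int64_t)v; }  /* sign-extends    */
static uint64_t datum_u32(int v)   { return (uint64_t)(uint32_t)v; } /* (uint32_t) cast */

/* Assumption: the filter reads an int argument with the upper half zero,
 * which is what the corrected openat filter in the thread matches on. */
static uint64_t arg_zext(int v) { return (uint64_t)(uint32_t)v; }

/* Models of the rule comparisons: plain unsigned 64-bit arithmetic. */
static int cmp_eq(uint64_t arg, uint64_t datum) { return arg == datum; }
static int cmp_gt(uint64_t arg, uint64_t datum) { return arg > datum; }

/* Hypothetical sign-aware "arg > limit" for a 32-bit int argument and a
 * limit >= 0: only the low 32 bits are inspected, and values with the
 * sign bit set (negative ints) are excluded from the match. */
static int int32_gt(uint64_t arg, int limit)
{
    uint32_t lo = (uint32_t)arg;
    return lo > (uint32_t)limit && lo <= 0x7fffffffu;
}

int main(void)
{
    const int at_fdcwd = -100; /* value given in the thread */

    /* The setpriority rule: "GT 0" also matches a nice value of -1. */
    printf("GT 0 vs -1: %d\n", cmp_gt(arg_zext(-1), datum_plain(0)));
    printf("GT 0 vs  1: %d\n", cmp_gt(arg_zext(1), datum_plain(0)));

    /* The openat rule: the uncast datum never equals the argument. */
    printf("EQ AT_FDCWD, plain datum: %d\n",
           cmp_eq(arg_zext(at_fdcwd), datum_plain(at_fdcwd)));
    printf("EQ AT_FDCWD, u32 datum:   %d\n",
           cmp_eq(arg_zext(at_fdcwd), datum_u32(at_fdcwd)));

    /* Sign-aware check: -1 no longer counts as greater than 0. */
    printf("int32_gt 0 vs -1: %d, vs 1: %d\n",
           int32_gt(arg_zext(-1), 0), int32_gt(arg_zext(1), 0));
    return 0;
}
```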