api: extend BPF export API to write to a memory buffer

The API to export to a fd is helpful, but for tools that want to
generate & read the BPF program, outputting to a buffer would be
much more helpful.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: rename seccomp_export_bpf_buf() to seccomp_export_bpf_mem()]
[PM: 'make check-syntax' fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>

Author: vapier

doc/Makefile.am

@@ -28,6 +28,7 @@ dist_man3_MANS = \
 	man/man3/seccomp_attr_get.3 \
 	man/man3/seccomp_attr_set.3 \
 	man/man3/seccomp_export_bpf.3 \
+	man/man3/seccomp_export_bpf_mem.3 \
 	man/man3/seccomp_export_pfc.3 \
 	man/man3/seccomp_init.3 \
 	man/man3/seccomp_load.3 \

doc/man/man3/seccomp_export_bpf.3

@@ -13,6 +13,7 @@ seccomp_export_bpf, seccomp_export_pfc \- Export the seccomp filter
 .sp
 .BI "int seccomp_export_bpf(const scmp_filter_ctx " ctx ", int " fd ");"
 .BI "int seccomp_export_pfc(const scmp_filter_ctx " ctx ", int " fd ");"
+.BI "int seccomp_export_bpf_mem(const scmp_filter_ctx " ctx ", void *" buf ", size_t *" len ");"
 .sp
 Link with \fI\-lseccomp\fP.
 .fi
@@ -42,6 +43,26 @@ is the value returned by the call to
 While the two output formats are guaranteed to be functionally equivalent for
 the given seccomp filter configuration, the filter instructions, and their
 ordering, are not guaranteed to be the same in both the BPF and PFC formats.
+.P
+The
+.BR seccomp_export_bpf_mem ()
+function is largely the same as
+.BR seccomp_export_bpf (),
+but instead of writing to a file descriptor, the program will be written to the
+.I buf
+pointer provided by the caller.  The
+.I len
+argument must be initialized with the size of the
+.I buf
+buffer.  If the program was valid,
+.I len
+will be updated with its size in bytes.  If
+.I buf
+was too small to hold the program,
+.I len
+can be consulted to determine the required size.  Passing a NULL
+.I buf
+may also be used to query the required size ahead of time.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////
@@ -59,6 +80,9 @@ Invalid input, either the context or architecture token is invalid.
 .TP
 .B -ENOMEM
 The library was unable to allocate enough memory.
+.TP
+.B -ERANGE
+The provided buffer was too small.
 .P
 If the \fISCMP_FLTATR_API_SYSRAWRC\fP filter attribute is non-zero then
 additional error codes may be returned to the caller; these additional error

doc/man/man3/seccomp_export_bpf_mem.3

@@ -0,0 +1 @@
+.so man3/seccomp_export_bpf.3

include/seccomp.h.in

@@ -25,6 +25,7 @@
 
 #include <elf.h>
 #include <inttypes.h>
+#include <stdlib.h>
 #include <asm/unistd.h>
 #include <linux/audit.h>
 #include <linux/types.h>
@@ -816,6 +817,19 @@ int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd);
  */
 int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
 
+/**
+ * Generate seccomp Berkeley Packet Filter (BPF) code and export it to a buffer
+ * @param ctx the filter context
+ * @param buf the destination buffer
+ * @param len on input the length of the buffer, on output the number of bytes
+ * in the program
+ *
+ * This function generates seccomp Berkeley Packer Filter (BPF) code and writes
+ * it to the given buffer.  Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf, size_t *len);
+
 /*
  * pseudo syscall definitions
  */

src/api.c

@@ -83,6 +83,8 @@ static int _rc_filter(int err)
 	 *       requested operation */
 	case -EOPNOTSUPP:
 	/* NOTE: operation is not supported */
+	case -ERANGE:
+	/* NOTE: provided buffer is too small */
 	case -ESRCH:
 		/* NOTE: operation failed due to multi-threading */
 		return err;
@@ -731,3 +733,35 @@ API int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd)
 
 	return 0;
 }
+
+/* NOTE - function header comment in include/seccomp.h */
+API int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf,
+			       size_t *len)
+{
+	int rc;
+	size_t buf_len;
+	struct db_filter_col *col;
+	struct bpf_program *program;
+
+	if (_ctx_valid(ctx) || !len)
+		return _rc_filter(-EINVAL);
+	col = (struct db_filter_col *)ctx;
+
+	rc = gen_bpf_generate(col, &program);
+	if (rc < 0)
+		return _rc_filter(rc);
+	buf_len = *len;
+	*len = BPF_PGM_SIZE(program);
+
+	rc = 0;
+	if (buf) {
+		/* If we have a big enough buffer, write the program. */
+		if (*len > buf_len)
+			rc = _rc_filter(-ERANGE);
+		else
+			memcpy(buf, program->blks, *len);
+	}
+	gen_bpf_release(program);
+
+	return rc;
+}

src/python/libseccomp.pxd

@@ -167,6 +167,8 @@ cdef extern from "seccomp.h":
 
     int seccomp_export_pfc(scmp_filter_ctx ctx, int fd)
     int seccomp_export_bpf(scmp_filter_ctx ctx, int fd)
+    int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf,
+                               size_t *len)
 
 # kate: syntax python;
 # kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;

src/python/seccomp.pyx

@@ -80,10 +80,12 @@ Example:
 __author__ =  'Paul Moore <paul@paul-moore.com>'
 __date__ = "3 February 2017"
 
+from cpython cimport array
 from cpython.version cimport PY_MAJOR_VERSION
 from libc.stdint cimport int8_t, int16_t, int32_t, int64_t
 from libc.stdint cimport uint8_t, uint16_t, uint32_t, uint64_t
 from libc.stdlib cimport free
+import array
 import errno
 
 cimport libseccomp
@@ -1044,5 +1046,28 @@ cdef class SyscallFilter:
         if rc != 0:
             raise RuntimeError(str.format("Library error (errno = {0})", rc))
 
+    def export_bpf_mem(self):
+        """ Export the filter in BPF format.
+
+        Description:
+        Return the filter in Berkeley Packet Filter (BPF) as bytes.
+        The output is identical to what is loaded into the Linux Kernel.
+        """
+        cdef size_t len = 0
+
+        # Figure out how big the program is.
+        rc = libseccomp.seccomp_export_bpf_mem(self._ctx, NULL, <size_t *>&len)
+        if rc != 0:
+            raise RuntimeError(str.format("Library error (errno = {0})", rc))
+
+        # Get the program.
+        cdef array.array data = array.array('b', bytes(len))
+        cdef char[:] program = data
+        rc = libseccomp.seccomp_export_bpf_mem(self._ctx, <void *>&program[0],
+                                               <size_t *>&len)
+        if rc != 0:
+            raise RuntimeError(str.format("Library error (errno = {0})", rc))
+        return program
+
 # kate: syntax python;
 # kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;

tests/11-basic-basic_errors.c

@@ -175,6 +175,39 @@ int main(int argc, char *argv[])
 	seccomp_release(ctx);
 	ctx = NULL;
 
+	/* seccomp_export_bpf_mem errors */
+	char buf[1024];
+	size_t buf_len = sizeof(buf);
+	rc = seccomp_export_bpf_mem(ctx, buf, &buf_len);
+	if (rc != -EINVAL)
+		return -1;
+
+	ctx = seccomp_init(SCMP_ACT_KILL);
+	if (ctx == NULL)
+		return -1;
+	rc = seccomp_export_bpf_mem(ctx, buf, NULL);
+	if (rc != -EINVAL)
+		return -1;
+	rc = seccomp_export_bpf_mem(ctx, NULL, NULL);
+	if (rc != -EINVAL)
+		return -1;
+
+	rc = seccomp_export_bpf_mem(ctx, NULL, &buf_len);
+	if (rc != 0)
+		return -1;
+	rc = seccomp_export_bpf_mem(ctx, buf, &buf_len);
+	if (rc != 0)
+		return -1;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
+	if (rc != 0)
+		return -1;
+	buf_len = 0;
+	rc = seccomp_export_bpf_mem(ctx, buf, &buf_len);
+	if (rc != -ERANGE)
+		return -1;
+	seccomp_release(ctx);
+	ctx = NULL;
+
 	/* seccomp_attr_* errors */
 	ctx = seccomp_init(SCMP_ACT_ALLOW);
 	if (ctx == NULL)

tests/11-basic-basic_errors.py

@@ -87,6 +87,11 @@ def test():
     except RuntimeError:
         pass
 
+    # This shouldn't throw any errors.
+    f = SyscallFilter(ALLOW)
+    f.add_rule(KILL, "read")
+    ret = f.export_bpf_mem()
+
 test()
 
 # kate: syntax python;