Google Git
Sign in
android / platform / external / minijail / f68fc8df0458a1c713d9b93f831a78871becb091^! / .
commitf68fc8df0458a1c713d9b93f831a78871becb091[log] [tgz]
authorMatt Delco <delco@chromium.org>Thu Nov 14 16:47:52 2019 -0800
committerTreehugger Robot <treehugger-gerrit@google.com>Sat Nov 16 01:01:56 2019 +0000
treee9a3214ae8e33925d8503893b10d2ed2859cbd5f
parent25604913a0c224dd12255cb40fb4f422ee1e94ee [diff]
tools/compile_seccomp_policy: support kill syscall

The parsing fails on statements like:

kill: 1

since 'kill' is matched as an action.

I added these to tests/seccomp.policy and verified the script
now runs to completion.

Bug: chromium:1024021
Test: ./tools/compiler_unittest.py
Test: ./tools/parser_unittest.py
Test: ./tools/compile_seccomp_policy.py \
      test/seccomp.policy test/seccomp.bpf

Change-Id: Idd9476f2d3bc4d69dd1f4bbaac4505bff2ce9801
Signed-off-by: Matt Delco <delco@chromium.org>

diff --git a/tools/parser.py b/tools/parser.py
index f3c5331..3f933a8 100644
--- a/tools/parser.py
+++ b/tools/parser.py

@@ -518,7 +518,10 @@
         if not tokens:
             self._parser_state.error('missing syscall descriptor')
         syscall_descriptor = tokens.pop(0)
-        if syscall_descriptor.type != 'IDENTIFIER':
+        # `kill` as a syscall name is a special case since kill is also a valid
+        # action and actions have precendence over identifiers.
+        if (syscall_descriptor.type != 'IDENTIFIER' and
+            syscall_descriptor.value != 'kill'):
             self._parser_state.error(
                 'invalid syscall descriptor', token=syscall_descriptor)
         if tokens and tokens[0].type == 'LBRACKET':

diff --git a/tools/parser_unittest.py b/tools/parser_unittest.py
index e9f0ce2..36bb3bf 100755
--- a/tools/parser_unittest.py
+++ b/tools/parser_unittest.py

@@ -426,6 +426,14 @@
             ), [
                 parser.Filter([[parser.Atom(0, '==', 0)]], bpf.Allow()),
             ]))
+        self.assertEqual(
+            self.parser.parse_filter_statement(
+                self._tokenize('kill: arg0 == 0')),
+            parser.ParsedFilterStatement((
+                parser.Syscall('kill', 62),
+            ), [
+                parser.Filter([[parser.Atom(0, '==', 0)]], bpf.Allow()),
+            ]))
 
     def test_parse_metadata(self):
         """Accept valid filter statements with metadata."""

diff --git a/tools/testdata/arch_64.json b/tools/testdata/arch_64.json
index 1286ee4..4c90ed6 100644
--- a/tools/testdata/arch_64.json
+++ b/tools/testdata/arch_64.json

@@ -7,6 +7,7 @@
     "write": 1,
     "open": 2,
     "close": 3,
+    "kill": 62,
     "syscall_4": 4,
     "syscall_5": 5,
     "syscall_6": 6,
@@ -65,7 +66,6 @@
     "syscall_59": 59,
     "syscall_60": 60,
     "syscall_61": 61,
-    "syscall_62": 62,
     "syscall_63": 63,
     "syscall_64": 64,
     "syscall_65": 65,