seccomp/
attribute.rs

1//! A wrapper on SCMP_FLTATR.
2use super::raw::scmp_filter_attr::{self, *};
3use crate::action::Action;
4use std::fmt;
5
6/// How to organize the filter rules.
7pub enum OptimizeStrategy {
8    /// Uses priority and rule complexity for ordering.
9    PriorityAndComplexity,
10
11    /// Uses a simple Binary Search Tree for ordering.
12    BinaryTree,
13}
14
15/// Attributes.
16pub enum Attribute {
17    /// The action for when an invalid architecture is detected.
18    BadArchAction(Action),
19
20    /// Deny new privileges on load
21    NoNewPrivileges(bool),
22
23    /// Sync all threads in the process to make sure the filter applies.
24    ThreadSync(bool),
25
26    /// Allow negative Syscalls.
27    NegativeSyscalls(bool),
28
29    /// Log syscalls to Audit.
30    Log(bool),
31
32    /// Disable SSB Mitigation.
33    DisableSSB(bool),
34
35    /// How the rules are ordered.
36    Optimize(OptimizeStrategy),
37
38    /// Return system return codes.
39    ReturnSystemReturnCodes(bool),
40}
41impl Attribute {
42    /// Get the raw name of the attribute.
43    pub fn name(&self) -> scmp_filter_attr {
44        match self {
45            Attribute::BadArchAction(_) => SCMP_FLTATR_ACT_BADARCH,
46            Attribute::NoNewPrivileges(_) => SCMP_FLTATR_CTL_NNP,
47            Attribute::ThreadSync(_) => SCMP_FLTATR_CTL_TSYNC,
48            Attribute::NegativeSyscalls(_) => SCMP_FLTATR_API_TSKIP,
49            Attribute::Log(_) => SCMP_FLTATR_CTL_LOG,
50            Attribute::DisableSSB(_) => SCMP_FLTATR_CTL_SSB,
51            Attribute::Optimize(_) => SCMP_FLTATR_CTL_OPTIMIZE,
52            Attribute::ReturnSystemReturnCodes(_) => SCMP_FLTATR_API_SYSRAWRC,
53        }
54    }
55
56    /// Get the current value of the attribute.
57    pub fn value(&self) -> u32 {
58        match self {
59            Attribute::BadArchAction(action) => (*action).into(),
60            Attribute::NoNewPrivileges(set) => *set as u32,
61            Attribute::ThreadSync(set) => *set as u32,
62            Attribute::NegativeSyscalls(set) => *set as u32,
63            Attribute::Log(set) => *set as u32,
64            Attribute::DisableSSB(set) => *set as u32,
65            Attribute::Optimize(strategy) => match strategy {
66                OptimizeStrategy::PriorityAndComplexity => 1,
67                OptimizeStrategy::BinaryTree => 2,
68            },
69            Attribute::ReturnSystemReturnCodes(set) => *set as u32,
70        }
71    }
72
73    /// Get a string value for the attribute
74    pub fn str(&self) -> &'static str {
75        match self {
76            Attribute::BadArchAction(_) => "Bad Arch Action",
77            Attribute::NoNewPrivileges(_) => "No New Privileges",
78            Attribute::ThreadSync(_) => "Thread Sync",
79            Attribute::NegativeSyscalls(_) => "Negative Syscalls",
80            Attribute::Log(_) => "Log",
81            Attribute::DisableSSB(_) => "Disable SSB",
82            Attribute::Optimize(_) => "Optimize",
83            Attribute::ReturnSystemReturnCodes(_) => "Return System Return Codes",
84        }
85    }
86}
87impl fmt::Display for Attribute {
88    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
89        write!(f, "{}", self.str())
90    }
91}
92impl fmt::Debug for Attribute {
93    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
94        write!(f, "{}", self.str())
95    }
96}
seccomp/attribute.rs

seccomp/
attribute.rs
