Google Git
Sign in
android / platform / external / minijail / ceb800091b03171c3998a57e37c25ac523c23b4d^! / .
commitceb800091b03171c3998a57e37c25ac523c23b4d[log] [tgz]
authorNicole Anderson-Au <[email protected]>Thu May 27 21:43:46 2021 +0000
committerNicole Anderson-Au <[email protected]>Tue Jun 01 16:58:19 2021 +0000
tree2705bbcf7bc0450aa618886ddacfbd70bd0c4b0f
parent2453b1fc097f3a995be8bcc0a2ada1fba616f287 [diff]
minijail: Modify compile_seccomp_policy to compile denylist policies

Add an option to compile_seccomp_policy.py to be able to compile
denylist policies.

BUG=chromium:1162104
TEST=$ ../tools/compile_seccomp_policy.py --denylist
        \ generated_policy.policy simple_filter
$ libseccomp/tools/scmp_bpf_disasm < simple_filter
Check that bpf is for a denylist policy

Change-Id: I98b945bb8f77a15afb5e5805ecbcc5a135dd8d12

diff --git a/tools/compile_seccomp_policy.py b/tools/compile_seccomp_policy.py
index f2b714b..b8f9f83 100755
--- a/tools/compile_seccomp_policy.py
+++ b/tools/compile_seccomp_policy.py

@@ -51,6 +51,10 @@
     arg_parser.add_argument('--include-depth-limit', default=10)
     arg_parser.add_argument('--arch-json', default='constants.json')
     arg_parser.add_argument(
+        '--denylist',
+        action='store_true',
+        help='Compile as a denylist policy rather than the deafult allowlist.')
+    arg_parser.add_argument(
         '--default-action',
         type=str,
         help=('Use the specified default action, overriding any @default '
@@ -101,7 +105,8 @@
                 optimization_strategy=opts.optimization_strategy,
                 kill_action=kill_action,
                 include_depth_limit=opts.include_depth_limit,
-                override_default_action=override_default_action).opcodes)
+                override_default_action=override_default_action,
+                denylist=opts.denylist).opcodes)
     return 0
 
 

diff --git a/tools/compiler.py b/tools/compiler.py
index 161eadf..dd7c4d6 100644
--- a/tools/compiler.py
+++ b/tools/compiler.py

@@ -270,7 +270,8 @@
                      optimization_strategy,
                      kill_action,
                      include_depth_limit=10,
-                     override_default_action=None):
+                     override_default_action=None,
+                     denylist=False):
         """Return a compiled BPF program from the provided policy file."""
         policy_parser = parser.PolicyParser(
             self._arch,
@@ -286,8 +287,12 @@
 
         visitor = bpf.FlatteningVisitor(
             arch=self._arch, kill_action=kill_action)
-        accept_action = bpf.Allow()
-        reject_action = parsed_policy.default_action
+        if denylist:
+            accept_action = parsed_policy.default_action
+            reject_action = bpf.Allow()
+        else:
+            accept_action = bpf.Allow()
+            reject_action = parsed_policy.default_action
         if entries:
             if optimization_strategy == OptimizationStrategy.BST:
                 next_action = _compile_entries_bst(entries, accept_action,