Use libc seccomp constants

Use libc constants now that rust-lang/libc/pull/3343 is merged and released. SECCOMP_RET_MASK does not exist anymore and appears to have not existed for a while. SECCOMP_RET_DATA is exactly the same mask value, and the usage here is in line with the man page. Completes rust-vmm#60 Signed-off-by: Harry Stern <[email protected]>
boustrophedon · Mar 4, 2024 · c4122ae · c4122ae
1 parent 1ab58a2
commit c4122ae
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 17 deletions.
diff --git a/src/backend/bpf.rs b/src/backend/bpf.rs
@@ -114,14 +114,14 @@ pub const BPF_K: u16 = 0x00;
 
 // Return codes for BPF programs.
 // See /usr/include/linux/seccomp.h .
-pub const SECCOMP_RET_ALLOW: u32 = 0x7fff_0000;
-pub const SECCOMP_RET_ERRNO: u32 = 0x0005_0000;
-pub const SECCOMP_RET_KILL_THREAD: u32 = 0x0000_0000;
-pub const SECCOMP_RET_KILL_PROCESS: u32 = 0x8000_0000;
-pub const SECCOMP_RET_LOG: u32 = 0x7ffc_0000;
-pub const SECCOMP_RET_TRACE: u32 = 0x7ff0_0000;
-pub const SECCOMP_RET_TRAP: u32 = 0x0003_0000;
-pub const SECCOMP_RET_MASK: u32 = 0x0000_ffff;
+pub use libc::SECCOMP_RET_ALLOW;
+pub use libc::SECCOMP_RET_DATA;
+pub use libc::SECCOMP_RET_ERRNO;
+pub use libc::SECCOMP_RET_KILL_PROCESS;
+pub use libc::SECCOMP_RET_KILL_THREAD;
+pub use libc::SECCOMP_RET_LOG;
+pub use libc::SECCOMP_RET_TRACE;
+pub use libc::SECCOMP_RET_TRAP;
 
 // Architecture identifier for x86_64 LE.
 // See /usr/include/linux/audit.h .

diff --git a/src/backend/mod.rs b/src/backend/mod.rs
@@ -21,8 +21,8 @@ use std::fmt::Display;
 
 use bpf::{
     ARG_NUMBER_MAX, AUDIT_ARCH_AARCH64, AUDIT_ARCH_X86_64, BPF_MAX_LEN, SECCOMP_RET_ALLOW,
-    SECCOMP_RET_ERRNO, SECCOMP_RET_KILL_PROCESS, SECCOMP_RET_KILL_THREAD, SECCOMP_RET_LOG,
-    SECCOMP_RET_MASK, SECCOMP_RET_TRACE, SECCOMP_RET_TRAP,
+    SECCOMP_RET_DATA, SECCOMP_RET_ERRNO, SECCOMP_RET_KILL_PROCESS, SECCOMP_RET_KILL_THREAD,
+    SECCOMP_RET_LOG, SECCOMP_RET_TRACE, SECCOMP_RET_TRAP,
 };
 
 pub use bpf::{sock_filter, BpfProgram, BpfProgramRef};
@@ -173,11 +173,11 @@ impl From<SeccompAction> for u32 {
     fn from(action: SeccompAction) -> Self {
         match action {
             SeccompAction::Allow => SECCOMP_RET_ALLOW,
-            SeccompAction::Errno(x) => SECCOMP_RET_ERRNO | (x & SECCOMP_RET_MASK),
+            SeccompAction::Errno(x) => SECCOMP_RET_ERRNO | (x & SECCOMP_RET_DATA),
             SeccompAction::KillThread => SECCOMP_RET_KILL_THREAD,
             SeccompAction::KillProcess => SECCOMP_RET_KILL_PROCESS,
             SeccompAction::Log => SECCOMP_RET_LOG,
-            SeccompAction::Trace(x) => SECCOMP_RET_TRACE | (x & SECCOMP_RET_MASK),
+            SeccompAction::Trace(x) => SECCOMP_RET_TRACE | (x & SECCOMP_RET_DATA),
             SeccompAction::Trap => SECCOMP_RET_TRAP,
         }
     }

diff --git a/src/lib.rs b/src/lib.rs
@@ -208,10 +208,6 @@ pub use backend::{
     SeccompCmpOp, SeccompCondition, SeccompFilter, SeccompRule, TargetArch,
 };
 
-// Until https://github.com/rust-lang/libc/issues/3342 is fixed, define locally
-// From <linux/seccomp.h>
-const SECCOMP_SET_MODE_FILTER: libc::c_int = 1;
-
 // BPF structure definition for filter array.
 // See /usr/include/linux/filter.h .
 #[repr(C)]
@@ -361,7 +357,7 @@ fn apply_filter_with_flags(bpf_filter: BpfProgramRef, flags: libc::c_ulong) -> R
     let rc = unsafe {
         libc::syscall(
             libc::SYS_seccomp,
-            SECCOMP_SET_MODE_FILTER,
+            libc::SECCOMP_SET_MODE_FILTER,
             flags,
             bpf_prog_ptr,
         )