letmein-seccomp/src/lib.rs

@@ -12,7 +12,9 @@
 std::compile_error!("letmeind server and letmein-seccomp do not support non-Linux platforms.");
 
 use anyhow::{self as ah, Context as _};
-use seccompiler::{apply_filter_all_threads, BpfProgram, SeccompAction, SeccompFilter};
+use seccompiler::{
+    apply_filter_all_threads, BpfProgram, SeccompAction, SeccompFilter, SeccompRule,
+};
 use std::{collections::BTreeMap, env::consts::ARCH};
 
 #[derive(Clone, Debug)]
@@ -40,90 +42,96 @@ pub fn seccomp_compile(allow: &[Allow], deny_action: Action) -> ah::Result<Filte
     seccomp_compile_for_arch(allow, deny_action, ARCH)
 }
 
+macro_rules! sys {
+    ($ident:ident) => {
+        libc::$ident as i64
+    };
+}
+
 pub fn seccomp_compile_for_arch(
     allow: &[Allow],
     deny_action: Action,
     arch: &str,
 ) -> ah::Result<Filter> {
-    let mut rules: BTreeMap<_, _> = [
-        (libc::SYS_brk, vec![]),
-        (libc::SYS_close, vec![]),
-        (libc::SYS_close_range, vec![]),
-        (libc::SYS_exit, vec![]),
-        (libc::SYS_exit_group, vec![]),
-        (libc::SYS_getpid, vec![]),
-        (libc::SYS_getrandom, vec![]),
-        (libc::SYS_gettid, vec![]),
-        (libc::SYS_madvise, vec![]),
-        (libc::SYS_munmap, vec![]),
-        (libc::SYS_sched_getaffinity, vec![]),
-        (libc::SYS_sigaltstack, vec![]),
-        (libc::SYS_nanosleep, vec![]),
-        (libc::SYS_clock_nanosleep, vec![]),
+    let mut rules: BTreeMap<i64, Vec<SeccompRule>> = [
+        (sys!(SYS_brk), vec![]),
+        (sys!(SYS_close), vec![]),
+        (sys!(SYS_close_range), vec![]),
+        (sys!(SYS_exit), vec![]),
+        (sys!(SYS_exit_group), vec![]),
+        (sys!(SYS_getpid), vec![]),
+        (sys!(SYS_getrandom), vec![]),
+        (sys!(SYS_gettid), vec![]),
+        (sys!(SYS_madvise), vec![]),
+        (sys!(SYS_munmap), vec![]),
+        (sys!(SYS_sched_getaffinity), vec![]),
+        (sys!(SYS_sigaltstack), vec![]),
+        (sys!(SYS_nanosleep), vec![]),
+        (sys!(SYS_clock_nanosleep), vec![]),
     ]
     .into();
 
     let add_read_write_rules = |rules: &mut BTreeMap<_, _>| {
-        rules.insert(libc::SYS_epoll_create1, vec![]);
-        rules.insert(libc::SYS_epoll_ctl, vec![]);
-        rules.insert(libc::SYS_epoll_pwait2, vec![]);
-        rules.insert(libc::SYS_epoll_wait, vec![]);
-        rules.insert(libc::SYS_lseek, vec![]);
-        rules.insert(libc::SYS_ppoll, vec![]);
-        rules.insert(libc::SYS_pselect6, vec![]);
+        rules.insert(sys!(SYS_epoll_create1), vec![]);
+        rules.insert(sys!(SYS_epoll_ctl), vec![]);
+        rules.insert(sys!(SYS_epoll_pwait2), vec![]);
+        rules.insert(sys!(SYS_epoll_wait), vec![]);
+        rules.insert(sys!(SYS_lseek), vec![]);
+        rules.insert(sys!(SYS_ppoll), vec![]);
+        rules.insert(sys!(SYS_pselect6), vec![]);
     };
 
     for allow in allow {
         match *allow {
             Allow::Mmap => {
                 #[cfg(has_SYS_mmap)]
-                rules.insert(libc::SYS_mmap, vec![]);
+                rules.insert(sys!(SYS_mmap), vec![]);
                 #[cfg(has_SYS_mmap2)]
-                rules.insert(libc::SYS_mmap2, vec![]);
-                rules.insert(libc::SYS_mremap, vec![]);
-                rules.insert(libc::SYS_munmap, vec![]);
+                rules.insert(sys!(SYS_mmap2), vec![]);
+                rules.insert(sys!(SYS_mremap), vec![]);
+                rules.insert(sys!(SYS_munmap), vec![]);
             }
             Allow::Mprotect => {
-                rules.insert(libc::SYS_mprotect, vec![]);
+                rules.insert(sys!(SYS_mprotect), vec![]);
             }
             Allow::UnixConnect => {
-                rules.insert(libc::SYS_connect, vec![]);
-                rules.insert(libc::SYS_socket, vec![]); //TODO: Restrict to AF_UNIX
-                rules.insert(libc::SYS_getsockopt, vec![]);
+                rules.insert(sys!(SYS_connect), vec![]);
+                rules.insert(sys!(SYS_socket), vec![]); //TODO: Restrict to AF_UNIX
+                rules.insert(sys!(SYS_getsockopt), vec![]);
             }
             Allow::TcpAccept => {
-                rules.insert(libc::SYS_accept4, vec![]);
-                rules.insert(libc::SYS_socket, vec![]); //TODO: Restrict to AF_UNIX
-                rules.insert(libc::SYS_getsockopt, vec![]);
+                rules.insert(sys!(SYS_accept4), vec![]);
+                rules.insert(sys!(SYS_socket), vec![]); //TODO: Restrict to AF_UNIX
+                rules.insert(sys!(SYS_getsockopt), vec![]);
             }
             Allow::Read => {
-                rules.insert(libc::SYS_pread64, vec![]);
-                rules.insert(libc::SYS_preadv2, vec![]);
-                rules.insert(libc::SYS_read, vec![]);
-                rules.insert(libc::SYS_readv, vec![]);
+                rules.insert(sys!(SYS_pread64), vec![]);
+                rules.insert(sys!(SYS_preadv2), vec![]);
+                rules.insert(sys!(SYS_read), vec![]);
+                rules.insert(sys!(SYS_readv), vec![]);
                 add_read_write_rules(&mut rules);
             }
             Allow::Write => {
-                rules.insert(libc::SYS_fdatasync, vec![]);
-                rules.insert(libc::SYS_fsync, vec![]);
-                rules.insert(libc::SYS_pwrite64, vec![]);
-                rules.insert(libc::SYS_pwritev2, vec![]);
-                rules.insert(libc::SYS_write, vec![]);
-                rules.insert(libc::SYS_writev, vec![]);
+                rules.insert(sys!(SYS_fdatasync), vec![]);
+                rules.insert(sys!(SYS_fsync), vec![]);
+                rules.insert(sys!(SYS_pwrite64), vec![]);
+                rules.insert(sys!(SYS_pwritev2), vec![]);
+                rules.insert(sys!(SYS_write), vec![]);
+                rules.insert(sys!(SYS_writev), vec![]);
                 add_read_write_rules(&mut rules);
             }
             Allow::Recv => {
-                rules.insert(libc::SYS_recvfrom, vec![]);
-                rules.insert(libc::SYS_recvmsg, vec![]);
-                rules.insert(libc::SYS_recvmmsg, vec![]);
+                rules.insert(sys!(SYS_recvfrom), vec![]);
+                rules.insert(sys!(SYS_recvmsg), vec![]);
+                rules.insert(sys!(SYS_recvmmsg), vec![]);
             }
             Allow::Send => {
-                rules.insert(libc::SYS_sendto, vec![]);
-                rules.insert(libc::SYS_sendmsg, vec![]);
-                rules.insert(libc::SYS_sendmmsg, vec![]);
+                rules.insert(sys!(SYS_sendto), vec![]);
+                rules.insert(sys!(SYS_sendmsg), vec![]);
+                rules.insert(sys!(SYS_sendmmsg), vec![]);
             }
             Allow::SignalReturn => {
-                rules.insert(libc::SYS_rt_sigreturn, vec![]);
+                rules.insert(sys!(SYS_rt_sigreturn), vec![]);
             }
         }
     }