fix code error

Signed-off-by: GengYinzong <gengyinzong@huawei.com>
Change-Id: I7396f54c37f8abd27c9b9b5d9144f54870f626ae
This commit is contained in:
GengYinzong 2023-07-26 01:24:48 -07:00
parent d2b059b8b9
commit afc51f5f3f
2 changed files with 27 additions and 2 deletions

View File

@ -155,7 +155,7 @@ def gen_syscall_nr_table(file_name, func_name_nr_table):
class SeccompPolicyParam:
def __init__(self, arch, function_name_nr_table):
def __init__(self, arch, function_name_nr_table, is_debug):
self.arch = arch
self.priority = set()
self.allow_list = set()
@ -170,6 +170,7 @@ class SeccompPolicyParam:
self.final_allow_list_with_args = set()
self.return_value = ''
self.mode = 'DEFAULT'
self.is_debug = is_debug
self.function_name_nr_table = function_name_nr_table
self.value_function = {
'priority': self.update_priority,
@ -242,6 +243,8 @@ class SeccompPolicyParam:
def update_return_value(self, return_str):
if return_str in ret_str_to_bpf:
if self.is_debug == 'false' and return_str == 'LOG':
raise ValidateError("LOG return value is not allowed in user mode")
self.return_value = return_str
return True
@ -803,6 +806,13 @@ class SeccompPolicyParser:
self.seccomp_policy_param = dict()
self.reduced_block_list_parm = dict()
self.key_process_flag = False
self.is_debug = False
def update_is_debug(self, is_debug):
if is_debug == 'false':
self.is_debug = False
else:
self.is_debug = True
def update_arch(self, target_cpu):
if target_cpu == "arm":
@ -898,6 +908,9 @@ class SeccompPolicyParser:
cur_policy_param.mode, cur_policy_param.return_value)
self.bpf_generator.add_return_value(cur_policy_param.return_value)
for line in self.bpf_generator.bpf_policy:
if 'SECCOMP_RET_LOG' in line and self.is_debug == False:
raise ValidateError("LOG return value is not allowed in user mode")
def gen_seccomp_policy(self):
arches = sorted(list(self.arches))
@ -960,13 +973,14 @@ class SeccompPolicyParser:
for arch in supported_architecture:
self.seccomp_policy_param.update(
{arch: SeccompPolicyParam(arch, function_name_nr_table_dict.get(arch))})
{arch: SeccompPolicyParam(arch, function_name_nr_table_dict.get(arch), args.is_debug)})
self.reduced_block_list_parm.update(
{arch: AllowBlockList(args.filter_name, arch, function_name_nr_table_dict.get(arch))})
self.bpf_generator.update_function_name_nr_table(function_name_nr_table_dict)
self.update_arch(args.target_cpu)
self.update_is_debug(args.is_debug)
for file_name in args.blocklist_file:
if file_name.lower().endswith('blocklist.seccomp.policy'):
@ -1012,6 +1026,9 @@ def main():
parser.add_argument('--target-cpu', type=str,
help=('please input target cpu arm or arm64\n'))
parser.add_argument('--is-debug', type=str,
help=('please input is_debug true or false\n'))
args = parser.parse_args()
generator = SeccompPolicyParser()

View File

@ -91,6 +91,12 @@ template("ohos_prebuilt_seccomp") {
":${_syscall_to_nr_arm_name}",
]
if (build_variant == "root") {
seccomp_is_debug = "true"
} else {
seccomp_is_debug = "false"
}
args = []
foreach(source, sources) {
args += [
@ -109,6 +115,8 @@ template("ohos_prebuilt_seccomp") {
invoker.target_cpu,
"--keyprocess-file",
rebase_path(_key_process_file_name),
"--is-debug",
seccomp_is_debug,
]
outputs = [ _seccomp_filter_file ]