fix(build): add syscall validation before creating profile (alegrey91#35

) * fix(build): add syscall validation before creating profile Signed-off-by: Alessio Greggi <[email protected]> --------- Signed-off-by: Alessio Greggi <[email protected]> Co-authored-by: ccoVeille <[email protected]>
ccoveille-forks · Aug 14, 2024 · 4e5c47e · 4e5c47e
1 parent ea08fde
commit 4e5c47e
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 6 deletions.
diff --git a/cmd/build.go b/cmd/build.go
@@ -58,7 +58,9 @@ var buildCmd = &cobra.Command{
 			scanner := bufio.NewScanner(file)
 			for scanner.Scan() {
 				syscall := scanner.Text()
-				syscallList[string(syscall)]++
+				if seccomp.IsValidSyscall(syscall) {
+					syscallList[string(syscall)]++
+				}
 			}
 		}
 

diff --git a/internal/syscallswriter/syscalls.go → internal/seccomputils/syscalls.go b/internal/syscallswriter/syscalls.go → internal/seccomputils/syscalls.go
@@ -1,4 +1,4 @@
-package syscalls
+package seccomputils
 
 import (
 	"fmt"
@@ -21,3 +21,10 @@ func Print(writer io.Writer, syscalls []uint32) error {
 	}
 	return nil
 }
+
+// IsValidSyscall returns true if a valid system call was passed to the function.
+// Returns false otherwise.
+func IsValidSyscall(syscall string) bool {
+	_, err := seccomp.GetSyscallFromName(syscall)
+	return err == nil
+}
diff --git a/internal/syscallswriter/syscalls_test.go → internal/seccomputils/syscalls_test.go b/internal/syscallswriter/syscalls_test.go → internal/seccomputils/syscalls_test.go
@@ -1,4 +1,4 @@
-package syscalls
+package seccomputils
 
 import (
 	"bytes"
@@ -46,3 +46,36 @@ func TestPrint(t *testing.T) {
 		})
 	}
 }
+
+func TestIsValidSyscall(t *testing.T) {
+	type args struct {
+		syscall string
+	}
+	tests := []struct {
+		name string
+		args args
+		want bool
+	}{
+		{
+			name: "syscall is valid",
+			args: args{
+				syscall: "openat",
+			},
+			want: true,
+		},
+		{
+			name: "syscall is not valid",
+			args: args{
+				syscall: "openatx",
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := IsValidSyscall(tt.args.syscall); got != tt.want {
+				t.Errorf("IsValidSyscall() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/internal/writer/write.go b/internal/writer/write.go
@@ -6,7 +6,7 @@ import (
 	"path"
 
 	"github.com/alegrey91/harpoon/internal/archiver"
-	syscallsw "github.com/alegrey91/harpoon/internal/syscallswriter"
+	"github.com/alegrey91/harpoon/internal/seccomputils"
 )
 
 type WriteOptions struct {
@@ -32,10 +32,10 @@ func Write(syscalls []uint32, functionSymbol string, opts WriteOptions) error {
 			return fmt.Errorf("error setting permissions to %s: %v", file.Name(), err)
 		}
 		// write to file
-		errOut = syscallsw.Print(file, syscalls)
+		errOut = seccomputils.Print(file, syscalls)
 	} else {
 		// write to stdout
-		errOut = syscallsw.Print(os.Stdout, syscalls)
+		errOut = seccomputils.Print(os.Stdout, syscalls)
 	}
 	if errOut != nil {
 		return fmt.Errorf("error printing out system calls: %v", errOut)