RFE: add support for comparisons against 32-bit arguments

[jhenstridge]

This is intended to fix #383.

The basic implementation strategy was:

1. add an SCMP_CMP_32BIT flag that can be bitwise ORed with the existing comparison operators, indicating that a 32-bit comparison is requested even on 64-bit platforms. This should be ABI backward compatible, and should also cleanly return an error should an application link against an old libseccomp.
2. extract the "per argument comparison" logic from _db_rule_gen_64 and _db_rule_gen_32 into _db_rule_gen_arg_64 and _db_rule_gen_arg_32 helper functions that share the same signature.
3. merge the two _db_rule_gen_* functions now that they are basically the same except for which helper they invoke in the loop.
4. have _db_rule_gen unconditionally generate 32-bit comparison tree nodes if the argument comparison had the SCMP_CMP_32BIT flag set.

[coveralls]

Coverage decreased (-0.1%) to 89.454% when pulling 518493f on jhenstridge:32-bit-comparisons into 72198d9 on seccomp:main.

[jhenstridge]

I think this is ready for review now. I've added tests to demonstrate that the 32-bit comparisons work and ignore data in the high bits, and also made sure rule_add() will return -EINVAL if unknown flags are set in the scmp_compare operation for better forward compatibility.

One thing I haven't done is change the SCMP_A?_32() macros to automatically set SCMP_CMP_32BIT in the comparison operation. I think it is probably what most people using those macros would actually want, but is a change in behaviour.

[jhenstridge]

I've rebased against main, and added a Python version of the new test. It all looked okay locally, but I hadn't built with --enable-python.

[pcmoore]

I want to apologize @jhenstridge, you've put a lot of work in on this and we haven't had a chance to look at it yet. I just want to let you know that this PR hasn't gone unnoticed or been forgotten, we just happen to have a lot on our plates and this is not only tricky code but an API addition so it takes some time to review.

Thank you for your help!

[drakenclimber]

Thanks, @jhenstridge!

I looked through the changes pretty closely, and it looks solid to me. I took a couple notes along the way as I worked through the patches, and I'll leave them in there for now in case they help others, but they don't affect the overall outcome of the review. Thanks for the refactor of the _db_rule_gen_* logic into a single function.

As a small nitpick, I am used to more descriptive commit comments, but I honestly can't fault what you've added. They explained each commit.

It feels like too significant of a change to be part of v2.5.5, and thus I would lean toward it going in v2.6.0. I'm open to discussion to hear others' thoughts here though.

Thanks!

Acked-by: Tom Hromatka <[email protected]>

[drakenclimber]

Note to self as much as anything - I don't see this function having any code coverage even though it's getting called 500,000+ times.

https://coveralls.io/builds/49252361/source?filename=src%2Fdb.c#L1918

[pcmoore]

Hmm, I think something is broken for me and coveralls.io, I'm not able to see the marked-up source anymore ... :/

[pcmoore]

Nevermind, it looks like I just needed to re-auth to coveralls.io.

[pcmoore]

Back to the original comment ... yes, something is odd here, both the 64-bit and 32-bit variants of this function appear to have zero code coverage, which is not right ...

[drakenclimber]

Another note to self - the prev_nodes[] change will become important in later commits. This commit is (slightly) more than just a refactoring of code to a separate function.

[pcmoore]

The fixed 4 is very "magic" too, which makes me uneasy. At the very least that needs a comment (why 4?), but a much better approach would be a macro definition and and comment with the macro.

[pcmoore]

Okay, I now understand where the 4 comes from, and to be fair we have similar constants in the current _db_rule_gen_64() function, but the important difference is that in the current implementation the magic numbers are contained as local variables within the function, here they are part of the function's signature and are thus much more important.

[pcmoore]

I'm hoping that as I get farther into this review we can revisit how this code was extracted, because I'm not really liking this right now.

[cyphar]

I wonder if it would be possible (or even preferable) to merge this PR with the requirements of #310 and just have a set of MASKED_* comparators so that you can do any masked comparison you like? It would result in the same BPF output for 32-bit but would be more general?

[jhenstridge]

@cyphar: I think handling 32-bit arguments is important enough to have on its own, given how many syscalls have 32-bit arguments. And if libseccomp ever leans how to perform signed comparisons, the argument width will be important due to different positions for the sign bit. It also has the benefit of generating smaller BPF for 32-bit argument checks compared to generalised masked 64-bit comparisons.

If the part of my proposal to add flag bits to scmp_compare is accepted though, it might provide a better basis for generalised mask comparisons. Rather than adding new scmp_compare values for the other comparisons like was done with SCMP_CMP_MASKED_EQ, you could have a flag that can be ORed to indicate that the argument should be masked before performing the comparison.

[pcmoore]

I'm still working my way through this PR, but I think we want to move SCMP_CMP_OPMASK and SCMP_CMP_32BIT out of the enum and have them be standalone preprocessor macros/constants.

[pcmoore]

I guess if we do that we need to add a "filler" value to cause the enum to be a certain size, which feels a little icky but I think it's okay if we make sure to represent all of the flag space, e.g.

enum scmp_compare {
	_SCMP_CMP_MIN = 0,
	SCMP_CMP_NE = 1,
	SCMP_CMP_LT = 2,
	SCMP_CMP_LE = 3,
	SCMP_CMP_EQ = 4,
	SCMP_CMP_GE = 5,
	SCMP_CMP_GT = 6,
	SCMP_CMP_MASKED_EQ = 7,
	_SCMP_CMP_MAX,
	_SCMP_CMP_OPMASK = 0x0000FFFF,
	_SCMP_CMP_FLAGMASK = 0xFFFF0000,
};

[pcmoore]

... which somewhat questions the value of moving the flag definitions out of the enum and into their own macros/constants, but that still seems like a goodish idea to me at this point.

[pcmoore]

I think I'd prefer to drop the is_32bit flag and just preserve the SCMP_CMP_XXX flags in the db_api_arg::op field; there aren't that many places that check the comparison op so masking them shouldn't be too terrible. If necessary we can always wrap it in a preprocessor macro, e.g.

#define CMP_OP(x) (x & __SCMP_CMP_OPMASK)
#define CMP_FLAGS(x) (x & __SCMP_CMP_FLAGMASK)

[pcmoore]

My apologies @jhenstridge, I just got pinged that I've run out of time today, if I don't get a chance to finish this over the weekend I'll pick it up next week.

[pcmoore]

I know braces ("{ ... }") aren't strictly required for this for-loop body, but please add them to help readability and prevent silly mistakes in the future.

[pcmoore]

A quick comment independent of any one particular commit - all of the commits in this PR appear pretty substantial, yet there are no commit descriptions in the first few commits I've reviewed. Please add some meaningful commit descriptions to each patch explaining what the patch does, and why this change is important.

We often let trivial patches go into the tree without commit descriptions, but that should be seen as a special case and not something that should be taken as a general rule.

[pcmoore]

This function also needs a comment block at the top like all the other functions in libseccomp.

[pcmoore]

Same as with the 64-bit variant, it looks like the comment block is added in 0936a72 ("db: merge _db_rule_gen_64 and _db_rule_gen_32"); it would be best to add the comment block in the first appearance of the function.

[pcmoore]

I'm thinking out-loud here, but I wonder if the readability would be better if the prev_nodes[] array was expanded into individual variables with more descriptive names?

[pcmoore]

Also, this function only appears to ever use one prev_nodes[] array slot, right?

[pcmoore]

Needs a comment block describing the function, see the others for an example.

[pcmoore]

Okay, so it looks like it is added in 0936a72 ("db: merge _db_rule_gen_64 and _db_rule_gen_32"); it would be best to add the comment block in the first appearance of the function.

[pcmoore]

The other comments about prev_nodes[] apply here.

[pcmoore]

I know braces ("{ ... }") aren't strictly required for this for-loop body, but please add them to help readability and prevent silly mistakes in the future.

[pcmoore]

Personal nit-pick: please don't chain assignments together like this, put them each on their own line.

[pcmoore]

Since is_32bit is only used once below, why not just drop the dedicated local variable and just do the arch->size comparison where needed?

[pcmoore]

Thank you for the new tests :)

[pcmoore]

It might be a good idea to check this up near the top of the if-block once the once the chain entry is considered valid (the fail early idea).

[pcmoore]

This may argue for a SCMP_CMP_FLAGMASK or similar, see the comments on the first patch in the PR.

[pcmoore]

Double bonus points for the Python tests :)

[pcmoore]

First off, I'm really sorry @jhenstridge that it took me so long to give this a proper review, that was pretty crappy and you deserved better considering the time and effort that no doubt went into this PR. That said, I'm finally done going through the PR, but please don't feel that my comments are "you MUST do this!", I think most of my comments were intended more as starting points for some discussion between you, @drakenclimber, myself, and anyone else who is interested in this functionality. Put another way, please don't rush out to change a lot of your code just yet, let's make sure we are all in agreement before you spend a bunch more time revising this patchset :)

[pcmoore]

Hi @jhenstridge, it's been a while so I just wanted to check in on this to see where things were at?