6279355589

Committed 21 Sep 2023 04:53PM UTC coverage: 89.542% (-0.3%) from 89.89%

Build # 6279355589

Build Type

push

github

Committed by

pcmoore

Commit Message

api: add transaction support to the libseccomp API

While libseccomp has internally has transaction support for some time
now, it hasn't been accessible to callers through the libseccomp API.
This patch adds a transaction API as well as supporting documentation
and a new unit regression test.

  int seccomp_transaction_start(const scmp_filter_ctx ctx)
  int seccomp_transaction_commit(const scmp_filter_ctx ctx)
  void seccomp_transaction_reject(const scmp_filter_ctx ctx)

Signed-off-by: Paul Moore <paul@paul-moore.com>

Run Details

30 of 30 new or added lines in 2 files covered. (100.0%)

2697 of 3012 relevant lines covered (89.54%)

299730.21 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

90.55

/src/db.c

/**
 * Enhanced Seccomp Filter DB
 *
 * Copyright (c) 2012,2016,2018 Red Hat <pmoore@redhat.com>
 * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
 * Copyright (c) 2022 Microsoft Corporation <paulmoore@microsoft.com>
 * Author: Paul Moore <paul@paul-moore.com>
 */

/*
 * This library is free software; you can redistribute it and/or modify it
 * under the terms of version 2.1 of the GNU Lesser General Public License as
 * published by the Free Software Foundation.
 *
 * This library is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
 * for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this library; if not, see <http://www.gnu.org/licenses>.
 */

#include <assert.h>
#include <errno.h>
#include <inttypes.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>

#include <seccomp.h>

#include "arch.h"
#include "db.h"
#include "system.h"
#include "helper.h"

/* state values */
#define _DB_STA_VALID                        0xA1B2C3D4
#define _DB_STA_FREED                        0x1A2B3C4D

/* the priority field is fairly simple - without any user hints, or in the case
 * of a hint "tie", we give higher priority to syscalls with less chain nodes
 * (filter is easier to evaluate) */
#define _DB_PRI_MASK_CHAIN                0x0000FFFF
#define _DB_PRI_MASK_USER                0x00FF0000
#define _DB_PRI_USER(x)                        (((x) << 16) & _DB_PRI_MASK_USER)

/* prove information about the sub-tree check results */
struct db_iter_state {
#define _DB_IST_NONE                        0x00000000
#define _DB_IST_MATCH                        0x00000001
#define _DB_IST_MATCH_ONCE                0x00000002
#define _DB_IST_X_FINISHED                0x00000010
#define _DB_IST_N_FINISHED                0x00000020
#define _DB_IST_X_PREFIX                0x00000100
#define _DB_IST_N_PREFIX                0x00000200
#define _DB_IST_M_MATCHSET                (_DB_IST_MATCH|_DB_IST_MATCH_ONCE)
#define _DB_IST_M_REDUNDANT                (_DB_IST_MATCH| \
                                         _DB_IST_X_FINISHED| \
                                         _DB_IST_N_PREFIX)
        unsigned int flags;
        uint32_t action;
        struct db_sys_list *sx;
};

static unsigned int _db_node_put(struct db_arg_chain_tree **node);

/**
 * Define the syscall argument priority for nodes on the same level of the tree
 * @param a tree node
 *
 * Prioritize the syscall argument value, taking into account hi/lo words.
 * Should only ever really be called by _db_chain_{lt,eq}().  Returns an
 * arbitrary value indicating priority.
 *
 */
static unsigned int __db_chain_arg_priority(const struct db_arg_chain_tree *a)
{
        return (a->arg << 1) + (a->arg_h_flg ? 1 : 0);
}

/**
 * Define the "op" priority for nodes on the same level of the tree
 * @param op the argument operator
 *
 * Prioritize the syscall argument comparison operator.  Should only ever
 * really be called by _db_chain_{lt,eq}().  Returns an arbitrary value
 * indicating priority.
 *
 */
static unsigned int __db_chain_op_priority(enum scmp_compare op)
{
        /* the distinction between LT/LT and GT/GE is mostly to make the
         * ordering as repeatable as possible regardless of the order in which
         * the rules are added */
        switch (op) {
        case SCMP_CMP_MASKED_EQ:
        case SCMP_CMP_EQ:
        case SCMP_CMP_NE:
                return 3;
        case SCMP_CMP_LE:
        case SCMP_CMP_LT:
                return 2;
        case SCMP_CMP_GE:
        case SCMP_CMP_GT:
                return 1;
        default:
                return 0;
        }
}

/**
 * Determine if node "a" is less than node "b"
 * @param a tree node
 * @param b tree node
 *
 * The logic is best explained by looking at the comparison code in the
 * function.
 *
 */
static bool _db_chain_lt(const struct db_arg_chain_tree *a,
                         const struct db_arg_chain_tree *b)
{
        unsigned int a_arg, b_arg;
        unsigned int a_op, b_op;

        a_arg = __db_chain_arg_priority(a);
        b_arg = __db_chain_arg_priority(b);
        if (a_arg < b_arg)
                return true;
        else if (a_arg > b_arg)
                return false;

        a_op = __db_chain_op_priority(a->op_orig);
        b_op = __db_chain_op_priority(b->op_orig);
        if (a_op < b_op)
                return true;
        else if (a_op > b_op)
                return false;

        /* NOTE: at this point the arg and op priorities are equal */

        switch (a->op_orig) {
        case SCMP_CMP_LE:
        case SCMP_CMP_LT:
                /* in order to ensure proper ordering for LT/LE comparisons we
                 * need to invert the argument value so smaller values come
                 * first */
                if (a->datum > b->datum)
                        return true;
                break;
        default:
                if (a->datum < b->datum)
                        return true;
                break;
        }

        return false;
}

/**
 * Determine if two nodes have equal argument datum values
 * @param a tree node
 * @param b tree node
 *
 * In order to return true the nodes must have the same datum and mask for the
 * same argument.
 *
 */
static bool _db_chain_eq(const struct db_arg_chain_tree *a,
                         const struct db_arg_chain_tree *b)
{
        unsigned int a_arg, b_arg;

        a_arg = __db_chain_arg_priority(a);
        b_arg = __db_chain_arg_priority(b);

        return ((a_arg == b_arg) && (a->op == b->op) &&
                (a->datum == b->datum) && (a->mask == b->mask));
}

/**
 * Determine if a given tree node is a leaf node
 * @param iter the node to test
 *
 * A leaf node is a node with no other nodes beneath it.
 *
 */
static bool _db_chain_leaf(const struct db_arg_chain_tree *iter)
{
        return (iter->nxt_t == NULL && iter->nxt_f == NULL);
}

/**
 * Determine if a given tree node is a zombie node
 * @param iter the node to test
 *
 * A zombie node is a leaf node that also has no true or false actions.
 *
 */
static bool _db_chain_zombie(const struct db_arg_chain_tree *iter)
{
        return (_db_chain_leaf(iter) &&
                !(iter->act_t_flg) && !(iter->act_f_flg));
}

/**
 * Get a node reference
 * @param node pointer to a node
 *
 * This function gets a reference to an individual node.  Returns a pointer
 * to the node.
 *
 */
static struct db_arg_chain_tree *_db_node_get(struct db_arg_chain_tree *node)
{
        if (node != NULL)
                node->refcnt++;
        return node;
}

/**
 * Garbage collect a level of the tree
 * @param node tree node
 *
 * Check the entire level on which @node resides, if there is no other part of
 * the tree which points to a node on this level, remove the entire level.
 * Returns the number of nodes removed.
 *
 */
static unsigned int _db_level_clean(struct db_arg_chain_tree *node)
{
        int cnt = 0;
        unsigned int links;
        struct db_arg_chain_tree *n = node;
        struct db_arg_chain_tree *start;

        while (n->lvl_prv)
                n = n->lvl_prv;
        start = n;

        while (n != NULL) {
                links = 0;
                if (n->lvl_prv)
                        links++;
                if (n->lvl_nxt)
                        links++;

                if (n->refcnt > links)
                        return cnt;

                n = n->lvl_nxt;
        }

        n = start;
        while (n != NULL)
                cnt += _db_node_put(&n);

        return cnt;
}

/**
 * Free a syscall filter argument chain tree
 * @param tree the argument chain list
 *
 * This function drops a reference to the tree pointed to by @tree and garbage
 * collects the top level.  Returns the number of nodes removed.
 *
 */
static unsigned int _db_tree_put(struct db_arg_chain_tree **tree)
{
        unsigned int cnt;

        cnt = _db_node_put(tree);
        if (*tree)
                cnt += _db_level_clean(*tree);

        return cnt;
}

/**
 * Release a node reference
 * @param node pointer to a node
 *
 * This function drops a reference to an individual node, unless this is the
 * last reference in which the entire sub-tree is affected.  Returns the number
 * of nodes freed.
 *
 */
static unsigned int _db_node_put(struct db_arg_chain_tree **node)
{
        unsigned int cnt = 0;
        struct db_arg_chain_tree *n = *node;
        struct db_arg_chain_tree *lvl_p, *lvl_n, *nxt_t, *nxt_f;

        if (n == NULL)
                return 0;

        if (--(n->refcnt) == 0) {
                lvl_p = n->lvl_prv;
                lvl_n = n->lvl_nxt;
                nxt_t = n->nxt_t;
                nxt_f = n->nxt_f;

                /* split the current level */
                /* NOTE: we still hold a ref for both lvl_p and lvl_n */
                if (lvl_p)
                        lvl_p->lvl_nxt = NULL;
                if (lvl_n)
                        lvl_n->lvl_prv = NULL;

                /* drop refcnts on the current level */
                if (lvl_p)
                        cnt += _db_node_put(&lvl_p);
                if (lvl_n)
                        cnt += _db_node_put(&lvl_n);

                /* re-link current level if it still exists */
                if (lvl_p)
                        lvl_p->lvl_nxt = _db_node_get(lvl_n);
                if (lvl_n)
                        lvl_n->lvl_prv = _db_node_get(lvl_p);

                /* update caller's pointer */
                if (lvl_p)
                        *node = lvl_p;
                else if (lvl_n)
                        *node = lvl_n;
                else
                        *node = NULL;

                /* drop the next level(s) */
                cnt += _db_tree_put(&nxt_t);
                cnt += _db_tree_put(&nxt_f);

                /* cleanup and accounting */
                free(n);
                cnt++;
        }

        return cnt;
}

/**
 * Remove a node from an argument chain tree
 * @param tree the pointer to the tree
 * @param node the node to remove
 *
 * This function searches the tree looking for the node and removes it as well
 * as any sub-trees beneath it.  Returns the number of nodes freed.
 *
 */
static unsigned int _db_tree_remove(struct db_arg_chain_tree **tree,
                                    struct db_arg_chain_tree *node)
{
        int cnt = 0;
        struct db_arg_chain_tree *c_iter;

        if (tree == NULL || *tree == NULL || node == NULL)
                return 0;

        c_iter = *tree;
        while (c_iter->lvl_prv != NULL)
                c_iter = c_iter->lvl_prv;

        do {
                /* current node? */
                if (c_iter == node)
                        goto remove;

                /* check the sub-trees */
                cnt += _db_tree_remove(&(c_iter->nxt_t), node);
                cnt += _db_tree_remove(&(c_iter->nxt_f), node);

                /* check for empty/zombie nodes */
                if (_db_chain_zombie(c_iter))
                        goto remove;

                /* next node on this level */
                c_iter = c_iter->lvl_nxt;
        } while (c_iter != NULL && cnt == 0);

        return cnt;

remove:
        /* reset the tree pointer if needed */
        if (c_iter == *tree) {
                if (c_iter->lvl_prv != NULL)
                        *tree = c_iter->lvl_prv;
                else
                        *tree = c_iter->lvl_nxt;
        }

        /* remove the node from the current level */
        if (c_iter->lvl_prv)
                c_iter->lvl_prv->lvl_nxt = c_iter->lvl_nxt;
        if (c_iter->lvl_nxt)
                c_iter->lvl_nxt->lvl_prv = c_iter->lvl_prv;
        c_iter->lvl_prv = NULL;
        c_iter->lvl_nxt = NULL;

        /* free the node and any sub-trees */
        cnt += _db_node_put(&c_iter);

        return cnt;
}

/**
 * Traverse a tree checking the action values
 * @param tree the pointer to the tree
 * @param action the action
 *
 * Traverse the tree inspecting each action to see if it matches the given
 * action.  Returns zero if all actions match the given action, negative values
 * on failure.
 *
 */
static int _db_tree_act_check(struct db_arg_chain_tree *tree, uint32_t action)
{
        int rc;
        struct db_arg_chain_tree *c_iter;

        if (tree == NULL)
                return 0;

        c_iter = tree;
        while (c_iter->lvl_prv != NULL)
                c_iter = c_iter->lvl_prv;

        do {
                if (c_iter->act_t_flg && c_iter->act_t != action)
                        return -EEXIST;
                if (c_iter->act_f_flg && c_iter->act_f != action)
                        return -EEXIST;

                rc = _db_tree_act_check(c_iter->nxt_t, action);
                if (rc < 0)
                        return rc;
                rc = _db_tree_act_check(c_iter->nxt_f, action);
                if (rc < 0)
                        return rc;

                c_iter = c_iter->lvl_nxt;
        } while (c_iter != NULL);

        return 0;
}

/**
 * Checks for a sub-tree match in an existing tree and prunes the tree
 * @param existing pointer to the existing tree
 * @param new pointer to the new tree
 * @param state pointer to a state structure
 *
 * This function searches the existing tree trying to prune it based on the
 * new tree.  Returns the number of nodes removed from the tree on success,
 * zero if no changes were made.
 *
 */
static int _db_tree_prune(struct db_arg_chain_tree **existing,
                          struct db_arg_chain_tree *new,
                          struct db_iter_state *state)
{
        int cnt = 0;
        struct db_iter_state state_nxt;
        struct db_iter_state state_new = *state;
        struct db_arg_chain_tree *x_iter_next;
        struct db_arg_chain_tree *x_iter = *existing;
        struct db_arg_chain_tree *n_iter = new;

        /* check if either tree is finished */
        if (n_iter == NULL || x_iter == NULL)
                goto prune_return;

        /* bail out if we have a broken match */
        if ((state->flags & _DB_IST_M_MATCHSET) == _DB_IST_MATCH_ONCE)
                goto prune_return;

        /* get to the start of the existing level */
        while (x_iter->lvl_prv)
                x_iter = x_iter->lvl_prv;

        /* NOTE: a few comments on the code below ...
         * 1) we need to take a reference before we go down a level in case
         *    we end up dropping the sub-tree (see the _db_node_get() calls)
         * 2) since the new tree really only has one branch, we can only ever
         *    match on one branch in the existing tree, if we "hit" then we
         *    can bail on the other branches */

        do {
                /* store this now in case we remove x_iter */
                x_iter_next = x_iter->lvl_nxt;

                /* compare the two nodes */
                if (_db_chain_eq(x_iter, n_iter)) {
                        /* we have a match */
                        state_new.flags |= _DB_IST_M_MATCHSET;

                        /* check if either tree is finished */
                        if (_db_chain_leaf(n_iter))
                                state_new.flags |= _DB_IST_N_FINISHED;
                        if (_db_chain_leaf(x_iter))
                                state_new.flags |= _DB_IST_X_FINISHED;

                        /* don't remove nodes if we have more actions/levels */
                        if ((x_iter->act_t_flg || x_iter->nxt_t) &&
                            !(n_iter->act_t_flg || n_iter->nxt_t))
                                goto prune_return;
                        if ((x_iter->act_f_flg || x_iter->nxt_f) &&
                            !(n_iter->act_f_flg || n_iter->nxt_f))
                                goto prune_return;

                        /* if finished, compare actions */
                        if ((state_new.flags & _DB_IST_N_FINISHED) &&
                            (state_new.flags & _DB_IST_X_FINISHED)) {
                                if (n_iter->act_t_flg != x_iter->act_t_flg)
                                        goto prune_return;
                                if (n_iter->act_t != x_iter->act_t)
                                        goto prune_return;

                                if (n_iter->act_f_flg != x_iter->act_f_flg)
                                        goto prune_return;
                                if (n_iter->act_f != x_iter->act_f)
                                        goto prune_return;
                        }

                        /* check next level */
                        if (n_iter->nxt_t) {
                                _db_node_get(x_iter);
                                state_nxt = *state;
                                state_nxt.flags |= _DB_IST_M_MATCHSET;
                                cnt += _db_tree_prune(&x_iter->nxt_t,
                                                      n_iter->nxt_t,
                                                      &state_nxt);
                                cnt += _db_node_put(&x_iter);
                                if (state_nxt.flags & _DB_IST_MATCH) {
                                        state_new.flags |= state_nxt.flags;
                                        /* don't return yet, we need to check
                                         * the current node */
                                }
                                if (x_iter == NULL)
                                        goto prune_next_node;
                        }
                        if (n_iter->nxt_f) {
                                _db_node_get(x_iter);
                                state_nxt = *state;
                                state_nxt.flags |= _DB_IST_M_MATCHSET;
                                cnt += _db_tree_prune(&x_iter->nxt_f,
                                                      n_iter->nxt_f,
                                                      &state_nxt);
                                cnt += _db_node_put(&x_iter);
                                if (state_nxt.flags & _DB_IST_MATCH) {
                                        state_new.flags |= state_nxt.flags;
                                        /* don't return yet, we need to check
                                         * the current node */
                                }
                                if (x_iter == NULL)
                                        goto prune_next_node;
                        }

                        /* remove the node? */
                        if (!_db_tree_act_check(x_iter, state_new.action) &&
                            (state_new.flags & _DB_IST_MATCH) &&
                            (state_new.flags & _DB_IST_N_FINISHED) &&
                            (state_new.flags & _DB_IST_X_PREFIX)) {
                                /* yes - the new tree is "shorter" */
                                cnt += _db_tree_remove(&state->sx->chains,
                                                       x_iter);
                                if (state->sx->chains == NULL)
                                        goto prune_return;
                        } else if (!_db_tree_act_check(x_iter, state_new.action)
                                   && (state_new.flags & _DB_IST_MATCH) &&
                                   (state_new.flags & _DB_IST_X_FINISHED) &&
                                   (state_new.flags & _DB_IST_N_PREFIX)) {
                                /* no - the new tree is "longer" */
                                goto prune_return;
                        }
                } else if (_db_chain_lt(x_iter, n_iter)) {
                        /* bail if we have a prefix on the new tree */
                        if (state->flags & _DB_IST_N_PREFIX)
                                goto prune_return;

                        /* check the next level in the existing tree */
                        if (x_iter->nxt_t) {
                                _db_node_get(x_iter);
                                state_nxt = *state;
                                state_nxt.flags &= ~_DB_IST_MATCH;
                                state_nxt.flags |= _DB_IST_X_PREFIX;
                                cnt += _db_tree_prune(&x_iter->nxt_t, n_iter,
                                                      &state_nxt);
                                cnt += _db_node_put(&x_iter);
                                if (state_nxt.flags & _DB_IST_MATCH) {
                                        state_new.flags |= state_nxt.flags;
                                        goto prune_return;
                                }
                                if (x_iter == NULL)
                                        goto prune_next_node;
                        }
                        if (x_iter->nxt_f) {
                                _db_node_get(x_iter);
                                state_nxt = *state;
                                state_nxt.flags &= ~_DB_IST_MATCH;
                                state_nxt.flags |= _DB_IST_X_PREFIX;
                                cnt += _db_tree_prune(&x_iter->nxt_f, n_iter,
                                                      &state_nxt);
                                cnt += _db_node_put(&x_iter);
                                if (state_nxt.flags & _DB_IST_MATCH) {
                                        state_new.flags |= state_nxt.flags;
                                        goto prune_return;
                                }
                                if (x_iter == NULL)
                                        goto prune_next_node;
                        }
                } else {
                        /* bail if we have a prefix on the existing tree */
                        if (state->flags & _DB_IST_X_PREFIX)
                                goto prune_return;

                        /* check the next level in the new tree */
                        if (n_iter->nxt_t) {
                                _db_node_get(x_iter);
                                state_nxt = *state;
                                state_nxt.flags &= ~_DB_IST_MATCH;
                                state_nxt.flags |= _DB_IST_N_PREFIX;
                                cnt += _db_tree_prune(&x_iter, n_iter->nxt_t,
                                                      &state_nxt);
                                cnt += _db_node_put(&x_iter);
                                if (state_nxt.flags & _DB_IST_MATCH) {
                                        state_new.flags |= state_nxt.flags;
                                        goto prune_return;
                                }
                                if (x_iter == NULL)
                                        goto prune_next_node;
                        }
                        if (n_iter->nxt_f) {
                                _db_node_get(x_iter);
                                state_nxt = *state;
                                state_nxt.flags &= ~_DB_IST_MATCH;
                                state_nxt.flags |= _DB_IST_N_PREFIX;
                                cnt += _db_tree_prune(&x_iter, n_iter->nxt_f,
                                                      &state_nxt);
                                cnt += _db_node_put(&x_iter);
                                if (state_nxt.flags & _DB_IST_MATCH) {
                                        state_new.flags |= state_nxt.flags;
                                        goto prune_return;
                                }
                                if (x_iter == NULL)
                                        goto prune_next_node;
                        }
                }

prune_next_node:
                /* check next node on this level */
                x_iter = x_iter_next;
        } while (x_iter);

        /* if we are falling through, we clearly didn't match on anything */
        state_new.flags &= ~_DB_IST_MATCH;

prune_return:
        /* no more nodes on this level, return to the level above */
        if (state_new.flags & _DB_IST_MATCH)
                state->flags |= state_new.flags;
        else
                state->flags &= ~_DB_IST_MATCH;
        return cnt;
}

/**
 * Add a new tree into an existing tree
 * @param existing pointer to the existing tree
 * @param new pointer to the new tree
 * @param state pointer to a state structure
 *
 * This function adds the new tree into the existing tree, fetching additional
 * references as necessary.  Returns zero on success, negative values on
 * failure.
 *
 */
static int _db_tree_add(struct db_arg_chain_tree **existing,
                        struct db_arg_chain_tree *new,
                        struct db_iter_state *state)
{
        int rc;
        struct db_arg_chain_tree *x_iter = *existing;
        struct db_arg_chain_tree *n_iter = new;

        do {
                if (_db_chain_eq(x_iter, n_iter)) {
                        if (n_iter->act_t_flg) {
                                if (!x_iter->act_t_flg) {
                                        /* new node has a true action */

                                        /* do the actions match? */
                                        rc = _db_tree_act_check(x_iter->nxt_t,
                                                                n_iter->act_t);
                                        if (rc != 0)
                                                return rc;

                                        /* update with the new action */
                                        rc = _db_node_put(&x_iter->nxt_t);
                                        x_iter->nxt_t = NULL;
                                        x_iter->act_t = n_iter->act_t;
                                        x_iter->act_t_flg = true;
                                        state->sx->node_cnt -= rc;
                                } else if (n_iter->act_t != x_iter->act_t) {
                                        /* if we are dealing with a 64-bit
                                         * comparison, we need to adjust our
                                         * action based on the full 64-bit
                                         * value to ensure we handle GT/GE
                                         * comparisons correctly */
                                        if (n_iter->arg_h_flg &&
                                            (n_iter->datum_full >
                                             x_iter->datum_full))
                                                x_iter->act_t = n_iter->act_t;
                                        if (_db_chain_leaf(x_iter) ||
                                            _db_chain_leaf(n_iter))
                                                return -EEXIST;
                                }
                        }
                        if (n_iter->act_f_flg) {
                                if (!x_iter->act_f_flg) {
                                        /* new node has a false action */

                                        /* do the actions match? */
                                        rc = _db_tree_act_check(x_iter->nxt_f,
                                                                n_iter->act_f);
                                        if (rc != 0)
                                                return rc;

                                        /* update with the new action */
                                        rc = _db_node_put(&x_iter->nxt_f);
                                        x_iter->nxt_f = NULL;
                                        x_iter->act_f = n_iter->act_f;
                                        x_iter->act_f_flg = true;
                                        state->sx->node_cnt -= rc;
                                } else if (n_iter->act_f != x_iter->act_f) {
                                        /* if we are dealing with a 64-bit
                                         * comparison, we need to adjust our
                                         * action based on the full 64-bit
                                         * value to ensure we handle LT/LE
                                         * comparisons correctly */
                                        if (n_iter->arg_h_flg &&
                                            (n_iter->datum_full <
                                             x_iter->datum_full))
                                                x_iter->act_t = n_iter->act_t;
                                        if (_db_chain_leaf(x_iter) ||
                                            _db_chain_leaf(n_iter))
                                                return -EEXIST;
                                }
                        }

                        if (n_iter->nxt_t) {
                                if (x_iter->nxt_t) {
                                        /* compare the next level */
                                        rc = _db_tree_add(&x_iter->nxt_t,
                                                          n_iter->nxt_t,
                                                          state);
                                        if (rc != 0)
                                                return rc;
                                } else if (!x_iter->act_t_flg) {
                                        /* add a new sub-tree */
                                        x_iter->nxt_t = _db_node_get(n_iter->nxt_t);
                                } else
                                        /* done - existing tree is "shorter" */
                                        return 0;
                        }
                        if (n_iter->nxt_f) {
                                if (x_iter->nxt_f) {
                                        /* compare the next level */
                                        rc = _db_tree_add(&x_iter->nxt_f,
                                                          n_iter->nxt_f,
                                                          state);
                                        if (rc != 0)
                                                return rc;
                                } else if (!x_iter->act_f_flg) {
                                        /* add a new sub-tree */
                                        x_iter->nxt_f = _db_node_get(n_iter->nxt_f);
                                } else
                                        /* done - existing tree is "shorter" */
                                        return 0;
                        }

                        return 0;
                } else if (!_db_chain_lt(x_iter, n_iter)) {
                        /* try to move along the current level */
                        if (x_iter->lvl_nxt == NULL) {
                                /* add to the end of this level */
                                n_iter->lvl_prv = _db_node_get(x_iter);
                                x_iter->lvl_nxt = _db_node_get(n_iter);
                                return 0;
                        } else
                                /* next */
                                x_iter = x_iter->lvl_nxt;
                } else {
                        /* add before the existing node on this level*/
                        if (x_iter->lvl_prv != NULL) {
                                x_iter->lvl_prv->lvl_nxt = _db_node_get(n_iter);
                                n_iter->lvl_prv = x_iter->lvl_prv;
                                x_iter->lvl_prv = _db_node_get(n_iter);
                                n_iter->lvl_nxt = x_iter;
                        } else {
                                x_iter->lvl_prv = _db_node_get(n_iter);
                                n_iter->lvl_nxt = _db_node_get(x_iter);
                        }
                        if (*existing == x_iter) {
                                *existing = _db_node_get(n_iter);
                                _db_node_put(&x_iter);
                        }
                        return 0;
                }
        } while (x_iter);

        return 0;
}

/**
 * Free and reset the seccomp filter DB
 * @param db the seccomp filter DB
 *
 * This function frees any existing filters and resets the filter DB to a
 * default state; only the DB architecture is preserved.
 *
 */
static void _db_reset(struct db_filter *db)
{
        struct db_sys_list *s_iter;
        struct db_api_rule_list *r_iter;

        if (db == NULL)
                return;

        /* free any filters */
        if (db->syscalls != NULL) {
                s_iter = db->syscalls;
                while (s_iter != NULL) {
                        db->syscalls = s_iter->next;
                        _db_tree_put(&s_iter->chains);
                        free(s_iter);
                        s_iter = db->syscalls;
                }
                db->syscalls = NULL;
        }
        db->syscall_cnt = 0;

        /* free any rules */
        if (db->rules != NULL) {
                /* split the loop first then loop and free */
                db->rules->prev->next = NULL;
                r_iter = db->rules;
                while (r_iter != NULL) {
                        db->rules = r_iter->next;
                        free(r_iter);
                        r_iter = db->rules;
                }
                db->rules = NULL;
        }
}

/**
 * Intitalize a seccomp filter DB
 * @param arch the architecture definition
 *
 * This function initializes a seccomp filter DB and readies it for use.
 * Returns a pointer to the DB on success, NULL on failure.
 *
 */
static struct db_filter *_db_init(const struct arch_def *arch)
{
        struct db_filter *db;

        db = zmalloc(sizeof(*db));
        if (db == NULL)
                return NULL;

        /* set the arch and reset the DB to a known state */
        db->arch = arch;
        _db_reset(db);

        return db;
}

/**
 * Destroy a seccomp filter DB
 * @param db the seccomp filter DB
 *
 * This function destroys a seccomp filter DB.  After calling this function,
 * the filter should no longer be referenced.
 *
 */
static void _db_release(struct db_filter *db)
{
        if (db == NULL)
                return;

        /* free and reset the DB */
        _db_reset(db);
        free(db);
}

/**
 * Destroy a seccomp filter snapshot
 * @param snap the seccomp filter snapshot
 *
 * This function destroys a seccomp filter snapshot.  After calling this
 * function, the snapshot should no longer be referenced.
 *
 */
static void _db_snap_release(struct db_filter_snap *snap)
{
        unsigned int iter;

        if (snap == NULL)
                return;

        if (snap->filter_cnt > 0) {
                for (iter = 0; iter < snap->filter_cnt; iter++) {
                        if (snap->filters[iter])
                                _db_release(snap->filters[iter]);
                }
                free(snap->filters);
        }
        free(snap);
}

/**
 * Update the user specified portion of the syscall priority
 * @param db the seccomp filter db
 * @param syscall the syscall number
 * @param priority the syscall priority
 *
 * This function sets, or updates, the syscall priority; the highest priority
 * value between the existing and specified value becomes the new syscall
 * priority.  If the syscall entry does not already exist, a new phantom
 * syscall entry is created as a placeholder.  Returns zero on success,
 * negative values on failure.
 *
 */
static int _db_syscall_priority(struct db_filter *db,
                                int syscall, uint8_t priority)
{
        unsigned int sys_pri = _DB_PRI_USER(priority);
        struct db_sys_list *s_new, *s_iter, *s_prev = NULL;

        assert(db != NULL);

        s_iter = db->syscalls;
        while (s_iter != NULL && s_iter->num < syscall) {
                s_prev = s_iter;
                s_iter = s_iter->next;
        }

        /* matched an existing syscall entry */
        if (s_iter != NULL && s_iter->num == syscall) {
                if (sys_pri > (s_iter->priority & _DB_PRI_MASK_USER)) {
                        s_iter->priority &= (~_DB_PRI_MASK_USER);
                        s_iter->priority |= sys_pri;
                }
                return 0;
        }

        /* no existing syscall entry - create a phantom entry */
        s_new = zmalloc(sizeof(*s_new));
        if (s_new == NULL)
                return -ENOMEM;
        s_new->num = syscall;
        s_new->priority = sys_pri;
        s_new->valid = false;

        /* add it before s_iter */
        if (s_prev != NULL) {
                s_new->next = s_prev->next;
                s_prev->next = s_new;
        } else {
                s_new->next = db->syscalls;
                db->syscalls = s_new;
        }

        return 0;
}

/**
 * Create a new rule
 * @param strict the strict value
 * @param action the rule's action
 * @param syscall the syscall number
 * @param chain the syscall argument filter
 *
 * This function creates a new rule structure based on the given arguments.
 * Returns a pointer to the new rule on success, NULL on failure.
 *
 */
static struct db_api_rule_list *_db_rule_new(bool strict,
                                             uint32_t action, int syscall,
                                             struct db_api_arg *chain)
{
        struct db_api_rule_list *rule;

        rule = zmalloc(sizeof(*rule));
        if (rule == NULL)
                return NULL;
        rule->action = action;
        rule->syscall = syscall;
        rule->strict = strict;
        memcpy(rule->args, chain, sizeof(*chain) * ARG_COUNT_MAX);

        return rule;
}

/**
 * Duplicate an existing filter rule
 * @param src the rule to duplicate
 *
 * This function makes an exact copy of the given rule, but does not add it
 * to any lists.  Returns a pointer to the new rule on success, NULL on
 * failure.
 *
 */
struct db_api_rule_list *db_rule_dup(const struct db_api_rule_list *src)
{
        struct db_api_rule_list *dest;

        dest = malloc(sizeof(*dest));
        if (dest == NULL)
                return NULL;
        memcpy(dest, src, sizeof(*dest));
        dest->prev = NULL;
        dest->next = NULL;

        return dest;
}

/**
 * Free and reset the seccomp filter collection
 * @param col the seccomp filter collection
 * @param def_action the default filter action
 *
 * This function frees any existing filter DBs and resets the collection to a
 * default state.  In the case of failure the filter collection may be in an
 * unknown state and should be released.  Returns zero on success, negative
 * values on failure.
 *
 */
int db_col_reset(struct db_filter_col *col, uint32_t def_action)
{
        unsigned int iter;
        struct db_filter *db;
        struct db_filter_snap *snap;

        if (col == NULL)
                return -EINVAL;

        /* free any filters */
        for (iter = 0; iter < col->filter_cnt; iter++)
                _db_release(col->filters[iter]);
        col->filter_cnt = 0;
        if (col->filters)
                free(col->filters);
        col->filters = NULL;

        /* set the endianness to undefined */
        col->endian = 0;

        /* set the default attribute values */
        col->attr.act_default = def_action;
        col->attr.act_badarch = SCMP_ACT_KILL;
        col->attr.nnp_enable = 1;
        col->attr.tsync_enable = 0;
        col->attr.api_tskip = 0;
        col->attr.log_enable = 0;
        col->attr.spec_allow = 0;
        col->attr.optimize = 1;
        col->attr.api_sysrawrc = 0;
        col->attr.wait_killable_recv = 0;

        /* set the state */
        col->state = _DB_STA_VALID;
        if (def_action == SCMP_ACT_NOTIFY)
                col->notify_used = true;
        else
                col->notify_used = false;

        /* reset the initial db */
        db = _db_init(arch_def_native);
        if (db == NULL)
                return -ENOMEM;
        if (db_col_db_add(col, db) < 0) {
                _db_release(db);
                return -ENOMEM;
        }

        /* reset the transactions */
        while (col->snapshots) {
                snap = col->snapshots;
                col->snapshots = snap->next;
                for (iter = 0; iter < snap->filter_cnt; iter++)
                        _db_release(snap->filters[iter]);
                free(snap->filters);
                free(snap);
        }

        /* reset the precomputed programs */
        db_col_precompute_reset(col);

        return 0;
}

/**
 * Intitalize a seccomp filter collection
 * @param def_action the default filter action
 *
 * This function initializes a seccomp filter collection and readies it for
 * use.  Returns a pointer to the collection on success, NULL on failure.
 *
 */
struct db_filter_col *db_col_init(uint32_t def_action)
{
        struct db_filter_col *col;

        col = zmalloc(sizeof(*col));
        if (col == NULL)
                return NULL;

        /* reset the DB to a known state */
        if (db_col_reset(col, def_action) < 0) {
                db_col_release(col);
                return NULL;
        }

        return col;
}

/**
 * Destroy a seccomp filter collection
 * @param col the seccomp filter collection
 *
 * This function destroys a seccomp filter collection.  After calling this
 * function, the filter should no longer be referenced.
 *
 */
void db_col_release(struct db_filter_col *col)
{
        unsigned int iter;
        struct db_filter_snap *snap;

        if (col == NULL)
                return;

        /* set the state, just in case */
        col->state = _DB_STA_FREED;

        /* free any snapshots */
        while (col->snapshots != NULL) {
                snap = col->snapshots;
                col->snapshots = snap->next;
                _db_snap_release(snap);
        }

        /* free any filters */
        for (iter = 0; iter < col->filter_cnt; iter++)
                _db_release(col->filters[iter]);
        col->filter_cnt = 0;
        if (col->filters)
                free(col->filters);
        col->filters = NULL;

        /* free any precompute */
        db_col_precompute_reset(col);

        /* free the collection */
        free(col);
}

/**
 * Validate a filter collection
 * @param col the seccomp filter collection
 *
 * This function validates a seccomp filter collection.  Returns zero if the
 * collection is valid, negative values on failure.
 *
 */
int db_col_valid(struct db_filter_col *col)
{
        if (col != NULL && col->state == _DB_STA_VALID && col->filter_cnt > 0)
                return 0;
        return -EINVAL;
}

/**
 * Validate the seccomp action
 * @param col the seccomp filter collection
 * @param action the seccomp action
 *
 * Verify that the given action is a valid seccomp action; return zero if
 * valid, -EINVAL if invalid.
 */
int db_col_action_valid(const struct db_filter_col *col, uint32_t action)
{
        if (col != NULL) {
                /* NOTE: in some cases we don't have a filter collection yet,
                 *       but when we do we need to do the following checks */

                /* kernel disallows TSYNC and NOTIFY in one filter unless we
                 * have the TSYNC_ESRCH flag */
                if (sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC_ESRCH) < 1 &&
                    col->attr.tsync_enable && action == SCMP_ACT_NOTIFY)
                        return -EINVAL;
        }

        if (sys_chk_seccomp_action(action) == 1)
                return 0;
        return -EINVAL;
}

/**
 * Merge two filter collections
 * @param col_dst the destination filter collection
 * @param col_src the source filter collection
 *
 * This function merges two filter collections into the given destination
 * collection.  The source filter collection is no longer valid if the function
 * returns successfully.  Returns zero on success, negative values on failure.
 *
 */
int db_col_merge(struct db_filter_col *col_dst, struct db_filter_col *col_src)
{
        unsigned int iter_a, iter_b;
        struct db_filter **dbs;

        /* verify that the endianness is a match */
        if (col_dst->endian != col_src->endian)
                return -EDOM;

        /* make sure we don't have any arch/filter collisions */
        for (iter_a = 0; iter_a < col_dst->filter_cnt; iter_a++) {
                for (iter_b = 0; iter_b < col_src->filter_cnt; iter_b++) {
                        if (col_dst->filters[iter_a]->arch->token ==
                            col_src->filters[iter_b]->arch->token)
                                return -EEXIST;
                }
        }

        /* expand the destination */
        dbs = realloc(col_dst->filters,
                      sizeof(struct db_filter *) *
                      (col_dst->filter_cnt + col_src->filter_cnt));
        if (dbs == NULL)
                return -ENOMEM;
        col_dst->filters = dbs;

        /* transfer the architecture filters */
        for (iter_a = col_dst->filter_cnt, iter_b = 0;
             iter_b < col_src->filter_cnt; iter_a++, iter_b++) {
                col_dst->filters[iter_a] = col_src->filters[iter_b];
                col_dst->filter_cnt++;
        }

        /* reset the precompute */
        db_col_precompute_reset(col_dst);

        /* free the source */
        col_src->filter_cnt = 0;
        db_col_release(col_src);

        return 0;
}

/**
 * Check to see if an architecture filter exists in the filter collection
 * @param col the seccomp filter collection
 * @param arch_token the architecture token
 *
 * Iterate through the given filter collection checking to see if a filter
 * exists for the specified architecture.  Returns -EEXIST if a filter is found,
 * zero if a matching filter does not exist.
 *
 */
int db_col_arch_exist(struct db_filter_col *col, uint32_t arch_token)
{
        unsigned int iter;

        for (iter = 0; iter < col->filter_cnt; iter++)
                if (col->filters[iter]->arch->token == arch_token)
                        return -EEXIST;

        return 0;
}

/**
 * Get a filter attribute
 * @param col the seccomp filter collection
 * @param attr the filter attribute
 * @param value the filter attribute value
 *
 * Get the requested filter attribute and provide it via @value.  Returns zero
 * on success, negative values on failure.
 *
 */
int db_col_attr_get(const struct db_filter_col *col,
                    enum scmp_filter_attr attr, uint32_t *value)
{
        int rc = 0;

        switch (attr) {
        case SCMP_FLTATR_ACT_DEFAULT:
                *value = col->attr.act_default;
                break;
        case SCMP_FLTATR_ACT_BADARCH:
                *value = col->attr.act_badarch;
                break;
        case SCMP_FLTATR_CTL_NNP:
                *value = col->attr.nnp_enable;
                break;
        case SCMP_FLTATR_CTL_TSYNC:
                *value = col->attr.tsync_enable;
                break;
        case SCMP_FLTATR_API_TSKIP:
                *value = col->attr.api_tskip;
                break;
        case SCMP_FLTATR_CTL_LOG:
                *value = col->attr.log_enable;
                break;
        case SCMP_FLTATR_CTL_SSB:
                *value = col->attr.spec_allow;
                break;
        case SCMP_FLTATR_CTL_OPTIMIZE:
                *value = col->attr.optimize;
                break;
        case SCMP_FLTATR_API_SYSRAWRC:
                *value = col->attr.api_sysrawrc;
                break;
        case SCMP_FLTATR_CTL_WAITKILL:
                *value = col->attr.wait_killable_recv;
                break;
        default:
                rc = -EINVAL;
                break;
        }

        return rc;
}

/**
 * Get a filter attribute
 * @param col the seccomp filter collection
 * @param attr the filter attribute
 *
 * Returns the requested filter attribute value with zero on any error.
 * Special care must be given with this function as error conditions can be
 * hidden from the caller.
 *
 */
uint32_t db_col_attr_read(const struct db_filter_col *col,
                          enum scmp_filter_attr attr)
{
        uint32_t value = 0;

        db_col_attr_get(col, attr, &value);
        return value;
}

/**
 * Set a filter attribute
 * @param col the seccomp filter collection
 * @param attr the filter attribute
 * @param value the filter attribute value
 *
 * Set the requested filter attribute with the given value.  Returns zero on
 * success, negative values on failure.
 *
 */
int db_col_attr_set(struct db_filter_col *col,
                    enum scmp_filter_attr attr, uint32_t value)
{
        int rc = 0;

        switch (attr) {
        case SCMP_FLTATR_ACT_DEFAULT:
                /* read only */
                return -EACCES;
                break;
        case SCMP_FLTATR_ACT_BADARCH:
                if (db_col_action_valid(col, value) == 0)
                        col->attr.act_badarch = value;
                else
                        return -EINVAL;
                db_col_precompute_reset(col);
                break;
        case SCMP_FLTATR_CTL_NNP:
                col->attr.nnp_enable = (value ? 1 : 0);
                break;
        case SCMP_FLTATR_CTL_TSYNC:
                rc = sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC);
                if (rc == 1) {
                        /* supported */
                        rc = 0;
                        /* kernel disallows TSYNC and NOTIFY in one filter
                         * unless we have TSYNC_ESRCH */
                        if (sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC_ESRCH) < 1 &&
                            value && col->notify_used)
                                return -EINVAL;
                        col->attr.tsync_enable = (value ? 1 : 0);
                } else if (rc == 0)
                        /* unsupported */
                        rc = -EOPNOTSUPP;
                break;
        case SCMP_FLTATR_API_TSKIP:
                col->attr.api_tskip = (value ? 1 : 0);
                db_col_precompute_reset(col);
                break;
        case SCMP_FLTATR_CTL_LOG:
                rc = sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_LOG);
                if (rc == 1) {
                        /* supported */
                        rc = 0;
                        col->attr.log_enable = (value ? 1 : 0);
                } else if (rc == 0) {
                        /* unsupported */
                        rc = -EOPNOTSUPP;
                }
                break;
        case SCMP_FLTATR_CTL_SSB:
                rc = sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW);
                if (rc == 1) {
                        /* supported */
                        rc = 0;
                        col->attr.spec_allow = (value ? 1 : 0);
                } else if (rc == 0) {
                        /* unsupported */
                        rc = -EOPNOTSUPP;
                }
                break;
        case SCMP_FLTATR_CTL_OPTIMIZE:
                switch (value) {
                case 1:
                case 2:
                        col->attr.optimize = value;
                        break;
                default:
                        rc = -EOPNOTSUPP;
                        break;
                }
                db_col_precompute_reset(col);
                break;
        case SCMP_FLTATR_API_SYSRAWRC:
                col->attr.api_sysrawrc = (value ? 1 : 0);
                break;
        case SCMP_FLTATR_CTL_WAITKILL:
                col->attr.wait_killable_recv = (value ? 1 : 0);
                break;
        default:
                rc = -EINVAL;
                break;
        }

        return rc;
}

/**
 * Add a new architecture filter to a filter collection
 * @param col the seccomp filter collection
 * @param arch the architecture
 *
 * This function adds a new architecture filter DB to an existing seccomp
 * filter collection assuming there isn't a filter DB already present with the
 * same architecture.  Returns zero on success, negative values on failure.
 *
 */
int db_col_db_new(struct db_filter_col *col, const struct arch_def *arch)
{
        int rc;
        struct db_filter *db;

        db = _db_init(arch);
        if (db == NULL)
                return -ENOMEM;
        rc = db_col_db_add(col, db);
        if (rc < 0)
                _db_release(db);
        else
                db_col_precompute_reset(col);

        return rc;
}

/**
 * Add a new filter DB to a filter collection
 * @param col the seccomp filter collection
 * @param db the seccomp filter DB
 *
 * This function adds an existing seccomp filter DB to an existing seccomp
 * filter collection assuming there isn't a filter DB already present with the
 * same architecture.  Returns zero on success, negative values on failure.
 *
 */
int db_col_db_add(struct db_filter_col *col, struct db_filter *db)
{
        struct db_filter **dbs;

        if (col->endian != 0 && col->endian != db->arch->endian)
                return -EDOM;

        if (db_col_arch_exist(col, db->arch->token))
                return -EEXIST;

        dbs = realloc(col->filters,
                      sizeof(struct db_filter *) * (col->filter_cnt + 1));
        if (dbs == NULL)
                return -ENOMEM;
        col->filters = dbs;
        col->filter_cnt++;
        col->filters[col->filter_cnt - 1] = db;
        if (col->endian == 0)
                col->endian = db->arch->endian;

        return 0;
}

/**
 * Remove a filter DB from a filter collection
 * @param col the seccomp filter collection
 * @param arch_token the architecture token
 *
 * This function removes an existing seccomp filter DB from an existing seccomp
 * filter collection.  Returns zero on success, negative values on failure.
 *
 */
int db_col_db_remove(struct db_filter_col *col, uint32_t arch_token)
{
        unsigned int iter;
        unsigned int found;
        struct db_filter **dbs;

        if ((col->filter_cnt <= 0) || (db_col_arch_exist(col, arch_token) == 0))
                return -EINVAL;

        for (found = 0, iter = 0; iter < col->filter_cnt; iter++) {
                if (found)
                        col->filters[iter - 1] = col->filters[iter];
                else if (col->filters[iter]->arch->token == arch_token) {
                        _db_release(col->filters[iter]);
                        found = 1;
                }
        }
        col->filters[--col->filter_cnt] = NULL;

        if (col->filter_cnt > 0) {
                /* NOTE: if we can't do the realloc it isn't fatal, we just
                 *       have some extra space allocated */
                dbs = realloc(col->filters,
                              sizeof(struct db_filter *) * col->filter_cnt);
                if (dbs != NULL)
                        col->filters = dbs;
        } else {
                /* this was the last filter so free all the associated memory
                 * and reset the endian token */
                free(col->filters);
                col->filters = NULL;
                col->endian = 0;
        }

        db_col_precompute_reset(col);

        return 0;
}

/**
 * Test if the argument filter can be skipped because it's a tautology
 * @param arg argument filter
 *
 * If this argument filter applied to the lower 32 bit can be skipped this
 * function returns false.
 *
 */
static bool _db_arg_cmp_need_lo(const struct db_api_arg *arg)
{
        if (arg->op == SCMP_CMP_MASKED_EQ && D64_LO(arg->mask) == 0)
                return false;

        return true;
}

/**
 * Test if the argument filter can be skipped because it's a tautology
 * @param arg argument filter
 *
 * If this argument filter applied to the upper 32 bit can be skipped this
 * function returns false.
 *
 */
static bool _db_arg_cmp_need_hi(const struct db_api_arg *arg)
{
        if (arg->op == SCMP_CMP_MASKED_EQ && D64_HI(arg->mask) == 0)
                return false;

        return true;
}

/**
 * Fixup the node based on the op/mask
 * @param node the chain node
 *
 * Ensure the datum is masked as well.
 *
 */
static void _db_node_mask_fixup(struct db_arg_chain_tree *node)
{
        node->datum &= node->mask;
}

/**
 * Generate a new filter rule for a 64 bit system
 * @param arch the architecture definition
 * @param rule the new filter rule
 *
 * This function generates a new syscall filter for a 64 bit system. Returns
 * zero on success, negative values on failure.
 *
 */
static struct db_sys_list *_db_rule_gen_64(const struct arch_def *arch,
                                           const struct db_api_rule_list *rule)
{
        unsigned int iter;
        struct db_sys_list *s_new;
        const struct db_api_arg *chain = rule->args;
        struct db_arg_chain_tree *c_iter[3] = { NULL, NULL, NULL };
        struct db_arg_chain_tree *c_prev[3] = { NULL, NULL, NULL };
        enum scmp_compare op_prev = _SCMP_CMP_MIN;
        unsigned int arg;
        scmp_datum_t mask;
        scmp_datum_t datum;

        s_new = zmalloc(sizeof(*s_new));
        if (s_new == NULL)
                return NULL;
        s_new->num = rule->syscall;
        s_new->valid = true;
        /* run through the argument chain */
        for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
                if (chain[iter].valid == 0)
                        continue;

                /* TODO: handle the case were either hi or lo isn't needed */

                /* skip generating instruction which are no-ops */
                if (!_db_arg_cmp_need_hi(&chain[iter]) &&
                    !_db_arg_cmp_need_lo(&chain[iter]))
                        continue;

                c_iter[0] = zmalloc(sizeof(*c_iter[0]));
                if (c_iter[0] == NULL)
                        goto gen_64_failure;
                c_iter[1] = zmalloc(sizeof(*c_iter[1]));
                if (c_iter[1] == NULL) {
                        free(c_iter[0]);
                        goto gen_64_failure;
                }
                c_iter[2] = NULL;

                arg = chain[iter].arg;
                mask = chain[iter].mask;
                datum = chain[iter].datum;

                /* NOTE: with the idea that a picture is worth a thousand
                 *       words, i'm presenting the following diagrams which
                 *       show how we should compare 64-bit syscall arguments
                 *       using 32-bit comparisons.
                 *
                 *       in the diagrams below "A(x)" is the syscall argument
                 *       being evaluated and "R(x)" is the syscall argument
                 *       value specified in the libseccomp rule.  the "ACCEPT"
                 *       verdict indicates a rule match and processing should
                 *       continue on to the rest of the rule, or the final rule
                 *       action should be triggered.  the "REJECT" verdict
                 *       indicates that the rule does not match and processing
                 *       should continue to the next rule or the default
                 *       action.
                 *
                 * SCMP_CMP_GT:
                 *                   +------------------+
                 *                +--|  Ah(x) >  Rh(x)  |------+
                 *                |  +------------------+      |
                 *              FALSE                         TRUE     A
                 *                |                            |       C
                 *                +-----------+                +---->  C
                 *                            v                +---->  E
                 *                   +------------------+      |       P
                 *                +--|  Ah(x) == Rh(x)  |--+   |       T
                 *        R       |  +------------------+  |   |
                 *        E     FALSE                     TRUE |
                 *        J  <----+                        |   |
                 *        E  <----+           +------------+   |
                 *        C     FALSE         v                |
                 *        T       |  +------------------+      |
                 *                +--|  Al(x) >  Rl(x)  |------+
                 *                   +------------------+
                 *
                 * SCMP_CMP_GE:
                 *                   +------------------+
                 *                +--|  Ah(x) >  Rh(x)  |------+
                 *                |  +------------------+      |
                 *              FALSE                         TRUE     A
                 *                |                            |       C
                 *                +-----------+                +---->  C
                 *                            v                +---->  E
                 *                   +------------------+      |       P
                 *                +--|  Ah(x) == Rh(x)  |--+   |       T
                 *        R       |  +------------------+  |   |
                 *        E     FALSE                     TRUE |
                 *        J  <----+                        |   |
                 *        E  <----+           +------------+   |
                 *        C     FALSE         v                |
                 *        T       |  +------------------+      |
                 *                +--|  Al(x) >= Rl(x)  |------+
                 *                   +------------------+
                 *
                 * SCMP_CMP_LT:
                 *                   +------------------+
                 *                +--|  Ah(x) >  Rh(x)  |------+
                 *                |  +------------------+      |
                 *              FALSE                         TRUE     R
                 *                |                            |       E
                 *                +-----------+                +---->  J
                 *                            v                +---->  E
                 *                   +------------------+      |       C
                 *                +--|  Ah(x) == Rh(x)  |--+   |       T
                 *        A       |  +------------------+  |   |
                 *        C     FALSE                     TRUE |
                 *        C  <----+                        |   |
                 *        E  <----+           +------------+   |
                 *        P     FALSE         v                |
                 *        T       |  +------------------+      |
                 *                +--|  Al(x) >= Rl(x)  |------+
                 *                   +------------------+
                 *
                 * SCMP_CMP_LE:
                 *                   +------------------+
                 *                +--|  Ah(x) >  Rh(x)  |------+
                 *                |  +------------------+      |
                 *              FALSE                         TRUE     R
                 *                |                            |       E
                 *                +-----------+                +---->  J
                 *                            v                +---->  E
                 *                   +------------------+      |       C
                 *                +--|  Ah(x) == Rh(x)  |--+   |       T
                 *        A       |  +------------------+  |   |
                 *        C     FALSE                     TRUE |
                 *        C  <----+                        |   |
                 *        E  <----+           +------------+   |
                 *        P     FALSE         v                |
                 *        T       |  +------------------+      |
                 *                +--|  Al(x) >  Rl(x)  |------+
                 *                   +------------------+
                 *
                 * SCMP_CMP_EQ:
                 *                   +------------------+
                 *                +--|  Ah(x) == Rh(x)  |--+
                 *        R       |  +------------------+  |           A
                 *        E     FALSE                     TRUE         C
                 *        J  <----+                        |           C
                 *        E  <----+           +------------+   +---->  E
                 *        C     FALSE         v                |       P
                 *        T       |  +------------------+      |       T
                 *                +--|  Al(x) == Rl(x)  |------+
                 *                   +------------------+
                 *
                 * SCMP_CMP_NE:
                 *                   +------------------+
                 *                +--|  Ah(x) == Rh(x)  |--+
                 *        A       |  +------------------+  |           R
                 *        C     FALSE                     TRUE         E
                 *        C  <----+                        |           J
                 *        E  <----+           +------------+   +---->  E
                 *        P     FALSE         v                |       C
                 *        T       |  +------------------+      |       T
                 *                +--|  Al(x) == Rl(x)  |------+
                 *                   +------------------+
                 *
                 */

                /* setup the level */
                switch (chain[iter].op) {
                case SCMP_CMP_GT:
                case SCMP_CMP_GE:
                case SCMP_CMP_LE:
                case SCMP_CMP_LT:
                        c_iter[2] = zmalloc(sizeof(*c_iter[2]));
                        if (c_iter[2] == NULL) {
                                free(c_iter[0]);
                                free(c_iter[1]);
                                goto gen_64_failure;
                        }

                        c_iter[0]->arg = arg;
                        c_iter[1]->arg = arg;
                        c_iter[2]->arg = arg;
                        c_iter[0]->arg_h_flg = true;
                        c_iter[1]->arg_h_flg = true;
                        c_iter[2]->arg_h_flg = false;
                        c_iter[0]->arg_offset = arch_arg_offset_hi(arch, arg);
                        c_iter[1]->arg_offset = arch_arg_offset_hi(arch, arg);
                        c_iter[2]->arg_offset = arch_arg_offset_lo(arch, arg);

                        c_iter[0]->mask = D64_HI(mask);
                        c_iter[1]->mask = D64_HI(mask);
                        c_iter[2]->mask = D64_LO(mask);
                        c_iter[0]->datum = D64_HI(datum);
                        c_iter[1]->datum = D64_HI(datum);
                        c_iter[2]->datum = D64_LO(datum);
                        c_iter[0]->datum_full = datum;
                        c_iter[1]->datum_full = datum;
                        c_iter[2]->datum_full = datum;

                        _db_node_mask_fixup(c_iter[0]);
                        _db_node_mask_fixup(c_iter[1]);
                        _db_node_mask_fixup(c_iter[2]);

                        c_iter[0]->op = SCMP_CMP_GT;
                        c_iter[1]->op = SCMP_CMP_EQ;
                        switch (chain[iter].op) {
                        case SCMP_CMP_GT:
                        case SCMP_CMP_LE:
                                c_iter[2]->op = SCMP_CMP_GT;
                                break;
                        case SCMP_CMP_GE:
                        case SCMP_CMP_LT:
                                c_iter[2]->op = SCMP_CMP_GE;
                                break;
                        default:
                                /* we should never get here */
                                goto gen_64_failure;
                        }
                        c_iter[0]->op_orig = chain[iter].op;
                        c_iter[1]->op_orig = chain[iter].op;
                        c_iter[2]->op_orig = chain[iter].op;

                        c_iter[0]->nxt_f = _db_node_get(c_iter[1]);
                        c_iter[1]->nxt_t = _db_node_get(c_iter[2]);
                        break;
                case SCMP_CMP_EQ:
                case SCMP_CMP_MASKED_EQ:
                case SCMP_CMP_NE:
                        c_iter[0]->arg = arg;
                        c_iter[1]->arg = arg;
                        c_iter[0]->arg_h_flg = true;
                        c_iter[1]->arg_h_flg = false;
                        c_iter[0]->arg_offset = arch_arg_offset_hi(arch, arg);
                        c_iter[1]->arg_offset = arch_arg_offset_lo(arch, arg);

                        c_iter[0]->mask = D64_HI(mask);
                        c_iter[1]->mask = D64_LO(mask);
                        c_iter[0]->datum = D64_HI(datum);
                        c_iter[1]->datum = D64_LO(datum);
                        c_iter[0]->datum_full = datum;
                        c_iter[1]->datum_full = datum;

                        _db_node_mask_fixup(c_iter[0]);
                        _db_node_mask_fixup(c_iter[1]);

                        switch (chain[iter].op) {
                        case SCMP_CMP_MASKED_EQ:
                                c_iter[0]->op = SCMP_CMP_MASKED_EQ;
                                c_iter[1]->op = SCMP_CMP_MASKED_EQ;
                                break;
                        default:
                                c_iter[0]->op = SCMP_CMP_EQ;
                                c_iter[1]->op = SCMP_CMP_EQ;
                        }
                        c_iter[0]->op_orig = chain[iter].op;
                        c_iter[1]->op_orig = chain[iter].op;

                        c_iter[0]->nxt_t = _db_node_get(c_iter[1]);
                        break;
                default:
                        /* we should never get here */
                        goto gen_64_failure;
                }

                /* link this level to the previous level */
                if (c_prev[0] != NULL) {
                        switch (op_prev) {
                        case SCMP_CMP_GT:
                        case SCMP_CMP_GE:
                                c_prev[0]->nxt_t = _db_node_get(c_iter[0]);
                                c_prev[2]->nxt_t = _db_node_get(c_iter[0]);
                                break;
                        case SCMP_CMP_EQ:
                        case SCMP_CMP_MASKED_EQ:
                                c_prev[1]->nxt_t = _db_node_get(c_iter[0]);
                                break;
                        case SCMP_CMP_LE:
                        case SCMP_CMP_LT:
                                c_prev[1]->nxt_f = _db_node_get(c_iter[0]);
                                c_prev[2]->nxt_f = _db_node_get(c_iter[0]);
                                break;
                        case SCMP_CMP_NE:
                                c_prev[0]->nxt_f = _db_node_get(c_iter[0]);
                                c_prev[1]->nxt_f = _db_node_get(c_iter[0]);
                                break;
                        default:
                                /* we should never get here */
                                goto gen_64_failure;
                        }
                } else
                        s_new->chains = _db_node_get(c_iter[0]);

                /* update the node count */
                switch (chain[iter].op) {
                case SCMP_CMP_NE:
                case SCMP_CMP_EQ:
                case SCMP_CMP_MASKED_EQ:
                        s_new->node_cnt += 2;
                        break;
                default:
                        s_new->node_cnt += 3;
                }

                /* keep pointers to this level */
                c_prev[0] = c_iter[0];
                c_prev[1] = c_iter[1];
                c_prev[2] = c_iter[2];
                op_prev = chain[iter].op;
        }
        if (c_iter[0] != NULL) {
                /* set the actions on the last layer */
                switch (op_prev) {
                case SCMP_CMP_GT:
                case SCMP_CMP_GE:
                        c_iter[0]->act_t_flg = true;
                        c_iter[0]->act_t = rule->action;
                        c_iter[2]->act_t_flg = true;
                        c_iter[2]->act_t = rule->action;
                        break;
                case SCMP_CMP_LE:
                case SCMP_CMP_LT:
                        c_iter[1]->act_f_flg = true;
                        c_iter[1]->act_f = rule->action;
                        c_iter[2]->act_f_flg = true;
                        c_iter[2]->act_f = rule->action;
                        break;
                case SCMP_CMP_EQ:
                case SCMP_CMP_MASKED_EQ:
                        c_iter[1]->act_t_flg = true;
                        c_iter[1]->act_t = rule->action;
                        break;
                case SCMP_CMP_NE:
                        c_iter[0]->act_f_flg = true;
                        c_iter[0]->act_f = rule->action;
                        c_iter[1]->act_f_flg = true;
                        c_iter[1]->act_f = rule->action;
                        break;
                default:
                        /* we should never get here */
                        goto gen_64_failure;
                }
        } else
                s_new->action = rule->action;

        return s_new;

gen_64_failure:
        /* free the new chain and its syscall struct */
        _db_tree_put(&s_new->chains);
        free(s_new);
        return NULL;
}

/**
 * Generate a new filter rule for a 32 bit system
 * @param arch the architecture definition
 * @param rule the new filter rule
 *
 * This function generates a new syscall filter for a 32 bit system. Returns
 * zero on success, negative values on failure.
 *
 */
static struct db_sys_list *_db_rule_gen_32(const struct arch_def *arch,
                                           const struct db_api_rule_list *rule)
{
        unsigned int iter;
        struct db_sys_list *s_new;
        const struct db_api_arg *chain = rule->args;
        struct db_arg_chain_tree *c_iter = NULL, *c_prev = NULL;
        bool tf_flag;

        s_new = zmalloc(sizeof(*s_new));
        if (s_new == NULL)
                return NULL;
        s_new->num = rule->syscall;
        s_new->valid = true;
        /* run through the argument chain */
        for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
                if (chain[iter].valid == 0)
                        continue;

                /* skip generating instructions which are no-ops */
                if (!_db_arg_cmp_need_lo(&chain[iter]))
                        continue;

                c_iter = zmalloc(sizeof(*c_iter));
                if (c_iter == NULL)
                        goto gen_32_failure;
                c_iter->arg = chain[iter].arg;
                c_iter->arg_h_flg = false;
                c_iter->arg_offset = arch_arg_offset(arch, c_iter->arg);
                c_iter->op = chain[iter].op;
                c_iter->op_orig = chain[iter].op;
                /* implicitly strips off the upper 32 bit */
                c_iter->mask = chain[iter].mask;
                c_iter->datum = chain[iter].datum;
                c_iter->datum_full = chain[iter].datum;

                /* link in the new node and update the chain */
                if (c_prev != NULL) {
                        if (tf_flag)
                                c_prev->nxt_t = _db_node_get(c_iter);
                        else
                                c_prev->nxt_f = _db_node_get(c_iter);
                } else
                        s_new->chains = _db_node_get(c_iter);
                s_new->node_cnt++;

                /* rewrite the op to reduce the op/datum combos */
                switch (c_iter->op) {
                case SCMP_CMP_NE:
                        c_iter->op = SCMP_CMP_EQ;
                        tf_flag = false;
                        break;
                case SCMP_CMP_LT:
                        c_iter->op = SCMP_CMP_GE;
                        tf_flag = false;
                        break;
                case SCMP_CMP_LE:
                        c_iter->op = SCMP_CMP_GT;
                        tf_flag = false;
                        break;
                default:
                        tf_flag = true;
                }

                /* fixup the mask/datum */
                _db_node_mask_fixup(c_iter);

                c_prev = c_iter;
        }
        if (c_iter != NULL) {
                /* set the leaf node */
                if (tf_flag) {
                        c_iter->act_t_flg = true;
                        c_iter->act_t = rule->action;
                } else {
                        c_iter->act_f_flg = true;
                        c_iter->act_f = rule->action;
                }
        } else
                s_new->action = rule->action;

        return s_new;

gen_32_failure:
        /* free the new chain and its syscall struct */
        _db_tree_put(&s_new->chains);
        free(s_new);
        return NULL;
}

/**
 * Add a new rule to the seccomp filter DB
 * @param db the seccomp filter db
 * @param rule the filter rule
 *
 * This function adds a new syscall filter to the seccomp filter DB, adding to
 * the existing filters for the syscall, unless no argument specific filters
 * are present (filtering only on the syscall).  When adding new chains, the
 * shortest chain, or most inclusive filter match, will be entered into the
 * filter DB. Returns zero on success, negative values on failure.
 *
 * It is important to note that in the case of failure the db may be corrupted,
 * the caller must use the transaction mechanism if the db integrity is
 * important.
 *
 */
int db_rule_add(struct db_filter *db, const struct db_api_rule_list *rule)
{
        int rc = -ENOMEM;
        struct db_sys_list *s_new, *s_iter, *s_prev = NULL;
        struct db_iter_state state;
        bool rm_flag = false;

        assert(db != NULL);

        /* do all our possible memory allocation up front so we don't have to
         * worry about failure once we get to the point where we start updating
         * the filter db */
        if (db->arch->size == ARCH_SIZE_64)
                s_new = _db_rule_gen_64(db->arch, rule);
        else if (db->arch->size == ARCH_SIZE_32)
                s_new = _db_rule_gen_32(db->arch, rule);
        else
                return -EFAULT;
        if (s_new == NULL)
                return -ENOMEM;

        /* find a matching syscall/chain or insert a new one */
        s_iter = db->syscalls;
        while (s_iter != NULL && s_iter->num < rule->syscall) {
                s_prev = s_iter;
                s_iter = s_iter->next;
        }
        s_new->priority = _DB_PRI_MASK_CHAIN - s_new->node_cnt;
add_reset:
        if (s_iter == NULL || s_iter->num != rule->syscall) {
                /* new syscall, add before s_iter */
                if (s_prev != NULL) {
                        s_new->next = s_prev->next;
                        s_prev->next = s_new;
                } else {
                        s_new->next = db->syscalls;
                        db->syscalls = s_new;
                }
                db->syscall_cnt++;
                return 0;
        } else if (s_iter->chains == NULL) {
                if (rm_flag || !s_iter->valid) {
                        /* we are here because our previous pass cleared the
                         * entire syscall chain when searching for a subtree
                         * match or the existing syscall entry is a phantom,
                         * so either way add the new chain */
                        s_iter->chains = s_new->chains;
                        s_iter->action = s_new->action;
                        s_iter->node_cnt = s_new->node_cnt;
                        if (s_iter->valid)
                                s_iter->priority = s_new->priority;
                        s_iter->valid = true;
                        free(s_new);
                        rc = 0;
                        goto add_priority_update;
                } else {
                        /* syscall exists without any chains - existing filter
                         * is at least as large as the new entry so cleanup and
                         * exit */
                        _db_tree_put(&s_new->chains);
                        free(s_new);
                        goto add_free_ok;
                }
        } else if (s_iter->chains != NULL && s_new->chains == NULL) {
                /* syscall exists with chains but the new filter has no chains
                 * so we need to clear the existing chains and exit */
                _db_tree_put(&s_iter->chains);
                s_iter->chains = NULL;
                s_iter->node_cnt = 0;
                s_iter->action = rule->action;

                /* cleanup the new tree and return */
                _db_tree_put(&s_new->chains);
                free(s_new);
                goto add_free_ok;
        }

        /* prune any sub-trees that are no longer required */
        memset(&state, 0, sizeof(state));
        state.sx = s_iter;
        state.action = rule->action;
        rc = _db_tree_prune(&s_iter->chains, s_new->chains, &state);
        if (rc > 0) {
                /* we pruned at least some of the existing tree */
                rm_flag = true;
                s_iter->node_cnt -= rc;
                if (s_iter->chains == NULL)
                        /* we pruned the entire tree */
                        goto add_reset;
        } else if ((state.flags & _DB_IST_M_REDUNDANT) == _DB_IST_M_REDUNDANT) {
                /* the existing tree is "shorter", drop the new one */
                _db_tree_put(&s_new->chains);
                free(s_new);
                goto add_free_ok;
        }

        /* add the new rule to the existing filter and cleanup */
        memset(&state, 0, sizeof(state));
        state.sx = s_iter;
        rc = _db_tree_add(&s_iter->chains, s_new->chains, &state);
        if (rc < 0)
                goto add_failure;
        s_iter->node_cnt += s_new->node_cnt;
        s_iter->node_cnt -= _db_tree_put(&s_new->chains);
        free(s_new);

add_free_ok:
        rc = 0;
add_priority_update:
        /* update the priority */
        if (s_iter != NULL) {
                s_iter->priority &= (~_DB_PRI_MASK_CHAIN);
                s_iter->priority |= (_DB_PRI_MASK_CHAIN - s_iter->node_cnt);
        }
        return rc;

add_failure:
        /* NOTE: another reminder that we don't do any db error recovery here,
         * use the transaction mechanism as previously mentioned */
        _db_tree_put(&s_new->chains);
        free(s_new);
        return rc;
}

/**
 * Set the priority of a given syscall
 * @param col the filter collection
 * @param syscall the syscall number
 * @param priority priority value, higher value == higher priority
 *
 * This function sets the priority of the given syscall; this value is used
 * when generating the seccomp filter code such that higher priority syscalls
 * will incur less filter code overhead than the lower priority syscalls in the
 * filter.  Returns zero on success, negative values on failure.
 *
 */
int db_col_syscall_priority(struct db_filter_col *col,
                            int syscall, uint8_t priority)
{
        int rc = 0, rc_tmp;
        unsigned int iter;
        int sc_tmp;
        struct db_filter *filter;

        for (iter = 0; iter < col->filter_cnt; iter++) {
                filter = col->filters[iter];
                sc_tmp = syscall;

                rc_tmp = arch_syscall_translate(filter->arch, &sc_tmp);
                if (rc_tmp < 0)
                        goto priority_failure;

                /* if this is a pseudo syscall then we need to rewrite the
                 * syscall for some arch specific reason, don't forget the
                 * special handling for syscall -1 */
                if (sc_tmp < -1) {
                        /* we set this as a strict op - we don't really care
                         * since priorities are a "best effort" thing - as we
                         * want to catch the -EDOM error and bail on this
                         * architecture */
                        rc_tmp = arch_syscall_rewrite(filter->arch, &sc_tmp);
                        if (rc_tmp == -EDOM)
                                continue;
                        if (rc_tmp < 0)
                                goto priority_failure;
                }

                rc_tmp = _db_syscall_priority(filter, sc_tmp, priority);

priority_failure:
                if (rc == 0 && rc_tmp < 0)
                        rc = rc_tmp;
        }

        if (rc == 0)
                db_col_precompute_reset(col);

        return rc;
}

/**
 * Add a new rule to a single filter
 * @param filter the filter
 * @param rule the filter rule
 *
 * This is a helper function for db_col_rule_add() and similar functions, it
 * isn't generally useful.  Returns zero on success, negative values on error.
 *
 */
static int _db_col_rule_add(struct db_filter *filter,
                            struct db_api_rule_list *rule)
{
        int rc;
        struct db_api_rule_list *iter;

        /* add the rule to the filter */
        rc = arch_filter_rule_add(filter, rule);
        if (rc != 0)
                return rc;

        /* insert the chain to the end of the rule list */
        iter = rule;
        while (iter->next)
                iter = iter->next;
        if (filter->rules != NULL) {
                rule->prev = filter->rules->prev;
                iter->next = filter->rules;
                filter->rules->prev->next = rule;
                filter->rules->prev = iter;
        } else {
                rule->prev = iter;
                iter->next = rule;
                filter->rules = rule;
        }

        return 0;
}

/**
 * Add a new rule to the current filter
 * @param col the filter collection
 * @param strict the strict flag
 * @param action the filter action
 * @param syscall the syscall number
 * @param arg_cnt the number of argument filters in the argument filter chain
 * @param arg_array the argument filter chain, (uint, enum scmp_compare, ulong)
 *
 * This function adds a new argument/comparison/value to the seccomp filter for
 * a syscall; multiple arguments can be specified and they will be chained
 * together (essentially AND'd together) in the filter.  When the strict flag
 * is true the function will fail if the exact rule can not be added to the
 * filter, if the strict flag is false the function will not fail if the
 * function needs to adjust the rule due to architecture specifics.  Returns
 * zero on success, negative values on failure.
 *
 */
int db_col_rule_add(struct db_filter_col *col,
                    bool strict, uint32_t action, int syscall,
                    unsigned int arg_cnt, const struct scmp_arg_cmp *arg_array)
{
        int rc = 0, rc_tmp;
        unsigned int iter;
        unsigned int arg_num;
        size_t chain_size;
        struct db_api_arg *chain = NULL;
        struct scmp_arg_cmp arg_data;
        struct db_api_rule_list *rule;
        struct db_filter *db;

        /* collect the arguments for the filter rule */
        chain_size = sizeof(*chain) * ARG_COUNT_MAX;
        chain = zmalloc(chain_size);
        if (chain == NULL)
                return -ENOMEM;
        for (iter = 0; iter < arg_cnt; iter++) {
                arg_data = arg_array[iter];
                arg_num = arg_data.arg;
                if (arg_num < ARG_COUNT_MAX && chain[arg_num].valid == 0) {
                        chain[arg_num].valid = 1;
                        chain[arg_num].arg = arg_num;
                        chain[arg_num].op = arg_data.op;
                        /* TODO: we should check datum/mask size against the
                         *         arch definition, e.g. 64 bit datum on x86 */
                        switch (chain[arg_num].op) {
                        case SCMP_CMP_NE:
                        case SCMP_CMP_LT:
                        case SCMP_CMP_LE:
                        case SCMP_CMP_EQ:
                        case SCMP_CMP_GE:
                        case SCMP_CMP_GT:
                                chain[arg_num].mask = DATUM_MAX;
                                chain[arg_num].datum = arg_data.datum_a;
                                break;
                        case SCMP_CMP_MASKED_EQ:
                                chain[arg_num].mask = arg_data.datum_a;
                                chain[arg_num].datum = arg_data.datum_b;
                                break;
                        default:
                                rc = -EINVAL;
                                goto add_return;
                        }
                } else {
                        rc = -EINVAL;
                        goto add_return;
                }
        }

        /* create a checkpoint */
        rc = db_col_transaction_start(col, false);
        if (rc != 0)
                goto add_return;

        /* add the rule to the different filters in the collection */
        for (iter = 0; iter < col->filter_cnt; iter++) {
                db = col->filters[iter];

                /* create the rule */
                rule = _db_rule_new(strict, action, syscall, chain);
                if (rule == NULL) {
                        rc_tmp = -ENOMEM;
                        goto add_arch_fail;
                }

                /* add the rule */
                rc_tmp = _db_col_rule_add(db, rule);
                if (rc_tmp != 0)
                        free(rule);

add_arch_fail:
                if (rc_tmp != 0 && rc == 0)
                        rc = rc_tmp;
        }

        /* commit the transaction or abort */
        if (rc == 0)
                db_col_transaction_commit(col, false);
        else
                db_col_transaction_abort(col, false);

add_return:
        /* update the misc state */
        if (rc == 0) {
                if (action == SCMP_ACT_NOTIFY)
                        col->notify_used = true;
                db_col_precompute_reset(col);
        }
        if (chain != NULL)
                free(chain);
        return rc;
}

/**
 * Start a new seccomp filter transaction
 * @param col the filter collection
 * @param user true if initiated by a user
 *
 * This function starts a new seccomp filter transaction for the given filter
 * collection.  Returns zero on success, negative values on failure.
 *
 */
int db_col_transaction_start(struct db_filter_col *col, bool user)
{
        int rc;
        unsigned int iter;
        struct db_filter_snap *snap;
        struct db_filter *filter_o, *filter_s;
        struct db_api_rule_list *rule_o, *rule_s = NULL;

        /* check to see if a shadow snapshot exists */
        if (col->snapshots && col->snapshots->shadow) {
                /* we have a shadow!  this will be easy */

                /* NOTE: we don't bother to do any verification of the shadow
                 *       because we start a new transaction every time we add
                 *       a new rule to the filter(s); if this ever changes we
                 *       will need to add a mechanism to verify that the shadow
                 *       transaction is current/correct */

                col->snapshots->shadow = false;
                col->snapshots->user = user;
                return 0;
        }

        /* allocate the snapshot */
        snap = zmalloc(sizeof(*snap));
        if (snap == NULL)
                return -ENOMEM;
        snap->filters = zmalloc(sizeof(struct db_filter *) * col->filter_cnt);
        if (snap->filters == NULL) {
                free(snap);
                return -ENOMEM;
        }
        snap->filter_cnt = col->filter_cnt;
        for (iter = 0; iter < snap->filter_cnt; iter++)
                snap->filters[iter] = NULL;
        snap->next = NULL;

        /* create a snapshot of the current filter state */
        for (iter = 0; iter < col->filter_cnt; iter++) {
                /* allocate a new filter */
                filter_o = col->filters[iter];
                filter_s = _db_init(filter_o->arch);
                if (filter_s == NULL)
                        goto trans_start_failure;
                snap->filters[iter] = filter_s;

                /* create a filter snapshot from existing rules */
                rule_o = filter_o->rules;
                if (rule_o == NULL)
                        continue;
                do {
                        /* duplicate the rule */
                        rule_s = db_rule_dup(rule_o);
                        if (rule_s == NULL)
                                goto trans_start_failure;

                        /* add the rule */
                        rc = _db_col_rule_add(filter_s, rule_s);
                        if (rc != 0)
                                goto trans_start_failure;
                        rule_s = NULL;

                        /* next rule */
                        rule_o = rule_o->next;
                } while (rule_o != filter_o->rules);
        }

        snap->user = user;

        /* add the snapshot to the list */
        snap->next = col->snapshots;
        col->snapshots = snap;

        return 0;

trans_start_failure:
        if (rule_s != NULL)
                free(rule_s);
        _db_snap_release(snap);
        return -ENOMEM;
}

/**
 * Abort the top most seccomp filter transaction
 * @param col the filter collection
 * @param user true if initiated by a user
 *
 * This function aborts the most recent seccomp filter transaction.
 *
 */
void db_col_transaction_abort(struct db_filter_col *col, bool user)
{
        int iter;
        unsigned int filter_cnt;
        struct db_filter **filters;
        struct db_filter_snap *snap;

        snap = col->snapshots;
        if (snap == NULL)
                return;

        /* replace the current filter with the last snapshot, skipping shadow
         * snapshots are they are duplicates of the current snapshot */
        if (snap->shadow) {
                struct db_filter_snap *tmp = snap;
                snap = snap->next;
                _db_snap_release(tmp);
        }

        if (snap->user != user)
                return;

        col->snapshots = snap->next;

        filter_cnt = col->filter_cnt;
        filters = col->filters;
        col->filter_cnt = snap->filter_cnt;
        col->filters = snap->filters;
        free(snap);

        /* free the filter we swapped out */
        for (iter = 0; iter < filter_cnt; iter++)
                _db_release(filters[iter]);
        free(filters);

        /* free any precompute */
        db_col_precompute_reset(col);
}

/**
 * Commit the top most seccomp filter transaction
 * @param col the filter collection
 * @param user true if initiated by a user
 *
 * This function commits the most recent seccomp filter transaction and
 * attempts to create a shadow transaction that is a duplicate of the current
 * filter to speed up future transactions.
 *
 */
void db_col_transaction_commit(struct db_filter_col *col, bool user)
{
        int rc;
        unsigned int iter;
        struct db_filter_snap *snap;
        struct db_filter *filter_o, *filter_s;
        struct db_api_rule_list *rule_o, *rule_s;

        snap = col->snapshots;
        if (snap == NULL)
                return;
        if (snap->user != user)
                return;

        /* check for a shadow set by a higher transaction commit */
        if (snap->shadow) {
                /* leave the shadow intact, but drop the next snapshot */
                if (snap->next) {
                        struct db_filter_snap *tmp = snap->next;
                        snap->next = tmp->next;
                        _db_snap_release(tmp);
                }
                return;
        }

        /* adjust the number of filters if needed */
        if (col->filter_cnt > snap->filter_cnt) {
                unsigned int tmp_i;
                struct db_filter **tmp_f;

                /* add filters */
                tmp_f = realloc(snap->filters,
                                sizeof(struct db_filter *) * col->filter_cnt);
                if (tmp_f == NULL)
                        goto shadow_err;
                snap->filters = tmp_f;
                do {
                        tmp_i = snap->filter_cnt;
                        snap->filters[tmp_i] =
                                _db_init(col->filters[tmp_i]->arch);
                        if (snap->filters[tmp_i] == NULL)
                                goto shadow_err;
                        snap->filter_cnt++;
                } while (snap->filter_cnt < col->filter_cnt);
        } else if (col->filter_cnt < snap->filter_cnt) {
                /* remove filters */

                /* NOTE: while we release the filters we no longer need, we
                 *       don't bother to resize the filter array, we just
                 *       adjust the filter counter, this *should* be harmless
                 *       at the cost of a not reaping all the memory possible */

                do {
                        _db_release(snap->filters[snap->filter_cnt--]);
                } while (snap->filter_cnt > col->filter_cnt);
        }

        /* loop through each filter and update the rules on the snapshot */
        for (iter = 0; iter < col->filter_cnt; iter++) {
                filter_o = col->filters[iter];
                filter_s = snap->filters[iter];

                /* skip ahead to the new rule(s) */
                rule_o = filter_o->rules;
                rule_s = filter_s->rules;
                if (rule_o == NULL)
                        /* nothing to shadow */
                        continue;
                if (rule_s != NULL) {
                        do {
                                rule_o = rule_o->next;
                                rule_s = rule_s->next;
                        } while (rule_s != filter_s->rules);

                        /* did we actually add any rules? */
                        if (rule_o == filter_o->rules)
                                /* no, we are done in this case */
                                continue;
                }

                /* update the old snapshot to make it a shadow */
                do {
                        /* duplicate the rule */
                        rule_s = db_rule_dup(rule_o);
                        if (rule_s == NULL)
                                goto shadow_err;

                        /* add the rule */
                        rc = _db_col_rule_add(filter_s, rule_s);
                        if (rc != 0) {
                                free(rule_s);
                                goto shadow_err;
                        }

                        /* next rule */
                        rule_o = rule_o->next;
                } while (rule_o != filter_o->rules);
        }

        /* success, mark the snapshot as a shadow and return */
        snap->shadow = true;
        return;

shadow_err:
        /* we failed making a shadow, cleanup and return */
        col->snapshots = snap->next;
        _db_snap_release(snap);
        return;
}

/**
 * Precompute the seccomp filters
 * @param col the filter collection
 *
 * This function precomputes the seccomp filters before they are needed,
 * returns zero on success, negative values on error.
 *
 */
int db_col_precompute(struct db_filter_col *col)
{
        if (!col->prgm_bpf)
                return gen_bpf_generate(col, &col->prgm_bpf);
        return 0;
}

/**
 * Free any precomputed filter programs
 * @param col the filter collection
 *
 * This function releases any precomputed filter programs.
 */
void db_col_precompute_reset(struct db_filter_col *col)
{
        if (!col->prgm_bpf)
                return;

        gen_bpf_release(col->prgm_bpf);
        col->prgm_bpf = NULL;
}

drakenclimber / libseccomp / 6279355589

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous