seccomp: forbid duplicate thread names

alindima · alindima · commit ba6d19e1e11e · 2021-06-22T11:54:07.000+03:00
Signed-off-by: alindima &lt;alindima@amazon.com&gt;
diff --git a/src/seccompiler/src/compiler.rs b/src/seccompiler/src/compiler.rs
@@ -20,16 +20,18 @@
 use std::collections::HashMap;
 use std::convert::{Into, TryInto};
 use std::fmt;
+use std::result;
 
 use crate::backend::{
     Comment, Error as SeccompFilterError, SeccompAction, SeccompCondition, SeccompFilter,
     SeccompRule, SeccompRuleMap, TargetArch,
 };
 use crate::common::BpfProgram;
 use crate::syscall_table::SyscallTable;
+use serde::de::{self, Error as _, MapAccess, Visitor};
 use serde::Deserialize;
 
-type Result<T> = std::result::Result<T, Error>;
+type Result<T> = result::Result<T, Error>;
 
 /// Errors compiling Filters into BPF.
 #[derive(Debug, PartialEq)]
@@ -58,6 +60,43 @@ impl fmt::Display for Error {
     }
 }
 
+/// Deserializable object that represents the Json filter file.
+pub(crate) struct JsonFile(pub HashMap<String, Filter>);
+
+// Implement a custom deserializer, that returns an error for duplicate thread keys.
+impl<'de> Deserialize<'de> for JsonFile {
+    fn deserialize<D>(deserializer: D) -> result::Result<Self, D::Error>
+    where
+        D: de::Deserializer<'de>,
+    {
+        struct JsonFileVisitor;
+
+        impl<'d> Visitor<'d> for JsonFileVisitor {
+            type Value = HashMap<String, Filter>;
+
+            fn expecting(&self, f: &mut fmt::Formatter<'_>) -> result::Result<(), fmt::Error> {
+                f.write_str("a map of filters")
+            }
+
+            fn visit_map<M>(self, mut access: M) -> result::Result<Self::Value, M::Error>
+            where
+                M: MapAccess<'d>,
+            {
+                let mut values = Self::Value::with_capacity(access.size_hint().unwrap_or(0));
+
+                while let Some((key, value)) = access.next_entry()? {
+                    if values.insert(key, value).is_some() {
+                        return Err(M::Error::custom("duplicate filter key"));
+                    };
+                }
+
+                Ok(values)
+            }
+        }
+        Ok(JsonFile(deserializer.deserialize_map(JsonFileVisitor)?))
+    }
+}
+
 /// Deserializable object representing a syscall rule.
 #[derive(Debug, Deserialize, PartialEq, Clone)]
 #[serde(deny_unknown_fields)]
diff --git a/src/seccompiler/src/seccompiler_bin.rs b/src/seccompiler/src/seccompiler_bin.rs
@@ -47,7 +47,7 @@ use std::{fmt, io, process};
 use backend::{TargetArch, TargetArchError};
 use bincode::Error as BincodeError;
 use common::BpfProgram;
-use compiler::{Compiler, Error as FilterFormatError, Filter};
+use compiler::{Compiler, Error as FilterFormatError, JsonFile};
 use serde_json::error::Error as JSONError;
 use utils::arg_parser::{ArgParser, Argument, Arguments as ArgumentsBag};
 
@@ -158,7 +158,7 @@ fn get_argument_values(arguments: &ArgumentsBag) -> Result<Arguments> {
     })
 }
 
-fn parse_json(reader: &mut dyn Read) -> Result<HashMap<String, Filter>> {
+fn parse_json(reader: &mut dyn Read) -> Result<JsonFile> {
     serde_json::from_reader(reader).map_err(Error::Json)
 }
 
@@ -171,7 +171,7 @@ fn compile(args: &Arguments) -> Result<()> {
 
     // transform the IR into a Map of BPFPrograms
     let bpf_data: HashMap<String, BpfProgram> = compiler
-        .compile_blob(filters, args.is_basic)
+        .compile_blob(filters.0, args.is_basic)
         .map_err(Error::FileFormat)?;
 
     // serialize the BPF programs & output them to a file
@@ -681,6 +681,25 @@ mod tests {
             .to_string();
             let json_input = unsafe { json_input.as_bytes_mut() };
             assert!(parse_json(&mut json_input.as_ref()).is_err());
+
+            // duplicate filter keys
+            let mut json_input = r#"
+            {
+                "thread_1": {
+                    "default_action": "trap",
+                    "filter_action": "allow",
+                    "filter": []
+                },
+                "thread_1": {
+                    "default_action": "trap",
+                    "filter_action": "allow",
+                    "filter": []
+                }
+            }
+            "#
+            .to_string();
+            let json_input = unsafe { json_input.as_bytes_mut() };
+            assert!(parse_json(&mut json_input.as_ref()).is_err());
         }
 
         // test with correctly formed JSON
@@ -689,7 +708,7 @@ mod tests {
             let mut json_input = "{}".to_string();
             let json_input = unsafe { json_input.as_bytes_mut() };
 
-            assert_eq!(parse_json(&mut json_input.as_ref()).unwrap().len(), 0);
+            assert_eq!(parse_json(&mut json_input.as_ref()).unwrap().0.len(), 0);
 
             // empty Filter
             let mut json_input =
@@ -757,6 +776,7 @@ mod tests {
 
             let mut v2: Vec<_> = parse_json(&mut json_input.as_ref())
                 .unwrap()
+                .0
                 .into_iter()
                 .collect();
             v2.sort_by(|x, y| x.0.cmp(&y.0));
