From 4625350465744c2446ac0b0dc821699fa1695c81 Mon Sep 17 00:00:00 2001 From: Daniel Golle Date: Mon, 30 Nov 2020 00:44:53 +0000 Subject: [PATCH] jail: seccomp: improve code readability Break overly long line, add some comments. No functional changes. Signed-off-by: Daniel Golle --- jail/seccomp-oci.c | 41 +++++++++++++++++++++++++++++++---------- 1 file changed, 31 insertions(+), 10 deletions(-) diff --git a/jail/seccomp-oci.c b/jail/seccomp-oci.c index 2ba66cd..c82aebf 100644 --- a/jail/seccomp-oci.c +++ b/jail/seccomp-oci.c @@ -211,7 +211,8 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg) bool arch_matched; char *op_str; - blobmsg_parse(oci_linux_seccomp_policy, __OCI_LINUX_SECCOMP_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); + blobmsg_parse(oci_linux_seccomp_policy, __OCI_LINUX_SECCOMP_MAX, + tb, blobmsg_data(msg), blobmsg_len(msg)); if (!tb[OCI_LINUX_SECCOMP_DEFAULTACTION]) { ERROR("seccomp: no default action set\n"); @@ -239,7 +240,9 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg) blobmsg_for_each_attr(cur, tb[OCI_LINUX_SECCOMP_SYSCALLS], rem) { sz += 2; /* load and return */ - blobmsg_parse(oci_linux_seccomp_syscalls_policy, __OCI_LINUX_SECCOMP_SYSCALLS_MAX, tbn, blobmsg_data(cur), blobmsg_len(cur)); + blobmsg_parse(oci_linux_seccomp_syscalls_policy, + __OCI_LINUX_SECCOMP_SYSCALLS_MAX, + tbn, blobmsg_data(cur), blobmsg_len(cur)); blobmsg_for_each_attr(curn, tbn[OCI_LINUX_SECCOMP_SYSCALLS_NAMES], remn) { sc = find_syscall(blobmsg_get_string(curn)); if (sc == -1) { 
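Review bot: The rewrapped blobmsg_parse() call at the top of this hunk still discards the function's return value, and the same holds for the other rewrapped blobmsg_parse() calls in the hunks at -239, -254, -300, -325 and -338. As far as I recall libubox's blobmsg_parse() zeroes tb first and returns -1 when blobmsg_check_attr() rejects an attribute part-way through the walk, so on a malformed blob tb may be partially filled and the NULL checks that follow only cover the missing-field case. Since this function parses an externally supplied OCI seccomp profile, I would make the failure explicit, e.g. `if (blobmsg_parse(oci_linux_seccomp_policy, __OCI_LINUX_SECCOMP_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)) < 0) { ERROR("seccomp: invalid policy\n"); /* same error return as the default-action check below */ }`, using whatever error path the ERROR() branch below this hunk takes, which is cut off here. parseOCIlinuxseccomp() starts before this hunk.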
@@ -254,7 +257,9 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg) blobmsg_for_each_attr(curarg, tbn[OCI_LINUX_SECCOMP_SYSCALLS_ARGS], remargs) { sz += 2; /* load and compare */ - blobmsg_parse(oci_linux_seccomp_syscalls_args_policy, __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX, tba, blobmsg_data(curarg), blobmsg_len(curarg)); + blobmsg_parse(oci_linux_seccomp_syscalls_args_policy, + __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX, + tba, blobmsg_data(curarg), blobmsg_len(curarg)); if (!tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_INDEX] || !tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_VALUE] || !tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_OP]) @@ -300,13 +305,17 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg) int start_rule_idx; int next_rule_idx; - blobmsg_parse(oci_linux_seccomp_syscalls_policy, __OCI_LINUX_SECCOMP_SYSCALLS_MAX, tbn, blobmsg_data(cur), blobmsg_len(cur)); - action = resolve_action(blobmsg_get_string(tbn[OCI_LINUX_SECCOMP_SYSCALLS_ACTION])); + blobmsg_parse(oci_linux_seccomp_syscalls_policy, + __OCI_LINUX_SECCOMP_SYSCALLS_MAX, + tbn, blobmsg_data(cur), blobmsg_len(cur)); + action = resolve_action(blobmsg_get_string( + tbn[OCI_LINUX_SECCOMP_SYSCALLS_ACTION])); if (tbn[OCI_LINUX_SECCOMP_SYSCALLS_ERRNORET]) { if (action != SECCOMP_RET_ERRNO) goto errout1; - action = SECCOMP_RET_ERROR(blobmsg_get_u32(tbn[OCI_LINUX_SECCOMP_SYSCALLS_ERRNORET])); + action = SECCOMP_RET_ERROR(blobmsg_get_u32( + tbn[OCI_LINUX_SECCOMP_SYSCALLS_ERRNORET])); } else if (action == SECCOMP_RET_ERRNO) action = SECCOMP_RET_ERROR(EPERM); 
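Review bot: The rewrapped `action = resolve_action(blobmsg_get_string(tbn[OCI_LINUX_SECCOMP_SYSCALLS_ACTION]));` in the -300 hunk has no check that the "action" attribute is present, whereas the args loop in the -254 hunk validates its three attributes before using them. blobmsg_get_string() on a missing attribute yields NULL (libubox's inline checks for that, if I recall), so the outcome depends on how resolve_action() treats NULL, which is not visible here; a guard such as `if (!tbn[OCI_LINUX_SECCOMP_SYSCALLS_ACTION]) goto errout1;` ahead of the call would make a profile entry without an action a hard error instead of whatever resolve_action() falls back to. Relatedly, the errnoRet value goes straight into SECCOMP_RET_ERROR(); if that macro does not mask with SECCOMP_RET_DATA, a value above 0xffff would spill into the action bits, so a range check on the blobmsg_get_u32() result would be cheap insurance. The enclosing loop and the function both continue outside the hunk.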
@@ -325,7 +334,9 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg) /* calculate length of argument filter rules */ blobmsg_for_each_attr(curn, tbn[OCI_LINUX_SECCOMP_SYSCALLS_ARGS], remn) { - blobmsg_parse(oci_linux_seccomp_syscalls_args_policy, __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX, tba, blobmsg_data(curn), blobmsg_len(curn)); + blobmsg_parse(oci_linux_seccomp_syscalls_args_policy, + __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX, + tba, blobmsg_data(curn), blobmsg_len(curn)); next_rule_idx += 2; op_str = blobmsg_get_string(tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_OP]); if (resolve_op_is_masked(op_str)) @@ -338,15 +349,24 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg) sc = find_syscall(blobmsg_get_string(curn)); if (sc == -1) continue; - /* check syscall, skip other syscall checks if hit; if no match chain to next section */ - set_filter(&filter[idx], BPF_JMP + BPF_JEQ + BPF_K, start_rule_idx - (idx + 1), ((idx + 1) == start_rule_idx)?(next_rule_idx - (idx + 1)):0, sc); + /* + * check syscall, skip other syscall checks if match is found. + * if no match is found, jump to next section + */ + set_filter(&filter[idx], BPF_JMP + BPF_JEQ + BPF_K, + start_rule_idx - (idx + 1), + ((idx + 1) == start_rule_idx)?(next_rule_idx - (idx + 1)):0, + sc); ++idx; } assert(idx = start_rule_idx); + /* generate argument filter rules */ blobmsg_for_each_attr(curn, tbn[OCI_LINUX_SECCOMP_SYSCALLS_ARGS], remn) { - blobmsg_parse(oci_linux_seccomp_syscalls_args_policy, __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX, tba, blobmsg_data(curn), blobmsg_len(curn)); + blobmsg_parse(oci_linux_seccomp_syscalls_args_policy, + __OCI_LINUX_SECCOMP_SYSCALLS_ARGS_MAX, + tba, blobmsg_data(curn), blobmsg_len(curn)); op_str = blobmsg_get_string(tba[OCI_LINUX_SECCOMP_SYSCALLS_ARGS_OP]); op_ins = resolve_op_ins(op_str); 
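Review bot: `assert(idx = start_rule_idx);`, the context line right after the rewrapped set_filter() call in the -338 hunk, is an assignment rather than a comparison, so it checks nothing: with assertions enabled it silently overwrites idx, and under NDEBUG the statement disappears entirely. The intended form is the one used at the end of the -373 hunk, `assert(idx == start_rule_idx);`, and since this commit already reflows the surrounding lines it is a natural place to fix it. A second thing worth a look is that the jump offsets `start_rule_idx - (idx + 1)` and `next_rule_idx - (idx + 1)` are handed to set_filter(); if that helper stores them in struct sock_filter's 8-bit jt/jf fields, a rule with enough syscall names or argument conditions would truncate the offset silently and the generated filter would no longer match the profile, so a bounds check before the call would turn that into a reported error. The loop's enclosing function starts and ends outside this hunk.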
@@ -373,6 +393,7 @@ struct sock_fprog *parseOCIlinuxseccomp(struct blob_attr *msg) ++idx; } + /* if we have reached until here, all conditions were met and we can return */ set_filter(&filter[idx++], BPF_RET + BPF_K, 0, 0, action); assert(idx == next_rule_idx); -- 2.30.2
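Review bot: The new comment `/* if we have reached until here, all conditions were met and we can return */` reads awkwardly; something like `/* only reached when every argument condition matched: return this rule's action */` says the same in idiomatic English and also tells the reader what `action` is, since the place it was resolved is well above this tail of the loop. The `assert(idx == next_rule_idx);` below it is the correct comparison form and is a useful contrast with the `assert(idx = start_rule_idx);` earlier in the same function. The loop and the enclosing function continue past the hunk.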