change our tokenize to yield empty tokens Our tokenize function currently skips empty tokens. This means we incorrectly accept invalid syntax with our seccomp filter like: close: arg0 == 1 |||||| arg0 == 2 Change the tokenizer helper to yield an empty string in this case so we can correctly detect & reject these. We don't have any scenarios where we actually want to allow empty strings currently either (and if we did, the callers could check themselves). Bug: None Test: unittests pass Change-Id: I282e4e4544a24c0e5a7036b693429bdd209339cf

commit: b4c7e77340e2aa46c1ecb425d24b55dad9cebaa8 [log] [tgz]
author: Mike Frysinger <vapier@google.com> Wed Jan 17 17:40:15 2018 -0500
committer: Mike Frysinger <vapier@google.com> Thu Jan 18 20:04:13 2018 +0000
tree: 69891a0e8d815fa64f742b85abec741736358809
parent: 32c399278b7032c96fd8d680221062ba83547890 [diff] [blame]
diff --git a/syscall_filter_unittest.cc b/syscall_filter_unittest.cc
index 6bc044d..db01fbb 100644
--- a/syscall_filter_unittest.cc
+++ b/syscall_filter_unittest.cc

@@ -1261,6 +1261,19 @@
   ASSERT_NE(res, 0);
 }
 
+TEST(FilterTest, invalid_tokens) {
+  struct sock_fprog actual;
+  const char *policy = "read: arg0 == 1 |||| arg0 == 2\n";
+
+  FILE *policy_file = write_policy_to_pipe(policy, strlen(policy));
+  ASSERT_NE(policy_file, nullptr);
+
+  int res =
+      compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING);
+  fclose(policy_file);
+  ASSERT_NE(res, 0);
+}
+
 TEST(FilterTest, nonexistent) {
   struct sock_fprog actual;
   int res = compile_filter("policy", NULL, &actual, USE_RET_KILL, NO_LOGGING);
commit	b4c7e77340e2aa46c1ecb425d24b55dad9cebaa8	[log] [tgz]
author	Mike Frysinger <vapier@google.com>	Wed Jan 17 17:40:15 2018 -0500
committer	Mike Frysinger <vapier@google.com>	Thu Jan 18 20:04:13 2018 +0000
tree	69891a0e8d815fa64f742b85abec741736358809
parent	32c399278b7032c96fd8d680221062ba83547890 [diff] [blame]