syscall_filter: Implement flag set inclusion.

When filtering syscalls that take flags as an argument, we usually want
to allow a small set of "safe" flags. This is hard to express with the
current language.

Implement this by adding a "flag set inclusion" mode using the 'in'
keyword. This works by allowing the syscall as long as the passed
flags, when viewed as a set, are included in the set of flags described
by the policy.

Also, clang-format all of bpf.c.

Bug: 31997910
Test: syscall_filter_unittest
Change-Id: I121af56b176bd3260904d367fd92d47a16bb3dcb
diff --git a/syscall_filter.c b/syscall_filter.c
index e42f017..34f6b3a 100644
--- a/syscall_filter.c
+++ b/syscall_filter.c
@@ -33,6 +33,8 @@
return NE;
} else if (!strcmp(op_str, "&")) {
return SET;
+ } else if (!strcmp(op_str, "in")) {
+ return IN;
} else {
return 0;
}
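Review bot: the new `"in"` branch sits directly beside `"&"` (SET) in the `op_str` chain, and nothing at this spot says how IN differs from SET, which is easy to get wrong when writing a policy. Please add a short comment on the branch (or on the IN constant) stating the rule from the commit message: the call is allowed only when the passed flags, viewed as a set, are included in the policy's set. Because the match is a case-sensitive `strcmp`, spellings such as "IN" fall through to `return 0`; a unit test that pins down that rejection, plus one where a single flag outside the allowed set is passed, would guard the security-relevant edge. Separately, the clang-format pass over bpf.c mentioned in the message would be easier to review as its own commit, so that the functional change to the filter is not buried in whitespace churn.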