/**

 * Enhanced Seccomp Filter DB

 *

 * Copyright (c) 2012,2016,2018 Red Hat <pmoore@redhat.com>

 * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>

 * Author: Paul Moore <paul@paul-moore.com>

 */

/*

 * This library is free software; you can redistribute it and/or modify it

 * under the terms of version 2.1 of the GNU Lesser General Public License as

 * published by the Free Software Foundation.

 *

 * This library is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License

 * for more details.

 *

 * You should have received a copy of the GNU Lesser General Public License

 * along with this library; if not, see <http://www.gnu.org/licenses>.

 */

#include <assert.h>

#include <errno.h>

#include <inttypes.h>

#include <stdlib.h>

#include <string.h>

#include <stdarg.h>

#include <seccomp.h>

#include "arch.h"

#include "db.h"

#include "system.h"

#include "helper.h"

/* state values */

#define _DB_STA_VALID			0xA1B2C3D4

#define _DB_STA_FREED			0x1A2B3C4D

/* the priority field is fairly simple - without any user hints, or in the case

 * of a hint "tie", we give higher priority to syscalls with less chain nodes

 * (filter is easier to evaluate) */

#define _DB_PRI_MASK_CHAIN		0x0000FFFF

#define _DB_PRI_MASK_USER		0x00FF0000

#define _DB_PRI_USER(x)			(((x) << 16) & _DB_PRI_MASK_USER)

/* prove information about the sub-tree check results */

struct db_iter_state {

#define _DB_IST_NONE			0x00000000

#define _DB_IST_MATCH			0x00000001

#define _DB_IST_MATCH_ONCE		0x00000002

#define _DB_IST_X_FINISHED		0x00000010

#define _DB_IST_N_FINISHED		0x00000020

#define _DB_IST_X_PREFIX		0x00000100

#define _DB_IST_N_PREFIX		0x00000200

#define _DB_IST_M_MATCHSET		(_DB_IST_MATCH|_DB_IST_MATCH_ONCE)

#define _DB_IST_M_REDUNDANT		(_DB_IST_MATCH| \

					 _DB_IST_X_FINISHED| \

					 _DB_IST_N_PREFIX)

	unsigned int flags;

	uint32_t action;

	struct db_sys_list *sx;

};

static unsigned int _db_node_put(struct db_arg_chain_tree **node);

/**

 * Define the syscall argument priority for nodes on the same level of the tree

 * @param a tree node

 *

 * Prioritize the syscall argument value, taking into account hi/lo words.

 * Should only ever really be called by _db_chain_{lt,eq}().  Returns an

 * arbitrary value indicating priority.

 *

 */

static unsigned int __db_chain_arg_priority(const struct db_arg_chain_tree *a)

{

	return (a->arg << 1) + (a->arg_h_flg ? 1 : 0);

}

/**

 * Define the "op" priority for nodes on the same level of the tree

 * @param op the argument operator

 *

 * Prioritize the syscall argument comparison operator.  Should only ever

 * really be called by _db_chain_{lt,eq}().  Returns an arbitrary value

 * indicating priority.

 *

 */

static unsigned int __db_chain_op_priority(enum scmp_compare op)

{

	/* the distinction between LT/LT and GT/GE is mostly to make the

	 * ordering as repeatable as possible regardless of the order in which

	 * the rules are added */

	switch (op) {

	case SCMP_CMP_MASKED_EQ:

	case SCMP_CMP_EQ:

	case SCMP_CMP_NE:

		return 3;

	case SCMP_CMP_LE:

	case SCMP_CMP_LT:

		return 2;

	case SCMP_CMP_GE:

	case SCMP_CMP_GT:

		return 1;

	default:

		return 0;

	}

}

/**

 * Determine if node "a" is less than node "b"

 * @param a tree node

 * @param b tree node

 *

 * The logic is best explained by looking at the comparison code in the

 * function.

 *

 */

static bool _db_chain_lt(const struct db_arg_chain_tree *a,

			 const struct db_arg_chain_tree *b)

{

	unsigned int a_arg, b_arg;

	unsigned int a_op, b_op;

	a_arg = __db_chain_arg_priority(a);

	b_arg = __db_chain_arg_priority(b);

	if (a_arg < b_arg)

		return true;

	else if (a_arg > b_arg)

		return false;

	a_op = __db_chain_op_priority(a->op_orig);

	b_op = __db_chain_op_priority(b->op_orig);

	if (a_op < b_op)

		return true;

	else if (a_op > b_op)

		return false;

	/* NOTE: at this point the arg and op priorities are equal */

	switch (a->op_orig) {

	case SCMP_CMP_LE:

	case SCMP_CMP_LT:

		/* in order to ensure proper ordering for LT/LE comparisons we

		 * need to invert the argument value so smaller values come

		 * first */

		if (a->datum > b->datum)

			return true;

		break;

	default:

		if (a->datum < b->datum)

			return true;

		break;

	}

	return false;

}

/**

 * Determine if two nodes have equal argument datum values

 * @param a tree node

 * @param b tree node

 *

 * In order to return true the nodes must have the same datum and mask for the

 * same argument.

 *

 */

static bool _db_chain_eq(const struct db_arg_chain_tree *a,

			 const struct db_arg_chain_tree *b)

{

	unsigned int a_arg, b_arg;

	a_arg = __db_chain_arg_priority(a);

	b_arg = __db_chain_arg_priority(b);

	return ((a_arg == b_arg) && (a->op == b->op) &&

		(a->datum == b->datum) && (a->mask == b->mask));

}

/**

 * Determine if a given tree node is a leaf node

 * @param iter the node to test

 *

 * A leaf node is a node with no other nodes beneath it.

 *

 */

static bool _db_chain_leaf(const struct db_arg_chain_tree *iter)

{

	return (iter->nxt_t == NULL && iter->nxt_f == NULL);

}

/**

 * Determine if a given tree node is a zombie node

 * @param iter the node to test

 *

 * A zombie node is a leaf node that also has no true or false actions.

 *

 */

static bool _db_chain_zombie(const struct db_arg_chain_tree *iter)

{

	return (_db_chain_leaf(iter) &&

		!(iter->act_t_flg) && !(iter->act_f_flg));

}

/**

 * Get a node reference

 * @param node pointer to a node

 *

 * This function gets a reference to an individual node.  Returns a pointer

 * to the node.

 *

 */

static struct db_arg_chain_tree *_db_node_get(struct db_arg_chain_tree *node)

{

	if (node != NULL)

		node->refcnt++;

	return node;

}

/**

 * Garbage collect a level of the tree

 * @param node tree node

 *

 * Check the entire level on which @node resides, if there is no other part of

 * the tree which points to a node on this level, remove the entire level.

 * Returns the number of nodes removed.

 *

 */

static unsigned int _db_level_clean(struct db_arg_chain_tree *node)

{

	int cnt = 0;

	unsigned int links;

	struct db_arg_chain_tree *n = node;

	struct db_arg_chain_tree *start;

	while (n->lvl_prv)

		n = n->lvl_prv;

	start = n;

	while (n != NULL) {

		links = 0;

		if (n->lvl_prv)

			links++;

		if (n->lvl_nxt)

			links++;

		if (n->refcnt > links)

			return cnt;

		n = n->lvl_nxt;

	}

	n = start;

	while (n != NULL)

		cnt += _db_node_put(&n);

	return cnt;

}

/**

 * Free a syscall filter argument chain tree

 * @param tree the argument chain list

 *

 * This function drops a reference to the tree pointed to by @tree and garbage

 * collects the top level.  Returns the number of nodes removed.

 *

 */

static unsigned int _db_tree_put(struct db_arg_chain_tree **tree)

{

	unsigned int cnt;

	cnt = _db_node_put(tree);

	if (*tree)

		cnt += _db_level_clean(*tree);

	return cnt;

}

/**

 * Release a node reference

 * @param node pointer to a node

 *

 * This function drops a reference to an individual node, unless this is the

 * last reference in which the entire sub-tree is affected.  Returns the number

 * of nodes freed.

 *

 */

static unsigned int _db_node_put(struct db_arg_chain_tree **node)

{

	unsigned int cnt = 0;

	struct db_arg_chain_tree *n = *node;

	struct db_arg_chain_tree *lvl_p, *lvl_n, *nxt_t, *nxt_f;

	if (n == NULL)

		return 0;

	if (--(n->refcnt) == 0) {

		lvl_p = n->lvl_prv;

		lvl_n = n->lvl_nxt;

		nxt_t = n->nxt_t;

		nxt_f = n->nxt_f;

		/* split the current level */

		/* NOTE: we still hold a ref for both lvl_p and lvl_n */

		if (lvl_p)

			lvl_p->lvl_nxt = NULL;

		if (lvl_n)

			lvl_n->lvl_prv = NULL;

		/* drop refcnts on the current level */

		if (lvl_p)

			cnt += _db_node_put(&lvl_p);

		if (lvl_n)

			cnt += _db_node_put(&lvl_n);

		/* re-link current level if it still exists */

		if (lvl_p)

			lvl_p->lvl_nxt = _db_node_get(lvl_n);

		if (lvl_n)

			lvl_n->lvl_prv = _db_node_get(lvl_p);

		/* update caller's pointer */

		if (lvl_p)

			*node = lvl_p;

		else if (lvl_n)

			*node = lvl_n;

		else

			*node = NULL;

		/* drop the next level(s) */

		cnt += _db_tree_put(&nxt_t);

		cnt += _db_tree_put(&nxt_f);

		/* cleanup and accounting */

		free(n);

		cnt++;

	}

	return cnt;

}

/**

 * Remove a node from an argument chain tree

 * @param tree the pointer to the tree

 * @param node the node to remove

 *

 * This function searches the tree looking for the node and removes it as well

 * as any sub-trees beneath it.  Returns the number of nodes freed.

 *

 */

static unsigned int _db_tree_remove(struct db_arg_chain_tree **tree,

				    struct db_arg_chain_tree *node)

{

	int cnt = 0;

	struct db_arg_chain_tree *c_iter;

	if (tree == NULL || *tree == NULL || node == NULL)

		return 0;

	c_iter = *tree;

	while (c_iter->lvl_prv != NULL)

		c_iter = c_iter->lvl_prv;

	do {

		/* current node? */

		if (c_iter == node)

			goto remove;

		/* check the sub-trees */

		cnt += _db_tree_remove(&(c_iter->nxt_t), node);

		cnt += _db_tree_remove(&(c_iter->nxt_f), node);

		/* check for empty/zombie nodes */

		if (_db_chain_zombie(c_iter))

			goto remove;

		/* next node on this level */

		c_iter = c_iter->lvl_nxt;

	} while (c_iter != NULL && cnt == 0);

	return cnt;

remove:

	/* reset the tree pointer if needed */

	if (c_iter == *tree) {

		if (c_iter->lvl_prv != NULL)

			*tree = c_iter->lvl_prv;

		else

			*tree = c_iter->lvl_nxt;

	}

	/* remove the node from the current level */

	if (c_iter->lvl_prv)

		c_iter->lvl_prv->lvl_nxt = c_iter->lvl_nxt;

	if (c_iter->lvl_nxt)

		c_iter->lvl_nxt->lvl_prv = c_iter->lvl_prv;

	c_iter->lvl_prv = NULL;

	c_iter->lvl_nxt = NULL;

	/* free the node and any sub-trees */

	cnt += _db_node_put(&c_iter);

	return cnt;

}

/**

 * Traverse a tree checking the action values

 * @param tree the pointer to the tree

 * @param action the action

 *

 * Traverse the tree inspecting each action to see if it matches the given

 * action.  Returns zero if all actions match the given action, negative values

 * on failure.

 *

 */

static int _db_tree_act_check(struct db_arg_chain_tree *tree, uint32_t action)

{

	int rc;

	struct db_arg_chain_tree *c_iter;

	if (tree == NULL)

		return 0;

	c_iter = tree;

	while (c_iter->lvl_prv != NULL)

		c_iter = c_iter->lvl_prv;

	do {

		if (c_iter->act_t_flg && c_iter->act_t != action)

			return -EEXIST;

		if (c_iter->act_f_flg && c_iter->act_f != action)

			return -EEXIST;

		rc = _db_tree_act_check(c_iter->nxt_t, action);

		if (rc < 0)

			return rc;

		rc = _db_tree_act_check(c_iter->nxt_f, action);

		if (rc < 0)

			return rc;

		c_iter = c_iter->lvl_nxt;

	} while (c_iter != NULL);

	return 0;

}

/**

 * Checks for a sub-tree match in an existing tree and prunes the tree

 * @param existing pointer to the existing tree

 * @param new pointer to the new tree

 * @param state pointer to a state structure

 *

 * This function searches the existing tree trying to prune it based on the

 * new tree.  Returns the number of nodes removed from the tree on success,

 * zero if no changes were made.

 *

 */

static int _db_tree_prune(struct db_arg_chain_tree **existing,

			  struct db_arg_chain_tree *new,

			  struct db_iter_state *state)

{

	int cnt = 0;

	struct db_iter_state state_nxt;

	struct db_iter_state state_new = *state;

	struct db_arg_chain_tree *x_iter_next;

	struct db_arg_chain_tree *x_iter = *existing;

	struct db_arg_chain_tree *n_iter = new;

	/* check if either tree is finished */

	if (n_iter == NULL || x_iter == NULL)

		goto prune_return;

	/* bail out if we have a broken match */

	if ((state->flags & _DB_IST_M_MATCHSET) == _DB_IST_MATCH_ONCE)

		goto prune_return;

	/* get to the start of the existing level */

	while (x_iter->lvl_prv)

		x_iter = x_iter->lvl_prv;

	/* NOTE: a few comments on the code below ...

	 * 1) we need to take a reference before we go down a level in case

	 *    we end up dropping the sub-tree (see the _db_node_get() calls)

	 * 2) since the new tree really only has one branch, we can only ever

	 *    match on one branch in the existing tree, if we "hit" then we

	 *    can bail on the other branches */

	do {

		/* store this now in case we remove x_iter */

		x_iter_next = x_iter->lvl_nxt;

		/* compare the two nodes */

		if (_db_chain_eq(x_iter, n_iter)) {

			/* we have a match */

			state_new.flags |= _DB_IST_M_MATCHSET;

			/* check if either tree is finished */

			if (_db_chain_leaf(n_iter))

				state_new.flags |= _DB_IST_N_FINISHED;

			if (_db_chain_leaf(x_iter))

				state_new.flags |= _DB_IST_X_FINISHED;

			/* don't remove nodes if we have more actions/levels */

			if ((x_iter->act_t_flg || x_iter->nxt_t) &&

			    !(n_iter->act_t_flg || n_iter->nxt_t))

				goto prune_return;

			if ((x_iter->act_f_flg || x_iter->nxt_f) &&

			    !(n_iter->act_f_flg || n_iter->nxt_f))

				goto prune_return;

			/* if finished, compare actions */

			if ((state_new.flags & _DB_IST_N_FINISHED) &&

			    (state_new.flags & _DB_IST_X_FINISHED)) {

				if (n_iter->act_t_flg != x_iter->act_t_flg)

					goto prune_return;

				if (n_iter->act_t != x_iter->act_t)

					goto prune_return;

				if (n_iter->act_f_flg != x_iter->act_f_flg)

					goto prune_return;

				if (n_iter->act_f != x_iter->act_f)

					goto prune_return;

			}

			/* check next level */

			if (n_iter->nxt_t) {

				_db_node_get(x_iter);

				state_nxt = *state;

				state_nxt.flags |= _DB_IST_M_MATCHSET;

				cnt += _db_tree_prune(&x_iter->nxt_t,

						      n_iter->nxt_t,

						      &state_nxt);

				cnt += _db_node_put(&x_iter);

				if (state_nxt.flags & _DB_IST_MATCH) {

					state_new.flags |= state_nxt.flags;

					/* don't return yet, we need to check

					 * the current node */

				}

				if (x_iter == NULL)

					goto prune_next_node;

			}

			if (n_iter->nxt_f) {

				_db_node_get(x_iter);

				state_nxt = *state;

				state_nxt.flags |= _DB_IST_M_MATCHSET;

				cnt += _db_tree_prune(&x_iter->nxt_f,

						      n_iter->nxt_f,

						      &state_nxt);

				cnt += _db_node_put(&x_iter);

				if (state_nxt.flags & _DB_IST_MATCH) {

					state_new.flags |= state_nxt.flags;

					/* don't return yet, we need to check

					 * the current node */

				}

				if (x_iter == NULL)

					goto prune_next_node;

			}

			/* remove the node? */

			if (!_db_tree_act_check(x_iter, state_new.action) &&

			    (state_new.flags & _DB_IST_MATCH) &&

			    (state_new.flags & _DB_IST_N_FINISHED) &&

			    (state_new.flags & _DB_IST_X_PREFIX)) {

				/* yes - the new tree is "shorter" */

				cnt += _db_tree_remove(&state->sx->chains,

						       x_iter);

				if (state->sx->chains == NULL)

					goto prune_return;

			} else if (!_db_tree_act_check(x_iter, state_new.action)

				   && (state_new.flags & _DB_IST_MATCH) &&

				   (state_new.flags & _DB_IST_X_FINISHED) &&

				   (state_new.flags & _DB_IST_N_PREFIX)) {

				/* no - the new tree is "longer" */

				goto prune_return;

			}

		} else if (_db_chain_lt(x_iter, n_iter)) {

			/* bail if we have a prefix on the new tree */

			if (state->flags & _DB_IST_N_PREFIX)

				goto prune_return;

			/* check the next level in the existing tree */

			if (x_iter->nxt_t) {

				_db_node_get(x_iter);

				state_nxt = *state;

				state_nxt.flags &= ~_DB_IST_MATCH;

				state_nxt.flags |= _DB_IST_X_PREFIX;

				cnt += _db_tree_prune(&x_iter->nxt_t, n_iter,

						      &state_nxt);

				cnt += _db_node_put(&x_iter);

				if (state_nxt.flags & _DB_IST_MATCH) {

					state_new.flags |= state_nxt.flags;

					goto prune_return;

				}

				if (x_iter == NULL)

					goto prune_next_node;

			}

			if (x_iter->nxt_f) {

				_db_node_get(x_iter);

				state_nxt = *state;

				state_nxt.flags &= ~_DB_IST_MATCH;

				state_nxt.flags |= _DB_IST_X_PREFIX;

				cnt += _db_tree_prune(&x_iter->nxt_f, n_iter,

						      &state_nxt);

				cnt += _db_node_put(&x_iter);

				if (state_nxt.flags & _DB_IST_MATCH) {

					state_new.flags |= state_nxt.flags;

					goto prune_return;

				}

				if (x_iter == NULL)

					goto prune_next_node;

			}

		} else {

			/* bail if we have a prefix on the existing tree */

			if (state->flags & _DB_IST_X_PREFIX)

				goto prune_return;

			/* check the next level in the new tree */

			if (n_iter->nxt_t) {

				_db_node_get(x_iter);

				state_nxt = *state;

				state_nxt.flags &= ~_DB_IST_MATCH;

				state_nxt.flags |= _DB_IST_N_PREFIX;

				cnt += _db_tree_prune(&x_iter, n_iter->nxt_t,

						      &state_nxt);

				cnt += _db_node_put(&x_iter);

				if (state_nxt.flags & _DB_IST_MATCH) {

					state_new.flags |= state_nxt.flags;

					goto prune_return;

				}

				if (x_iter == NULL)

					goto prune_next_node;

			}

			if (n_iter->nxt_f) {

				_db_node_get(x_iter);

				state_nxt = *state;

				state_nxt.flags &= ~_DB_IST_MATCH;

				state_nxt.flags |= _DB_IST_N_PREFIX;

				cnt += _db_tree_prune(&x_iter, n_iter->nxt_f,

						      &state_nxt);

				cnt += _db_node_put(&x_iter);

				if (state_nxt.flags & _DB_IST_MATCH) {

					state_new.flags |= state_nxt.flags;

					goto prune_return;

				}

				if (x_iter == NULL)

					goto prune_next_node;

			}

		}

prune_next_node:

		/* check next node on this level */

		x_iter = x_iter_next;

	} while (x_iter);

	// if we are falling through, we clearly didn't match on anything

	state_new.flags &= ~_DB_IST_MATCH;

prune_return:

	/* no more nodes on this level, return to the level above */

	if (state_new.flags & _DB_IST_MATCH)

		state->flags |= state_new.flags;

	else

		state->flags &= ~_DB_IST_MATCH;

	return cnt;

}

/**

 * Add a new tree into an existing tree

 * @param existing pointer to the existing tree

 * @param new pointer to the new tree

 * @param state pointer to a state structure

 *

 * This function adds the new tree into the existing tree, fetching additional

 * references as necessary.  Returns zero on success, negative values on

 * failure.

 *

 */

static int _db_tree_add(struct db_arg_chain_tree **existing,

			struct db_arg_chain_tree *new,

			struct db_iter_state *state)

{

	int rc;

	struct db_arg_chain_tree *x_iter = *existing;

	struct db_arg_chain_tree *n_iter = new;

	do {

		if (_db_chain_eq(x_iter, n_iter)) {

			if (n_iter->act_t_flg) {

				if (!x_iter->act_t_flg) {

					/* new node has a true action */

					/* do the actions match? */

					rc = _db_tree_act_check(x_iter->nxt_t,

								n_iter->act_t);

					if (rc != 0)

						return rc;

					/* update with the new action */

					rc = _db_node_put(&x_iter->nxt_t);

					x_iter->nxt_t = NULL;

					x_iter->act_t = n_iter->act_t;

					x_iter->act_t_flg = true;

					state->sx->node_cnt -= rc;

				} else if (n_iter->act_t != x_iter->act_t) {

					/* if we are dealing with a 64-bit

					 * comparison, we need to adjust our

					 * action based on the full 64-bit

					 * value to ensure we handle GT/GE

					 * comparisons correctly */

					if (n_iter->arg_h_flg &&

					    (n_iter->datum_full >

					     x_iter->datum_full))

						x_iter->act_t = n_iter->act_t;

					if (_db_chain_leaf(x_iter) ||

					    _db_chain_leaf(n_iter))

						return -EEXIST;

				}

			}

			if (n_iter->act_f_flg) {

				if (!x_iter->act_f_flg) {

					/* new node has a false action */

					/* do the actions match? */

					rc = _db_tree_act_check(x_iter->nxt_f,

								n_iter->act_f);

					if (rc != 0)

						return rc;

					/* update with the new action */

					rc = _db_node_put(&x_iter->nxt_f);

					x_iter->nxt_f = NULL;

					x_iter->act_f = n_iter->act_f;

					x_iter->act_f_flg = true;

					state->sx->node_cnt -= rc;

				} else if (n_iter->act_f != x_iter->act_f) {

					/* if we are dealing with a 64-bit

					 * comparison, we need to adjust our

					 * action based on the full 64-bit

					 * value to ensure we handle LT/LE

					 * comparisons correctly */

					if (n_iter->arg_h_flg &&

					    (n_iter->datum_full <

					     x_iter->datum_full))

						x_iter->act_t = n_iter->act_t;

					if (_db_chain_leaf(x_iter) ||

					    _db_chain_leaf(n_iter))

						return -EEXIST;

				}

			}

			if (n_iter->nxt_t) {

				if (x_iter->nxt_t) {

					/* compare the next level */

					rc = _db_tree_add(&x_iter->nxt_t,

							  n_iter->nxt_t,

							  state);

					if (rc != 0)

						return rc;

				} else if (!x_iter->act_t_flg) {

					/* add a new sub-tree */

					x_iter->nxt_t = _db_node_get(n_iter->nxt_t);

				} else

					/* done - existing tree is "shorter" */

					return 0;

			}

			if (n_iter->nxt_f) {

				if (x_iter->nxt_f) {

					/* compare the next level */

					rc = _db_tree_add(&x_iter->nxt_f,

							  n_iter->nxt_f,

							  state);

					if (rc != 0)

						return rc;

				} else if (!x_iter->act_f_flg) {

					/* add a new sub-tree */

					x_iter->nxt_f = _db_node_get(n_iter->nxt_f);

				} else

					/* done - existing tree is "shorter" */

					return 0;

			}

			return 0;

		} else if (!_db_chain_lt(x_iter, n_iter)) {

			/* try to move along the current level */

			if (x_iter->lvl_nxt == NULL) {

				/* add to the end of this level */

				n_iter->lvl_prv = _db_node_get(x_iter);

				x_iter->lvl_nxt = _db_node_get(n_iter);

				return 0;

			} else

				/* next */

				x_iter = x_iter->lvl_nxt;

		} else {

			/* add before the existing node on this level*/

			if (x_iter->lvl_prv != NULL) {

				x_iter->lvl_prv->lvl_nxt = _db_node_get(n_iter);

				n_iter->lvl_prv = x_iter->lvl_prv;

				x_iter->lvl_prv = _db_node_get(n_iter);

				n_iter->lvl_nxt = x_iter;

			} else {

				x_iter->lvl_prv = _db_node_get(n_iter);

				n_iter->lvl_nxt = _db_node_get(x_iter);

			}

			if (*existing == x_iter) {

				*existing = _db_node_get(n_iter);

				_db_node_put(&x_iter);

			}

			return 0;

		}

	} while (x_iter);

	return 0;

}

/**

 * Free and reset the seccomp filter DB

 * @param db the seccomp filter DB

 *

 * This function frees any existing filters and resets the filter DB to a

 * default state; only the DB architecture is preserved.

 *

 */

static void _db_reset(struct db_filter *db)

{

	struct db_sys_list *s_iter;

	struct db_api_rule_list *r_iter;

	if (db == NULL)

		return;

	/* free any filters */

	if (db->syscalls != NULL) {

		s_iter = db->syscalls;

		while (s_iter != NULL) {

			db->syscalls = s_iter->next;

			_db_tree_put(&s_iter->chains);

			free(s_iter);

			s_iter = db->syscalls;

		}

		db->syscalls = NULL;

	}

	/* free any rules */

	if (db->rules != NULL) {

		/* split the loop first then loop and free */

		db->rules->prev->next = NULL;

		r_iter = db->rules;

		while (r_iter != NULL) {

			db->rules = r_iter->next;

			free(r_iter);

			r_iter = db->rules;

		}

		db->rules = NULL;

	}

}

/**

 * Intitalize a seccomp filter DB

 * @param arch the architecture definition

 *

 * This function initializes a seccomp filter DB and readies it for use.

 * Returns a pointer to the DB on success, NULL on failure.

 *

 */

static struct db_filter *_db_init(const struct arch_def *arch)

{

	struct db_filter *db;

	db = zmalloc(sizeof(*db));

	if (db == NULL)

		return NULL;

	/* set the arch and reset the DB to a known state */

	db->arch = arch;

	_db_reset(db);

	return db;

}