

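--- a/configure.ac
+++ b/configure.ac
@@ -777,9 +777,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	i*86-*)
 		seccomp_audit_arch=AUDIT_ARCH_I386
 		;;
-        arm*-*)
+	aarch64*-*)
+		seccomp_audit_arch=AUDIT_ARCH_AARCH64
+		;;
+	arm*-*)
 		seccomp_audit_arch=AUDIT_ARCH_ARM
-                ;;
+		;;
 	esac
 	if test "x$seccomp_audit_arch" != "x" ; then
 		AC_MSG_RESULT(["$seccomp_audit_arch"])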
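Review bot: The new `aarch64*-*)` arm sets `seccomp_audit_arch=AUDIT_ARCH_AARCH64` without checking that the installed `<linux/audit.h>` declares that constant. How the variable is consumed is outside the hunk, but if it ends up as a macro value compiled into the seccomp filter, a build against older kernel headers would presumably fail at compile time instead of falling back to another sandbox. A declaration probe before accepting the value, for example `AC_CHECK_DECL([AUDIT_ARCH_AARCH64], [], [seccomp_audit_arch=""], [[#include <linux/audit.h>]])`, would let configure degrade cleanly. The `case` statement starts above the hunk.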
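--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -90,45 +90,71 @@ static const struct sock_filter preauth_insns[] = {
 	/* Load the syscall number for checking. */
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 		offsetof(struct seccomp_data, nr)),
-	SC_DENY(open, EACCES),
-	SC_DENY(stat, EACCES),
+	/* Denied syscalls */
+#ifdef __NR_fstat
+	SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */
+#endif
+#ifdef __NR_fstat64
+	SC_DENY(fstat64, EACCES),
+#endif
+#ifdef __NR_newfstatat
+	SC_DENY(newfstatat, EACCES), /* Aarch64 */
+#endif
+#ifdef __NR_openat
+	SC_DENY(openat, EACCES),
+#endif
+#ifdef __NR_open
+	SC_DENY(open, EACCES), /* not on AArch64 */
+#endif
+#ifdef __NR_stat64
+	SC_DENY(stat64, EACCES), /* ix86, arm */
+#endif
+	/* Allowed syscalls */
+	SC_ALLOW(brk),
+	SC_ALLOW(clock_gettime),
+	SC_ALLOW(close),
+	SC_ALLOW(exit_group),
 	SC_ALLOW(getpid),
 	SC_ALLOW(gettimeofday),
-	SC_ALLOW(clock_gettime),
-#ifdef __NR_time /* not defined on EABI ARM */
-	SC_ALLOW(time),
-#endif
+	SC_ALLOW(madvise),
+	SC_ALLOW(munmap),
 	SC_ALLOW(read),
 	SC_ALLOW(write),
-	SC_ALLOW(close),
-#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
-	SC_ALLOW(shutdown),
+#ifdef __dietlibc__
+	SC_ALLOW(mremap),
+	SC_ALLOW(exit),
 #endif
-	SC_ALLOW(brk),
-	SC_ALLOW(poll),
 #ifdef __NR__newselect
 	SC_ALLOW(_newselect),
-#else
-	SC_ALLOW(select),
-#endif
-	SC_ALLOW(madvise),
-#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
-	SC_ALLOW(mmap2),
 #endif
 #ifdef __NR_mmap
 	SC_ALLOW(mmap),
 #endif
-#ifdef __dietlibc__
-	SC_ALLOW(mremap),
-	SC_ALLOW(exit),
+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
+	SC_ALLOW(mmap2),
+#endif
+#ifdef __NR_poll /* not on AArch64 */
+	SC_ALLOW(poll),
+#endif
+#ifdef __NR_pselect6 /* AArch64 */
+	SC_ALLOW(pselect6),
+#endif
+#ifdef __NR_select /* not on AArch64 */
+	SC_ALLOW(select),
+#endif
+#ifdef __NR_sigprocmask
+	SC_ALLOW(sigprocmask),
+#endif
+#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
+	SC_ALLOW(shutdown),
+#endif
+#ifdef __NR_time /* not defined on EABI ARM */
+	SC_ALLOW(time),
 #endif
-	SC_ALLOW(munmap),
-	SC_ALLOW(exit_group),
 #ifdef __NR_rt_sigprocmask
 	SC_ALLOW(rt_sigprocmask),
-#else
-	SC_ALLOW(sigprocmask),
 #endif
+	/* Catchall: fail for other syscalls */
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
 };
 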
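Review bot: The deny list on the new side drops `SC_DENY(stat, EACCES)` without a guarded replacement: `fstat`, `fstat64`, `newfstatat`, `openat`, `open` and `stat64` are listed, but plain `stat` is not, so on an architecture that defines `__NR_stat` but not `__NR_stat64` (x86_64, as far as I know) a stat() call would move from a soft EACCES to the `SECCOMP_FILTER_FAIL` catchall. Adding `#ifdef __NR_stat` / `SC_DENY(stat, EACCES),` / `#endif` next to the `stat64` entry would keep the previous behaviour. Separately, `select` and `sigprocmask` used to be `#else` fallbacks for `_newselect` and `rt_sigprocmask` and are now allowed whenever their `__NR_` macro exists, and `pselect6` is allowed on every architecture that defines it although its comment names only AArch64; this widens the pre-auth allow list on existing platforms beyond what the port needs, so restoring the `#else` pairing for the first two would keep the filter minimal. The initializer of `preauth_insns` opens above the hunk.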
