|
Lines 43-48
|
| 43 |
#include <sys/resource.h> |
43 |
#include <sys/resource.h> |
| 44 |
#include <sys/prctl.h> |
44 |
#include <sys/prctl.h> |
| 45 |
|
45 |
|
|
|
46 |
#include <linux/net.h> |
| 46 |
#include <linux/audit.h> |
47 |
#include <linux/audit.h> |
| 47 |
#include <linux/filter.h> |
48 |
#include <linux/filter.h> |
| 48 |
#include <linux/seccomp.h> |
49 |
#include <linux/seccomp.h> |
|
Lines 80-85
|
| 80 |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ |
81 |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ |
| 81 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
82 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
| 82 |
|
83 |
|
|
|
84 |
#define SC_ALLOW_1ARG(_nr, _arg0) \ |
| 85 |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \ |
| 86 |
/* load first syscall argument */ \ |
| 87 |
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ |
| 88 |
offsetof(struct seccomp_data, args[0])), \ |
| 89 |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, _arg0, 0, 1), \ |
| 90 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \ |
| 91 |
/* reload syscall number; all rules expect it in accumulator */ \ |
| 92 |
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ |
| 93 |
offsetof(struct seccomp_data, nr)), |
| 94 |
|
| 83 |
/* Syscall filtering set for preauth. */ |
95 |
/* Syscall filtering set for preauth. */ |
| 84 |
static const struct sock_filter preauth_insns[] = { |
96 |
static const struct sock_filter preauth_insns[] = { |
| 85 |
/* Ensure the syscall arch convention is as expected. */ |
97 |
/* Ensure the syscall arch convention is as expected. */ |
|
Lines 92-97
static const struct sock_filter preauth_insns[] = {
|
| 92 |
offsetof(struct seccomp_data, nr)), |
104 |
offsetof(struct seccomp_data, nr)), |
| 93 |
SC_DENY(open, EACCES), |
105 |
SC_DENY(open, EACCES), |
| 94 |
SC_DENY(stat, EACCES), |
106 |
SC_DENY(stat, EACCES), |
|
|
107 |
SC_DENY(fstat, EACCES), |
| 95 |
SC_ALLOW(getpid), |
108 |
SC_ALLOW(getpid), |
| 96 |
SC_ALLOW(gettimeofday), |
109 |
SC_ALLOW(gettimeofday), |
| 97 |
SC_ALLOW(clock_gettime), |
110 |
SC_ALLOW(clock_gettime), |
|
Lines 129-134
static const struct sock_filter preauth_insns[] = {
|
| 129 |
#else |
142 |
#else |
| 130 |
SC_ALLOW(sigprocmask), |
143 |
SC_ALLOW(sigprocmask), |
| 131 |
#endif |
144 |
#endif |
|
|
145 |
#ifdef __NR_socketcall |
| 146 |
/* enable only shutdown on i386 */ |
| 147 |
SC_ALLOW_1ARG(socketcall, SYS_SHUTDOWN); |
| 148 |
#endif |
| 132 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), |
149 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), |
| 133 |
}; |
150 |
}; |
| 134 |
|
151 |
|
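Review bot: `SC_ALLOW_1ARG(socketcall, SYS_SHUTDOWN);` at new line 147 carries a trailing semicolon inside the `preauth_insns[]` initializer, and the macro it expands already ends in a comma, so any build where `__NR_socketcall` is defined (i386) fails to compile on a stray `;` in the initializer list, while builds without it never expand the block and cannot catch this. The line should read `SC_ALLOW_1ARG(socketcall, SYS_SHUTDOWN)` with no semicolon, matching the adjacent `SC_ALLOW(sigprocmask),` entry. Since the `#ifdef` hides the rule entirely on x86_64, an i386 (or `-m32`) compile is worth adding wherever this filter is built, and the `preauth_insns[]` definition begins outside this hunk.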