|
Lines 43-48
|
| 43 |
#include <sys/resource.h> |
43 |
#include <sys/resource.h> |
| 44 |
#include <sys/prctl.h> |
44 |
#include <sys/prctl.h> |
| 45 |
|
45 |
|
|
|
46 |
#include <linux/net.h> |
| 46 |
#include <linux/audit.h> |
47 |
#include <linux/audit.h> |
| 47 |
#include <linux/filter.h> |
48 |
#include <linux/filter.h> |
| 48 |
#include <linux/seccomp.h> |
49 |
#include <linux/seccomp.h> |
|
Lines 80-85
|
| 80 |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ |
81 |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ |
| 81 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
82 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
| 82 |
|
83 |
|
|
|
84 |
#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \ |
| 85 |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \ |
| 86 |
/* load first syscall argument */ \ |
| 87 |
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ |
| 88 |
offsetof(struct seccomp_data, args[(_arg_nr)])), \ |
| 89 |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \ |
| 90 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \ |
| 91 |
/* reload syscall number; all rules expect it in accumulator */ \ |
| 92 |
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ |
| 93 |
offsetof(struct seccomp_data, nr)) |
| 94 |
|
| 83 |
/* Syscall filtering set for preauth. */ |
95 |
/* Syscall filtering set for preauth. */ |
| 84 |
static const struct sock_filter preauth_insns[] = { |
96 |
static const struct sock_filter preauth_insns[] = { |
| 85 |
/* Ensure the syscall arch convention is as expected. */ |
97 |
/* Ensure the syscall arch convention is as expected. */ |
|
Lines 91-97
static const struct sock_filter preauth_insns[] = {
|
| 91 |
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, |
103 |
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, |
| 92 |
offsetof(struct seccomp_data, nr)), |
104 |
offsetof(struct seccomp_data, nr)), |
| 93 |
SC_DENY(open, EACCES), |
105 |
SC_DENY(open, EACCES), |
|
|
106 |
#ifdef __NR_stat |
| 94 |
SC_DENY(stat, EACCES), |
107 |
SC_DENY(stat, EACCES), |
|
|
108 |
#endif |
| 109 |
#ifdef __NR_fstat |
| 110 |
SC_DENY(fstat, EACCES), |
| 111 |
#endif |
| 95 |
SC_ALLOW(getpid), |
112 |
SC_ALLOW(getpid), |
| 96 |
SC_ALLOW(gettimeofday), |
113 |
SC_ALLOW(gettimeofday), |
| 97 |
SC_ALLOW(clock_gettime), |
114 |
SC_ALLOW(clock_gettime), |
|
Lines 129-134
static const struct sock_filter preauth_insns[] = {
|
| 129 |
#else |
146 |
#else |
| 130 |
SC_ALLOW(sigprocmask), |
147 |
SC_ALLOW(sigprocmask), |
| 131 |
#endif |
148 |
#endif |
|
|
149 |
#ifdef __NR_socketcall |
| 150 |
/* enable only shutdown on i386 */ |
| 151 |
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), |
| 152 |
#endif |
| 132 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), |
153 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), |
| 133 |
}; |
154 |
}; |
| 134 |
|
155 |
|