|
Lines 95-100
|
| 95 |
#define SC_DENY(_nr, _errno) \ |
95 |
#define SC_DENY(_nr, _errno) \ |
| 96 |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \ |
96 |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \ |
| 97 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) |
97 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) |
|
|
98 |
#define SC_FAIL(_nr) \ |
| 99 |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \ |
| 100 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL) |
| 98 |
#define SC_ALLOW(_nr) \ |
101 |
#define SC_ALLOW(_nr) \ |
| 99 |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \ |
102 |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \ |
| 100 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
103 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
|
Lines 334-341
static const struct sock_filter preauth_insns[] = {
|
| 334 |
SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT), |
337 |
SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT), |
| 335 |
#endif |
338 |
#endif |
| 336 |
|
339 |
|
|
|
340 |
/* |
| 341 |
* umask never returns an error, so explicitly kill the process if |
| 342 |
* it tries to use that. See |
| 343 |
* https://bugzilla.mozilla.org/show_bug.cgi?id=1724098. |
| 344 |
*/ |
| 345 |
SC_FAIL(__NR_umask), |
| 346 |
|
| 337 |
/* Default deny */ |
347 |
/* Default deny */ |
| 338 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), |
348 |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|ENOSYS), |
| 339 |
}; |
349 |
}; |
| 340 |
|
350 |
|
| 341 |
static const struct sock_fprog preauth_program = { |
351 |
static const struct sock_fprog preauth_program = { |
| 342 |
- |
|
|
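Review bot: The default rule at new line 348 now returns `SECCOMP_RET_ERRNO|ENOSYS` where it used to return `SECCOMP_FILTER_FAIL`, so a syscall that is not listed in `preauth_insns` no longer stops the process; going by the new comment, only `SC_FAIL(__NR_umask)` still does. That makes the filter fail soft and presumably removes the signal or audit trace an unexpected syscall used to leave, which is worth stating in the code because the unchanged `/* Default deny */` comment reads as if nothing changed. I would reword it to `/* Default: fail unlisted syscalls with ENOSYS (non-fatal); never-failing ones need an explicit SC_FAIL */` and give `SC_FAIL` at new lines 98-100 a one-line comment saying it applies `SECCOMP_FILTER_FAIL` to a single syscall. The `preauth_insns` initializer starts outside the hunk, so whether other calls without an error return need the same treatment as `umask` cannot be checked from here.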