Attachment #2561 for bug #2361

Lines 764-772 main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) Link Here

(-)a/configure.ac (-2 / +5 lines)
764	i86-)	764	i86-)
765	seccomp_audit_arch=AUDIT_ARCH_I386	765	seccomp_audit_arch=AUDIT_ARCH_I386
766	;;	766	;;
767	arm-)	767	aarch64-)
		768	seccomp_audit_arch=AUDIT_ARCH_AARCH64
		769	;;
		770	arm-)
768	seccomp_audit_arch=AUDIT_ARCH_ARM	771	seccomp_audit_arch=AUDIT_ARCH_ARM
769	;;	772	;;
770	esac	773	esac
771	if test "x$seccomp_audit_arch" != "x" ; then	774	if test "x$seccomp_audit_arch" != "x" ; then
772	AC_MSG_RESULT(["$seccomp_audit_arch"])	775	AC_MSG_RESULT(["$seccomp_audit_arch"])




	/* Load the syscall number for checking. */
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
		offsetof(struct seccomp_data, nr)),
	SC_DENY(openat, EACCES),
#ifdef __NR_open
	SC_DENY(open, EACCES), /* not on AArch64 */
#endif
#ifdef __NR_fstat
	SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */
#endif
#if defined(__NR_stat64) && defined(__NR_fstat64)
	SC_DENY(stat64, EACCES), /* ix86, arm */
	SC_DENY(fstat64, EACCES),
#endif
#ifdef __NR_newfstatat
	SC_DENY(newfstatat, EACCES), /* Aarch64 */
#endif
	SC_ALLOW(getpid),
	SC_ALLOW(gettimeofday),
	SC_ALLOW(clock_gettime),

	SC_ALLOW(shutdown),
#endif
	SC_ALLOW(brk),
#ifdef __NR_poll /* not on AArch64 */
	SC_ALLOW(poll),
#endif
#ifdef __NR__newselect
	SC_ALLOW(_newselect),
#else
#ifdef __NR_select /* not on AArch64 */
	SC_ALLOW(select),
#endif
#ifdef __NR_pselect6 /* AArch64 */
	SC_ALLOW(pselect6),
#endif
#endif
	SC_ALLOW(madvise),
#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
	SC_ALLOW(mmap2),

Return to bug 2361

Lines 90-97 static const struct sock_filter preauth_insns[] = { Link Here

(-)a/sandbox-seccomp-filter.c (-2 / +21 lines)
90	/* Load the syscall number for checking. */	90	/* Load the syscall number for checking. */
91	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,	91	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
92	offsetof(struct seccomp_data, nr)),	92	offsetof(struct seccomp_data, nr)),
93	SC_DENY(open, EACCES),	93	SC_DENY(openat, EACCES),
94	SC_DENY(stat, EACCES),	94	#ifdef __NR_open
		95	SC_DENY(open, EACCES), /* not on AArch64 */
		96	#endif
		97	#ifdef __NR_fstat
		98	SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */
		99	#endif
		100	#if defined(__NR_stat64) && defined(__NR_fstat64)
		101	SC_DENY(stat64, EACCES), /* ix86, arm */
		102	SC_DENY(fstat64, EACCES),
		103	#endif
		104	#ifdef __NR_newfstatat
		105	SC_DENY(newfstatat, EACCES), /* Aarch64 */
		106	#endif
95	SC_ALLOW(getpid),	107	SC_ALLOW(getpid),
96	SC_ALLOW(gettimeofday),	108	SC_ALLOW(gettimeofday),
97	SC_ALLOW(clock_gettime),	109	SC_ALLOW(clock_gettime),
Lines 111-122 static const struct sock_filter preauth_insns[] = { Link Here
111	SC_ALLOW(shutdown),	123	SC_ALLOW(shutdown),
112	#endif	124	#endif
113	SC_ALLOW(brk),	125	SC_ALLOW(brk),
		126	#ifdef __NR_poll /* not on AArch64 */
114	SC_ALLOW(poll),	127	SC_ALLOW(poll),
		128	#endif
115	#ifdef __NR__newselect	129	#ifdef __NR__newselect
116	SC_ALLOW(_newselect),	130	SC_ALLOW(_newselect),
117	#else	131	#else
		132	#ifdef __NR_select /* not on AArch64 */
118	SC_ALLOW(select),	133	SC_ALLOW(select),
119	#endif	134	#endif
		135	#ifdef __NR_pselect6 /* AArch64 */
		136	SC_ALLOW(pselect6),
		137	#endif
		138	#endif
120	SC_ALLOW(madvise),	139	SC_ALLOW(madvise),
121	#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */	140	#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
122	SC_ALLOW(mmap2),	141	SC_ALLOW(mmap2),