Bugzilla – Attachment 2601 Details for
Bug 2361
seccomp filter (not only) for aarch64
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
flatten and sort syscall ACL
sandbox-aarch64.diff (text/plain), 2.85 KB, created by
Damien Miller
on 2015-04-24 13:36:35 AEST
(
hide
)
Description:
flatten and sort syscall ACL
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2015-04-24 13:36:35 AEST
Size:
2.85 KB
patch
obsolete
>diff --git a/configure.ac b/configure.ac >index 606c736..7a5674a 100644 >--- a/configure.ac >+++ b/configure.ac >@@ -777,9 +777,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) > i*86-*) > seccomp_audit_arch=AUDIT_ARCH_I386 > ;; >- arm*-*) >+ aarch64*-*) >+ seccomp_audit_arch=AUDIT_ARCH_AARCH64 >+ ;; >+ arm*-*) > seccomp_audit_arch=AUDIT_ARCH_ARM >- ;; >+ ;; > esac > if test "x$seccomp_audit_arch" != "x" ; then > AC_MSG_RESULT(["$seccomp_audit_arch"]) >diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c >index b6f6258..37b4f5b 100644 >--- a/sandbox-seccomp-filter.c >+++ b/sandbox-seccomp-filter.c >@@ -90,45 +90,71 @@ static const struct sock_filter preauth_insns[] = { > /* Load the syscall number for checking. */ > BPF_STMT(BPF_LD+BPF_W+BPF_ABS, > offsetof(struct seccomp_data, nr)), >- SC_DENY(open, EACCES), >- SC_DENY(stat, EACCES), >+ /* Denied syscalls */ >+#ifdef __NR_fstat >+ SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */ >+#endif >+#ifdef __NR_fstat64 >+ SC_DENY(fstat64, EACCES), >+#endif >+#ifdef __NR_newfstatat >+ SC_DENY(newfstatat, EACCES), /* Aarch64 */ >+#endif >+#ifdef __NR_openat >+ SC_DENY(openat, EACCES), >+#endif >+#ifdef __NR_open >+ SC_DENY(open, EACCES), /* not on AArch64 */ >+#endif >+#ifdef __NR_stat64 >+ SC_DENY(stat64, EACCES), /* ix86, arm */ >+#endif >+ /* Allowed syscalls */ >+ SC_ALLOW(brk), >+ SC_ALLOW(clock_gettime), >+ SC_ALLOW(close), >+ SC_ALLOW(exit_group), > SC_ALLOW(getpid), > SC_ALLOW(gettimeofday), >- SC_ALLOW(clock_gettime), >-#ifdef __NR_time /* not defined on EABI ARM */ >- SC_ALLOW(time), >-#endif >+ SC_ALLOW(madvise), >+ SC_ALLOW(munmap), > SC_ALLOW(read), > SC_ALLOW(write), >- SC_ALLOW(close), >-#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */ >- SC_ALLOW(shutdown), >+#ifdef __dietlibc__ >+ SC_ALLOW(mremap), >+ SC_ALLOW(exit), > #endif >- SC_ALLOW(brk), >- SC_ALLOW(poll), > #ifdef __NR__newselect > SC_ALLOW(_newselect), >-#else >- SC_ALLOW(select), >-#endif >- SC_ALLOW(madvise), >-#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ >- SC_ALLOW(mmap2), > #endif > #ifdef __NR_mmap > SC_ALLOW(mmap), > #endif >-#ifdef __dietlibc__ >- SC_ALLOW(mremap), >- SC_ALLOW(exit), >+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ >+ SC_ALLOW(mmap2), >+#endif >+#ifdef __NR_poll /* not on AArch64 */ >+ SC_ALLOW(poll), >+#endif >+#ifdef __NR_pselect6 /* AArch64 */ >+ SC_ALLOW(pselect6), >+#endif >+#ifdef __NR_select /* not on AArch64 */ >+ SC_ALLOW(select), >+#endif >+#ifdef __NR_sigprocmask >+ SC_ALLOW(sigprocmask), >+#endif >+#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */ >+ SC_ALLOW(shutdown), >+#endif >+#ifdef __NR_time /* not defined on EABI ARM */ >+ SC_ALLOW(time), > #endif >- SC_ALLOW(munmap), >- SC_ALLOW(exit_group), > #ifdef __NR_rt_sigprocmask > SC_ALLOW(rt_sigprocmask), >-#else >- SC_ALLOW(sigprocmask), > #endif >+ /* Catchall: fail for other syscalls */ > BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), > }; >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Flags:
dtucker
:
ok+
Actions:
View
|
Diff
Attachments on
bug 2361
:
2561
|
2601
|
2648
|
2649
|
2650
|
2651
|
2652
|
2655