Bugzilla – Attachment 2648 Details for
Bug 2361
seccomp filter (not only) for aarch64
proposed patch - stat and shutdown on ix68
file_2361.txt (text/plain), 1.17 KB, created by
Jakub Jelen
on 2015-06-16 20:00:30 AEST
Description:
proposed patch - stat and shutdown on ix68
Filename:
MIME Type:
Creator:
Jakub Jelen
Created:
2015-06-16 20:00:30 AEST
Size:
1.17 KB
>diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
>index 5d508b0..6aff197 100644
>--- a/sandbox-seccomp-filter.c
>+++ b/sandbox-seccomp-filter.c
>@@ -43,6 +43,7 @@
> #include <sys/resource.h>
> #include <sys/prctl.h>
> 
>+#include <linux/net.h>
> #include <linux/audit.h>
> #include <linux/filter.h>
> #include <linux/seccomp.h>
>@@ -94,6 +95,9 @@ static const struct sock_filter preauth_insns[] = {
> #ifdef __NR_open
> SC_DENY(open, EACCES), /* not on AArch64 */
> #endif
>+#ifdef __NR_stat
>+ SC_DENY(stat, EACCES),
>+#endif
> #ifdef __NR_fstat
> SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */
> #endif
>@@ -154,6 +158,13 @@ static const struct sock_filter preauth_insns[] = {
> #else
> SC_ALLOW(sigprocmask),
> #endif
>+#ifdef __NR_socketcall /* enable only shutdown on i386 */
>+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_socketcall, 0, 3),
>+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, /* load first argument of syscall */
>+ offsetof(struct seccomp_data, args[0])),
>+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_SHUTDOWN, 0, 1),
>+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
>+#endif /* need to be last check -- it doesn't restore buffer*/
> BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
> };
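Review bot: The new `SC_DENY(stat, EACCES)` entry covers only `__NR_stat`, while on 32-bit x86 the C library commonly issues `stat64`/`fstat64` instead. Nothing in the visible hunks shows those numbers being handled, so such a call would presumably fall through to the final `SECCOMP_FILTER_FAIL` return instead of getting the soft `EACCES`; this should be confirmed against the full `preauth_insns` table, which starts outside the hunk. If they are missing, guarded entries such as `#ifdef __NR_stat64` / `SC_DENY(stat64, EACCES),` would keep the denial behaviour consistent. The neighbouring entries also carry a short architecture comment that this one lacks.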
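Review bot: The socketcall rule leaves `args[0]` in the accumulator, so any rule later appended after it would compare against the argument instead of the syscall number, and the only warning is the comment trailing the `#endif`, which is easy to miss. Reloading the number just before the `#endif`, `BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),`, removes that ordering constraint (the existing jump offset of 3 would then land on the reload, which is harmless). Separately, the guard is `#ifdef __NR_socketcall` although the comment says i386: `args[0]` is a 64-bit field and `BPF_W` reads 32 bits at that offset, which is the low word on little-endian but the high word on big-endian targets that also define `__NR_socketcall`, so there the `SYS_SHUTDOWN` comparison would never match. That fails closed, but the rule should either be limited to the intended architecture or use an endian-aware offset for the low word. The array definition starts outside the hunk.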