Bugzilla – Attachment 2649 Details for
Bug 2361
seccomp filter (not only) for aarch64
[patch]
use a macro for socketcall test
seccomp-1arg.diff (text/plain), 1.57 KB, created by
Damien Miller
on 2015-06-16 21:34:39 AEST
Description:
use a macro for socketcall test
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2015-06-16 21:34:39 AEST
Size:
1.57 KB
patch
obsolete
>diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
>index b6f6258..34aeb27 100644
>--- a/sandbox-seccomp-filter.c
>+++ b/sandbox-seccomp-filter.c
>@@ -43,6 +43,7 @@
> #include <sys/resource.h>
> #include <sys/prctl.h>
> 
>+#include <linux/net.h>
> #include <linux/audit.h>
> #include <linux/filter.h>
> #include <linux/seccomp.h>
>@@ -80,6 +81,17 @@
> BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
> BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
> 
>+#define SC_ALLOW_1ARG(_nr, _arg0) \
>+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
>+ /* load first syscall argument */ \
>+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
>+ offsetof(struct seccomp_data, args[0])), \
>+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, _arg0, 0, 1), \
>+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
>+ /* reload syscall number; all rules expect it in accumulator */ \
>+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
>+ offsetof(struct seccomp_data, nr)),
>+
> /* Syscall filtering set for preauth. */
> static const struct sock_filter preauth_insns[] = {
> /* Ensure the syscall arch convention is as expected. */
>@@ -92,6 +104,7 @@ static const struct sock_filter preauth_insns[] = {
> offsetof(struct seccomp_data, nr)),
> SC_DENY(open, EACCES),
> SC_DENY(stat, EACCES),
>+ SC_DENY(fstat, EACCES),
> SC_ALLOW(getpid),
> SC_ALLOW(gettimeofday),
> SC_ALLOW(clock_gettime),
>@@ -129,6 +142,10 @@ static const struct sock_filter preauth_insns[] = {
> #else
> SC_ALLOW(sigprocmask),
> #endif
>+#ifdef __NR_socketcall
>+ /* enable only shutdown on i386 */
>+ SC_ALLOW_1ARG(socketcall, SYS_SHUTDOWN);
>+#endif
> BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
> };
>
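Review bot: The trailing semicolon on `SC_ALLOW_1ARG(socketcall, SYS_SHUTDOWN);` is a syntax error inside the `preauth_insns[]` initializer: the macro already expands to a comma-terminated run of `BPF_STMT`/`BPF_JUMP` entries, so the `;` ends up between two array elements. It will not show up on an x86_64 build, where `__NR_socketcall` is undefined and the whole `#ifdef` block is dropped, but every socketcall architecture will fail to compile; the line should read `SC_ALLOW_1ARG(socketcall, SYS_SHUTDOWN)` with no terminator (or the macro should drop its trailing comma so callers write `SC_ALLOW_1ARG(...),` like the other `SC_ALLOW` entries). The comment `/* enable only shutdown on i386 */` also understates the gate: `#ifdef __NR_socketcall` is true on other multiplexed-socketcall ports as well (s390, 32-bit powerpc and sparc, presumably), so I would reword it to `/* socketcall ABIs (i386 and others): permit only SYS_SHUTDOWN */`. The `preauth_insns[]` definition begins before this hunk.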