Bugzilla – Attachment 2650 Details for
Bug 2361
seccomp filter (not only) for aarch64
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
tweaked diff
seccomp-arg.diff (text/plain), 1.68 KB, created by
Damien Miller
on 2015-06-16 23:21:45 AEST
(
hide
)
Description:
tweaked diff
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2015-06-16 23:21:45 AEST
Size:
1.68 KB
patch
obsolete
>diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c >index b6f6258..77986b2 100644 >--- a/sandbox-seccomp-filter.c >+++ b/sandbox-seccomp-filter.c >@@ -43,6 +43,7 @@ > #include <sys/resource.h> > #include <sys/prctl.h> > >+#include <linux/net.h> > #include <linux/audit.h> > #include <linux/filter.h> > #include <linux/seccomp.h> >@@ -80,6 +81,17 @@ > BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ > BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) > >+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \ >+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \ >+ /* load first syscall argument */ \ >+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ >+ offsetof(struct seccomp_data, args[(_arg_nr)])), \ >+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \ >+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \ >+ /* reload syscall number; all rules expect it in accumulator */ \ >+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ >+ offsetof(struct seccomp_data, nr)) >+ > /* Syscall filtering set for preauth. */ > static const struct sock_filter preauth_insns[] = { > /* Ensure the syscall arch convention is as expected. */ >@@ -91,7 +103,12 @@ static const struct sock_filter preauth_insns[] = { > BPF_STMT(BPF_LD+BPF_W+BPF_ABS, > offsetof(struct seccomp_data, nr)), > SC_DENY(open, EACCES), >+#ifdef __NR_stat > SC_DENY(stat, EACCES), >+#endif >+#ifdef __NR_fstat >+ SC_DENY(fstat, EACCES), >+#endif > SC_ALLOW(getpid), > SC_ALLOW(gettimeofday), > SC_ALLOW(clock_gettime), >@@ -129,6 +146,10 @@ static const struct sock_filter preauth_insns[] = { > #else > SC_ALLOW(sigprocmask), > #endif >+#ifdef __NR_socketcall >+ /* enable only shutdown on i386 */ >+ SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), >+#endif > BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), > }; >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=2650">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Flags:
dtucker
:
ok+
Actions:
View
|
Diff
Attachments on
bug 2361
:
2561
|
2601
|
2648
|
2649
|
2650
|
2651
|
2652
|
2655