

(-)a/configure.ac (-4 / +7 lines)
Lines 781-794 main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) Link Here
781
	i*86-*)
781
	i*86-*)
782
		seccomp_audit_arch=AUDIT_ARCH_I386
782
		seccomp_audit_arch=AUDIT_ARCH_I386
783
		;;
783
		;;
784
        arm*-*)
784
	arm*-*)
785
		seccomp_audit_arch=AUDIT_ARCH_ARM
785
		seccomp_audit_arch=AUDIT_ARCH_ARM
786
                ;;
786
		;;
787
	aarch64*-*)
788
		seccomp_audit_arch=AUDIT_ARCH_AARCH64
789
		;
787
	esac
790
	esac
788
	if test "x$seccomp_audit_arch" != "x" ; then
791
	if test "x$seccomp_audit_arch" != "x" ; then
789
		AC_MSG_RESULT(["$seccomp_audit_arch"])
792
		AC_MSG_RESULT(["$seccomp_audit_arch"])
790
                AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
793
		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
791
                    [Specify the system call convention in use])
794
		    [Specify the system call convention in use])
792
	else
795
	else
793
		AC_MSG_RESULT([architecture not supported])
796
		AC_MSG_RESULT([architecture not supported])
794
	fi
797
	fi
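Review bot: The new aarch64 arm is terminated with a single `;` (new line 789, as rendered here) where the i*86 and arm arms above it use `;;`; it parses only because it is the last arm before `esac`, and the next architecture appended after it would turn into a shell syntax error rather than a new case. Change it to `;;`, i.e. `		;;`. The added AUDIT_ARCH_AARCH64 is taken from linux/audit.h unconditionally and flows into SECCOMP_AUDIT_ARCH via AC_DEFINE_UNQUOTED, so on a build host whose headers predate that constant the failure only surfaces when sandbox-seccomp-filter.c compiles its arch check; an AC_CHECK_DECL guard may be worthwhile, though I cannot see from this hunk how the surrounding test already probes the seccomp headers. The enclosing case statement and the configure check start before this hunk.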
(-)a/sandbox-seccomp-filter.c (-20 / +86 lines)
Lines 43-48 Link Here
43
#include <sys/resource.h>
43
#include <sys/resource.h>
44
#include <sys/prctl.h>
44
#include <sys/prctl.h>
45
45
46
#include <linux/net.h>
46
#include <linux/audit.h>
47
#include <linux/audit.h>
47
#include <linux/filter.h>
48
#include <linux/filter.h>
48
#include <linux/seccomp.h>
49
#include <linux/seccomp.h>
Lines 80-85 Link Here
80
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
81
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
81
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
82
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
82
83
84
#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
85
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
86
	/* load first syscall argument */ \
87
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
88
	    offsetof(struct seccomp_data, args[(_arg_nr)])), \
89
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
90
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
91
	/* reload syscall number; all rules expect it in accumulator */ \
92
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
93
		offsetof(struct seccomp_data, nr))
94
83
/* Syscall filtering set for preauth. */
95
/* Syscall filtering set for preauth. */
84
static const struct sock_filter preauth_insns[] = {
96
static const struct sock_filter preauth_insns[] = {
85
	/* Ensure the syscall arch convention is as expected. */
97
	/* Ensure the syscall arch convention is as expected. */
Lines 90-134 static const struct sock_filter preauth_insns[] = { Link Here
90
	/* Load the syscall number for checking. */
102
	/* Load the syscall number for checking. */
91
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
103
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
92
		offsetof(struct seccomp_data, nr)),
104
		offsetof(struct seccomp_data, nr)),
105
106
	/* Syscalls to non-fatally deny */
107
#ifdef __NR_fstat
108
	SC_DENY(fstat, EACCES),
109
#endif
110
#ifdef __NR_fstat64
111
	SC_DENY(fstat64, EACCES),
112
#endif
113
#ifdef __NR_open
93
	SC_DENY(open, EACCES),
114
	SC_DENY(open, EACCES),
115
#endif
116
#ifdef __NR_openat
117
	SC_DENY(openat, EACCES),
118
#endif
119
#ifdef __NR_newfstatat
120
	SC_DENY(newfstatat, EACCES),
121
#endif
122
#ifdef __NR_stat
94
	SC_DENY(stat, EACCES),
123
	SC_DENY(stat, EACCES),
95
	SC_ALLOW(getpid),
124
#endif
96
	SC_ALLOW(gettimeofday),
125
#ifdef __NR_stat64
126
	SC_DENY(stat64, EACCES),
127
#endif
128
129
	/* Syscalls to permit */
130
#ifdef __NR_brk
131
	SC_ALLOW(brk),
132
#endif
133
#ifdef __NR_clock_gettime
97
	SC_ALLOW(clock_gettime),
134
	SC_ALLOW(clock_gettime),
98
#ifdef __NR_time /* not defined on EABI ARM */
99
	SC_ALLOW(time),
100
#endif
135
#endif
101
	SC_ALLOW(read),
136
#ifdef __NR_close
102
	SC_ALLOW(write),
103
	SC_ALLOW(close),
137
	SC_ALLOW(close),
104
#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
105
	SC_ALLOW(shutdown),
106
#endif
138
#endif
107
	SC_ALLOW(brk),
139
#ifdef __NR_exit
108
	SC_ALLOW(poll),
140
	SC_ALLOW(exit),
109
#ifdef __NR__newselect
110
	SC_ALLOW(_newselect),
111
#else
112
	SC_ALLOW(select),
113
#endif
141
#endif
142
#ifdef __NR_exit_group
143
	SC_ALLOW(exit_group),
144
#endif
145
#ifdef __NR_getpid
146
	SC_ALLOW(getpid),
147
#endif
148
#ifdef __NR_gettimeofday
149
	SC_ALLOW(gettimeofday),
150
#endif
151
#ifdef __NR_madvise
114
	SC_ALLOW(madvise),
152
	SC_ALLOW(madvise),
115
#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
116
	SC_ALLOW(mmap2),
117
#endif
153
#endif
118
#ifdef __NR_mmap
154
#ifdef __NR_mmap
119
	SC_ALLOW(mmap),
155
	SC_ALLOW(mmap),
120
#endif
156
#endif
121
#ifdef __dietlibc__
157
#ifdef __NR_mmap2
158
	SC_ALLOW(mmap2),
159
#endif
160
#ifdef __NR_mremap
122
	SC_ALLOW(mremap),
161
	SC_ALLOW(mremap),
123
	SC_ALLOW(exit),
124
#endif
162
#endif
163
#ifdef __NR_munmap
125
	SC_ALLOW(munmap),
164
	SC_ALLOW(munmap),
126
	SC_ALLOW(exit_group),
165
#endif
166
#ifdef __NR__newselect
167
	SC_ALLOW(_newselect),
168
#endif
169
#ifdef __NR_poll
170
	SC_ALLOW(poll),
171
#endif
172
#ifdef __NR_read
173
	SC_ALLOW(read),
174
#endif
127
#ifdef __NR_rt_sigprocmask
175
#ifdef __NR_rt_sigprocmask
128
	SC_ALLOW(rt_sigprocmask),
176
	SC_ALLOW(rt_sigprocmask),
129
#else
177
#endif
178
#ifdef __NR_select
179
	SC_ALLOW(select),
180
#endif
181
#ifdef __NR_shutdown
182
	SC_ALLOW(shutdown),
183
#endif
184
#ifdef __NR_sigprocmask
130
	SC_ALLOW(sigprocmask),
185
	SC_ALLOW(sigprocmask),
131
#endif
186
#endif
187
#ifdef __NR_time
188
	SC_ALLOW(time),
189
#endif
190
#ifdef __NR_write
191
	SC_ALLOW(write),
192
#endif
193
#ifdef __NR_socketcall
194
	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
195
#endif
196
197
	/* Default deny */
132
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
198
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
133
};
199
};
134
200
