Bugzilla – Attachment 2651 Details for
Bug 2361
seccomp filter (not only) for aarch64
[patch]
with aarch64 bits, re-sorted syscall list
seccomp-arg3.diff (text/plain), 4.16 KB, created by
Damien Miller
on 2015-06-17 08:47:20 AEST
Description:
with aarch64 bits, re-sorted syscall list
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2015-06-17 08:47:20 AEST
Size:
4.16 KB
patch
obsolete
>diff --git a/configure.ac b/configure.ac
>index b6f9302..a1a29a6 100644
>--- a/configure.ac
>+++ b/configure.ac
>@@ -781,14 +781,17 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
> i*86-*)
> seccomp_audit_arch=AUDIT_ARCH_I386
> ;;
>- arm*-*)
>+ arm*-*)
> seccomp_audit_arch=AUDIT_ARCH_ARM
>- ;;
>+ ;;
>+ aarch64*-*)
>+ seccomp_audit_arch=AUDIT_ARCH_AARCH64
>+ ;
> esac
> if test "x$seccomp_audit_arch" != "x" ; then
> AC_MSG_RESULT(["$seccomp_audit_arch"])
>- AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
>- [Specify the system call convention in use])
>+ AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
>+ [Specify the system call convention in use])
> else
> AC_MSG_RESULT([architecture not supported])
> fi
>diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
>index b6f6258..5c2b984 100644
>--- a/sandbox-seccomp-filter.c
>+++ b/sandbox-seccomp-filter.c
>@@ -43,6 +43,7 @@
> #include <sys/resource.h>
> #include <sys/prctl.h>
>
>+#include <linux/net.h>
> #include <linux/audit.h>
> #include <linux/filter.h>
> #include <linux/seccomp.h>
>@@ -80,6 +81,17 @@
> BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
> BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
>
>+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
>+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
>+ /* load first syscall argument */ \
>+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
>+ offsetof(struct seccomp_data, args[(_arg_nr)])), \
>+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
>+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
>+ /* reload syscall number; all rules expect it in accumulator */ \
>+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
>+ offsetof(struct seccomp_data, nr))
>+
> /* Syscall filtering set for preauth. */
> static const struct sock_filter preauth_insns[] = {
> /* Ensure the syscall arch convention is as expected. */
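Review bot: The new `aarch64*-*)` arm in the configure.ac hunk ends with a lone `;` while the `i*86` and `arm*` arms above it end with `;;`; if that is not an artifact of how the attachment was rendered, it should be `;;`. A single `;` before `esac` is accepted by POSIX sh because the last arm may omit the terminator, so this is not a build break today, but it becomes one as soon as another arm is appended below it. The `arm*-*)` and `AC_DEFINE_UNQUOTED` changes in the same hunk appear to be whitespace-only re-indentation.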
>@@ -90,45 +102,99 @@ static const struct sock_filter preauth_insns[] = {
> /* Load the syscall number for checking. */
> BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
> offsetof(struct seccomp_data, nr)),
>+
>+ /* Syscalls to non-fatally deny */
>+#ifdef __NR_fstat
>+ SC_DENY(fstat, EACCES),
>+#endif
>+#ifdef __NR_fstat64
>+ SC_DENY(fstat64, EACCES),
>+#endif
>+#ifdef __NR_open
> SC_DENY(open, EACCES),
>+#endif
>+#ifdef __NR_openat
>+ SC_DENY(openat, EACCES),
>+#endif
>+#ifdef __NR_newfstatat
>+ SC_DENY(newfstatat, EACCES),
>+#endif
>+#ifdef __NR_stat
> SC_DENY(stat, EACCES),
>- SC_ALLOW(getpid),
>- SC_ALLOW(gettimeofday),
>+#endif
>+#ifdef __NR_stat64
>+ SC_DENY(stat64, EACCES),
>+#endif
>+
>+ /* Syscalls to permit */
>+#ifdef __NR_brk
>+ SC_ALLOW(brk),
>+#endif
>+#ifdef __NR_clock_gettime
> SC_ALLOW(clock_gettime),
>-#ifdef __NR_time /* not defined on EABI ARM */
>- SC_ALLOW(time),
> #endif
>- SC_ALLOW(read),
>- SC_ALLOW(write),
>+#ifdef __NR_close
> SC_ALLOW(close),
>-#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
>- SC_ALLOW(shutdown),
> #endif
>- SC_ALLOW(brk),
>- SC_ALLOW(poll),
>-#ifdef __NR__newselect
>- SC_ALLOW(_newselect),
>-#else
>- SC_ALLOW(select),
>+#ifdef __NR_exit
>+ SC_ALLOW(exit),
> #endif
>+#ifdef __NR_exit_group
>+ SC_ALLOW(exit_group),
>+#endif
>+#ifdef __NR_getpid
>+ SC_ALLOW(getpid),
>+#endif
>+#ifdef __NR_gettimeofday
>+ SC_ALLOW(gettimeofday),
>+#endif
>+#ifdef __NR_madvise
> SC_ALLOW(madvise),
>-#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
>- SC_ALLOW(mmap2),
> #endif
> #ifdef __NR_mmap
> SC_ALLOW(mmap),
> #endif
>-#ifdef __dietlibc__
>+#ifdef __NR_mmap2
>+ SC_ALLOW(mmap2),
>+#endif
>+#ifdef __NR_mremap
> SC_ALLOW(mremap),
>- SC_ALLOW(exit),
> #endif
>+#ifdef __NR_munmap
> SC_ALLOW(munmap),
>- SC_ALLOW(exit_group),
>+#endif
>+#ifdef __NR__newselect
>+ SC_ALLOW(_newselect),
>+#endif
>+#ifdef __NR_poll
>+ SC_ALLOW(poll),
>+#endif
>+#ifdef __NR_read
>+ SC_ALLOW(read),
>+#endif
> #ifdef __NR_rt_sigprocmask
> SC_ALLOW(rt_sigprocmask),
>-#else
>+#endif
>+#ifdef __NR_select
>+ SC_ALLOW(select),
>+#endif
>+#ifdef __NR_shutdown
>+ SC_ALLOW(shutdown),
>+#endif
>+#ifdef __NR_sigprocmask
> SC_ALLOW(sigprocmask),
> #endif
>+#ifdef __NR_time
>+ SC_ALLOW(time),
>+#endif
>+#ifdef __NR_write
>+ SC_ALLOW(write),
>+#endif
>+#ifdef __NR_socketcall
>+ SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
>+#endif
>+
>+ /* Default deny */
> BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
> };
>
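Review bot: Every rule in the rebuilt `preauth_insns` list, including syscalls that exist on every Linux ABI such as `read`, `write`, `close` and `exit_group`, is now wrapped in `#ifdef __NR_...`, so a misspelled name silently drops the rule instead of failing the build; the result is fail-closed (the call hits the default `SECCOMP_FILTER_FAIL`), but the breakage only surfaces at runtime as a killed sshd on some architecture. I would leave the universally defined entries unguarded, e.g. `SC_ALLOW(read),` / `SC_ALLOW(write),` / `SC_ALLOW(close),` with no `#ifdef`, and reserve the guards for the genuinely arch-specific ones (`open`/`openat`, `mmap`/`mmap2`, `select`/`_newselect`, `socketcall`). The `preauth_insns` initializer begins before this hunk, in the previous one.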
Flags:
dtucker
:
ok+