emo/ndhc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

x86 has a slightly different syscall interface, so some changes are

Browse Source 
necessary for the seccomp filters to work.

Specifically, x86 has the old catch-all socketcall and the non-legacy
fnctl64 system calls.
This commit is contained in:
Nicholas J. Kain
2014-03-22 01:32:55 -04:00
parent 22dcfc00ee
commit 009f80b428
1 changed files with 30 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
ndhc/seccomp.c
View File

@ -40,20 +40,30 @@ int enforce_seccomp_ndhc(void)
struct sock_filter filter[] = { struct sock_filter filter[] = {
VALIDATE_ARCHITECTURE, VALIDATE_ARCHITECTURE,
EXAMINE_SYSCALL, EXAMINE_SYSCALL,
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
ALLOW_SYSCALL(epoll_wait), ALLOW_SYSCALL(epoll_wait),
ALLOW_SYSCALL(epoll_ctl), ALLOW_SYSCALL(epoll_ctl),
ALLOW_SYSCALL(read), ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write), ALLOW_SYSCALL(write),
ALLOW_SYSCALL(close), ALLOW_SYSCALL(close),
#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
ALLOW_SYSCALL(recvmsg), ALLOW_SYSCALL(recvmsg),
ALLOW_SYSCALL(socket), ALLOW_SYSCALL(socket),
ALLOW_SYSCALL(setsockopt), ALLOW_SYSCALL(setsockopt),
ALLOW_SYSCALL(fcntl),
ALLOW_SYSCALL(bind),
ALLOW_SYSCALL(open),
ALLOW_SYSCALL(connect),
ALLOW_SYSCALL(getsockname), ALLOW_SYSCALL(getsockname),
ALLOW_SYSCALL(connect),
ALLOW_SYSCALL(bind),
ALLOW_SYSCALL(socketpair),
#elif defined(__i386__)
ALLOW_SYSCALL(socketcall),
ALLOW_SYSCALL(fcntl64),
#else
#error Target platform does not support seccomp-filter.
#endif
ALLOW_SYSCALL(fcntl),
ALLOW_SYSCALL(open),
// Allowed by vDSO // Allowed by vDSO
ALLOW_SYSCALL(getcpu), ALLOW_SYSCALL(getcpu),
@ -67,7 +77,6 @@ int enforce_seccomp_ndhc(void)
ALLOW_SYSCALL(fsync), ALLOW_SYSCALL(fsync),
// These are for 'background()' // These are for 'background()'
ALLOW_SYSCALL(socketpair),
ALLOW_SYSCALL(clone), ALLOW_SYSCALL(clone),
ALLOW_SYSCALL(set_robust_list), ALLOW_SYSCALL(set_robust_list),
ALLOW_SYSCALL(setsid), ALLOW_SYSCALL(setsid),
@ -110,23 +119,33 @@ int enforce_seccomp_ifch(void)
EXAMINE_SYSCALL, EXAMINE_SYSCALL,
ALLOW_SYSCALL(read), ALLOW_SYSCALL(read),
ALLOW_SYSCALL(write), ALLOW_SYSCALL(write),
ALLOW_SYSCALL(sendto),
ALLOW_SYSCALL(epoll_wait), ALLOW_SYSCALL(epoll_wait),
ALLOW_SYSCALL(epoll_ctl), ALLOW_SYSCALL(epoll_ctl),
ALLOW_SYSCALL(close), ALLOW_SYSCALL(close),
#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
ALLOW_SYSCALL(sendto), // used for glibc syslog routines
ALLOW_SYSCALL(recvmsg),
ALLOW_SYSCALL(socket), ALLOW_SYSCALL(socket),
ALLOW_SYSCALL(ioctl), ALLOW_SYSCALL(setsockopt),
ALLOW_SYSCALL(getsockname), ALLOW_SYSCALL(getsockname),
ALLOW_SYSCALL(connect),
ALLOW_SYSCALL(bind),
ALLOW_SYSCALL(socketpair),
#elif defined(__i386__)
ALLOW_SYSCALL(socketcall),
ALLOW_SYSCALL(fcntl64),
#else
#error Target platform does not support seccomp-filter.
#endif
ALLOW_SYSCALL(open), ALLOW_SYSCALL(open),
ALLOW_SYSCALL(fstat), ALLOW_SYSCALL(fstat),
ALLOW_SYSCALL(connect),
ALLOW_SYSCALL(recvmsg),
ALLOW_SYSCALL(fsync), ALLOW_SYSCALL(fsync),
ALLOW_SYSCALL(lseek), ALLOW_SYSCALL(lseek),
ALLOW_SYSCALL(truncate), ALLOW_SYSCALL(truncate),
ALLOW_SYSCALL(fcntl), ALLOW_SYSCALL(fcntl),
ALLOW_SYSCALL(unlink), ALLOW_SYSCALL(unlink),
ALLOW_SYSCALL(bind),
ALLOW_SYSCALL(chmod), ALLOW_SYSCALL(chmod),
ALLOW_SYSCALL(rt_sigreturn), ALLOW_SYSCALL(rt_sigreturn),