|
|
|
@ -1,4 +1,4 @@
|
|
|
|
/* Copyright (c) 2017-2020, Michael Santos <michael.santos@gmail.com>
|
|
|
|
/* Copyright (c) 2017-2022, Michael Santos <michael.santos@gmail.com>
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
@ -48,7 +48,7 @@
|
|
|
|
offsetof(struct seccomp_data, args[(_arg_nr)])), \
|
|
|
|
offsetof(struct seccomp_data, args[(_arg_nr)])), \
|
|
|
|
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_arg_val), 0, 1), \
|
|
|
|
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_arg_val), 0, 1), \
|
|
|
|
BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), /* reload syscall number; \
|
|
|
|
BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW), /* reload syscall number; \
|
|
|
|
all rules expect it in \
|
|
|
|
all rules expect it in \
|
|
|
|
accumulator */ \
|
|
|
|
accumulator */ \
|
|
|
|
BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr))
|
|
|
|
BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr))
|
|
|
|
|
|
|
|
|
|
|
|
@ -164,6 +164,9 @@ int restrict_process_init(xmppipe_state_t *state) {
|
|
|
|
#ifdef __NR_newfstatat
|
|
|
|
#ifdef __NR_newfstatat
|
|
|
|
SC_ALLOW(newfstatat),
|
|
|
|
SC_ALLOW(newfstatat),
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef __NR_getdents64
|
|
|
|
|
|
|
|
SC_ALLOW(getdents64),
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
|
/* uuid */
|
|
|
|
/* uuid */
|
|
|
|
#ifdef __NR_gettimeofday
|
|
|
|
#ifdef __NR_gettimeofday
|
|
|
|
@ -200,13 +203,13 @@ int restrict_process_init(xmppipe_state_t *state) {
|
|
|
|
#ifdef __NR_fstat64
|
|
|
|
#ifdef __NR_fstat64
|
|
|
|
SC_ALLOW(fstat64),
|
|
|
|
SC_ALLOW(fstat64),
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
#ifdef __NR_getrandom
|
|
|
|
|
|
|
|
SC_ALLOW(getrandom),
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef __NR_getppid
|
|
|
|
#ifdef __NR_getppid
|
|
|
|
SC_ALLOW(getppid),
|
|
|
|
SC_ALLOW(getppid),
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef __NR_getrandom
|
|
|
|
|
|
|
|
SC_ALLOW(getrandom),
|
|
|
|
|
|
|
|
#endif
|
|
|
|
#ifdef __NR_gettid
|
|
|
|
#ifdef __NR_gettid
|
|
|
|
SC_ALLOW(gettid),
|
|
|
|
SC_ALLOW(gettid),
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
@ -379,10 +382,19 @@ int restrict_process_stdin(xmppipe_state_t *state) {
|
|
|
|
#ifdef __NR_fstat64
|
|
|
|
#ifdef __NR_fstat64
|
|
|
|
SC_ALLOW(fstat64),
|
|
|
|
SC_ALLOW(fstat64),
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef __NR_newfstatat
|
|
|
|
|
|
|
|
SC_ALLOW(newfstatat),
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef __NR_getdents64
|
|
|
|
|
|
|
|
SC_ALLOW(getdents64),
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef __NR_getppid
|
|
|
|
#ifdef __NR_getppid
|
|
|
|
SC_ALLOW(getppid),
|
|
|
|
SC_ALLOW(getppid),
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef __NR_getrandom
|
|
|
|
|
|
|
|
SC_ALLOW(getrandom),
|
|
|
|
|
|
|
|
#endif
|
|
|
|
#ifdef __NR_gettid
|
|
|
|
#ifdef __NR_gettid
|
|
|
|
SC_ALLOW(gettid),
|
|
|
|
SC_ALLOW(gettid),
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
Michael Santos
2 years ago