@@ -44,49 +44,54 @@ const std::uint32_t SECCOMP_DATA_ARCH_OFFSET = 0x04;
4444#endif
4545
4646const struct sock_filter FILTER[] = {
47- /* Load architecture from 'seccomp_data' buffer into accumulator */
47+ // Load architecture from 'seccomp_data' buffer into accumulator
4848 BPF_STMT (BPF_LD | BPF_W | BPF_ABS, SECCOMP_DATA_ARCH_OFFSET),
49- /* Jump to disallow if architecture is not X86_64 */
49+ // Jump to disallow if architecture is not X86_64
5050 BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0 , 5 ),
51- /* Load the system call number into accumulator */
51+ // Load the system call number into accumulator
5252 BPF_STMT (BPF_LD | BPF_W | BPF_ABS, SECCOMP_DATA_NR_OFFSET),
53- /* Only applies to X86_64 arch. Fail calls for the x32 ABI */
54- BPF_JUMP (BPF_JMP | BPF_JGT | BPF_K, UPPER_NR_LIMIT, 3 , 0 ),
55- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 30 , 0 ),
56- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 29 , 0 ),
57- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_writev, 28 , 0 ),
58- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_readlink, 27 , 0 ),
59- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_lseek, 26 , 0 ),
60- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_futex, 25 , 0 ),
61- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_madvise, 24 , 0 ),
62- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_unlink, 23 , 0 ),
63- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_mknod, 22 , 0 ),
64- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_nanosleep, 21 , 0 ),
65- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_lstat, 20 , 0 ),
66- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_set_robust_list, 19 , 0 ),
67- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 18 , 0 ),
68- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_stat, 17 , 0 ),
69- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 16 , 0 ),
70- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_munmap, 15 , 0 ),
71- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_mmap, 14 , 0 ),
72- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_fstat, 13 , 0 ),
73- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 12 , 0 ),
74- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 11 , 0 ),
75- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_getuid, 10 , 0 ),
76- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 9 , 0 ),
77- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_access, 8 , 0 ),
78- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_close, 7 , 0 ),
79- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_brk, 6 , 0 ),
80- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigreturn, 5 , 0 ),
81- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 4 , 0 ),
82- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_statfs, 3 , 0 ),
83- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_dup2, 2 , 0 ),
84- BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 1 , 0 ),
85- /* Disallow call with error code EACCES */
53+ // Only applies to X86_64 arch. Jump to disallow for calls using the x32 ABI
54+ BPF_JUMP (BPF_JMP | BPF_JGT | BPF_K, UPPER_NR_LIMIT, 35 , 0 ),
55+ // Allowed sys calls, jump to return allow on match
56+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 35 , 0 ),
57+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 34 , 0 ),
58+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_writev, 33 , 0 ),
59+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_lseek, 32 , 0 ),
60+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_lstat, 31 , 0 ),
61+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_readlink, 30 , 0 ),
62+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_stat, 29 , 0 ),
63+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_fstat, 28 , 0 ),
64+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 27 , 0 ),
65+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_close, 26 , 0 ),
66+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 25 , 0 ),
67+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 24 , 0 ),
68+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 23 , 0 ),
69+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_statfs, 22 , 0 ),
70+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_dup2, 21 , 0 ),
71+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_rmdir, 20 , 0 ), // for forecast temp storage
72+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_getdents, 19 , 0 ), // for forecast temp storage
73+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 18 , 0 ), // for forecast temp storage
74+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_tgkill, 17 , 0 ), // for the crash handler
75+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigaction, 16 , 0 ), // for the crash handler
76+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigreturn, 15 , 0 ),
77+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_futex, 14 , 0 ),
78+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_madvise, 13 , 0 ),
79+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_unlink, 12 , 0 ),
80+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_mknod, 11 , 0 ),
81+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_nanosleep, 10 , 0 ),
82+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_set_robust_list, 9 , 0 ),
83+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 8 , 0 ),
84+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_munmap, 7 , 0 ),
85+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_mmap, 6 , 0 ),
86+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_getuid, 5 , 0 ),
87+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 4 , 0 ),
88+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_access, 3 , 0 ),
89+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_brk, 2 , 0 ),
90+ BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 1 , 0 ),
91+ // Disallow call with error code EACCES
8692 BPF_STMT (BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
87- /* Allow call */
88- BPF_STMT (BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
89- };
93+ // Allow call
94+ BPF_STMT (BPF_RET | BPF_K, SECCOMP_RET_ALLOW)};
9095
9196bool canUseSeccompBpf () {
9297 // This call is expected to fail due to the nullptr argument
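Review bot: The architecture check at `BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0 , 5 )` was not re-counted when the allow-list grew from 30 to 35 entries: counting the new FILTER array, its false branch (next instruction 2, plus 5) lands on the `__NR_lseek` comparison at index 7 rather than on the `SECCOMP_RET_ERRNO` return at index 39, so a syscall whose `arch` is not `AUDIT_ARCH_X86_64` has its number compared against the x86_64 allow-list instead of being denied outright. The other offsets in the hunk do resolve correctly (`UPPER_NR_LIMIT` with 35 reaches the EACCES return, every `__NR_*` entry reaches the allow return at index 40), which makes the unchanged `5` stand out; it should read `BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0 , 37 ),`. Because all three hand-counted skip values depend on the table length, a comment on the two return statements recording their instruction index (e.g. `// index 39: deny` / `// index 40: allow`), or a `static_assert` on `sizeof(FILTER) / sizeof(FILTER[0])` next to the array, would make the next addition to the list harder to get wrong.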