
Commit aa4236c

committed
Use allowed list instead of banned list for linux syscalls
1 parent 7e31ed8 commit aa4236c

1 file changed

+35
-7
lines changed


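--- a/lib/seccomp/CSystemCallFilter_Linux.cc
+++ b/lib/seccomp/CSystemCallFilter_Linux.cc
@@ -51,14 +51,42 @@ const struct sock_filter FILTER[] = {
 /* Load the system call number into accumulator */
 BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SECCOMP_DATA_NR_OFFSET),
 /* Only applies to X86_64 arch. Fail calls for the x32 ABI */
-BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, UPPER_NR_LIMIT, 4, 0),
-BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fork, 3, 0),
-BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_vfork, 2, 0),
-BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),
-/* Allow call */
-BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
+BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, UPPER_NR_LIMIT, 3, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 30, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 29, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_writev, 28, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_readlink, 27, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_lseek, 26, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_futex, 25, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_madvise, 24, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_unlink, 23, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mknod, 22, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_nanosleep, 21, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_lstat, 20, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_set_robust_list, 19, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 18, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_stat, 17, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 16, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_munmap, 15, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mmap, 14, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fstat, 13, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 12, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 11, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getuid, 10, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 9, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_access, 8, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_close, 7, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_brk, 6, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigreturn, 5, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 4, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_statfs, 3, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_dup2, 2, 0),
+BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 1, 0),
 /* Disallow call with error code EACCES */
-BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))};
+BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
+/* Allow call */
+BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
+};
 
 bool canUseSeccompBpf() {
 // This call is expected to fail due to the nullptr argument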
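Review bot: The jump target on the UPPER_NR_LIMIT check at new line 54 looks like a leftover from the old layout: with jt=3 an x32 syscall number skips only the read/write/writev comparisons and lands on the readlink JEQ instead of the EACCES return at line 86, which now sits 30 instructions after it, so the line should read `BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, UPPER_NR_LIMIT, 30, 0),`. It is harmless today only because a number with the x32 bit set cannot equal any plain `__NR_*` constant and therefore falls through every JEQ to the deny anyway, but hand-counted offsets like these drift silently whenever an entry is inserted, so a comment such as `/* jt on each JEQ is the distance to the final SECCOMP_RET_ALLOW; renumber every entry when inserting one */` above the list would help the next editor. Separately, `__NR_clone` is allowed without inspecting its flags argument, so process creation that the removed fork/vfork entries denied is presumably still reachable through clone(); if that is the intended scope of the allow list it deserves a comment, otherwise a further check on the args field of seccomp_data would be needed. The FILTER array begins before the hunk, and canUseSeccompBpf() continues after it.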
