revert_various_additions_to_improve_code_coverage
authorKees Cook <kees@debian.org>
Sun, 3 Oct 2021 21:26:59 +0000 (22:26 +0100)
committerFelix Geyer <fgeyer@debian.org>
Sun, 3 Oct 2021 21:26:59 +0000 (22:26 +0100)
REVERTS

From aa0f858aa58d51c93a176c60a4c83a4a303bcffd Mon Sep 17 00:00:00 2001
From: Paul Moore <paul@paul-moore.com>
Date: Tue, 3 Aug 2021 14:12:50 -0400
Subject: [PATCH] tests: various additions to improve code coverage

Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit fcc601279004a7f4c2f6ebf766acb4556b0f5e65)

Gbp-Pq: Name revert_various_additions_to_improve_code_coverage.patch

15 files changed:
tests/11-basic-basic_errors.c
tests/15-basic-resolver.c
tests/30-sim-socket_syscalls.c
tests/33-sim-socket_syscalls_be.c
tests/33-sim-socket_syscalls_be.py
tests/33-sim-socket_syscalls_be.tests
tests/36-sim-ipc_syscalls.c
tests/36-sim-ipc_syscalls.py
tests/36-sim-ipc_syscalls.tests
tests/37-sim-ipc_syscalls_be.c
tests/37-sim-ipc_syscalls_be.py
tests/37-sim-ipc_syscalls_be.tests
tests/38-basic-pfc_coverage.c
tests/38-basic-pfc_coverage.pfc
tests/52-basic-load.c

index 49d9eef59ff1268e91d8fd7d5cbbedc1d3c9758a..da059df2b367af61f6f5f840b662cd22a06b8e19 100644 (file)
@@ -29,8 +29,6 @@ int main(int argc, char *argv[])
        int rc;
        scmp_filter_ctx ctx;
        uint32_t attr;
-       struct seccomp_notif *req = NULL;
-       struct seccomp_notif_resp *resp = NULL;
 
        /* seccomp_init errors */
        ctx = seccomp_init(SCMP_ACT_ALLOW + 1);
@@ -125,9 +123,6 @@ int main(int argc, char *argv[])
                return -1;
        rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1,
                                    SCMP_A0(SCMP_CMP_EQ, 2));
-       if (rc != -EINVAL)
-               return -1;
-       rc = seccomp_rule_add_exact(ctx, 0xdeadbeef, SCMP_SYS(open), 0);
        if (rc != -EINVAL)
                return -1;
        seccomp_release(ctx);
@@ -185,53 +180,6 @@ int main(int argc, char *argv[])
        rc = seccomp_attr_set(ctx, 1000, 1);
        if (rc != -EINVAL)
                return -1;
-       seccomp_release(ctx);
-       ctx = NULL;
-
-       /* seccomp_merge() errors */
-       ctx = seccomp_init(SCMP_ACT_ALLOW);
-       if (ctx == NULL)
-               return -1;
-       rc = seccomp_merge(ctx, NULL);
-       if (rc == 0)
-               return -1;
-       seccomp_release(ctx);
-       ctx = NULL;
-
-       /* seccomp notify errors */
-       ctx = seccomp_init(SCMP_ACT_ALLOW);
-       if (ctx == NULL)
-               return -1;
-       rc = seccomp_notify_alloc(NULL, NULL);
-       if (rc != 0)
-               return -1;
-       rc = seccomp_notify_alloc(&req, NULL);
-       if (rc != 0)
-               return -1;
-       rc = seccomp_notify_alloc(NULL, &resp);
-       if (rc != 0)
-               return -1;
-       seccomp_notify_free(NULL, NULL);
-       seccomp_notify_free(req, resp);
-       req = NULL;
-       resp = NULL;
-       rc = seccomp_notify_receive(-1, NULL);
-       if (rc == 0)
-               return -1;
-       rc = seccomp_notify_respond(-1, NULL);
-       if (rc == 0)
-               return -1;
-       rc = seccomp_notify_id_valid(-1, 0);
-       if (rc == 0)
-               return -1;
-       rc = seccomp_notify_fd(NULL);
-       if (rc == 0)
-               return -1;
-       rc = seccomp_notify_fd(ctx);
-       if (rc == 0)
-               return -1;
-       seccomp_release(ctx);
-       ctx = NULL;
 
        return 0;
 }
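Review bot: The success path of main() now reaches `return 0;` without releasing the filter context, because the removed lines include the `seccomp_release(ctx);` / `ctx = NULL;` pair that followed the `seccomp_attr_set(ctx, 1000, 1)` check. If ctx is still a live context at that point (its seccomp_init() call is above the hunk, so this is inferred), it is leaked at exit and a leak checker run over this test would report it. Keeping `seccomp_release(ctx);` immediately before `return 0;` preserves the cleanup while still dropping the seccomp_merge() and notify cases. main() begins outside the hunk, so earlier release calls cannot be confirmed from here.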
index 6db69e8632581cc97ea895a5184c5eab9f322147..2679270e98651db08359b0e1d203cbe62e6d5142 100644 (file)
@@ -68,7 +68,6 @@ int main(int argc, char *argv[])
                goto fail;
 
        while ((arch = arch_list[iter++]) != -1) {
-               int sys;
                int nr_open;
                int nr_read;
                int nr_socket;
@@ -120,45 +119,6 @@ int main(int argc, char *argv[])
                        goto fail;
                free(name);
                name = NULL;
-
-               /* socket pseudo-syscalls */
-               if (seccomp_syscall_resolve_name_arch(arch, "socketcall") > 0) {
-                       for (sys = -101; sys >= -120; sys--) {
-                               name = seccomp_syscall_resolve_num_arch(arch,
-                                                                       sys);
-                               if (name == NULL)
-                                       goto fail;
-                               free(name);
-                               name = NULL;
-                       }
-               }
-               /* ipc pseudo-syscalls */
-               if (seccomp_syscall_resolve_name_arch(arch, "ipc") > 0) {
-                       for (sys = -201; sys >= -204; sys--) {
-                               name = seccomp_syscall_resolve_num_arch(arch,
-                                                                       sys);
-                               if (name == NULL)
-                                       goto fail;
-                               free(name);
-                               name = NULL;
-                       }
-                       for (sys = -211; sys >= -214; sys--) {
-                               name = seccomp_syscall_resolve_num_arch(arch,
-                                                                       sys);
-                               if (name == NULL)
-                                       goto fail;
-                               free(name);
-                               name = NULL;
-                       }
-                       for (sys = -221; sys >= -224; sys--) {
-                               name = seccomp_syscall_resolve_num_arch(arch,
-                                                                       sys);
-                               if (name == NULL)
-                                       goto fail;
-                               free(name);
-                               name = NULL;
-                       }
-               }
        }
 
        return 0;
index 900f0a359cade6f4c7f23c3898affe0e9d7e36c6..7a193b20519a3a9b372ed0fbc77db0418c0c0463 100644 (file)
@@ -61,79 +61,19 @@ int main(int argc, char *argv[])
        if (rc != 0)
                goto out;
 
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(bind), 0);
-       if (rc != 0)
-               goto out;
-
        rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0);
        if (rc != 0)
                goto out;
 
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(listen), 0);
-       if (rc != 0)
-               goto out;
-
        rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
        if (rc != 0)
                goto out;
 
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockname), 0);
-       if (rc != 0)
-               goto out;
-
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpeername), 0);
-       if (rc != 0)
-               goto out;
-
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 0);
-       if (rc != 0)
-               goto out;
-
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(send), 0);
-       if (rc != 0)
-               goto out;
-
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recv), 0);
-       if (rc != 0)
-               goto out;
-
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 0);
-       if (rc != 0)
-               goto out;
-
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvfrom), 0);
-       if (rc != 0)
-               goto out;
-
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
-       if (rc != 0)
-               goto out;
-
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0);
-       if (rc != 0)
-               goto out;
-
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0);
-       if (rc != 0)
-               goto out;
-
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmsg), 0);
-       if (rc != 0)
-               goto out;
-
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmsg), 0);
-       if (rc != 0)
-               goto out;
-
        rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0);
        if (rc != 0)
                goto out;
 
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmmsg), 0);
-       if (rc != 0)
-               goto out;
-
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmmsg), 0);
+       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
        if (rc != 0)
                goto out;
 
index e770771c993562e131acce1b73c157dda8ebcbbe..7c4d788c47f9dd9ae02e46fae32f7b616cb40fdb 100644 (file)
@@ -48,9 +48,6 @@ int main(int argc, char *argv[])
        if (rc != 0)
                goto out;
        rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X);
-       if (rc != 0)
-               goto out;
-       rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC);
        if (rc != 0)
                goto out;
 
index c3cd6287004f3468ca3cd8ff3f6240c66107173c..416fb339a93724aa866f0f3e7642dfc956cf18f3 100755 (executable)
@@ -33,7 +33,6 @@ def test(args):
     f.remove_arch(Arch())
     f.add_arch(Arch("s390"))
     f.add_arch(Arch("s390x"))
-    f.add_arch(Arch("ppc"))
     f.add_rule(ALLOW, "socket")
     f.add_rule(ALLOW, "connect")
     f.add_rule(ALLOW, "accept")
index 11e255263d94c673d62ad582f4dee053cfd8c7a2..b2523af8250d49d387c8d1a09dd1f620a17e5a81 100644 (file)
@@ -7,23 +7,31 @@
 
 test type: bpf-sim
 
-# Testname                     Arch                    Syscall         Arg0            Arg1            Arg2    Arg3    Arg4    Arg5    Result
-33-sim-socket_syscalls_be      +s390,+s390x,+ppc       socketcall      1               N               N       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +s390,+s390x,+ppc       socketcall      3               N               N       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +s390,+s390x,+ppc       socketcall      5               N               N       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +s390,+s390x,+ppc       socketcall      13              N               N       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +s390,+s390x            359             0               1               2       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +ppc                    326             0               1               2       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +s390,+s390x            362             0               1               2       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +ppc                    328             0               1               2       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +s390,+s390x            364             0               1               2       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +ppc                    344             0               1               2       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +s390,+s390x            373             0               1               2       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +ppc                    338             0               1               2       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +s390,+s390x,+ppc       accept          5               N               N       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +s390,+s390x,+ppc       accept          0               1               2       N       N       N       KILL
-33-sim-socket_syscalls_be      +s390,+s390x,+ppc       accept4         18              1               2       N       N       N       ALLOW
-33-sim-socket_syscalls_be      +s390,+s390x,+ppc       accept4         0               1               2       N       N       N       KILL
+# Testname                     Arch    Syscall         Arg0            Arg1            Arg2    Arg3    Arg4    Arg5    Result
+33-sim-socket_syscalls_be      +s390   socketcall      1               N               N       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390   socketcall      3               N               N       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390   socketcall      5               N               N       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390   socketcall      13              N               N       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390   359             0               1               2       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390   362             0               1               2       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390   364             0               1               2       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390   373             0               1               2       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390   accept          5               N               N       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390   accept          0               1               2       N       N       N       KILL
+33-sim-socket_syscalls_be      +s390   accept4         18              1               2       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390   accept4         0               1               2       N       N       N       KILL
+33-sim-socket_syscalls_be      +s390x  socketcall      1               N               N       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390x  socketcall      3               N               N       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390x  socketcall      5               N               N       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390x  socketcall      13              N               N       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390x  359             0               1               2       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390x  362             0               1               2       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390x  364             0               1               2       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390x  373             0               1               2       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390x  accept          5               N               N       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390x  accept          0               1               2       N       N       N       KILL
+33-sim-socket_syscalls_be      +s390x  accept4         18              1               2       N       N       N       ALLOW
+33-sim-socket_syscalls_be      +s390x  accept4         0               1               2       N       N       N       KILL
 
 test type: bpf-valgrind
 
index c9b575e0d445f562edb1c51fd2a26c8d2a3f4ce9..1437e437bf07e333a0d62d96d9545b0371e3d807 100644 (file)
@@ -54,9 +54,6 @@ int main(int argc, char *argv[])
        if (rc != 0)
                goto out;
        rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
-       if (rc != 0)
-               goto out;
-       rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
        if (rc != 0)
                goto out;
 
index 90a8e9faf6f1c6246b35dba0a9d1825eabc275d1..2e223ff1acddade6408eb0fddb66e3ee16f30191 100755 (executable)
@@ -35,7 +35,6 @@ def test(args):
     f.add_arch(Arch("x86_64"))
     f.add_arch(Arch("x32"))
     f.add_arch(Arch("ppc64le"))
-    f.add_arch(Arch("mipsel"))
     f.add_rule(ALLOW, "semop")
     f.add_rule(ALLOW, "semtimedop")
     f.add_rule(ALLOW, "semget")
index 90e5445c47218d72b4c61056cbc296111d683cea..8d83af73d6bbb9f7a907c1a8a43222672720a73a 100644 (file)
@@ -7,31 +7,31 @@
 
 test type: bpf-sim
 
-# Testname             Arch                    Syscall         Arg0    Arg1    Arg2    Arg3    Arg4    Arg5    Result
-36-sim-ipc_syscalls    +x86,+ppc64le,+mipsel   ipc             1       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86,+ppc64le,+mipsel   ipc             2       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86,+ppc64le,+mipsel   ipc             3       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86,+ppc64le,+mipsel   ipc             4       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86,+ppc64le,+mipsel   ipc             11      N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86,+ppc64le,+mipsel   ipc             12      N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86,+ppc64le,+mipsel   ipc             13      N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86,+ppc64le,+mipsel   ipc             14      N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86,+ppc64le,+mipsel   ipc             21      N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86,+ppc64le,+mipsel   ipc             22      N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86,+ppc64le,+mipsel   ipc             23      N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86,+ppc64le,+mipsel   ipc             24      N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86_64                         semop           N       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86_64                         semget          N       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86_64                         semctl          N       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86_64                         semtimedop      N       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86_64                         msgsnd          N       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86_64                         msgrcv          N       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86_64                         msgget          N       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86_64                         msgctl          N       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86_64                         shmat           N       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86_64                         shmdt           N       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86_64                         shmget          N       N       N       N       N       N       ALLOW
-36-sim-ipc_syscalls    +x86_64                         shmctl          N       N       N       N       N       N       ALLOW
+# Testname             Arch            Syscall         Arg0    Arg1    Arg2    Arg3    Arg4    Arg5    Result
+36-sim-ipc_syscalls    +x86,+ppc64le   ipc             1       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86,+ppc64le   ipc             2       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86,+ppc64le   ipc             3       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86,+ppc64le   ipc             4       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86,+ppc64le   ipc             11      N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86,+ppc64le   ipc             12      N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86,+ppc64le   ipc             13      N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86,+ppc64le   ipc             14      N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86,+ppc64le   ipc             21      N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86,+ppc64le   ipc             22      N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86,+ppc64le   ipc             23      N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86,+ppc64le   ipc             24      N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86_64         semop           N       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86_64         semget          N       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86_64         semctl          N       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86_64         semtimedop      N       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86_64         msgsnd          N       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86_64         msgrcv          N       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86_64         msgget          N       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86_64         msgctl          N       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86_64         shmat           N       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86_64         shmdt           N       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86_64         shmget          N       N       N       N       N       N       ALLOW
+36-sim-ipc_syscalls    +x86_64         shmctl          N       N       N       N       N       N       ALLOW
 
 test type: bpf-valgrind
 
index d1bd57e8f4af7c3198959902f09910ac2dde0108..e82a2aa170c38e73a5916ea81c0a106b57c5b84b 100644 (file)
@@ -48,9 +48,6 @@ int main(int argc, char *argv[])
        if (rc != 0)
                goto out;
        rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X);
-       if (rc != 0)
-               goto out;
-       rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC);
        if (rc != 0)
                goto out;
 
index 18a09d0a014d004d91a3f7a9cb23859fccb12e21..40ae279ac1c3edc3a250dfb3b6abb7fecf376b16 100755 (executable)
@@ -33,7 +33,6 @@ def test(args):
     f.remove_arch(Arch())
     f.add_arch(Arch("s390"))
     f.add_arch(Arch("s390x"))
-    f.add_arch(Arch("ppc"))
     f.add_rule(ALLOW, "semop")
     f.add_rule(ALLOW, "semtimedop")
     f.add_rule(ALLOW, "semget")
index 96a5c810d093656f3f85b1f952be0941eeaa5b34..ff98cec523e75e30f02a2761b76c34075ddd4783 100644 (file)
@@ -7,19 +7,19 @@
 
 test type: bpf-sim
 
-# Testname             Arch                    Syscall         Arg0    Arg1    Arg2    Arg3    Arg4    Arg5    Result
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc       ipc             1       N       N       N       N       N       ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc       ipc             2       N       N       N       N       N       ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc       ipc             3       N       N       N       N       N       ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc       ipc             4       N       N       N       N       N       ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc       ipc             11      N       N       N       N       N       ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc       ipc             12      N       N       N       N       N       ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc       ipc             13      N       N       N       N       N       ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc       ipc             14      N       N       N       N       N       ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc       ipc             21      N       N       N       N       N       ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc       ipc             22      N       N       N       N       N       ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc       ipc             23      N       N       N       N       N       ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc       ipc             24      N       N       N       N       N       ALLOW
+# Testname             Arch            Syscall         Arg0    Arg1    Arg2    Arg3    Arg4    Arg5    Result
+37-sim-ipc_syscalls_be +s390,+s390x    ipc             1       N       N       N       N       N       ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x    ipc             2       N       N       N       N       N       ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x    ipc             3       N       N       N       N       N       ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x    ipc             4       N       N       N       N       N       ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x    ipc             11      N       N       N       N       N       ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x    ipc             12      N       N       N       N       N       ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x    ipc             13      N       N       N       N       N       ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x    ipc             14      N       N       N       N       N       ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x    ipc             21      N       N       N       N       N       ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x    ipc             22      N       N       N       N       N       ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x    ipc             23      N       N       N       N       N       ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x    ipc             24      N       N       N       N       N       ALLOW
 
 test type: bpf-valgrind
 
index c6829ac9e1c3ab81b51accdbc5bee8ef39d609bc..e680afc0dec93e538cccd4daafdb74800744f7ec 100644 (file)
@@ -55,30 +55,6 @@ int main(int argc, char *argv[])
        if (rc < 0)
                goto out;
        rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
-       if (rc < 0)
-               goto out;
-       rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
-       if (rc < 0)
-               goto out;
-       rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM);
-       if (rc < 0)
-               goto out;
-       rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64);
-       if (rc < 0)
-               goto out;
-       rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
-       if (rc < 0)
-               goto out;
-       rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64);
-       if (rc < 0)
-               goto out;
-       rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64N32);
-       if (rc < 0)
-               goto out;
-       rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
-       if (rc < 0)
-               goto out;
-       rc = seccomp_arch_add(ctx, SCMP_ARCH_RISCV64);
        if (rc < 0)
                goto out;
 
@@ -109,9 +85,6 @@ int main(int argc, char *argv[])
        if (rc < 0)
                goto out;
        rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0);
-       if (rc < 0)
-               goto out;
-       rc = seccomp_rule_add(ctx, SCMP_ACT_LOG, SCMP_SYS(exit_group), 0);
        if (rc < 0)
                goto out;
 
index 3fb181b6364aa4bcf0592042d0462fb5ecc79a81..8d3c53b5c9410bf04212ba4d43fc50b2debb7547 100644 (file)
@@ -3,9 +3,6 @@
 #
 # filter for arch x86_64 (3221225534)
 if ($arch == 3221225534)
-  # filter for syscall "exit_group" (231) [priority: 65535]
-  if ($syscall == 231)
-    action LOG;
   # filter for syscall "exit" (60) [priority: 65535]
   if ($syscall == 60)
     action TRACE(1);
@@ -100,9 +97,6 @@ if ($arch == 3221225534)
   action ALLOW;
 # filter for arch x86 (1073741827)
 if ($arch == 1073741827)
-  # filter for syscall "exit_group" (252) [priority: 65535]
-  if ($syscall == 252)
-    action LOG;
   # filter for syscall "fstat" (108) [priority: 65535]
   if ($syscall == 108)
     action KILL_PROCESS;
@@ -133,534 +127,6 @@ if ($arch == 1073741827)
             action KILL;
   # default action
   action ALLOW;
-# filter for arch x32 (3221225534)
-if ($arch == 3221225534)
-  # filter for syscall "exit_group" (1073742055) [priority: 65535]
-  if ($syscall == 1073742055)
-    action LOG;
-  # filter for syscall "exit" (1073741884) [priority: 65535]
-  if ($syscall == 1073741884)
-    action TRACE(1);
-  # filter for syscall "fstat" (1073741829) [priority: 65535]
-  if ($syscall == 1073741829)
-    action KILL_PROCESS;
-  # filter for syscall "close" (1073741827) [priority: 65535]
-  if ($syscall == 1073741827)
-    action ERRNO(1);
-  # filter for syscall "open" (1073741826) [priority: 65535]
-  if ($syscall == 1073741826)
-    action KILL;
-  # filter for syscall "write" (1073741825) [priority: 65532]
-  if ($syscall == 1073741825)
-    if ($a0 == 0)
-    else
-      if ($a1 > 1)
-      else
-        if ($a2 >= 2)
-        else
-          action TRAP;
-  # filter for syscall "read" (1073741824) [priority: 65531]
-  if ($syscall == 1073741824)
-    if ($a0 == 0)
-      if ($a1 >= 1)
-        if ($a2 > 2)
-          if ($a3 & 0x0000000f == 3)
-            action KILL;
-  # default action
-  action ALLOW;
-# filter for arch arm (1073741864)
-if ($arch == 1073741864)
-  # filter for syscall "exit_group" (248) [priority: 65535]
-  if ($syscall == 248)
-    action LOG;
-  # filter for syscall "fstat" (108) [priority: 65535]
-  if ($syscall == 108)
-    action KILL_PROCESS;
-  # filter for syscall "close" (6) [priority: 65535]
-  if ($syscall == 6)
-    action ERRNO(1);
-  # filter for syscall "open" (5) [priority: 65535]
-  if ($syscall == 5)
-    action KILL;
-  # filter for syscall "exit" (1) [priority: 65535]
-  if ($syscall == 1)
-    action TRACE(1);
-  # filter for syscall "write" (4) [priority: 65532]
-  if ($syscall == 4)
-    if ($a0 == 0)
-    else
-      if ($a1 > 1)
-      else
-        if ($a2 >= 2)
-        else
-          action TRAP;
-  # filter for syscall "read" (3) [priority: 65531]
-  if ($syscall == 3)
-    if ($a0 == 0)
-      if ($a1 >= 1)
-        if ($a2 > 2)
-          if ($a3 & 0x0000000f == 3)
-            action KILL;
-  # default action
-  action ALLOW;
-# filter for arch aarch64 (3221225655)
-if ($arch == 3221225655)
-  # filter for syscall "open" (4294957130) [priority: 65535]
-  if ($syscall == 4294957130)
-    action KILL;
-  # filter for syscall "exit_group" (94) [priority: 65535]
-  if ($syscall == 94)
-    action LOG;
-  # filter for syscall "exit" (93) [priority: 65535]
-  if ($syscall == 93)
-    action TRACE(1);
-  # filter for syscall "fstat" (80) [priority: 65535]
-  if ($syscall == 80)
-    action KILL_PROCESS;
-  # filter for syscall "close" (57) [priority: 65535]
-  if ($syscall == 57)
-    action ERRNO(1);
-  # filter for syscall "write" (64) [priority: 65527]
-  if ($syscall == 64)
-    if ($a0.hi32 == 0)
-      if ($a0.lo32 == 0)
-      else
-        if ($a1.hi32 > 0)
-        else
-          if ($a1.hi32 == 0)
-            if ($a1.lo32 > 1)
-            else
-              if ($a2.hi32 > 0)
-              else
-                if ($a2.hi32 == 0)
-                  if ($a2.lo32 >= 2)
-                  else
-                    action TRAP;
-                else
-                  action TRAP;
-          else
-            if ($a2.hi32 > 0)
-            else
-              if ($a2.hi32 == 0)
-                if ($a2.lo32 >= 2)
-                else
-                  action TRAP;
-              else
-                action TRAP;
-    else
-      if ($a1.hi32 > 0)
-      else
-        if ($a1.hi32 == 0)
-          if ($a1.lo32 > 1)
-          else
-            if ($a2.hi32 > 0)
-            else
-              if ($a2.hi32 == 0)
-                if ($a2.lo32 >= 2)
-                else
-                  action TRAP;
-              else
-                action TRAP;
-        else
-          if ($a2.hi32 > 0)
-          else
-            if ($a2.hi32 == 0)
-              if ($a2.lo32 >= 2)
-              else
-                action TRAP;
-            else
-              action TRAP;
-  # filter for syscall "read" (63) [priority: 65525]
-  if ($syscall == 63)
-    if ($a0.hi32 == 0)
-      if ($a0.lo32 == 0)
-        if ($a1.hi32 > 0)
-          if ($a2.hi32 > 0)
-            if ($a3.hi32 & 0x00000000 == 0)
-              if ($a3.lo32 & 0x0000000f == 3)
-                action KILL;
-          else
-            if ($a2.hi32 == 0)
-              if ($a2.lo32 > 2)
-                if ($a3.hi32 & 0x00000000 == 0)
-                  if ($a3.lo32 & 0x0000000f == 3)
-                    action KILL;
-        else
-          if ($a1.hi32 == 0)
-            if ($a1.lo32 >= 1)
-              if ($a2.hi32 > 0)
-                if ($a3.hi32 & 0x00000000 == 0)
-                  if ($a3.lo32 & 0x0000000f == 3)
-                    action KILL;
-              else
-                if ($a2.hi32 == 0)
-                  if ($a2.lo32 > 2)
-                    if ($a3.hi32 & 0x00000000 == 0)
-                      if ($a3.lo32 & 0x0000000f == 3)
-                        action KILL;
-  # default action
-  action ALLOW;
-# filter for arch mipsel (1073741832)
-if ($arch == 1073741832)
-  # filter for syscall "exit_group" (246) [priority: 65535]
-  if ($syscall == 246)
-    action LOG;
-  # filter for syscall "fstat" (108) [priority: 65535]
-  if ($syscall == 108)
-    action KILL_PROCESS;
-  # filter for syscall "close" (6) [priority: 65535]
-  if ($syscall == 6)
-    action ERRNO(1);
-  # filter for syscall "open" (5) [priority: 65535]
-  if ($syscall == 5)
-    action KILL;
-  # filter for syscall "exit" (1) [priority: 65535]
-  if ($syscall == 1)
-    action TRACE(1);
-  # filter for syscall "write" (4) [priority: 65532]
-  if ($syscall == 4)
-    if ($a0 == 0)
-    else
-      if ($a1 > 1)
-      else
-        if ($a2 >= 2)
-        else
-          action TRAP;
-  # filter for syscall "read" (3) [priority: 65531]
-  if ($syscall == 3)
-    if ($a0 == 0)
-      if ($a1 >= 1)
-        if ($a2 > 2)
-          if ($a3 & 0x0000000f == 3)
-            action KILL;
-  # default action
-  action ALLOW;
-# filter for arch mipsel64 (3221225480)
-if ($arch == 3221225480)
-  # filter for syscall "exit_group" (5205) [priority: 65535]
-  if ($syscall == 5205)
-    action LOG;
-  # filter for syscall "exit" (5058) [priority: 65535]
-  if ($syscall == 5058)
-    action TRACE(1);
-  # filter for syscall "fstat" (5005) [priority: 65535]
-  if ($syscall == 5005)
-    action KILL_PROCESS;
-  # filter for syscall "close" (5003) [priority: 65535]
-  if ($syscall == 5003)
-    action ERRNO(1);
-  # filter for syscall "open" (5002) [priority: 65535]
-  if ($syscall == 5002)
-    action KILL;
-  # filter for syscall "write" (5001) [priority: 65527]
-  if ($syscall == 5001)
-    if ($a0.hi32 == 0)
-      if ($a0.lo32 == 0)
-      else
-        if ($a1.hi32 > 0)
-        else
-          if ($a1.hi32 == 0)
-            if ($a1.lo32 > 1)
-            else
-              if ($a2.hi32 > 0)
-              else
-                if ($a2.hi32 == 0)
-                  if ($a2.lo32 >= 2)
-                  else
-                    action TRAP;
-                else
-                  action TRAP;
-          else
-            if ($a2.hi32 > 0)
-            else
-              if ($a2.hi32 == 0)
-                if ($a2.lo32 >= 2)
-                else
-                  action TRAP;
-              else
-                action TRAP;
-    else
-      if ($a1.hi32 > 0)
-      else
-        if ($a1.hi32 == 0)
-          if ($a1.lo32 > 1)
-          else
-            if ($a2.hi32 > 0)
-            else
-              if ($a2.hi32 == 0)
-                if ($a2.lo32 >= 2)
-                else
-                  action TRAP;
-              else
-                action TRAP;
-        else
-          if ($a2.hi32 > 0)
-          else
-            if ($a2.hi32 == 0)
-              if ($a2.lo32 >= 2)
-              else
-                action TRAP;
-            else
-              action TRAP;
-  # filter for syscall "read" (5000) [priority: 65525]
-  if ($syscall == 5000)
-    if ($a0.hi32 == 0)
-      if ($a0.lo32 == 0)
-        if ($a1.hi32 > 0)
-          if ($a2.hi32 > 0)
-            if ($a3.hi32 & 0x00000000 == 0)
-              if ($a3.lo32 & 0x0000000f == 3)
-                action KILL;
-          else
-            if ($a2.hi32 == 0)
-              if ($a2.lo32 > 2)
-                if ($a3.hi32 & 0x00000000 == 0)
-                  if ($a3.lo32 & 0x0000000f == 3)
-                    action KILL;
-        else
-          if ($a1.hi32 == 0)
-            if ($a1.lo32 >= 1)
-              if ($a2.hi32 > 0)
-                if ($a3.hi32 & 0x00000000 == 0)
-                  if ($a3.lo32 & 0x0000000f == 3)
-                    action KILL;
-              else
-                if ($a2.hi32 == 0)
-                  if ($a2.lo32 > 2)
-                    if ($a3.hi32 & 0x00000000 == 0)
-                      if ($a3.lo32 & 0x0000000f == 3)
-                        action KILL;
-  # default action
-  action ALLOW;
-# filter for arch mipsel64n32 (3758096392)
-if ($arch == 3758096392)
-  # filter for syscall "exit_group" (6205) [priority: 65535]
-  if ($syscall == 6205)
-    action LOG;
-  # filter for syscall "exit" (6058) [priority: 65535]
-  if ($syscall == 6058)
-    action TRACE(1);
-  # filter for syscall "fstat" (6005) [priority: 65535]
-  if ($syscall == 6005)
-    action KILL_PROCESS;
-  # filter for syscall "close" (6003) [priority: 65535]
-  if ($syscall == 6003)
-    action ERRNO(1);
-  # filter for syscall "open" (6002) [priority: 65535]
-  if ($syscall == 6002)
-    action KILL;
-  # filter for syscall "write" (6001) [priority: 65532]
-  if ($syscall == 6001)
-    if ($a0 == 0)
-    else
-      if ($a1 > 1)
-      else
-        if ($a2 >= 2)
-        else
-          action TRAP;
-  # filter for syscall "read" (6000) [priority: 65531]
-  if ($syscall == 6000)
-    if ($a0 == 0)
-      if ($a1 >= 1)
-        if ($a2 > 2)
-          if ($a3 & 0x0000000f == 3)
-            action KILL;
-  # default action
-  action ALLOW;
-# filter for arch ppc64le (3221225493)
-if ($arch == 3221225493)
-  # filter for syscall "exit_group" (234) [priority: 65535]
-  if ($syscall == 234)
-    action LOG;
-  # filter for syscall "fstat" (108) [priority: 65535]
-  if ($syscall == 108)
-    action KILL_PROCESS;
-  # filter for syscall "close" (6) [priority: 65535]
-  if ($syscall == 6)
-    action ERRNO(1);
-  # filter for syscall "open" (5) [priority: 65535]
-  if ($syscall == 5)
-    action KILL;
-  # filter for syscall "exit" (1) [priority: 65535]
-  if ($syscall == 1)
-    action TRACE(1);
-  # filter for syscall "write" (4) [priority: 65527]
-  if ($syscall == 4)
-    if ($a0.hi32 == 0)
-      if ($a0.lo32 == 0)
-      else
-        if ($a1.hi32 > 0)
-        else
-          if ($a1.hi32 == 0)
-            if ($a1.lo32 > 1)
-            else
-              if ($a2.hi32 > 0)
-              else
-                if ($a2.hi32 == 0)
-                  if ($a2.lo32 >= 2)
-                  else
-                    action TRAP;
-                else
-                  action TRAP;
-          else
-            if ($a2.hi32 > 0)
-            else
-              if ($a2.hi32 == 0)
-                if ($a2.lo32 >= 2)
-                else
-                  action TRAP;
-              else
-                action TRAP;
-    else
-      if ($a1.hi32 > 0)
-      else
-        if ($a1.hi32 == 0)
-          if ($a1.lo32 > 1)
-          else
-            if ($a2.hi32 > 0)
-            else
-              if ($a2.hi32 == 0)
-                if ($a2.lo32 >= 2)
-                else
-                  action TRAP;
-              else
-                action TRAP;
-        else
-          if ($a2.hi32 > 0)
-          else
-            if ($a2.hi32 == 0)
-              if ($a2.lo32 >= 2)
-              else
-                action TRAP;
-            else
-              action TRAP;
-  # filter for syscall "read" (3) [priority: 65525]
-  if ($syscall == 3)
-    if ($a0.hi32 == 0)
-      if ($a0.lo32 == 0)
-        if ($a1.hi32 > 0)
-          if ($a2.hi32 > 0)
-            if ($a3.hi32 & 0x00000000 == 0)
-              if ($a3.lo32 & 0x0000000f == 3)
-                action KILL;
-          else
-            if ($a2.hi32 == 0)
-              if ($a2.lo32 > 2)
-                if ($a3.hi32 & 0x00000000 == 0)
-                  if ($a3.lo32 & 0x0000000f == 3)
-                    action KILL;
-        else
-          if ($a1.hi32 == 0)
-            if ($a1.lo32 >= 1)
-              if ($a2.hi32 > 0)
-                if ($a3.hi32 & 0x00000000 == 0)
-                  if ($a3.lo32 & 0x0000000f == 3)
-                    action KILL;
-              else
-                if ($a2.hi32 == 0)
-                  if ($a2.lo32 > 2)
-                    if ($a3.hi32 & 0x00000000 == 0)
-                      if ($a3.lo32 & 0x0000000f == 3)
-                        action KILL;
-  # default action
-  action ALLOW;
-# filter for arch riscv64 (3221225715)
-if ($arch == 3221225715)
-  # filter for syscall "open" (4294957130) [priority: 65535]
-  if ($syscall == 4294957130)
-    action KILL;
-  # filter for syscall "exit_group" (94) [priority: 65535]
-  if ($syscall == 94)
-    action LOG;
-  # filter for syscall "exit" (93) [priority: 65535]
-  if ($syscall == 93)
-    action TRACE(1);
-  # filter for syscall "fstat" (80) [priority: 65535]
-  if ($syscall == 80)
-    action KILL_PROCESS;
-  # filter for syscall "close" (57) [priority: 65535]
-  if ($syscall == 57)
-    action ERRNO(1);
-  # filter for syscall "write" (64) [priority: 65527]
-  if ($syscall == 64)
-    if ($a0.hi32 == 0)
-      if ($a0.lo32 == 0)
-      else
-        if ($a1.hi32 > 0)
-        else
-          if ($a1.hi32 == 0)
-            if ($a1.lo32 > 1)
-            else
-              if ($a2.hi32 > 0)
-              else
-                if ($a2.hi32 == 0)
-                  if ($a2.lo32 >= 2)
-                  else
-                    action TRAP;
-                else
-                  action TRAP;
-          else
-            if ($a2.hi32 > 0)
-            else
-              if ($a2.hi32 == 0)
-                if ($a2.lo32 >= 2)
-                else
-                  action TRAP;
-              else
-                action TRAP;
-    else
-      if ($a1.hi32 > 0)
-      else
-        if ($a1.hi32 == 0)
-          if ($a1.lo32 > 1)
-          else
-            if ($a2.hi32 > 0)
-            else
-              if ($a2.hi32 == 0)
-                if ($a2.lo32 >= 2)
-                else
-                  action TRAP;
-              else
-                action TRAP;
-        else
-          if ($a2.hi32 > 0)
-          else
-            if ($a2.hi32 == 0)
-              if ($a2.lo32 >= 2)
-              else
-                action TRAP;
-            else
-              action TRAP;
-  # filter for syscall "read" (63) [priority: 65525]
-  if ($syscall == 63)
-    if ($a0.hi32 == 0)
-      if ($a0.lo32 == 0)
-        if ($a1.hi32 > 0)
-          if ($a2.hi32 > 0)
-            if ($a3.hi32 & 0x00000000 == 0)
-              if ($a3.lo32 & 0x0000000f == 3)
-                action KILL;
-          else
-            if ($a2.hi32 == 0)
-              if ($a2.lo32 > 2)
-                if ($a3.hi32 & 0x00000000 == 0)
-                  if ($a3.lo32 & 0x0000000f == 3)
-                    action KILL;
-        else
-          if ($a1.hi32 == 0)
-            if ($a1.lo32 >= 1)
-              if ($a2.hi32 > 0)
-                if ($a3.hi32 & 0x00000000 == 0)
-                  if ($a3.lo32 & 0x0000000f == 3)
-                    action KILL;
-              else
-                if ($a2.hi32 == 0)
-                  if ($a2.lo32 > 2)
-                    if ($a3.hi32 & 0x00000000 == 0)
-                      if ($a3.lo32 & 0x0000000f == 3)
-                        action KILL;
-  # default action
-  action ALLOW;
 # invalid architecture action
 action KILL;
 #
index de3cb8fbe48c018865e43192ab16d85d88d266fa..2f2b51614c39548d883336b0cd4efdc3aeedb145 100644 (file)
@@ -31,38 +31,15 @@ int main(int argc, char *argv[])
        int rc;
        struct util_options opts;
        scmp_filter_ctx ctx = NULL;
-       unsigned int api;
 
        rc = util_getopt(argc, argv, &opts);
        if (rc < 0)
                goto out;
 
-       api = seccomp_api_get();
-       if (api == 0) {
-               rc = -EFAULT;
-               goto out;
-       }
-
        ctx = seccomp_init(SCMP_ACT_ALLOW);
        if (ctx == NULL)
                return ENOMEM;
 
-       if (api >= 2) {
-               rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
-               if (rc != 0)
-                       goto out;
-       }
-       if (api >= 3) {
-               rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_LOG, 1);
-               if (rc != 0)
-                       goto out;
-       }
-       if (api >= 4) {
-               rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1);
-               if (rc != 0)
-                       goto out;
-       }
-
        rc = seccomp_load(ctx);
 
 out: