summaryrefslogtreecommitdiff
path: root/sandbox-seccomp-filter.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2017-03-14 17:48:43 +1100
committerDamien Miller <djm@mindrot.org>2017-03-14 17:53:17 +1100
commite3ea335abeab731c68f2b2141bee85a4b0bf680f (patch)
treed32b1aa11b8580d482b266f12326fd93a24429da /sandbox-seccomp-filter.c
parent5f1596e11d55539678c41f68aed358628d33d86f (diff)
Remove macro trickery; no binary change
This stops the SC_ALLOW(), SC_ALLOW_ARG() and SC_DENY() macros prepending __NR_ to the syscall number parameter and just makes them explicit in the macro invocations. No binary change in stripped object file before/after.
Diffstat (limited to 'sandbox-seccomp-filter.c')
-rw-r--r--sandbox-seccomp-filter.c80
1 files changed, 40 insertions, 40 deletions
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 6ceee33fe..14006b99a 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -85,13 +85,13 @@
85 85
86/* Simple helpers to avoid manual errors (but larger BPF programs). */ 86/* Simple helpers to avoid manual errors (but larger BPF programs). */
87#define SC_DENY(_nr, _errno) \ 87#define SC_DENY(_nr, _errno) \
88 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ 88 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \
89 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) 89 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
90#define SC_ALLOW(_nr) \ 90#define SC_ALLOW(_nr) \
91 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ 91 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 1), \
92 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) 92 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
93#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \ 93#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
94 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \ 94 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 6), \
95 /* load and test first syscall argument, low word */ \ 95 /* load and test first syscall argument, low word */ \
96 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ 96 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
97 offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \ 97 offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
@@ -120,114 +120,114 @@ static const struct sock_filter preauth_insns[] = {
120 120
121 /* Syscalls to non-fatally deny */ 121 /* Syscalls to non-fatally deny */
122#ifdef __NR_lstat 122#ifdef __NR_lstat
123 SC_DENY(lstat, EACCES), 123 SC_DENY(__NR_lstat, EACCES),
124#endif 124#endif
125#ifdef __NR_lstat64 125#ifdef __NR_lstat64
126 SC_DENY(lstat64, EACCES), 126 SC_DENY(__NR_lstat64, EACCES),
127#endif 127#endif
128#ifdef __NR_fstat 128#ifdef __NR_fstat
129 SC_DENY(fstat, EACCES), 129 SC_DENY(__NR_fstat, EACCES),
130#endif 130#endif
131#ifdef __NR_fstat64 131#ifdef __NR_fstat64
132 SC_DENY(fstat64, EACCES), 132 SC_DENY(__NR_fstat64, EACCES),
133#endif 133#endif
134#ifdef __NR_open 134#ifdef __NR_open
135 SC_DENY(open, EACCES), 135 SC_DENY(__NR_open, EACCES),
136#endif 136#endif
137#ifdef __NR_openat 137#ifdef __NR_openat
138 SC_DENY(openat, EACCES), 138 SC_DENY(__NR_openat, EACCES),
139#endif 139#endif
140#ifdef __NR_newfstatat 140#ifdef __NR_newfstatat
141 SC_DENY(newfstatat, EACCES), 141 SC_DENY(__NR_newfstatat, EACCES),
142#endif 142#endif
143#ifdef __NR_stat 143#ifdef __NR_stat
144 SC_DENY(stat, EACCES), 144 SC_DENY(__NR_stat, EACCES),
145#endif 145#endif
146#ifdef __NR_stat64 146#ifdef __NR_stat64
147 SC_DENY(stat64, EACCES), 147 SC_DENY(__NR_stat64, EACCES),
148#endif 148#endif
149 149
150 /* Syscalls to permit */ 150 /* Syscalls to permit */
151#ifdef __NR_brk 151#ifdef __NR_brk
152 SC_ALLOW(brk), 152 SC_ALLOW(__NR_brk),
153#endif 153#endif
154#ifdef __NR_clock_gettime 154#ifdef __NR_clock_gettime
155 SC_ALLOW(clock_gettime), 155 SC_ALLOW(__NR_clock_gettime),
156#endif 156#endif
157#ifdef __NR_close 157#ifdef __NR_close
158 SC_ALLOW(close), 158 SC_ALLOW(__NR_close),
159#endif 159#endif
160#ifdef __NR_exit 160#ifdef __NR_exit
161 SC_ALLOW(exit), 161 SC_ALLOW(__NR_exit),
162#endif 162#endif
163#ifdef __NR_exit_group 163#ifdef __NR_exit_group
164 SC_ALLOW(exit_group), 164 SC_ALLOW(__NR_exit_group),
165#endif 165#endif
166#ifdef __NR_getpgid 166#ifdef __NR_getpgid
167 SC_ALLOW(getpgid), 167 SC_ALLOW(__NR_getpgid),
168#endif 168#endif
169#ifdef __NR_getpid 169#ifdef __NR_getpid
170 SC_ALLOW(getpid), 170 SC_ALLOW(__NR_getpid),
171#endif 171#endif
172#ifdef __NR_getrandom 172#ifdef __NR_getrandom
173 SC_ALLOW(getrandom), 173 SC_ALLOW(__NR_getrandom),
174#endif 174#endif
175#ifdef __NR_gettimeofday 175#ifdef __NR_gettimeofday
176 SC_ALLOW(gettimeofday), 176 SC_ALLOW(__NR_gettimeofday),
177#endif 177#endif
178#ifdef __NR_madvise 178#ifdef __NR_madvise
179 SC_ALLOW(madvise), 179 SC_ALLOW(__NR_madvise),
180#endif 180#endif
181#ifdef __NR_mmap 181#ifdef __NR_mmap
182 SC_ALLOW(mmap), 182 SC_ALLOW(__NR_mmap),
183#endif 183#endif
184#ifdef __NR_mmap2 184#ifdef __NR_mmap2
185 SC_ALLOW(mmap2), 185 SC_ALLOW(__NR_mmap2),
186#endif 186#endif
187#ifdef __NR_mremap 187#ifdef __NR_mremap
188 SC_ALLOW(mremap), 188 SC_ALLOW(__NR_mremap),
189#endif 189#endif
190#ifdef __NR_munmap 190#ifdef __NR_munmap
191 SC_ALLOW(munmap), 191 SC_ALLOW(__NR_munmap),
192#endif 192#endif
193#ifdef __NR__newselect 193#ifdef __NR__newselect
194 SC_ALLOW(_newselect), 194 SC_ALLOW(__NR__newselect),
195#endif 195#endif
196#ifdef __NR_poll 196#ifdef __NR_poll
197 SC_ALLOW(poll), 197 SC_ALLOW(__NR_poll),
198#endif 198#endif
199#ifdef __NR_pselect6 199#ifdef __NR_pselect6
200 SC_ALLOW(pselect6), 200 SC_ALLOW(__NR_pselect6),
201#endif 201#endif
202#ifdef __NR_read 202#ifdef __NR_read
203 SC_ALLOW(read), 203 SC_ALLOW(__NR_read),
204#endif 204#endif
205#ifdef __NR_rt_sigprocmask 205#ifdef __NR_rt_sigprocmask
206 SC_ALLOW(rt_sigprocmask), 206 SC_ALLOW(__NR_rt_sigprocmask),
207#endif 207#endif
208#ifdef __NR_select 208#ifdef __NR_select
209 SC_ALLOW(select), 209 SC_ALLOW(__NR_select),
210#endif 210#endif
211#ifdef __NR_shutdown 211#ifdef __NR_shutdown
212 SC_ALLOW(shutdown), 212 SC_ALLOW(__NR_shutdown),
213#endif 213#endif
214#ifdef __NR_sigprocmask 214#ifdef __NR_sigprocmask
215 SC_ALLOW(sigprocmask), 215 SC_ALLOW(__NR_sigprocmask),
216#endif 216#endif
217#ifdef __NR_time 217#ifdef __NR_time
218 SC_ALLOW(time), 218 SC_ALLOW(__NR_time),
219#endif 219#endif
220#ifdef __NR_write 220#ifdef __NR_write
221 SC_ALLOW(write), 221 SC_ALLOW(__NR_write),
222#endif 222#endif
223#ifdef __NR_socketcall 223#ifdef __NR_socketcall
224 SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), 224 SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
225#endif 225#endif
226#if defined(__NR_ioctl) && defined(__s390__) 226#if defined(__NR_ioctl) && defined(__s390__)
227 /* Allow ioctls for ICA crypto card on s390 */ 227 /* Allow ioctls for ICA crypto card on s390 */
228 SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK), 228 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
229 SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO), 229 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
230 SC_ALLOW_ARG(ioctl, 1, ICARSACRT), 230 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
231#endif /* defined(__NR_ioctl) && defined(__s390__) */ 231#endif /* defined(__NR_ioctl) && defined(__s390__) */
232 232
233 /* Default deny */ 233 /* Default deny */