diff --git a/configure.ac b/configure.ac
index b6f930201..a1a29a657 100644
--- a/configure.ac
+++ b/configure.ac
@@ -781,14 +781,17 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 i*86-*)
 seccomp_audit_arch=AUDIT_ARCH_I386
 ;;
- arm*-*)
+ arm*-*)
 seccomp_audit_arch=AUDIT_ARCH_ARM
- ;;
+ ;;
+ aarch64*-*)
+ seccomp_audit_arch=AUDIT_ARCH_AARCH64
+ ;
 esac
 if test "x$seccomp_audit_arch" != "x" ; then
 AC_MSG_RESULT(["$seccomp_audit_arch"])
- AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
- [Specify the system call convention in use])
+ AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
+ [Specify the system call convention in use])
 else
 AC_MSG_RESULT([architecture not supported])
 fi
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index b6f6258f2..badfee2ec 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -43,6 +43,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -79,6 +80,16 @@
 #define SC_ALLOW(_nr) \
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
+ /* load first syscall argument */ \
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+ offsetof(struct seccomp_data, args[(_arg_nr)])), \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
+ /* reload syscall number; all rules expect it in accumulator */ \
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+ offsetof(struct seccomp_data, nr))
 /* Syscall filtering set for preauth. */
 static const struct sock_filter preauth_insns[] = {
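Review bot: The new `aarch64*-*)` arm in the configure.ac hunk ends with `+ ;` as rendered here, while the `i*86-*)` and `arm*-*)` arms above it end with `;;`; if the file really contains a single `;` the case arm is not terminated and the generated configure script will fail to parse at `esac`, so it should read `;;` like its neighbours. This may be a rendering loss on this page rather than a defect in the commit, so check the file itself. The other lines of this hunk only reindent the existing arm arm and the AC_DEFINE_UNQUOTED call.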
@@ -90,45 +101,99 @@ static const struct sock_filter preauth_insns[] = {
 /* Load the syscall number for checking. */
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 offsetof(struct seccomp_data, nr)),
+
+ /* Syscalls to non-fatally deny */
+#ifdef __NR_fstat
+ SC_DENY(fstat, EACCES),
+#endif
+#ifdef __NR_fstat64
+ SC_DENY(fstat64, EACCES),
+#endif
+#ifdef __NR_open
 SC_DENY(open, EACCES),
+#endif
+#ifdef __NR_openat
+ SC_DENY(openat, EACCES),
+#endif
+#ifdef __NR_newfstatat
+ SC_DENY(newfstatat, EACCES),
+#endif
+#ifdef __NR_stat
 SC_DENY(stat, EACCES),
- SC_ALLOW(getpid),
- SC_ALLOW(gettimeofday),
- SC_ALLOW(clock_gettime),
-#ifdef __NR_time /* not defined on EABI ARM */
- SC_ALLOW(time),
 #endif
- SC_ALLOW(read),
- SC_ALLOW(write),
- SC_ALLOW(close),
-#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
- SC_ALLOW(shutdown),
+#ifdef __NR_stat64
+ SC_DENY(stat64, EACCES),
 #endif
+
+ /* Syscalls to permit */
+#ifdef __NR_brk
 SC_ALLOW(brk),
- SC_ALLOW(poll),
-#ifdef __NR__newselect
- SC_ALLOW(_newselect),
-#else
- SC_ALLOW(select),
 #endif
+#ifdef __NR_clock_gettime
+ SC_ALLOW(clock_gettime),
+#endif
+#ifdef __NR_close
+ SC_ALLOW(close),
+#endif
+#ifdef __NR_exit
+ SC_ALLOW(exit),
+#endif
+#ifdef __NR_exit_group
+ SC_ALLOW(exit_group),
+#endif
+#ifdef __NR_getpid
+ SC_ALLOW(getpid),
+#endif
+#ifdef __NR_gettimeofday
+ SC_ALLOW(gettimeofday),
+#endif
+#ifdef __NR_madvise
 SC_ALLOW(madvise),
-#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
- SC_ALLOW(mmap2),
 #endif
 #ifdef __NR_mmap
 SC_ALLOW(mmap),
 #endif
-#ifdef __dietlibc__
- SC_ALLOW(mremap),
- SC_ALLOW(exit),
+#ifdef __NR_mmap2
+ SC_ALLOW(mmap2),
 #endif
+#ifdef __NR_mremap
+ SC_ALLOW(mremap),
+#endif
+#ifdef __NR_munmap
 SC_ALLOW(munmap),
- SC_ALLOW(exit_group),
+#endif
+#ifdef __NR__newselect
+ SC_ALLOW(_newselect),
+#endif
+#ifdef __NR_poll
+ SC_ALLOW(poll),
+#endif
+#ifdef __NR_read
+ SC_ALLOW(read),
+#endif
 #ifdef __NR_rt_sigprocmask
 SC_ALLOW(rt_sigprocmask),
-#else
+#endif
+#ifdef __NR_select
+ SC_ALLOW(select),
+#endif
+#ifdef __NR_shutdown
+ SC_ALLOW(shutdown),
+#endif
+#ifdef __NR_sigprocmask
 SC_ALLOW(sigprocmask),
 #endif
+#ifdef __NR_time
+ SC_ALLOW(time),
+#endif
+#ifdef __NR_write
+ SC_ALLOW(write),
+#endif
+#ifdef __NR_socketcall
+ SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+#endif
+
+ /* Default deny */
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
 };
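Review bot: `SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN)` at the end of the permit list depends on SYS_SHUTDOWN being in scope, and the header added in the earlier include hunk has lost its name on this page, so confirm it is the header that defines the socketcall multiplexer constants rather than a socket API header that does not. A documentation point on the same list: every rule is now wrapped in `#ifdef __NR_x`, so on a platform whose headers do not expose a number macro for a syscall its libc actually uses, the rule silently disappears at build time and the call falls through to the final `SECCOMP_FILTER_FAIL` rule at runtime; a comment such as `/* Each rule is conditional on its __NR_ macro; a syscall with no macro gets no rule and is handled by the default-deny rule below */` above `/* Syscalls to permit */` would make that failure mode discoverable when porting. The preauth_insns initializer begins before this hunk.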