Allow socketcall(SYS_SHUTDOWN) for net_child on ix86 architecture

This commit is contained in:
Jakub Jelen 2015-06-24 10:38:35 +02:00
parent b59dd83265
commit 252221e6a1

View File

@ -21,6 +21,32 @@ diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 095b04a..52f6810 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -43,6 +43,7 @@
#include <sys/resource.h>
#include <sys/prctl.h>
+#include <linux/net.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
@@ -80,6 +81,17 @@
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
+ /* load first syscall argument */ \
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+ offsetof(struct seccomp_data, args[(_arg_nr)])), \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
+ /* reload syscall number; all rules expect it in accumulator */ \
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+ offsetof(struct seccomp_data, nr))
+
/* Syscall filtering set for preauth. */
static const struct sock_filter preauth_insns[] = {
/* Ensure the syscall arch convention is as expected. */
@@ -90,8 +90,23 @@ static const struct sock_filter preauth_insns[] = {
/* Load the syscall number for checking. */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
@ -66,3 +92,13 @@ index 095b04a..52f6810 100644
SC_ALLOW(madvise),
#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
SC_ALLOW(mmap2),
@@ -154,6 +157,9 @@ static const struct sock_filter preauth_insns[] = {
#else
SC_ALLOW(sigprocmask),
#endif
+#ifdef __NR_socketcall
+ SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+#endif
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
};