Allow socketcall(SYS_SHUTDOWN) for net_child on ix86 architecture
This commit is contained in:
parent
b59dd83265
commit
252221e6a1
@ -21,6 +21,32 @@ diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index 095b04a..52f6810 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -43,6 +43,7 @@
|
||||
#include <sys/resource.h>
|
||||
#include <sys/prctl.h>
|
||||
|
||||
+#include <linux/net.h>
|
||||
#include <linux/audit.h>
|
||||
#include <linux/filter.h>
|
||||
#include <linux/seccomp.h>
|
||||
@@ -80,6 +81,17 @@
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
|
||||
|
||||
+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
|
||||
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
|
||||
+ /* load first syscall argument */ \
|
||||
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||
+ offsetof(struct seccomp_data, args[(_arg_nr)])), \
|
||||
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
|
||||
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
|
||||
+ /* reload syscall number; all rules expect it in accumulator */ \
|
||||
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||
+ offsetof(struct seccomp_data, nr))
|
||||
+
|
||||
/* Syscall filtering set for preauth. */
|
||||
static const struct sock_filter preauth_insns[] = {
|
||||
/* Ensure the syscall arch convention is as expected. */
|
||||
@@ -90,8 +90,23 @@ static const struct sock_filter preauth_insns[] = {
|
||||
/* Load the syscall number for checking. */
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
|
||||
@ -66,3 +92,13 @@ index 095b04a..52f6810 100644
|
||||
SC_ALLOW(madvise),
|
||||
#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
|
||||
SC_ALLOW(mmap2),
|
||||
@@ -154,6 +157,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#else
|
||||
SC_ALLOW(sigprocmask),
|
||||
#endif
|
||||
+#ifdef __NR_socketcall
|
||||
+ SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
|
||||
+#endif
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
|
||||
};
|
||||
|
||||
|
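Review bot: The new `SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN)` rule has no comment saying why this single socketcall multiplex is opened in the preauth filter, which the commit title attributes to net_child on ix86; suggest `/* net_child on i386 reaches shutdown() via socketcall(2) */` above the `#ifdef __NR_socketcall`. Placing the rule just before the `SECCOMP_FILTER_FAIL` default keeps it under the earlier arch check, so the argument compare is only evaluated for the expected ABI, which is worth stating in that comment since the macro's 32-bit argument load depends on it. Architectures with a direct `__NR_shutdown` are not covered by this hunk, which is consistent with the title but could be noted.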