diff --git a/configure.ac b/configure.ac
index 4065d0e..d59ad44 100644
--- a/configure.ac
+++ b/configure.ac
@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 i*86-*)
 seccomp_audit_arch=AUDIT_ARCH_I386
 ;;
- arm*-*)
+ aarch64*-*)
+ seccomp_audit_arch=AUDIT_ARCH_AARCH64
+ ;;
+ arm*-*)
 seccomp_audit_arch=AUDIT_ARCH_ARM
- ;;
+ ;;
 esac
 if test "x$seccomp_audit_arch" != "x" ; then
 AC_MSG_RESULT(["$seccomp_audit_arch"])
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 095b04a..52f6810 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -43,6 +43,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -80,6 +81,17 @@
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
+ /* load first syscall argument */ \
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+ offsetof(struct seccomp_data, args[(_arg_nr)])), \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
+ /* reload syscall number; all rules expect it in accumulator */ \
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+ offsetof(struct seccomp_data, nr))
+
 /* Syscall filtering set for preauth. */
 static const struct sock_filter preauth_insns[] = {
 /* Ensure the syscall arch convention is as expected. */
@@ -90,8 +90,23 @@ static const struct sock_filter preauth_insns[] = {
 /* Load the syscall number for checking. */
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 offsetof(struct seccomp_data, nr)),
- SC_DENY(open, EACCES),
+#ifdef __NR_stat
 SC_DENY(stat, EACCES),
+#endif
+ SC_DENY(openat, EACCES),
+#ifdef __NR_open
+ SC_DENY(open, EACCES), /* not on AArch64 */
+#endif
+#ifdef __NR_fstat
+ SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */
+#endif
+#if defined(__NR_stat64) && defined(__NR_fstat64)
+ SC_DENY(stat64, EACCES), /* ix86, arm */
+ SC_DENY(fstat64, EACCES),
+#endif
+#ifdef __NR_newfstatat
+ SC_DENY(newfstatat, EACCES), /* Aarch64 */
+#endif
 SC_ALLOW(getpid),
 SC_ALLOW(gettimeofday),
 SC_ALLOW(clock_gettime),
@@ -111,12 +123,19 @@ static const struct sock_filter preauth_insns[] = {
 SC_ALLOW(shutdown),
 #endif
 SC_ALLOW(brk),
+#ifdef __NR_poll /* not on AArch64 */
 SC_ALLOW(poll),
+#endif
 #ifdef __NR__newselect
 SC_ALLOW(_newselect),
 #else
+#ifdef __NR_select /* not on AArch64 */
 SC_ALLOW(select),
 #endif
+#ifdef __NR_pselect6 /* AArch64 */
+ SC_ALLOW(pselect6),
+#endif
+#endif
 SC_ALLOW(madvise),
 #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
 SC_ALLOW(mmap2),
@@ -154,6 +157,9 @@ static const struct sock_filter preauth_insns[] = {
 #else
 SC_ALLOW(sigprocmask),
 #endif
+#ifdef __NR_socketcall
+ SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+#endif
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
 };
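Review bot: The combined guard `#if defined(__NR_stat64) && defined(__NR_fstat64)` in the `@@ -90,8 +90,23 @@` hunk drops both EACCES rules when a target defines only one of the two numbers. The remaining call would then presumably reach the final `SECCOMP_FILTER_FAIL` rule instead of returning EACCES. Separate `#ifdef __NR_stat64` and `#ifdef __NR_fstat64` guards, like the other entries, avoid that coupling. The architecture comments are also narrower than the guards: `SC_DENY(newfstatat, EACCES)` is tagged `/* Aarch64 */` but is compiled wherever the headers define `__NR_newfstatat`, so something like `/* wherever defined, e.g. AArch64 */` would be more accurate. `preauth_insns[]` starts before this hunk and continues past it.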
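Review bot: `SC_ALLOW(pselect6)` in the `@@ -111,12 +123,19 @@` hunk is guarded only by `#ifdef __NR_pselect6` inside the `#else` branch, so it is compiled in on every non-`_newselect` target whose headers define that number. The `/* AArch64 */` comment suggests a narrower intent, and on those other targets the pre-auth allow list now admits both `select` and `pselect6`. If `pselect6` is only a stand-in for a missing `select`, `#if !defined(__NR_select) && defined(__NR_pselect6)` keeps the list minimal; if both are meant to be allowed, the comment should say so. `poll` is likewise dropped where `__NR_poll` is undefined and no substitute is added in this hunk, which is worth confirming as intended.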