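/*
 * Check verbose decoding of seccomp SECCOMP_SET_MODE_FILTER.
 *
 * Copyright (c) 2015-2016 Dmitry V. Levin <ldv@altlinux.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "tests.h"

#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <asm/unistd.h>
#include <unistd.h>

#ifdef HAVE_PRCTL
# include <sys/prctl.h>
#endif
#ifdef HAVE_LINUX_SECCOMP_H
# include <linux/seccomp.h>
#endif
#ifdef HAVE_LINUX_FILTER_H
# include <linux/filter.h>
#endif

#if defined __NR_seccomp \
 && defined PR_SET_NO_NEW_PRIVS \
 && defined SECCOMP_SET_MODE_FILTER \
 && defined SECCOMP_RET_ERRNO \
 && defined BPF_JUMP \
 && defined BPF_STMT

/*
 * Two-instruction filter fragments.  Each one compares the accumulator
 * (the syscall number loaded by the first filter instruction) with
 * __NR_<nr>: on a match (jt = 0) execution falls through to the BPF_RET
 * that follows, otherwise (jf = 1) that BPF_RET is skipped.
 */
#define SOCK_FILTER_ALLOW_SYSCALL(nr) \
		BPF_JUMP(BPF_JMP|BPF_K|BPF_JEQ, __NR_ ## nr, 0, 1), \
		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW)

/* As above, but the syscall fails with errno "err" instead of running. */
#define SOCK_FILTER_DENY_SYSCALL(nr, err) \
		BPF_JUMP(BPF_JMP|BPF_K|BPF_JEQ, __NR_ ## nr, 0, 1), \
		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO|(SECCOMP_RET_DATA & (err)))

/*
 * Default action for every syscall not matched above.
 * NOTE(review): despite the macro name, SECCOMP_RET_KILL is the
 * thread-scoped action (an alias of SECCOMP_RET_KILL_THREAD in newer
 * kernel headers); it is not SECCOMP_RET_KILL_PROCESS.
 */
#define SOCK_FILTER_KILL_PROCESS \
		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL)

/*
 * Print the text that strace -v is expected to produce for the matching
 * SOCK_FILTER_* fragment.  The format strings are compared verbatim
 * against strace output, so they must not be reworded.
 */
#define PRINT_ALLOW_SYSCALL(nr) \
	tprintf("BPF_JUMP(BPF_JMP|BPF_K|BPF_JEQ, %#x, 0, 0x1), " \
	       "BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), ", \
	       __NR_ ## nr)

#define PRINT_DENY_SYSCALL(nr, err) \
	tprintf("BPF_JUMP(BPF_JMP|BPF_K|BPF_JEQ, %#x, 0, 0x1), " \
	       "BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO|%#x), ", \
	       __NR_ ## nr, (err))

/*
 * The filter installed at the end of main(): allow close/exit/exit_group,
 * fail sync and setsid with an errno, kill on anything else.
 *
 * NOTE(review): this filter inspects only seccomp_data.nr and never checks
 * seccomp_data.arch.  That is adequate for a decoder test, but a filter
 * used as a real sandbox should validate the architecture first, because
 * syscall numbers differ between ABIs supported by the same kernel.
 */
static const struct sock_filter filter_c[] = {
	/* load syscall number */
	BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, nr)),

	/* allow syscalls */
	SOCK_FILTER_ALLOW_SYSCALL(close),
	SOCK_FILTER_ALLOW_SYSCALL(exit),
	SOCK_FILTER_ALLOW_SYSCALL(exit_group),

	/* deny syscalls */
	SOCK_FILTER_DENY_SYSCALL(sync, EBUSY),
	SOCK_FILTER_DENY_SYSCALL(setsid, EPERM),

	/* kill process */
	SOCK_FILTER_KILL_PROCESS
};

#ifndef BPF_MAXINSNS
# define BPF_MAXINSNS 4096
#endif

/*
 * Issue a series of seccomp(SECCOMP_SET_MODE_FILTER) calls -- four that
 * are expected to fail and a final one that installs filter_c -- and print
 * the line strace -v is expected to emit for each of them.
 *
 * The results of the deliberately failing calls are not checked here; the
 * "%m" in each expected line picks up whatever errno the call left behind.
 */
int
main(void)
{
	/* NOTE(review): presumably primes tprintf's output path while all
	 * syscalls are still permitted -- confirm against tests.h. */
	tprintf("%s", "");

	static const char kill_stmt_txt[] =
		"BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL)";
	/*
	 * tail_memdup()/tail_alloc() come from tests.h.  The EFAULT
	 * expectations below rely on the memory immediately after the
	 * returned buffer being inaccessible.
	 */
	struct sock_filter *const filter =
		tail_memdup(filter_c, sizeof(filter_c));
	struct sock_filter *const big_filter =
		tail_alloc(sizeof(*big_filter) * (BPF_MAXINSNS + 1));
	struct sock_fprog *const prog = tail_alloc(sizeof(*prog));

	/* NOTE(review): fds is not referenced again in this file; the
	 * purpose of the pipe is not visible from here. */
	int fds[2];
	if (pipe(fds))
		perror_msg_and_fail("pipe");
	/* An unprivileged task must set no_new_privs before it may
	 * install a seccomp filter. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
		perror_msg_and_skip("PR_SET_NO_NEW_PRIVS");

	/* Filter pointer one element past the buffer: nothing is readable,
	 * so the raw address is expected in the output. */
	prog->filter = filter +  ARRAY_SIZE(filter_c);
	prog->len = 1;
	syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, prog);
	tprintf("seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=1, filter=%p})"
		" = -1 EFAULT (%m)\n", prog->filter);

	/* Only the last element is readable although len claims three:
	 * one decoded statement followed by the unreadable address. */
	prog->filter = filter +  ARRAY_SIZE(filter_c) - 1;
	prog->len = 3;
	syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, prog);
	tprintf("seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=%u"
		", filter=[%s, %p]}) = -1 EFAULT (%m)\n",
		prog->len, kill_stmt_txt, filter +  ARRAY_SIZE(filter_c));

	/* Empty program. */
	prog->len = 0;
	syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, prog);
	tprintf("seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=0, filter=[]})"
		" = -1 EINVAL (%m)\n");

	/* Program one instruction longer than BPF_MAXINSNS, cycling through
	 * every BPF instruction class with a distinct k value. */
	unsigned int i;
	for (i = 0; i <= BPF_MAXINSNS; ++i) {
		const struct sock_filter stmt =
			BPF_STMT(BPF_CLASS(i), i << 16);
		big_filter[i] = stmt;
	}

	prog->filter = big_filter;
	prog->len = BPF_MAXINSNS + 1;
	tprintf("seccomp(SECCOMP_SET_MODE_FILTER, %s, {len=%u, filter=[",
		"SECCOMP_FILTER_FLAG_TSYNC|0xfffffffe", prog->len);
	/* Only the first BPF_MAXINSNS statements are expected in the
	 * output; the remainder is abbreviated as ", ...". */
	for (i = 0; i < BPF_MAXINSNS; ++i) {
		if (i)
			tprintf(", ");
		/* BPF_CLASS() yields one of the eight classes listed below,
		 * so no default label is needed. */
		switch(BPF_CLASS(i)) {
		case BPF_LD:
			tprintf("BPF_STMT(BPF_LD|BPF_W|BPF_IMM, %#x)", i << 16);
			break;
		case BPF_LDX:
			tprintf("BPF_STMT(BPF_LDX|BPF_W|BPF_IMM, %#x)", i << 16);
			break;
		case BPF_ST:
			tprintf("BPF_STMT(BPF_ST, %#x)", i << 16);
			break;
		case BPF_STX:
			tprintf("BPF_STMT(BPF_STX, %#x)", i << 16);
			break;
		case BPF_ALU:
			tprintf("BPF_STMT(BPF_ALU|BPF_K|BPF_ADD, %#x)", i << 16);
			break;
		case BPF_JMP:
			tprintf("BPF_STMT(BPF_JMP|BPF_K|BPF_JA, %#x)", i << 16);
			break;
		case BPF_RET:
			tprintf("BPF_STMT(BPF_RET|BPF_K, %#x"
				" /* SECCOMP_RET_??? */)", i << 16);
			break;
		case BPF_MISC:
			tprintf("BPF_STMT(BPF_MISC|BPF_TAX, %#x)", i << 16);
			break;
		}
	}
	tprintf(", ...]})");
	/* flags = -1: every flag bit set, expected to be rejected. */
	syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, -1, prog);
	tprintf(" = -1 EINVAL (%m)\n");

	/* Finally the well-formed filter. */
	prog->filter = filter;
	prog->len = ARRAY_SIZE(filter_c);

	/*
	 * The complete expected line, including the exit notice, is printed
	 * BEFORE the filter is installed: once filter_c is active only
	 * close, exit and exit_group are allowed, so no output could be
	 * written afterwards.
	 */
	tprintf("seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=%u, filter=[",
		prog->len);

	tprintf("BPF_STMT(BPF_LD|BPF_W|BPF_ABS, %#x), ",
	       (unsigned) offsetof(struct seccomp_data, nr));

	PRINT_ALLOW_SYSCALL(close);
	PRINT_ALLOW_SYSCALL(exit);
	PRINT_ALLOW_SYSCALL(exit_group);

	/* Plain statements; the original chained these calls with the
	 * comma operator. */
	PRINT_DENY_SYSCALL(sync, EBUSY);
	PRINT_DENY_SYSCALL(setsid, EPERM);

	tprintf("%s]}) = 0\n+++ exited with 0 +++\n", kill_stmt_txt);

	if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, prog))
		perror_msg_and_skip("SECCOMP_SET_MODE_FILTER");

	/* From here on only close/exit/exit_group survive the filter.
	 * NOTE(review): 77 looks like the test suite's "skipped" status --
	 * confirm against the harness. */
	if (close(0) || close(1))
		_exit(77);

	_exit(0);
}

#else

SKIP_MAIN_UNDEFINED("__NR_seccomp && PR_SET_NO_NEW_PRIVS"
		    " && SECCOMP_SET_MODE_FILTER && SECCOMP_RET_ERRNO"
		    " && BPF_JUMP && BPF_STMT")

#endif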