mirror of https://github.com/omar-polo/gmid.git
fix BPF
parent
de4f713184
commit
3c0375e405
21
sandbox.c
21
sandbox.c
|
@ -24,6 +24,7 @@ sandbox()
|
|||
#include <linux/seccomp.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <stddef.h>
|
||||
#include <stdio.h>
|
||||
#include <seccomp.h>
|
||||
|
@ -162,18 +163,16 @@ sandbox()
|
|||
|
||||
SC_ALLOW(exit),
|
||||
SC_ALLOW(exit_group),
|
||||
|
||||
/* allow only F_GETFL and F_SETFL fcntl */
|
||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6);
|
||||
/* allow only F_GETFL and F_SETFL fcntl */
|
||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6),
|
||||
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
||||
(offsetof(struct seccomp_data, args[1])));
|
||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0 1);
|
||||
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
|
||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1);
|
||||
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
|
||||
BPF_STMT(BPF_RET | BPF_K, SC_FAIL);
|
||||
|
||||
/* re-load the syscall number */
|
||||
(offsetof(struct seccomp_data, args[1]))),
|
||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
|
||||
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
|
||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
|
||||
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
|
||||
BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
|
||||
/* re-load the syscall number */
|
||||
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
||||
(offsetof(struct seccomp_data, nr))),
|
||||
|
||||
|
|
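Review bot: The fcntl command check loads `args[1]` with a single `BPF_LD | BPF_W | BPF_ABS` at `offsetof(struct seccomp_data, args[1])`, which reads only 32 bits of a 64-bit argument slot, and which half it reads depends on byte order. On a little-endian build that is the low word holding the command, but on a big-endian 64-bit build the same offset would read the high word, so the `F_GETFL`/`F_SETFL` comparison would presumably not be testing the value the kernel acts on. If the sandbox is only meant for little-endian Linux, say so next to the load, e.g. `/* args[] are 64-bit; this reads the low 32 bits on little-endian only */`; otherwise make the offset endian-aware. Separately, the `6` in the `__NR_fcntl` jump is a hand-counted skip to the re-load of `nr`, so a comment such as `/* 6 = number of instructions in the fcntl block */` would help keep it correct when the block is edited. The filter array starts and ends outside this section.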