Omar Polo 2021-01-20 16:09:04 +00:00
parent de4f713184
commit 3c0375e405
1 changed files with 10 additions and 11 deletions


@ -24,6 +24,7 @@ sandbox()
#include <linux/seccomp.h>
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <seccomp.h>
@ -162,18 +163,16 @@ sandbox()
SC_ALLOW(exit),
SC_ALLOW(exit_group),
/* allow only F_GETFL and F_SETFL fcntl */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6);
/* allow only F_GETFL and F_SETFL fcntl */
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, args[1])));
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0 1);
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1);
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
BPF_STMT(BPF_RET | BPF_K, SC_FAIL);
/* re-load the syscall number */
(offsetof(struct seccomp_data, args[1]))),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
/* re-load the syscall number */
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, nr))),