mirror of
https://github.com/omar-polo/gmid.git
synced 2024-09-27 21:11:51 +02:00
fix BPF
parent
de4f713184
commit
3c0375e405
17
sandbox.c
17
sandbox.c
@ -24,6 +24,7 @@ sandbox()
|
|||||||
#include <linux/seccomp.h>
|
#include <linux/seccomp.h>
|
||||||
|
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
|
#include <fcntl.h>
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <seccomp.h>
|
#include <seccomp.h>
|
||||||
@ -162,17 +163,15 @@ sandbox()
|
|||||||
|
|
||||||
SC_ALLOW(exit),
|
SC_ALLOW(exit),
|
||||||
SC_ALLOW(exit_group),
|
SC_ALLOW(exit_group),
|
||||||
|
|
||||||
/* allow only F_GETFL and F_SETFL fcntl */
|
/* allow only F_GETFL and F_SETFL fcntl */
|
||||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6);
|
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 0, 6),
|
||||||
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
||||||
(offsetof(struct seccomp_data, args[1])));
|
(offsetof(struct seccomp_data, args[1]))),
|
||||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0 1);
|
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_GETFL, 0, 1),
|
||||||
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
|
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
|
||||||
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1);
|
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 0, 1),
|
||||||
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
|
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
|
||||||
BPF_STMT(BPF_RET | BPF_K, SC_FAIL);
|
BPF_STMT(BPF_RET | BPF_K, SC_FAIL),
|
||||||
|
|
||||||
/* re-load the syscall number */
|
/* re-load the syscall number */
|
||||||
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
||||||
(offsetof(struct seccomp_data, nr))),
|
(offsetof(struct seccomp_data, nr))),
|
||||||
|
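Review bot: The `BPF_LD | BPF_W | BPF_ABS` load at `offsetof(struct seccomp_data, args[1])` in the fcntl check reads only one 32-bit half of a 64-bit `args[]` slot, and which half it gets depends on byte order: the low word that carries `cmd` on little-endian, the high word on big-endian. On a big-endian build the `F_GETFL`/`F_SETFL` comparisons would therefore test the wrong half, and the allow-list would not constrain the command the kernel acts on. I would select the low word explicitly, `(offsetof(struct seccomp_data, args[1]) + (__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ ? 4 : 0))`, or, if only little-endian targets are supported, say so above the load: `/* low 32 bits of args[1]; little-endian only */`. The filter array starts and ends outside this section, so it is not visible whether an architecture check precedes these instructions; that is worth confirming, since `__NR_fcntl` and the argument layout are ABI-specific.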