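/*
 * seccomp.h
 * Ansilove 4.1.6
 * https://www.ansilove.org
 *
 * Copyright (c) 2019-2022, Frederic Cambus
 * All rights reserved.
 *
 * Ansilove is licensed under the BSD 2-Clause license.
 * See LICENSE file for details.
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#ifndef SECCOMP_H
#define SECCOMP_H

#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/*
 * Audit architecture token that the filter expects in seccomp_data.arch.
 * A syscall entered through a different ABI (for example a 32-bit entry
 * point in a 64-bit build) carries a different token and is rejected
 * before its number is even inspected.
 */
#if defined(__i386__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__arm__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "Seccomp is only supported on i386, x86_64, arm, and aarch64 architectures."
#endif

/*
 * Action returned for anything the allow list below does not match.
 * SECCOMP_RET_KILL terminates only the calling thread; where the kernel
 * headers provide SECCOMP_RET_KILL_PROCESS the whole process is terminated
 * instead, so a violation cannot leave sibling threads running.  Older
 * headers fall back to SECCOMP_RET_KILL, preserving the previous behaviour.
 */
#if defined(SECCOMP_RET_KILL_PROCESS)
#define ANSILOVE_SECCOMP_KILL SECCOMP_RET_KILL_PROCESS
#else
#define ANSILOVE_SECCOMP_KILL SECCOMP_RET_KILL
#endif

/*
 * Emit two BPF instructions: if the loaded syscall number equals
 * __NR_<syscall>, fall through (jt=0) to RET ALLOW; otherwise skip the
 * allow (jf=1) and continue with the next comparison.
 */
#define ANSILOVE_SYSCALL_ALLOW(syscall) \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##syscall, 0, 1), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)

/*
 * Classic-BPF allow list: an architecture check, then a linear chain of
 * syscall-number comparisons, then the kill action.  Listed syscalls are
 * allowed with any arguments; everything else is killed.  Entries guarded by
 * #if only exist on ABIs that define the corresponding __NR_ constant.
 */
static struct sock_filter filter[] = {
	/* Validate architecture: the jump skips the kill only on a match */
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, arch)),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
	BPF_STMT(BPF_RET+BPF_K, ANSILOVE_SECCOMP_KILL),

	/* Load syscall number into the accumulator for the chain below */
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),

	ANSILOVE_SYSCALL_ALLOW(brk),
	ANSILOVE_SYSCALL_ALLOW(clock_gettime), /* i386 glibc */
	ANSILOVE_SYSCALL_ALLOW(close),
	ANSILOVE_SYSCALL_ALLOW(exit_group),
	ANSILOVE_SYSCALL_ALLOW(fstat),
#if defined(__NR_fstat64)
	ANSILOVE_SYSCALL_ALLOW(fstat64), /* i386 glibc */
#endif
	/*
	 * NOTE(review): ioctl is allowed for any request code; presumably
	 * needed for terminal detection on stdout — confirm against the caller
	 * before narrowing.
	 */
	ANSILOVE_SYSCALL_ALLOW(ioctl),
	ANSILOVE_SYSCALL_ALLOW(lseek),
#if defined(__NR__llseek)
	ANSILOVE_SYSCALL_ALLOW(_llseek), /* i386 glibc */
#endif
#if defined(__NR_open)
	ANSILOVE_SYSCALL_ALLOW(open),
#endif
	ANSILOVE_SYSCALL_ALLOW(openat),
	ANSILOVE_SYSCALL_ALLOW(madvise),
#if defined(__NR_mmap)
	ANSILOVE_SYSCALL_ALLOW(mmap),
#endif
#if defined(__NR_mmap2)
	ANSILOVE_SYSCALL_ALLOW(mmap2), /* i386 glibc */
#endif
	ANSILOVE_SYSCALL_ALLOW(mremap),
	ANSILOVE_SYSCALL_ALLOW(munmap),
	ANSILOVE_SYSCALL_ALLOW(read),
	ANSILOVE_SYSCALL_ALLOW(readv),
	ANSILOVE_SYSCALL_ALLOW(write),
	ANSILOVE_SYSCALL_ALLOW(writev),

	/* Default action for every syscall not matched above */
	BPF_STMT(BPF_RET+BPF_K, ANSILOVE_SECCOMP_KILL)
};

/*
 * Filter program to install (presumably via prctl(PR_SET_SECCOMP,
 * SECCOMP_MODE_FILTER, &ansilove) in the caller; the install call is not in
 * this header).  Note this is a definition with external linkage inside a
 * header: include it from exactly one translation unit, or the linker will
 * see duplicate definitions of `ansilove`.
 */
struct sock_fprog ansilove = {
	.len = sizeof(filter)/sizeof(filter[0]),
	.filter = filter
};

#endif /* SECCOMP_H */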